11-21-2009, 09:59 AM   #1   AarKay, Registered User
Join Date: Dec 2007
Posts: 14
OS: Win XP Pro SP3


Desktop Virus issues

Hi

My desktop has been infected with some kind of virus for the past few weeks.
I have Symantec AntiVirus and I also ran Malwarebytes and HouseCall, and the viruses keep on coming even after cleanup.

Some of the problems I noticed are:
1) .tmp files keep popping up in the C:\Windows\Temp directory
2) The AV also keeps on complaining about the tdlcmd.dll file in the C:\Windows\system32 folder

I ran Process Monitor and noticed that the svchost.exe file is the one that is creating the tmp files (almost 3 files every minute). Because of these issues I have disabled the LAN. I see these problems only if the computer is connected to a network.

Here's the DDS.txt output:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Raghu at 9:34:31.70 on Sat 11/21/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.206 [GMT -6:00]

AV: Active Security *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\temp\win.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Raghu\Desktop\Win Virus Removal\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.mot.com;access.motorola.com
uInternet Settings,ProxyServer = wwwgate0.mot.com:1080
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: c:\windows\system32\drrq5c.dll: {b45a4b16-23f2-41ad-f4e4-00aac39c0004} - c:\windows\system32\drrq5c.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /M "Stylus CX3800" /EF "HKCU"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\temp\win.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [A00F150DAFC.exe] c:\windows\temp\_A00F150DAFC.exe
dRun: [jsh87r3huiehf89esiudgd] c:\windows\temp\fk6ejc.exe
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\login.exe
dRun: [wow64main.exe] c:\windows\temp\wow64main.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} -
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: __c005A807 - c:\windows\system32\__c005A807.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\drrq5c.dll: {b45a4b16-23f2-41ad-f4e4-00aac39c0004} - c:\windows\system32\drrq5c.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\raghu\applic~1\mozilla\firefox\profiles\bvwstg9n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - plugin: c:\documents and settings\raghu\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2009-7-4 181120]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2009-7-4 51072]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-29 102448]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-10-6 111072]
S3 daqdrv;daqdrv;c:\windows\system32\daqdrv.sys [2006-2-28 2304]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\motorola mvp\Extranet_serv.exe [2008-10-6 561152]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]

=============== Created Last 30 ================

2009-11-21 15:34:28 0 d-----w- c:\temp\B.tmp
2009-11-21 15:30:50 0 d-----w- c:\docume~1\raghu\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-11-21 15:28:24 0 d-----w- c:\temp\WPDNSE
2009-11-21 01:44:14 0 d-----w- c:\temp\Rar$EX00.875
2009-11-21 01:20:33 43 ----a-w- C:\xcrashdump.dat
2009-11-21 01:17:01 22020 ---h--w- c:\temp\win.exe
2009-11-21 01:17:00 22020 ---h--w- c:\temp\win16.exe
2009-11-21 01:17:00 22020 ---h--w- c:\temp\svchost.exe
2009-11-21 01:16:47 22016 ----a-w- c:\temp\1274611234.exe
2009-11-20 23:01:22 28672 ----a-w- c:\windows\system32\__c005A807.dat
2009-11-20 23:01:14 15000 ----a-w- c:\windows\system32\drrq5c.dll
2009-11-20 18:59:30 15872 ----a-w- c:\windows\system32\tdlcmd.dll
2009-11-05 04:07:12 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-05 04:04:36 0 d-----w- c:\temp\HouseCall
2009-11-05 03:55:23 0 d-----w- c:\temp\HCBackup
2009-11-04 16:48:09 0 d-----w- c:\docume~1\raghu\applic~1\Malwarebytes
2009-11-04 16:47:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-04 05:15:15 0 d-----w- c:\windows\system32\TVUAx
2009-11-02 01:36:18 0 d-----w- c:\temp\plugtmp-28
2009-10-31 19:18:36 0 d-----w- c:\temp\plugtmp-27
2009-10-31 10:28:47 0 d-----w- c:\documents and settings\raghu\LocalLow
2009-10-31 10:28:47 0 d-----w- c:\docume~1\alluse~1\applic~1\TVU Networks
2009-10-27 23:26:47 0 d-----w- c:\temp\plugtmp-26
2009-10-27 00:22:26 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-26 23:55:32 0 d-----w- c:\temp\WSDDSys
2009-10-26 23:55:18 722424 ----a-w- c:\temp\mozcrt19.dll
2009-10-26 23:55:17 428024 ----a-w- c:\temp\sqlite3.dll
2009-10-26 23:52:54 0 d-sh--w- c:\documents and settings\raghu\PrivacIE
2009-10-25 20:01:12 0 d-----w- c:\temp\plugtmp-25
2009-10-25 19:12:03 0 d-----w- c:\temp\plugtmp-24
2009-10-23 22:57:55 0 d-----w- c:\temp\plugtmp-23
2009-10-23 04:10:04 0 d-----w- c:\temp\plugtmp-22

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll

============= FINISH: 9:36:31.23 ===============

Can someone help me, please?

Thx in advance
AarKay
Attached Files
File Type: zip Attach.zip (3.3 KB, 2 views)
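As an added example (not part of the thread and not one of the forum's own tools), the following Python script applies the checks a helper makes by eye when reading the "Pseudo HJT Report" section of a DDS log like the one above: autostarts launched from a temp folder, random-looking Run value names, a Winlogon Notify package that is not a .dll, a BHO registered under its own path instead of a friendly name, and policies that lock the user out of Registry Editor, Folder Options or UAC. The sample lines are copied from this thread's log; the line regexes and the "random name" heuristic are my own assumptions about the DDS format.

```python
"""Triage of the "Pseudo HJT Report" section of a DDS log.

Added example, not from the thread. It re-implements, as plain checks,
what a helper looks for by eye: autostarts from temp folders, random
Run value names, a Winlogon Notify package that is not a .dll, a BHO
registered under its own path instead of a friendly name, and policies
that disable Registry tools, Folder Options or UAC.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Sample input, constructed from lines that appear in the thread's DDS log.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\temp\win.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
dRun: [jsh87r3huiehf89esiudgd] c:\windows\temp\fk6ejc.exe
dRun: [wow64main.exe] c:\windows\temp\wow64main.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: __c005A807 - c:\windows\system32\__c005A807.dat
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: c:\windows\system32\drrq5c.dll: {b45a4b16-23f2-41ad-f4e4-00aac39c0004} - c:\windows\system32\drrq5c.dll
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # DDS line family: Run, Policy, Notify or BHO
    line: str    # the log line that triggered the finding
    reason: str  # what is wrong with it


# Line shapes as DDS prints them (assumed from the log in this thread).
RUN_RE = re.compile(r"^[umd]Run: \[([^\]]+)\] (.*)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (\w+) = (\d+) \(0x[0-9a-fA-F]+\)$")
NOTIFY_RE = re.compile(r"^Notify: \S+ - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?): \{[0-9a-fA-F-]+\} - (.*)$")

# Policy values that lock the user out of inspecting or repairing the box.
BAD_POLICIES: Dict[tuple, str] = {
    ("DisableRegistryTools", "1"): "Registry Editor disabled by policy",
    ("NoFolderOptions", "1"): "Folder Options hidden, so hidden files stay hidden",
    ("EnableLUA", "0"): "UAC disabled",
}


def looks_random(name: str) -> bool:
    """Long run of letters and digits with no dot, space or word structure."""
    n = name.lower()
    return (len(n) >= 16 and re.fullmatch(r"[a-z0-9]+", n) is not None
            and any(c.isdigit() for c in n) and any(c.isalpha() for c in n))


def command_path(cmd: str) -> str:
    """Return the lower-cased image path of a Run value, minus quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)].lower()
    return cmd.split(" ", 1)[0].lower()


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return every line that matches a suspicious pattern."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            name, cmd = run.groups()
            if "\\temp\\" in command_path(cmd):
                findings.append(Finding("Run", line, "autostart launched from a temp folder"))
            if looks_random(name):
                findings.append(Finding("Run", line, "random-looking Run value name"))
            continue
        policy = POLICY_RE.match(line)
        if policy and policy.groups() in BAD_POLICIES:
            findings.append(Finding("Policy", line, BAD_POLICIES[policy.groups()]))
            continue
        notify = NOTIFY_RE.match(line)
        if notify and not notify.group(1).lower().endswith(".dll"):
            findings.append(Finding("Notify", line, "Winlogon Notify package is not a .dll"))
            continue
        bho = BHO_RE.match(line)
        if bho and bho.group(1).lower() == bho.group(2).lower():
            findings.append(Finding("BHO", line, "BHO registered under its path, no friendly name"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per DDS line family."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against a full DDS.txt the script only narrows the list a helper has to read; an entry from Program Files with a friendly name can still be malicious, so the flagged lines are a starting point, not a verdict.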

11-22-2009, 09:29 AM   #2   CatByte, Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 3,061
OS: XP sp3


Re: Desktop Virus issues

Hi,

Please do the following:

Download Combofix from either of the links below. You must rename it to combo.com before saving it.
Save it to your desktop. Change the save as file type to "all files"

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

Link 1
Link 2

-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------
  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

    -----------------------------------------------------------
  • Double click on the renamed ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------
ASAP & UNITE Member
11-22-2009, 10:40 PM   #3   AarKay, Registered User
Join Date: Dec 2007
Posts: 14
OS: Win XP Pro SP3


Re: Desktop Virus issues

Hello

Thanks for looking into this

Followed your instructions and copied the ComboFix.txt below.

a) When running combo.com, I was instructed to install the Recovery Console.
b) After installing the Recovery Console, I ran the renamed ComboFix.exe and a pop-up displayed "Combofix detected Rootkit activity and the computer needs to be rebooted".
c) After rebooting, ComboFix completed successfully; here's the output of ComboFix.txt:

ComboFix 09-11-22.04 - Raghu 11/22/2009 23:08.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.150 [GMT -6:00]
Running from: c:\documents and settings\Raghu\Desktop\combo.com.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Raghu\Application Data\inst.exe
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\temp\svchost.exe
c:\windows\run.log
c:\windows\system32\__c005A807.dat
c:\windows\system32\6to4v32.dll
c:\windows\system32\certstore.dat
c:\windows\system32\daqdrv.sys
c:\windows\system32\drrq5c.dll
c:\windows\system32\tdlcmd.dll
c:\windows\system32\uniq.tll
C:\xcrashdump.dat

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4
-------\Legacy_daqdrv
-------\Service_daqdrv


((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.

2009-11-23 05:21 . 2009-11-23 05:21 -------- d-----w- c:\temp\WPDNSE
2009-11-23 05:21 . 2009-11-23 05:21 53248 ----a-w- c:\temp\catchme.dll
2009-11-21 15:34 . 2009-11-23 05:17 -------- d-----w- c:\temp\B.tmp
2009-11-21 15:30 . 2009-11-21 15:30 -------- d-----w- c:\documents and settings\Raghu\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-11-21 15:30 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\Raghu\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-11-21 01:44 . 2009-11-23 05:17 -------- d-----w- c:\temp\Rar$EX00.875
2009-11-20 23:26 . 2009-11-20 23:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-20 23:26 . 2009-11-20 23:26 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-11-05 04:07 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-05 04:04 . 2009-11-23 05:17 -------- d-----w- c:\temp\HouseCall
2009-11-05 03:55 . 2009-11-23 05:17 -------- d-----w- c:\temp\HCBackup
2009-11-04 16:48 . 2009-11-04 16:48 -------- d-----w- c:\documents and settings\Raghu\Application Data\Malwarebytes
2009-11-04 16:47 . 2009-11-04 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-04 05:15 . 2009-11-04 05:15 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2009-11-04 05:15 . 2009-11-04 05:15 -------- d-----w- c:\documents and settings\Raghu\Local Settings\Application Data\TVU Networks
2009-11-04 05:15 . 2009-11-04 05:15 -------- d-----w- c:\windows\system32\TVUAx
2009-11-02 01:36 . 2009-11-03 02:26 -------- d-----w- c:\temp\plugtmp-28
2009-10-31 19:18 . 2009-11-01 23:30 -------- d-----w- c:\temp\plugtmp-27
2009-10-31 10:28 . 2009-10-31 10:28 -------- d-----w- c:\documents and settings\Raghu\LocalLow
2009-10-31 10:28 . 2009-10-31 10:28 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2009-10-27 23:26 . 2009-11-04 03:37 -------- d-----w- c:\temp\plugtmp-26
2009-10-27 00:23 . 2009-10-27 00:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-27 00:22 . 2009-10-27 00:22 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-26 23:55 . 2009-11-23 05:17 -------- d-----w- c:\temp\WSDDSys
2009-10-26 23:52 . 2009-10-26 23:52 -------- d-sh--w- c:\documents and settings\Raghu\PrivacIE
2009-10-25 20:01 . 2009-11-04 06:10 -------- d-----w- c:\temp\plugtmp-25
2009-10-25 19:12 . 2009-10-25 19:49 -------- d-----w- c:\temp\plugtmp-24

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 05:23 . 2008-10-05 13:42 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-04 16:14 . 2008-10-05 14:03 -------- d-----w- c:\program files\Google
2009-10-22 03:40 . 2008-10-06 18:27 -------- d-----w- c:\program files\Quicken
2009-10-16 03:55 . 2009-06-21 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-10 05:17 . 2009-10-10 05:17 -------- d-----w- c:\documents and settings\Guest\Application Data\Apple Computer
2009-09-29 23:11 . 2009-09-29 23:11 -------- d-----w- c:\documents and settings\Raghu\Application Data\Pavtube
2009-09-29 22:54 . 2009-09-29 22:54 -------- d-----w- c:\documents and settings\Raghu\Application Data\Moyea
2009-09-29 22:51 . 2009-09-29 22:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-29 22:50 . 2009-09-29 22:50 -------- d-----w- c:\program files\ffdshow
2009-09-28 22:27 . 2008-10-12 15:04 -------- d-----w- c:\documents and settings\Raghu\Application Data\dvdcss
2009-09-13 22:24 . 2009-09-13 22:24 1924440 ----a-w- c:\documents and settings\Raghu\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-08 185872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [7/4/2009 12:54 PM 181120]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [7/4/2009 12:54 PM 51072]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [8/29/2009 9:01 PM 102448]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [10/6/2008 12:04 PM 111072]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Motorola MVP\Extranet_serv.exe [10/6/2008 12:04 PM 561152]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 12:40 AM 115952]
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1123561945-839522115-1003Core.job
- c:\documents and settings\Raghu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-05 13:46]

2009-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1123561945-839522115-1003UA.job
- c:\documents and settings\Raghu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-05 13:46]

2009-11-23 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.mot.com;access.motorola.com
uInternet Settings,ProxyServer = wwwgate0.mot.com:1080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Raghu\Application Data\Mozilla\Firefox\Profiles\bvwstg9n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - plugin: c:\documents and settings\Raghu\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 23:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2724)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-11-22 23:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-23 05:28

Pre-Run: 67,110,502,400 bytes free
Post-Run: 67,345,240,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A8CE19002C3FA294A9FEFB0A305FAE59
11-23-2009, 07:44 AM   #4   CatByte, Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 3,061
OS: XP sp3


Re: Desktop Virus issues

Hi,

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:
Folder::
c:\temp\B.tmp

DirLook::
c:\documents and settings\Raghu\LocalLow
c:\temp\Rar$EX00.875

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • ComboFix Log
  • MBAM Log
  • Kaspersky report
ASAP & UNITE Member
11-23-2009, 03:47 PM   #5   AarKay, Registered User
Join Date: Dec 2007
Posts: 14
OS: Win XP Pro SP3


Re: Desktop Virus issues

Hi

I have posted below the logs for:
CFScript-ComboFix.exe
Malwarebytes Anti-Malware Scan report
Kaspersky Report

I have also attached a zip file of the three logs

While running the CFScript-ComboFix.exe, there was a pop-up window displaying the message "Newer version of Combofix exists, do you want to update" - For this I selected "No".

Here's the logs for all 3:

Combofix.exe (CFScript) Log
*********************

ComboFix 09-11-22.04 - Raghu 11/23/2009 13:22.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.138 [GMT -6:00]
Running from: c:\documents and settings\Raghu\Desktop\combo.com.exe
Command switches used :: c:\documents and settings\Raghu\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\B.tmp

.
((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.

2009-11-23 19:29 . 2009-11-23 19:29 53248 ----a-w- c:\temp\catchme.dll
2009-11-23 19:23 . 2009-11-23 19:23 -------- d-----w- c:\temp\WPDNSE
2009-11-23 19:18 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-23 19:18 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 19:18 . 2009-11-23 19:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-23 06:18 . 2009-11-23 19:28 -------- d-----w- c:\temp\Rar$EX00.390
2009-11-21 15:30 . 2009-11-21 15:30 -------- d-----w- c:\documents and settings\Raghu\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-11-21 15:30 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\Raghu\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-11-20 23:26 . 2009-11-20 23:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-20 23:26 . 2009-11-20 23:26 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-11-05 04:07 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-05 04:04 . 2009-11-23 05:17 -------- d-----w- c:\temp\HouseCall
2009-11-05 03:55 . 2009-11-23 05:17 -------- d-----w- c:\temp\HCBackup
2009-11-04 16:48 . 2009-11-04 16:48 -------- d-----w- c:\documents and settings\Raghu\Application Data\Malwarebytes
2009-11-04 16:47 . 2009-11-04 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-04 05:15 . 2009-11-04 05:15 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2009-11-04 05:15 . 2009-11-04 05:15 -------- d-----w- c:\documents and settings\Raghu\Local Settings\Application Data\TVU Networks
2009-11-04 05:15 . 2009-11-04 05:15 -------- d-----w- c:\windows\system32\TVUAx
2009-11-02 01:36 . 2009-11-03 02:26 -------- d-----w- c:\temp\plugtmp-28
2009-10-31 19:18 . 2009-11-01 23:30 -------- d-----w- c:\temp\plugtmp-27
2009-10-31 10:28 . 2009-10-31 10:28 -------- d-----w- c:\documents and settings\Raghu\LocalLow
2009-10-31 10:28 . 2009-10-31 10:28 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2009-10-27 23:26 . 2009-11-04 03:37 -------- d-----w- c:\temp\plugtmp-26
2009-10-27 00:23 . 2009-10-27 00:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-27 00:22 . 2009-10-27 00:22 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-26 23:55 . 2009-11-23 05:17 -------- d-----w- c:\temp\WSDDSys
2009-10-26 23:52 . 2009-10-26 23:52 -------- d-sh--w- c:\documents and settings\Raghu\PrivacIE
2009-10-25 20:01 . 2009-11-04 06:10 -------- d-----w- c:\temp\plugtmp-25
2009-10-25 19:12 . 2009-10-25 19:49 -------- d-----w- c:\temp\plugtmp-24

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 19:19 . 2008-10-05 13:42 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-04 16:14 . 2008-10-05 14:03 -------- d-----w- c:\program files\Google
2009-10-22 03:40 . 2008-10-06 18:27 -------- d-----w- c:\program files\Quicken
2009-10-16 03:55 . 2009-06-21 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-10 05:17 . 2009-10-10 05:17 -------- d-----w- c:\documents and settings\Guest\Application Data\Apple Computer
2009-09-29 23:11 . 2009-09-29 23:11 -------- d-----w- c:\documents and settings\Raghu\Application Data\Pavtube
2009-09-29 22:54 . 2009-09-29 22:54 -------- d-----w- c:\documents and settings\Raghu\Application Data\Moyea
2009-09-29 22:51 . 2009-09-29 22:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-29 22:50 . 2009-09-29 22:50 -------- d-----w- c:\program files\ffdshow
2009-09-28 22:27 . 2008-10-12 15:04 -------- d-----w- c:\documents and settings\Raghu\Application Data\dvdcss
2009-09-13 22:24 . 2009-09-13 22:24 1924440 ----a-w- c:\documents and settings\Raghu\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-02-28 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Raghu\LocalLow ----

2009-10-31 11:04 . 2009-10-31 13:21 13184 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\DownDatabase.Xml
2009-10-31 10:29 . 2009-10-31 10:29 746 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\mitene.png
2009-10-31 10:29 . 2009-10-31 10:29 645 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\hmtv.png
2009-10-31 10:29 . 2009-10-31 10:29 566 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\ARTSMAGIC.png
2009-10-31 10:29 . 2009-10-31 10:29 767 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\6888.png
2009-10-31 10:28 . 2009-10-31 10:29 511 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\Telemundo.png
2009-10-31 10:28 . 2009-10-31 10:28 597 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\3715.png
2009-10-31 10:28 . 2009-10-31 10:28 518 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\VOA_10172.png
2009-10-31 10:28 . 2009-10-31 10:28 775 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\manorama.png
2009-10-31 10:28 . 2009-10-31 10:28 637 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\3992.png
2009-10-31 10:28 . 2009-10-31 10:28 982 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\TV9.png
2009-10-31 10:28 . 2009-10-31 10:28 851 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\5455.png
2009-10-31 10:28 . 2009-10-31 10:28 898 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\5225.png
2009-10-31 10:28 . 2009-10-31 10:28 585 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\9000.png
2009-10-31 10:28 . 2009-10-31 10:28 748 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\dwtv.png
2009-10-31 10:28 . 2009-10-31 10:28 531 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\3615.png
2009-10-31 10:28 . 2009-10-31 10:28 554 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\MorningsideTV.png
2009-10-31 10:28 . 2009-10-31 10:28 284 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\omni.png
2009-10-31 10:28 . 2009-10-31 10:28 536 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\CNA.png
2009-10-31 10:28 . 2009-10-31 10:28 485 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\212.png
2009-10-31 10:28 . 2009-10-31 10:28 402 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\Nostalgia.png
2009-10-31 10:28 . 2009-10-31 10:28 574 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\640.png
2009-10-31 10:28 . 2009-10-31 10:28 547 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\620.png
2009-10-31 10:28 . 2009-10-31 10:28 1339 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\530.png
2009-10-31 10:28 . 2009-10-31 10:28 1434 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\570.png
2009-10-31 10:28 . 2009-10-31 10:28 611 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\5500.png
2009-10-31 10:28 . 2009-10-31 10:28 1348 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\270.png
2009-10-31 10:28 . 2009-10-31 10:28 566 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\4000.png
2009-10-31 10:28 . 2009-10-31 10:28 409 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\PDTV.png
2009-10-31 10:28 . 2009-10-31 10:28 666 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\4940.png
2009-10-31 10:28 . 2009-10-31 10:28 675 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\SaveTV.png
2009-10-31 10:28 . 2009-10-31 10:28 594 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\logo\nfv.png
2009-10-31 10:28 . 2009-10-31 13:20 228 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\PeerList.xml
2009-10-31 10:28 . 2009-10-31 13:20 694756 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\ChannelList.xml
2009-10-31 10:28 . 2009-10-31 13:18 23552 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\player.ms
2009-10-31 10:28 . 2009-10-31 13:16 17986560 ----a-w- c:\documents and settings\Raghu\LocalLow\TVU Networks\TVUPlayer\TVU

---- Directory of c:\temp\Rar$EX00.875 ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-08 185872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [7/4/2009 12:54 PM 181120]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [7/4/2009 12:54 PM 51072]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [8/29/2009 9:01 PM 102448]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [10/6/2008 12:04 PM 111072]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Motorola MVP\Extranet_serv.exe [10/6/2008 12:04 PM 561152]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 12:40 AM 115952]
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1123561945-839522115-1003Core.job
- c:\documents and settings\Raghu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-05 13:46]

2009-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1123561945-839522115-1003UA.job
- c:\documents and settings\Raghu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-05 13:46]

2009-11-23 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.mot.com;access.motorola.com
uInternet Settings,ProxyServer = wwwgate0.mot.com:1080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Raghu\Application Data\Mozilla\Firefox\Profiles\bvwstg9n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - plugin: c:\documents and settings\Raghu\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-23 13:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3496)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-23 13:33
ComboFix-quarantined-files.txt 2009-11-23 19:33
ComboFix2.txt 2009-11-23 05:28

Pre-Run: 67,320,524,800 bytes free
Post-Run: 67,293,224,960 bytes free

- - End Of File - - 607A6D41E29CF891EAB24746A04F9E1A

Malwarebytes - AntiMalware Log:
************************

Malwarebytes' Anti-Malware 1.41
Database version: 3219
Windows 5.1.2600 Service Pack 3

11/23/2009 1:45:23 PM
mbam-log-2009-11-23 (13-45-23).txt

Scan type: Quick Scan
Objects scanned: 230120
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Active Security (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Kaspersky Log:
***********

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, November 23, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 23, 2009 18:13:05
Records in database: 3281231
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
E:\
F:\
G:\
H:\
I:\
V:\

Scan statistics:
Objects scanned: 58467
Threats found: 19
Infected objects found: 54
Suspicious objects found: 0
Scan duration: 02:23:28


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00F00000\4AF7D963.VBN Infected: Exploit.JS.Pdfka.adc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00F00001\4AF7D992.VBN Infected: Exploit.JS.Pdfka.adc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03040000\4BEDE24F.VBN Infected: Packed.Win32.Krap.x 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03040001\4BEEC0C8.VBN Infected: Packed.Win32.Krap.x 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03040002\4BEF9359.VBN Infected: Packed.Win32.Krap.x 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03040003\4BF4874B.VBN Infected: Packed.Win32.Krap.x 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03100000\4BF8299A.VBN Infected: Exploit.JS.Pdfka.w 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03100001\4BF88BEE.VBN Infected: Exploit.JS.Pdfka.w 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03100002\4BF88BF6.VBN Infected: Exploit.JS.Pdfka.w 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03400000\4BF223CB.VBN Infected: Packed.Win32.Krap.x 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03400001\4BF22B8B.VBN Infected: Packed.Win32.Krap.x 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03900000\4B971FF8.VBN Infected: Trojan-Downloader.Win32.VB.rrl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03900001\4B97200E.VBN Infected: Trojan-Downloader.Win32.VB.rrl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03900002\4B97201B.VBN Infected: Trojan-Downloader.Win32.VB.rrl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03900003\4B972028.VBN Infected: Trojan-Downloader.Win32.VB.rrl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03900004\4B972035.VBN Infected: Packed.Win32.Krap.ah 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03940000.VBN Infected: Packed.Win32.TDSS.z 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03940001.VBN Infected: Packed.Win32.TDSS.z 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03940002\4B96069F.VBN Infected: Packed.Win32.Krap.ag 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03940003.VBN Infected: Packed.Win32.TDSS.z 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03980000\4BDC626D.VBN Infected: Exploit.JS.Pdfka.gv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03980001\4BD87386.VBN Infected: Exploit.JS.Pdfka.gv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04380000.VBN Infected: Exploit.JS.Pdfka.w 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04380001.VBN Infected: Exploit.JS.Pdfka.w 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05600000\4DF92C1F.VBN Infected: Exploit.JS.Pdfka.w 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05F80000\4FF9B7F7.VBN Infected: Packed.Win32.Krap.x 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06EC0000\4FFD9122.VBN Infected: Exploit.JS.Pdfka.adw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80000.VBN Infected: Exploit.JS.Pdfka.w 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80001.VBN Infected: Exploit.JS.Pdfka.w 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08740000.VBN Infected: Packed.Win32.TDSS.z 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09580000.VBN Infected: Rootkit.Win32.PMax.h 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09580001.VBN Infected: Packed.Win32.Krap.x 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09580002.VBN Infected: Packed.Win32.Krap.x 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09E00000\4BF26860.VBN Infected: Packed.Win32.Krap.x 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E640061.VBN Infected: Backdoor.Win32.Bredolab.azc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E640062.VBN Infected: Backdoor.Win32.Bredolab.azc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E680000.VBN Infected: Exploit.JS.Pdfka.w 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E680001.VBN Infected: Exploit.JS.Pdfka.w 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E840000\4EFE2841.VBN Infected: Exploit.JS.Pdfka.al 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F4C0000\4F4DBC9A.VBN Infected: Exploit.JS.Pdfka.w 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F4C0001\4F4DBCA2.VBN Infected: Exploit.JS.Pdfka.w 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40000\4FFE2C17.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ehp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40001\4FFE2C30.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ehp 1
C:\Documents and Settings\Raghu\Desktop\Motorola\vnc-4.0-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir Infected: Backdoor.Win32.Agent.ampk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\daqdrv.sys.vir Infected: Rootkit.Win32.Agent.zuf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.u 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drrq5c.dll.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdlcmd.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\612XGNO7\atdnabbc[1].htm Infected: Packed.Win32.Krap.x 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\612XGNO7\dktqrriwfx[1].htm Infected: Packed.Win32.TDSS.aa 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E94TCVE3\djgtguhvvf[1].htm Infected: Packed.Win32.Krap.ah 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E94TCVE3\jcmjwxthui[1].htm Infected: Packed.Win32.Krap.ah 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IR2F0D2B\lrylmmfcz[1].htm Infected: Trojan.Win32.Scar.aose 1

Selected area has been scanned.

Let me know if you need more information.

Thanks again!
Old 11-23-2009, 03:50 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 14
OS: Win XP Pro SP3


Re: Desktop Virus issues

Forgot to attach the zip file of the logs for the earlier post.
Attached file: Combo_MBAM_Kasper_Logs.zip (6.0 KB)
Old 11-23-2009, 04:00 PM   #7 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 3,061
OS: XP sp3


Re: Desktop Virus issues

Hi,

You can delete the quarantined files in your Symantec AntiVirus. The other items are in the ComboFix quarantine, which we will be cleaning up shortly, and there are files in your Temporary Internet Files that need deleting:

Please do the following:

To delete the Temporary Internet Files folder, follow these steps:

1. Quit Internet Explorer and quit any instances of Windows Explorer.
2. Click Start, click Control Panel, and then double-click Internet Options.
3. On the General tab, click Delete Files under Temporary Internet Files.
4. In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
5. Click OK.


NEXT


Please post a fresh DDS and Attach.txt and advise how your computer is running now and if there are any outstanding issues.


ASAP & UNITE Member
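The triage in the reply above sorts the Kaspersky hits by where the flagged file sits: copies already in the Symantec quarantine, copies in ComboFix's C:\Qoobox quarantine, and live copies in the system profile's Temporary Internet Files cache. The Python script below is an added example, not part of this thread and not code from Kaspersky, Symantec or ComboFix; it applies the same sorting to a report in the scanner's "path Infected: threat count" line format. The bucket rules (matching on the Symantec Corporate Edition path plus a .VBN extension, on C:\Qoobox\Quarantine\, and on \Temporary Internet Files\), the "family" heuristic that strips the last dotted variant suffix, the cleanup actions, and the sample report lines embedded in it are my assumptions and constructed data, not output from this machine.

```python
"""Sort Kaspersky Online Scanner findings by where the flagged file lives.

Report lines look like "<path> Infected: <threat name> <count>". Files that
are already inside another product's quarantine are inert and only need to
be purged; only copies on the live file system still need cleanup.
Bucket rules and sample data below are assumptions for this example.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample in the scanner's report layout; these are not the
# thread's real scan results, just representative lines for each bucket.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03940000.VBN Infected: Packed.Win32.TDSS.z 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00F00000\4AF7D963.VBN Infected: Exploit.JS.Pdfka.adc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.u 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdlcmd.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\sample[1].htm Infected: Packed.Win32.Krap.x 1
C:\Documents and Settings\Owner\Desktop\tools\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

Selected area has been scanned.
"""

FINDING_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$")

# What each bucket means for cleanup (assumed mapping for this example).
ACTIONS = {
    "symantec_quarantine": "inert; purge via the Symantec quarantine view",
    "combofix_quarantine": "inert; removed by ComboFix's own cleanup step",
    "temp_internet_files": "live cache copy; clear Temporary Internet Files",
    "live_filesystem": "live file; review by hand before deleting",
}


def classify_location(path: str) -> str:
    """Map a flagged path to one of the ACTIONS buckets (case-insensitive)."""
    p = path.lower()
    if "\\symantec antivirus corporate edition\\" in p and p.endswith(".vbn"):
        return "symantec_quarantine"
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix_quarantine"
    if "\\temporary internet files\\" in p:
        return "temp_internet_files"
    return "live_filesystem"


def threat_family(threat: str) -> str:
    """Strip the per-sample variant suffix: Packed.Win32.TDSS.z -> Packed.Win32.TDSS."""
    family, sep, _variant = threat.rpartition(".")
    return family if sep else threat


def parse_report(text: str) -> list[dict]:
    """Return one dict per 'Infected:' line; header, blank and footer lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        findings.append({
            "path": m["path"],
            "threat": m["threat"],
            "count": int(m["count"]),
            "location": classify_location(m["path"]),
            "family": threat_family(m["threat"]),
            # Kaspersky prefixes riskware such as remote-admin tools with "not-a-virus:"
            "riskware": m["threat"].startswith("not-a-virus:"),
        })
    return findings


def triage(findings: list[dict]) -> dict:
    """Count hits per bucket and per family, and list what still needs action."""
    live = [f for f in findings if f["location"] in ("temp_internet_files", "live_filesystem")]
    return {
        "by_location": Counter(f["location"] for f in findings),
        "by_family": Counter(f["family"] for f in findings),
        # Real malware still on the live file system or in a live cache.
        "needs_cleanup": [f["path"] for f in live if not f["riskware"]],
        # Flagged tools that may be legitimately installed; confirm with the user.
        "review_riskware": [f["path"] for f in live if f["riskware"]],
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for bucket, n in summary["by_location"].most_common():
        print(f"{n:3d}  {bucket:20s} {ACTIONS[bucket]}")
    print("families:", dict(summary["by_family"]))
    print("needs cleanup:", *summary["needs_cleanup"], sep="\n  ")
    print("review riskware:", *summary["review_riskware"], sep="\n  ")
```

Run as a script it prints the per-bucket counts with the assumed action for each, the threat families seen, and the short list of paths that still need work. The point is that a long "Threats found" list is mostly quarantine debris from earlier cleanups; only the live cache copies need deleting, and a "not-a-virus:" hit such as a VNC viewer on the desktop is something to confirm with the owner rather than remove blindly.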
Old 11-23-2009, 04:07 PM   #8 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 14
OS: Win XP Pro SP3


Re: Desktop Virus issues

For deleting the quarantined items in Symantec, do I just delete the "Quarantine" directory, or should I delete all entries in that directory?

I cleaned the Temporary Internet Files folder.

I will post the DDS and Attach.txt after cleaning out the Quarantine directory.

Thx
Old 11-23-2009, 04:12 PM   #9 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 3,061
OS: XP sp3


Re: Desktop Virus issues

These are the instructions from the Symantec site as to how to delete the files in quarantine:

How to delete a Quarantined file

1. Double-click on the SAV shield icon in your Notification Area (lower right-hand corner of screen).
2. From the View menu choose Quarantine.
3. Select the file you want to delete.
   * NOTE: If a file ending in .mbx is listed, do NOT delete it. This is your Eudora inbox. Contact Computer Support.
* To select all files, click on the first file. Scroll to the end of the Quarantined files list. Hold down the SHIFT key and click on the last file.
4. Click the Delete button in the toolbar (looks like a red x).
5. In the take action dialog box, click Start Delete.
6. When status has changed to succeeded click Close button.
7. If more documents appear in the list, repeat steps 3 - 6 until finished.
8. When done, click Close. Click Exit to exit SAV.


ASAP & UNITE Member
Old 11-23-2009, 04:31 PM   #10 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 14
OS: Win XP Pro SP3


Re: Desktop Virus issues

Cleaned the Symantec Quarantine directory

Here's the latest DDS.txt output:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Raghu at 17:18:51.79 on Mon 11/23/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.316 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Raghu\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.mot.com;access.motorola.com
uInternet Settings,ProxyServer = wwwgate0.mot.com:1080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /M "Stylus CX3800" /EF "HKCU"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} -
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\raghu\applic~1\mozilla\firefox\profiles\bvwstg9n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - plugin: c:\documents and settings\raghu\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2009-7-4 181120]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2009-7-4 51072]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-29 102448]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-10-6 111072]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\motorola mvp\Extranet_serv.exe [2008-10-6 561152]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]

=============== Created Last 30 ================

2009-11-23 23:18:51 0 d-----w- c:\temp\77.tmp
2009-11-23 23:04:54 0 d-sh--w- c:\documents and settings\raghu\IECompatCache
2009-11-23 19:55:38 0 d-----w- c:\temp\KAV Updater update files
2009-11-23 19:55:22 0 d-----w- c:\temp\jkos-Raghu
2009-11-23 19:53:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-23 19:33:06 0 d-----w- c:\temp\WPDNSE
2009-11-23 19:18:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-23 19:18:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 19:18:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-23 05:01:25 0 d-sha-r- C:\cmdcons
2009-11-23 04:56:54 98816 ----a-w- c:\windows\sed.exe
2009-11-23 04:56:54 77312 ----a-w- c:\windows\MBR.exe
2009-11-23 04:56:54 260608 ----a-w- c:\windows\PEV.exe
2009-11-23 04:56:54 161792 ----a-w- c:\windows\SWREG.exe
2009-11-21 15:30:50 0 d-----w- c:\docume~1\raghu\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-11-05 04:07:12 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-05 04:04:36 0 d-----w- c:\temp\HouseCall
2009-11-05 03:55:23 0 d-----w- c:\temp\HCBackup
2009-11-04 16:48:09 0 d-----w- c:\docume~1\raghu\applic~1\Malwarebytes
2009-11-04 16:47:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-04 05:15:15 0 d-----w- c:\windows\system32\TVUAx
2009-11-02 01:36:18 0 d-----w- c:\temp\plugtmp-28
2009-10-31 19:18:36 0 d-----w- c:\temp\plugtmp-27
2009-10-31 10:28:47 0 d-----w- c:\documents and settings\raghu\LocalLow
2009-10-31 10:28:47 0 d-----w- c:\docume~1\alluse~1\applic~1\TVU Networks
2009-10-27 23:26:47 0 d-----w- c:\temp\plugtmp-26
2009-10-27 00:22:26 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-26 23:55:32 0 d-----w- c:\temp\WSDDSys
2009-10-26 23:52:54 0 d-sh--w- c:\documents and settings\raghu\PrivacIE
2009-10-25 20:01:12 0 d-----w- c:\temp\plugtmp-25
2009-10-25 19:12:03 0 d-----w- c:\temp\plugtmp-24

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll

============= FINISH: 17:19:38.89 ===============


I have attached the Attach.zip file containing the "Attach.txt" file

I have some questions based on the latest Attach.txt file:

1) There is a section of Disabled Device Manager Items. Anything to be done here?
2) In the section under Event Viewer messages, there are a number of error messages. Should these be of concern?

Thx
Attached Files
File Type: zip Attach.zip (2.5 KB, 1 views)

Last edited by AarKay; 11-23-2009 at 04:33 PM.
Old 11-23-2009, 06:04 PM   #11 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 3,061
OS: XP sp3


Re: Desktop Virus issues

Hi,

Please do the following:


Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

NEXT

Go to Start > Control Panel > Add/Remove programs:

A list of installed programs will populate.

Please scroll down to the following program and REMOVE:

Java(TM) 6 Update 7



NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version 9.2)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT

The event log issues should be resolved now.

The rest of your log is clean, we just need to do some housekeeping now:

You can delete the DDS and GMER folders from your desktop.

NEXT


Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.





Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.
  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • SpywareBlaster protects against bad ActiveX; it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • For Firefox, I highly recommend this add-on to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.
__________________


ASAP & UNITE Member
Old 11-23-2009, 06:26 PM   #12 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 14
OS: Win XP Pro SP3


Re: Desktop Virus issues

I will follow the cleanup procedures and send you a reply.

I have a couple of questions. I would appreciate it if you could let me know if these are ok or if they are related to the viruses I had.

a) C:\Temp - I see a bunch of empty directories and some files. Is it safe to delete them?

b) C:\Windows\Temp - Are the files in this dir safe to delete, or is there a tool to automatically clean up all these temp dirs?

c) I see a file in C:\Windows\system32 folder - "wpa.dbl". Is this a valid file?

d) During the last month or so (after my PC was infected with viruses) it looks like the PC startup has been modified. I ran "msconfig" and disabled these entries. Is there a way to remove these entries? Some of these entries point to C:\temp\win16.exe, C:\temp\wow64main.exe etc.

e) C:\Windows\Prefetch - In this dir, there are a bunch of "*.pf" files whose timestamp is being updated. Is this a valid dir or is it also related to some virus?

Thanks for your help. I will send a reply after performing cleanup.

Thx
Old 11-23-2009, 06:35 PM   #13 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 3,061
OS: XP sp3


Re: Desktop Virus issues

Hi,

Run this program to clean up all your temp directories:

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

Quote:
"wpa.dbl" is this a valid file
Yes, that file is good. http://www.extremetech.com/article2/...1151566,00.asp has info on that file.

Return msconfig to normal startup and clean out the temp files with TFC.


C:\Windows\Prefetch
This is valid ---> info here http://en.wikipedia.org/wiki/Prefetcher
__________________


ASAP & UNITE Member
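The poster's msconfig question above concerned startup items that pointed at C:\temp\win16.exe and C:\temp\wow64main.exe, and the analyst's answer was to clean the temp folders and put msconfig back to normal. As an added example, not part of this thread and not code from the DDS tool, here is a Python triage of the uRun/mRun lines in a DDS "Pseudo HJT" report: it recovers the executable each entry launches and flags those that run from temporary or per-user folders, which is where the stale entries in this thread lived. The sample report mixes lines copied from the DDS log earlier in the thread with two constructed lines modelled on the entries the poster described; the folder heuristics are assumptions, not a rule that every such entry is malicious.

```python
from __future__ import annotations

import re
from typing import List, NamedTuple

# DDS "Pseudo HJT" startup line: uRun (HKCU Run key) or mRun (HKLM Run key).
RUN_LINE = re.compile(r"^(?P<hive>u|m)Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Unquoted command line: everything up to the first executable extension.
UNQUOTED_EXE = re.compile(
    r"^(?P<exe>.+?\.(?:exe|com|scr|bat|cmd|pif|dll))(?=\s|$)", re.IGNORECASE
)

# Folders from which legitimate auto-start programs rarely run.
# Assumption: a heuristic list for triage, to be reviewed by a person.
VOLATILE_DIRS = (
    "\\temp\\", "\\tmp\\", "\\local settings\\", "\\application data\\",
    "\\recycler\\", "\\system volume information\\",
)


class StartupEntry(NamedTuple):
    hive: str      # "HKCU" for uRun, "HKLM" for mRun
    name: str      # value name shown in square brackets
    exe: str       # program the entry launches
    verdict: str   # "ok" or "suspicious: <reason>"


def executable_of(cmd: str) -> str:
    """Extract the launched program from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = UNQUOTED_EXE.match(cmd)
    if m:
        return m.group("exe")
    return cmd.split()[0] if cmd else ""


def assess(exe: str) -> str:
    """Apply the location heuristics to one executable path."""
    low = exe.lower().replace("/", "\\")
    if not low:
        return "suspicious: empty command"
    if any(d in low for d in VOLATILE_DIRS):
        return "suspicious: runs from a temporary or per-user folder"
    if "\\" not in low:
        return "suspicious: bare file name, resolved via PATH at logon"
    return "ok"


def triage(report: str) -> List[StartupEntry]:
    """Parse every uRun/mRun line of a DDS report; other lines are skipped."""
    entries: List[StartupEntry] = []
    for raw in report.splitlines():
        m = RUN_LINE.match(raw.strip())
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        hive = "HKCU" if m.group("hive") == "u" else "HKLM"
        entries.append(StartupEntry(hive, m.group("name"), exe, assess(exe)))
    return entries


def suspicious_names(report: str) -> List[str]:
    return [e.name for e in triage(report) if e.verdict != "ok"]


# Constructed sample: the first five lines are copied from the DDS log in this
# thread; the two C:\temp lines are constructed from the stale msconfig items
# the poster described. The BHO line shows that non-Run lines are ignored.
SAMPLE_REPORT = r"""
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001"
uRun: [win16] c:\temp\win16.exe
uRun: [wow64main] c:\temp\wow64main.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_REPORT):
        print(f"{e.hive} [{e.name}] {e.exe} -> {e.verdict}")
```

The two flagged entries are exactly the ones the poster saw in msconfig; because msconfig only disables an item (it moves it under its own registry key rather than deleting it), a later log will still list the value name even after the file in C:\temp has been removed by the temp-file cleaner.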
Old 11-23-2009, 07:08 PM   #14 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 14
OS: Win XP Pro SP3


Re: Desktop Virus issues

Ran TFC and cleaned the system
Uninstalled Java 6 Update 7
Updated Adobe
Made a backup of the registry using ERUNT

Also, restored msconfig to Normal Startup
The msconfig shows that wow64main and win16 are still enabled in the Startup Item column, but the command which has the location of these exes is not valid anymore (i.e. the C:\temp dir does not contain these exes).


Is it ok to leave them there?

I ran TFC but the C:\Temp still has a lot of directories, most of which are empty dirs.

Other than that everything looks ok for now..

Thanks for your help.
Old 11-23-2009, 07:15 PM   #15 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 3,061
OS: XP sp3


Re: Desktop Virus issues

Hi,

You should be OK, but let me take another look,

please run this following program

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL. folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
__________________


ASAP & UNITE Member
Old 11-23-2009, 08:11 PM   #16 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 14
OS: Win XP Pro SP3


Re: Desktop Virus issues

This is the output of OTL.txt file

OTL logfile created on: 11/23/2009 9:00:03 PM - Run 1
OTL by OldTimer - Version 3.1.8.0 Folder = C:\Documents and Settings\Raghu\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.36 Mb Total Physical Memory | 150.16 Mb Available Physical Memory | 29.36% Memory free
1.22 Gb Paging File | 0.87 Gb Available in Paging File | 71.33% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.03 Gb Total Space | 62.88 Gb Free Space | 43.96% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RAGHUSONY
Current User Name: Raghu
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Raghu\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe (Yahoo! Inc.)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIACA.EXE (SEIKO EPSON CORPORATION)
PRC - C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Raghu\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\mslbui.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (gusvc) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)
SRV - (WMPNetworkSvc) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (SavRoam) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (DefWatch) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (SPBBCSvc) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE (Symantec Corporation)
SRV - (SNDSrvc) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (MDM) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (ExtranetAccess) -- C:\Program Files\Motorola MVP\Extranet_serv.exe (Nortel Networks NA, Inc.)


========== Driver Services (SafeList) ==========

DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091122.003\navex15.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091122.003\naveng.sys (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\eengine\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (pcouffin) -- C:\WINDOWS\system32\drivers\pcouffin.sys (VSO Software)
DRV - (Ext2fs) -- C:\WINDOWS\system32\drivers\ext2fs.sys (Stephan Schreiber)
DRV - (IfsMount) -- C:\WINDOWS\system32\drivers\ifsmount.sys (Stephan Schreiber)
DRV - (mcdbus) -- C:\WINDOWS\system32\drivers\mcdbus.sys (MagicISO, Inc.)
DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SymEvent) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (SYMREDRV) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (SAVRTPEL) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (SAVRT) -- C:\Program Files\Symantec AntiVirus\savrt.sys (Symantec Corporation)
DRV - (drvnddm) -- C:\WINDOWS\system32\drivers\drvnddm.sys (Sonic Solutions)
DRV - (tfsnudfa) -- C:\WINDOWS\system32\dla\tfsnudfa.sys (Sonic Solutions)
DRV - (tfsnudf) -- C:\WINDOWS\system32\dla\tfsnudf.sys (Sonic Solutions)
DRV - (tfsnifs) -- C:\WINDOWS\system32\dla\tfsnifs.sys (Sonic Solutions)
DRV - (tfsncofs) -- C:\WINDOWS\system32\dla\tfsncofs.sys (Sonic Solutions)
DRV - (tfsnboio) -- C:\WINDOWS\system32\dla\tfsnboio.sys (Sonic Solutions)
DRV - (tfsnopio) -- C:\WINDOWS\system32\dla\tfsnopio.sys (Sonic Solutions)
DRV - (tfsnpool) -- C:\WINDOWS\system32\dla\tfsnpool.sys (Sonic Solutions)
DRV - (tfsndrct) -- C:\WINDOWS\system32\dla\tfsndrct.sys (Sonic Solutions)
DRV - (tfsndres) -- C:\WINDOWS\system32\dla\tfsndres.sys (Sonic Solutions)
DRV - (drvmcdb) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (sscdbhk5) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys (Sonic Solutions)
DRV - (ssrtln) -- C:\WINDOWS\system32\drivers\ssrtln.sys (Sonic Solutions)
DRV - (smwdm) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (E100B) Intel(R) -- C:\WINDOWS\system32\drivers\e100b325.sys (Intel Corporation)
DRV - (aeaudio) -- C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Electronics Corporation)
DRV - (IPSECSHM) -- C:\WINDOWS\system32\drivers\ipsecw2k.sys (Nortel Networks)
DRV - (IPSECEXT) -- C:\WINDOWS\system32\drivers\ipsecw2k.sys (Nortel Networks)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.mot.com;access.motorola.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = wwwgate0.mot.com:1080

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {daf44bf7-a45e-4450-979c-91cf07434c3d}:1.5.3
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:5.0.20090122Wb2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.15
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.6.20090220
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5
FF - prefs.js..google.toolbar.linkdoctor.backup.keyword.URL: "chrome://browser-region/locale/region.properties"
FF - prefs.js..google.toolbar.linkdoctor.backup.keyword.enabled: true
FF - prefs.js..keyword.URL: "about:neterror?e=query&u="


FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/11/23 13:52:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/20 11:00:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/23 19:39:23 | 00,000,000 | ---D | M]

[2008/10/05 07:08:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Extensions
[2008/10/05 07:08:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/23 19:49:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Firefox\Profiles\bvwstg9n.default\extensions
[2009/02/12 23:20:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Firefox\Profiles\bvwstg9n.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/10/05 10:57:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Firefox\Profiles\bvwstg9n.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2009/06/21 22:44:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Firefox\Profiles\bvwstg9n.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/11/23 19:49:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Firefox\Profiles\bvwstg9n.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2008/10/05 10:57:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Firefox\Profiles\bvwstg9n.default\extensions\{daf44bf7-a45e-4450-979c-91cf07434c3d}
[2009/11/23 19:48:09 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/20 11:00:42 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/11/23 13:53:24 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
[2009/11/20 11:00:25 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/20 11:00:25 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2008/08/06 15:22:02 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
[2009/11/23 13:52:55 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2008/09/15 18:11:52 | 01,335,600 | ---- | M] (DivX,Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
[2009/05/18 16:41:32 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
[2009/11/20 11:00:28 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2003/07/14 21:56:52 | 00,013,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
[2009/02/27 13:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2008/10/08 17:14:50 | 00,144,960 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
[2008/10/05 09:21:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2008/10/05 09:21:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2008/10/05 09:21:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2008/10/05 09:21:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2008/10/05 09:21:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2008/10/05 09:21:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2008/10/05 09:21:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2008/10/08 17:14:57 | 00,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
[2008/10/08 17:14:47 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
[2009/07/30 01:24:20 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/07/30 01:24:20 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/07/30 01:24:20 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/07/30 01:24:20 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/07/30 01:24:20 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/07/30 01:24:20 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/07/30 01:24:20 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
O4 - HKLM..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [Active Security] C:\Program Files\Active Security\asecurity.exe File not found
O4 - HKCU..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\temp\win16.exe File not found
O4 - HKCU..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Raghu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [wow64main.exe] C:\temp\wow64main.exe File not found
O4 - Startup: C:\Documents and Settings\Raghu\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/04 21:53:20 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/23 20:58:19 | 00,529,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Raghu\Desktop\OTL.exe
[2009/11/23 19:53:04 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/11/23 19:42:04 | 00,000,000 | --SD | C] -- C:\combo.com
[2009/11/23 19:38:24 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/11/23 19:36:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2009/11/23 17:04:54 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Raghu\IECompatCache
[2009/11/23 13:53:16 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/11/23 13:53:16 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/11/23 13:53:16 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/11/23 13:53:16 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/11/23 13:33:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/11/23 13:18:34 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/23 13:18:33 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/23 13:18:32 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/22 23:01:25 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/11/22 22:56:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/11/21 09:30:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raghu\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/11/21 09:25:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raghu\Desktop\Win Virus Removal
[2009/11/04 22:07:12 | 00,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/11/04 22:04:24 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\housecall.guid.cache
[2009/11/04 10:48:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raghu\Application Data\Malwarebytes
[2009/11/04 10:47:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/04 10:17:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/11/03 23:15:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raghu\Local Settings\Application Data\TVU Networks
[2009/11/03 23:15:15 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\TVUAx
[2009/10/31 04:28:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TVU Networks
[2009/10/31 04:28:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raghu\LocalLow
[2009/10/26 17:52:54 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Raghu\PrivacIE
[2008/10/13 17:36:44 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Raghu\Application Data\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2009/11/23 20:58:20 | 00,529,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Raghu\Desktop\OTL.exe
[2009/11/23 20:12:02 | 00,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1123561945-839522115-1003UA.job
[2009/11/23 20:03:49 | 04,718,592 | ---- | M] () -- C:\Documents and Settings\Raghu\ntuser.dat
[2009/11/23 20:02:28 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/23 20:02:07 | 00,000,258 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/11/23 20:01:44 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/23 20:01:34 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/23 20:01:30 | 53,626,8800 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/23 20:00:28 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Raghu\ntuser.ini
[2009/11/23 19:59:24 | 00,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/23 19:59:24 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/23 19:59:24 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/11/23 19:53:44 | 00,000,767 | ---- | M] () -- C:\Documents and Settings\Raghu\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/11/23 19:39:24 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/11/23 19:12:00 | 00,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1123561945-839522115-1003Core.job
[2009/11/23 17:42:57 | 00,222,208 | ---- | M] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/23 13:52:53 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/11/23 13:52:53 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/11/23 13:52:53 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/11/23 13:52:53 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/11/23 13:52:53 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/11/22 23:20:46 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/21 09:26:27 | 05,892,638 | -H-- | M] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\IconCache.db
[2009/11/20 19:38:42 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/11/16 19:13:13 | 00,002,284 | ---- | M] () -- C:\Documents and Settings\Raghu\Desktop\Google Chrome.lnk
[2009/11/16 14:07:01 | 00,241,536 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/05 11:36:21 | 26,768,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/11/04 22:04:24 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\housecall.guid.cache
[2009/11/03 13:02:24 | 00,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/03 13:02:24 | 00,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/03 13:02:24 | 00,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/03 03:08:24 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

========== Files Created - No Company Name ==========

[2009/11/23 19:53:44 | 00,000,767 | ---- | C] () -- C:\Documents and Settings\Raghu\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/11/23 19:39:24 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/11/22 23:01:46 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/11/22 23:01:31 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/11/12 17:39:42 | 53,626,8800 | -HS- | C] () -- C:\hiberfil.sys
[2009/11/04 22:04:24 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\housecall.guid.cache
[2009/09/29 16:50:23 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/09/29 16:50:23 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/09/29 16:50:16 | 00,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/09/29 16:50:16 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/09/23 21:44:46 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2009/06/29 00:49:19 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/10/13 17:36:53 | 00,000,034 | ---- | C] () -- C:\Documents and Settings\Raghu\Application Data\pcouffin.log
[2008/10/13 17:36:44 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\Raghu\Application Data\pcouffin.cat
[2008/10/13 17:36:44 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\Raghu\Application Data\pcouffin.inf
[2008/10/09 17:43:51 | 05,892,638 | -H-- | C] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\IconCache.db
[2008/10/08 17:23:35 | 00,064,368 | ---- | C] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/10/06 12:40:43 | 00,222,208 | ---- | C] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/06 12:39:25 | 00,000,050 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2008/10/06 12:28:02 | 00,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2008/10/05 18:46:56 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/10/05 09:29:02 | 00,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/10/05 09:27:25 | 00,000,044 | ---- | C] () -- C:\WINDOWS\EPCX3800.ini
[2008/10/05 08:28:21 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/10/05 07:47:15 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/10/05 07:02:13 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\cbldrm.dll
[2008/10/05 07:01:44 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2008/10/04 21:58:16 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Raghu\Application Data\desktop.ini
[2008/10/04 21:53:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\control.ini
[2008/10/04 21:50:16 | 00,000,037 | ---- | C] () -- C:\WINDOWS\vbaddin.ini
[2008/10/04 21:50:16 | 00,000,036 | ---- | C] () -- C:\WINDOWS\vb.ini
[2008/10/04 21:49:41 | 00,013,223 | ---- | C] () -- C:\WINDOWS\System32\tslabels.ini
[2008/10/04 21:49:41 | 00,001,931 | ---- | C] () -- C:\WINDOWS\System32\msdtcprf.ini
[2008/10/04 16:35:22 | 00,356,120 | ---- | C] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/10/04 16:35:21 | 00,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/10/04 16:34:54 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2008/09/15 18:14:24 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/09/15 18:12:02 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2006/02/28 06:00:00 | 01,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz.dll
[2006/02/28 06:00:00 | 01,015,477 | ---- | C] () -- C:\WINDOWS\System32\esentprf.ini
[2006/02/28 06:00:00 | 00,733,696 | ---- | C] () -- C:\WINDOWS\System32\qedwipes.dll
[2006/02/28 06:00:00 | 00,562,176 | ---- | C] () -- C:\WINDOWS\System32\qedit.dll
[2006/02/28 06:00:00 | 00,498,742 | ---- | C] () -- C:\WINDOWS\System32\dxmasf.dll
[2006/02/28 06:00:00 | 00,386,048 | ---- | C] () -- C:\WINDOWS\System32\qdvd.dll
[2006/02/28 06:00:00 | 00,355,112 | ---- | C] () -- C:\WINDOWS\System32\msjetoledb40.dll
[2006/02/28 06:00:00 | 00,279,040 | ---- | C] () -- C:\WINDOWS\System32\qdv.dll
[2006/02/28 06:00:00 | 00,270,848 | ---- | C] () -- C:\WINDOWS\System32\sbe.dll
[2006/02/28 06:00:00 | 00,252,928 | ---- | C] () -- C:\WINDOWS\System32\compatui.dll
[2006/02/28 06:00:00 | 00,199,168 | ---- | C] () -- C:\WINDOWS\System32\ir32_32.dll
[2006/02/28 06:00:00 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\qcap.dll
[2006/02/28 06:00:00 | 00,186,880 | ---- | C] () -- C:\WINDOWS\System32\encdec.dll
[2006/02/28 06:00:00 | 00,094,282 | ---- | C] () -- C:\WINDOWS\System32\msencode.dll
[2006/02/28 06:00:00 | 00,070,656 | ---- | C] () -- C:\WINDOWS\System32\amstream.dll
[2006/02/28 06:00:00 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\devenum.dll
[2006/02/28 06:00:00 | 00,053,478 | ---- | C] () -- C:\WINDOWS\System32\tcpmon.ini
[2006/02/28 06:00:00 | 00,042,809 | ---- | C] () -- C:\WINDOWS\System32\key01.sys
[2006/02/28 06:00:00 | 00,042,537 | ---- | C] () -- C:\WINDOWS\System32\keyboard.sys
[2006/02/28 06:00:00 | 00,035,648 | ---- | C] () -- C:\WINDOWS\System32\ntio411.sys
[2006/02/28 06:00:00 | 00,035,424 | ---- | C] () -- C:\WINDOWS\System32\ntio412.sys
[2006/02/28 06:00:00 | 00,035,328 | ---- | C] () -- C:\WINDOWS\System32\mciqtz32.dll
[2006/02/28 06:00:00 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio804.sys
[2006/02/28 06:00:00 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio404.sys
[2006/02/28 06:00:00 | 00,033,840 | ---- | C] () -- C:\WINDOWS\System32\ntio.sys
[2006/02/28 06:00:00 | 00,029,370 | ---- | C] () -- C:\WINDOWS\System32\ntdos411.sys
[2006/02/28 06:00:00 | 00,029,274 | ---- | C] () -- C:\WINDOWS\System32\ntdos412.sys
[2006/02/28 06:00:00 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos804.sys
[2006/02/28 06:00:00 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos404.sys
[2006/02/28 06:00:00 | 00,027,866 | ---- | C] () -- C:\WINDOWS\System32\ntdos.sys
[2006/02/28 06:00:00 | 00,027,097 | ---- | C] () -- C:\WINDOWS\System32\country.sys
[2006/02/28 06:00:00 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\tsd32.dll
[2006/02/28 06:00:00 | 00,014,336 | ---- | C] () -- C:\WINDOWS\System32\msdmo.dll
[2006/02/28 06:00:00 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\win87em.dll
[2006/02/28 06:00:00 | 00,012,082 | ---- | C] () -- C:\WINDOWS\System32\rsvp.ini
[2006/02/28 06:00:00 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\scriptpw.dll
[2006/02/28 06:00:00 | 00,010,110 | ---- | C] () -- C:\WINDOWS\System32\mqperf.ini
[2006/02/28 06:00:00 | 00,009,029 | ---- | C] () -- C:\WINDOWS\System32\ansi.sys
[2006/02/28 06:00:00 | 00,006,877 | ---- | C] () -- C:\WINDOWS\System32\pschdprf.ini
[2006/02/28 06:00:00 | 00,004,768 | ---- | C] () -- C:\WINDOWS\System32\himem.sys
[2006/02/28 06:00:00 | 00,004,126 | ---- | C] () -- C:\WINDOWS\System32\msdxmlc.dll
[2006/02/28 06:00:00 | 00,003,458 | ---- | C] () -- C:\WINDOWS\System32\rasctrs.ini
[2006/02/28 06:00:00 | 00,002,891 | ---- | C] () -- C:\WINDOWS\System32\perfci.ini
[2006/02/28 06:00:00 | 00,002,732 | ---- | C] () -- C:\WINDOWS\System32\perfwci.ini
[2006/02/28 06:00:00 | 00,002,656 | ---- | C] () -- C:\WINDOWS\System32\netware.drv
[2006/02/28 06:00:00 | 00,001,405 | ---- | C] () -- C:\WINDOWS\msdfmap.ini
[2006/02/28 06:00:00 | 00,001,152 | ---- | C] () -- C:\WINDOWS\System32\perffilt.ini
[2006/02/28 06:00:00 | 00,000,603 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/02/28 06:00:00 | 00,000,343 | ---- | C] () -- C:\WINDOWS\System32\prodspec.ini
[2006/02/28 06:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/09/22 13:17:35 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/17 16:36:28 | 00,157,696 | ---- | C] () -- C:\WINDOWS\System32\paqsp.dll

========== LOP Check ==========

[2009/11/23 20:02:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2008/10/05 09:20:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2008/10/05 09:22:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2008/10/04 16:34:54 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2009/08/18 21:50:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink
[2009/11/04 10:17:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2008/10/11 14:46:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intuit
[2009/11/04 10:47:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/09/29 22:23:46 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2008/10/05 07:42:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2009/09/29 16:51:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/31 04:28:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TVU Networks
[2008/11/01 18:56:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2008/10/08 17:35:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/06/20 20:55:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2009/10/15 21:55:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2008/10/05 09:22:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2009/11/21 09:30:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Adobe
[2008/10/08 17:23:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Apple Computer
[2009/11/21 09:30:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2008/10/04 16:34:54 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Raghu\Application Data\desktop.ini
[2008/10/08 17:56:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\DivX
[2009/04/10 07:31:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\DVD Flick
[2009/09/28 16:27:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\dvdcss
[2009/02/13 00:05:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\EPSON
[2008/10/05 11:08:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Google
[2008/10/04 21:58:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Identities
[2008/10/11 14:48:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Intuit
[2008/10/05 09:30:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Leadertech
[2008/10/05 10:50:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Macromedia
[2009/11/04 10:48:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Malwarebytes
[2008/12/01 14:31:07 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Raghu\Application Data\Microsoft
[2009/09/29 16:54:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Moyea
[2008/10/05 07:08:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla
[2009/09/29 17:11:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Pavtube
[2008/10/13 17:36:44 | 00,007,887 | ---- | M] () -- C:\Documents and Settings\Raghu\Application Data\pcouffin.cat
[2008/10/13 17:36:44 | 00,001,144 | ---- | M] () -- C:\Documents and Settings\Raghu\Application Data\pcouffin.inf
[2008/10/13 17:36:53 | 00,000,034 | ---- | M] () -- C:\Documents and Settings\Raghu\Application Data\pcouffin.log
[2008/10/13 17:36:44 | 00,047,360 | ---- | M] (VSO Software) -- C:\Documents and Settings\Raghu\Application Data\pcouffin.sys
[2009/09/05 00:46:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Real
[2008/10/06 12:52:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Sonic
[2008/10/05 10:55:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Sun
[2008/10/12 09:08:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\vlc
[2008/11/06 22:51:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Vso
[2008/10/08 22:58:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\WinRAR
[2009/06/20 20:52:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Yahoo!
[2006/02/28 06:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/23 19:12:00 | 00,000,926 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1123561945-839522115-1003Core.job
[2009/11/23 20:12:02 | 00,000,978 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1123561945-839522115-1003UA.job
[2009/11/23 20:01:44 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/11/23 20:02:07 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0AA053B7
< End of report >
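Triage script for the O4 (autorun) entries in the OTL log above. This is an added example, not part of the original post and not OTL's own code: it takes the O4 lines copied from the log as constructed sample input and flags the three patterns a helper would act on in this log, a Run value whose target OTL reports as "File not found" (typically left behind after the file was deleted, but the value keeps firing until it is removed), a target under a temp-style directory such as C:\temp, and a value name that looks machine-generated (asg984jgkfmgasi8ug98jgkfgfb). The directory list and the vowel-ratio threshold are assumptions of this example, not OTL rules, and the empty "()" company field on the ERUNT startup shortcut is reported as informational only, because OTL simply found no version info there and ERUNT is expected on this machine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the O4 lines copied verbatim from the OTL log in the post above.
SAMPLE_O4 = r"""
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKCU..\Run: [Active Security] C:\Program Files\Active Security\asecurity.exe File not found
O4 - HKCU..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\temp\win16.exe File not found
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Raghu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [wow64main.exe] C:\temp\wow64main.exe File not found
O4 - Startup: C:\Documents and Settings\Raghu\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<lnk>.+?\.lnk) = (?P<rest>.+)$")
TAIL_RE = re.compile(r"^(?P<path>.+?) \((?P<company>[^()]*)\)$")
# Assumption: directories a legitimate autorun on this XP box should never point into.
SUSPECT_DIR_RE = re.compile(r"\\(temp|tmp|recycler|system volume information)\\", re.IGNORECASE)
MISSING = " File not found"


@dataclass
class Autorun:
    source: str                 # "HKLM\Run", "HKCU\Run" or "Startup"
    name: str                   # registry value name, or the .lnk file name for Startup entries
    path: str                   # image path as OTL printed it
    company: Optional[str]      # version-info company; "" when OTL printed "()"
    missing: bool               # OTL reported "File not found"
    flags: List[Tuple[str, str]] = field(default_factory=list)   # (severity, reason)


def _split_tail(rest: str):
    """Separate the image path from OTL's trailing '(Company)' or 'File not found'."""
    if rest.endswith(MISSING):
        return rest[: -len(MISSING)], None, True
    m = TAIL_RE.match(rest)
    if m:
        return m.group("path"), m.group("company"), False
    return rest, None, False


def parse_o4(text: str) -> List[Autorun]:
    """Parse OTL O4 Run and Startup lines; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            path, company, missing = _split_tail(m.group("rest"))
            entries.append(Autorun(m.group("hive") + r"\Run", m.group("name"), path, company, missing))
            continue
        m = STARTUP_RE.match(line)
        if m:
            path, company, missing = _split_tail(m.group("rest"))
            lnk_name = m.group("lnk").rsplit("\\", 1)[-1]
            entries.append(Autorun("Startup", lnk_name, path, company, missing))
    return entries


def _looks_random(name: str) -> bool:
    """Assumed heuristic: long, space-free names with very few vowels are usually generated."""
    if " " in name or "." in name or len(name) < 12:
        return False
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return vowels / len(letters) < 0.25


def triage(text: str) -> List[Autorun]:
    """Attach (severity, reason) flags to every parsed autorun."""
    entries = parse_o4(text)
    for e in entries:
        if e.missing:
            e.flags.append(("high", "target missing: orphaned value that still fires at logon"))
        if SUSPECT_DIR_RE.search(e.path + "\\"):
            e.flags.append(("high", "runs from a temp-style directory"))
        if _looks_random(e.name):
            e.flags.append(("high", "value name looks machine-generated"))
        if not e.missing and not e.company:
            e.flags.append(("info", "no company/version info in the binary"))
    return entries


def suspicious(text: str) -> List[str]:
    """Names of autoruns with at least one high-severity flag, in log order."""
    return [e.name for e in triage(text) if any(sev == "high" for sev, _ in e.flags)]


if __name__ == "__main__":
    for e in triage(SAMPLE_O4):
        for sev, why in e.flags:
            print(f"[{sev}] {e.source} [{e.name}] -> {e.path}: {why}")
```

Run against the sample, the three HKCU values (Active Security, the random-named win16.exe loader and wow64main.exe) come out as high, which matches what the rest of the log is saying: the C:\temp targets are gone but the Run values and the rogue "Active Security" entry are still registered under the user's hive.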
Old 11-23-2009, 08:12 PM   #17 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 14
OS: Win XP Pro SP3


Re: Desktop Virus issues

This is the output of the Extras.txt file:

OTL Extras logfile created on: 11/23/2009 9:00:03 PM - Run 1
OTL by OldTimer - Version 3.1.8.0 Folder = C:\Documents and Settings\Raghu\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.36 Mb Total Physical Memory | 150.16 Mb Available Physical Memory | 29.36% Memory free
1.22 Gb Paging File | 0.87 Gb Available in Paging File | 71.33% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.03 Gb Total Space | 62.88 Gb Free Space | 43.96% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RAGHUSONY
Current User Name: Raghu
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{03CDDD00-BD57-4326-9480-4C74449AF597}" = PhotoStitch
"{093625E3-7B87-49D3-AA53-AD0FCFABAF49}" = Camera Window
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B0F52AC-EF5C-4831-B221-06C782E41280}" = Quicken 2008
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{78D891EF-9E2D-4FC8-A71F-E6F897BA1B21}" = Symantec AntiVirus
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow! Plus
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}" = RemoteCapture 2.7.0
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon Utilities ZoomBrowser EX
"{C7C895CA-331B-4D7D-A0FB-D3BC637949F9}" = Apple Mobile Device Support
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{EA418519-2160-43A0-AABD-6608DDD8D87F}" = iTunes
"{EF0DD8B7-471C-463B-A298-6066C2FABAF5}" = File Viewer Utility 1.2
"{EF964A78-078C-11D1-B7A7-0000C0134CE6}" = Motorola MVP Client 4.66
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DVD Flick_is1" = DVD Flick
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5_is1" = DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.1.1.0
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"ERUNT_is1" = ERUNT 1.1j
"Ext2Ifs_for_NT501" = Ext2 IFS 1.11a for Windows XP
"ffdshow_is1" = ffdshow [rev 1723] [2007-12-24]
"FreeMeter" = FreeMeter
"ie8" = Windows Internet Explorer 8
"InstallShield_{03CDDD00-BD57-4326-9480-4C74449AF597}" = Canon Utilities PhotoStitch 3.1
"InstallShield_{093625E3-7B87-49D3-AA53-AD0FCFABAF49}" = Canon Camera Window for ZoomBrowser EX
"InstallShield_{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}" = Canon Utilities RemoteCapture 2.7
"InstallShield_{EF0DD8B7-471C-463B-A298-6066C2FABAF5}" = Canon Utilities File Viewer Utility 1.2
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"MagicDisc 2.7.105" = MagicDisc 2.7.105
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PhotoRecord" = Canon PhotoRecord
"Picasa 3" = Picasa 3
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"RealPlayer 6.0" = RealPlayer
"Silent Package Run-Time Sample" = EPSON CX 3800 Guide
"Tweak UI 2.10" = Tweak UI
"VLC media player" = VLC media player 0.9.2
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Cisco Unified Presenter Add-in" = Cisco Unified Presenter Add-in
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/23/2009 9:59:56 PM | Computer Name = RAGHUSONY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\Rtvscan.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\Raghu\Desktop\Win Virus Removal\TFC.exe (PID 1592) Time:
Monday, November 23, 2009 7:59:56 PM

Error - 11/23/2009 9:59:56 PM | Computer Name = RAGHUSONY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\Rtvscan.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\Raghu\Desktop\Win Virus Removal\TFC.exe (PID 1592) Time:
Monday, November 23, 2009 7:59:56 PM

Error - 11/23/2009 9:59:56 PM | Computer Name = RAGHUSONY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\Rtvscan.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\Raghu\Desktop\Win Virus Removal\TFC.exe (PID 1592) Time:
Monday, November 23, 2009 7:59:56 PM

Error - 11/23/2009 9:59:56 PM | Computer Name = RAGHUSONY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\Rtvscan.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\Raghu\Desktop\Win Virus Removal\TFC.exe (PID 1592) Time:
Monday, November 23, 2009 7:59:56 PM

Error - 11/23/2009 9:59:56 PM | Computer Name = RAGHUSONY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\Rtvscan.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\Raghu\Desktop\Win Virus Removal\TFC.exe (PID 1592) Time:
Monday, November 23, 2009 7:59:56 PM

Error - 11/23/2009 9:59:56 PM | Computer Name = RAGHUSONY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\Rtvscan.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\Raghu\Desktop\Win Virus Removal\TFC.exe (PID 1592) Time:
Monday, November 23, 2009 7:59:56 PM

Error - 11/23/2009 9:59:56 PM | Computer Name = RAGHUSONY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\Rtvscan.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\Raghu\Desktop\Win Virus Removal\TFC.exe (PID 1592) Time:
Monday, November 23, 2009 7:59:56 PM

Error - 11/23/2009 9:59:56 PM | Computer Name = RAGHUSONY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\Rtvscan.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\Raghu\Desktop\Win Virus Removal\TFC.exe (PID 1592) Time:
Monday, November 23, 2009 7:59:56 PM

Error - 11/23/2009 9:59:56 PM | Computer Name = RAGHUSONY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\Rtvscan.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\Raghu\Desktop\Win Virus Removal\TFC.exe (PID 1592) Time:
Monday, November 23, 2009 7:59:56 PM

Error - 11/23/2009 9:59:56 PM | Computer Name = RAGHUSONY | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\Rtvscan.exe Event Info: Terminate Thread Action Taken: Blocked Actor Process:
C:\Documents and Settings\Raghu\Desktop\Win Virus Removal\TFC.exe (PID 1592) Time:
Monday, November 23, 2009 7:59:56 PM

[ System Events ]
Error - 11/23/2009 9:29:42 PM | Computer Name = RAGHUSONY | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 11/23/2009 9:29:42 PM | Computer Name = RAGHUSONY | Source = Service Control Manager | ID = 7034
Description = The Machine Debug Manager service terminated unexpectedly. It has
done this 1 time(s).

Error - 11/23/2009 9:29:44 PM | Computer Name = RAGHUSONY | Source = Service Control Manager | ID = 7034
Description = The Yahoo! Updater service terminated unexpectedly. It has done this
1 time(s).

Error - 11/23/2009 9:29:45 PM | Computer Name = RAGHUSONY | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 11/23/2009 9:59:55 PM | Computer Name = RAGHUSONY | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 11/23/2009 9:59:55 PM | Computer Name = RAGHUSONY | Source = Service Control Manager | ID = 7034
Description = The Bonjour Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 11/23/2009 9:59:56 PM | Computer Name = RAGHUSONY | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 11/23/2009 9:59:56 PM | Computer Name = RAGHUSONY | Source = Service Control Manager | ID = 7034
Description = The Machine Debug Manager service terminated unexpectedly. It has
done this 1 time(s).

Error - 11/23/2009 9:59:58 PM | Computer Name = RAGHUSONY | Source = Service Control Manager | ID = 7034
Description = The Yahoo! Updater service terminated unexpectedly. It has done this
1 time(s).

Error - 11/23/2009 9:59:58 PM | Computer Name = RAGHUSONY | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).


< End of report >
Old 11-23-2009, 08:46 PM   #18 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 3,061
OS: XP sp3


Re: Desktop Virus issues

Hi,

This should tidy things up for you.

Please do the following:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) 
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O4 - HKCU..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\temp\win16.exe File not found
    O4 - HKCU..\Run: [Active Security] C:\Program Files\Active Security\asecurity.exe File not found
    O4 - HKCU..\Run: [wow64main.exe] C:\temp\wow64main.exe File not found
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log
__________________


ASAP & UNITE Member
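As an added example (not the forum's, CatByte's or OldTimer's code), a small triage script that applies the same logic the fix above encodes to OTL log lines: it flags O4 Run entries whose target is "File not found" (noting when the path sits under a temp directory), O3 toolbar entries with no CLSID value, and Security Center override values worth a second look, then assembles the :OTL fix block in the layout used above. The sample lines are constructed from this thread; the benign VPTray entry is made up so the parser has something to pass.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the OTL lines quoted in this thread.
# The first O4 line is a made-up benign entry (not from the thread).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\temp\win16.exe File not found
O4 - HKCU..\Run: [Active Security] C:\Program Files\Active Security\asecurity.exe File not found
O4 - HKCU..\Run: [wow64main.exe] C:\temp\wow64main.exe File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
"""

# O4 autorun line: hive, value name in brackets, target, optional trailing marker.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] '
    r'(?P<target>.+?)(?P<missing> File not found)?$'
)
# O3 toolbar line whose CLSID has no registered class.
O3_RE = re.compile(r'^O3 - .*\{(?P<clsid>[0-9A-Fa-f-]{36})\}.*No CLSID value found')
# Registry section header and "name" = value lines in the Extras log.
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
VAL_RE = re.compile(r'^"(?P<name>[^"]+)" = (?P<value>.+)$')

# Path fragments that make an orphaned autorun more suspicious.
TEMP_MARKERS = ('\\temp\\', '\\tmp\\', '\\local settings\\temp')
# Security Center values that hide AV/firewall state from the user.
OVERRIDE_VALUES = ('AntiVirusOverride', 'FirewallOverride', 'DisableMonitoring')


@dataclass
class Finding:
    kind: str    # 'orphan_run', 'orphan_toolbar' or 'sc_override'
    detail: str  # human-readable summary
    line: str    # the raw OTL line, reusable verbatim in an :OTL fix


def triage(log_text: str) -> List[Finding]:
    """Walk OTL log lines and collect entries an analyst would want to act on or review."""
    findings: List[Finding] = []
    current_key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            if m.group('missing'):
                target = m.group('target')
                where = ('temp directory'
                         if any(t in target.lower() for t in TEMP_MARKERS)
                         else 'missing file')
                findings.append(Finding('orphan_run',
                                        f"{m.group('name')} -> {target} ({where})", line))
            continue
        m = O3_RE.match(line)
        if m:
            findings.append(Finding('orphan_toolbar', m.group('clsid'), line))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')  # remember which key the next values belong to
            continue
        m = VAL_RE.match(line)
        if m and 'Security Center' in current_key:
            name, value = m.group('name'), m.group('value').strip()
            if name in OVERRIDE_VALUES and value == '1':
                leaf = current_key.rsplit('\\', 1)[-1]
                findings.append(Finding('sc_override', f'{leaf}: {name}=1', line))
    return findings


def build_otl_fix(findings: List[Finding]) -> str:
    """Assemble an OTL custom-fix script in the layout the analyst used above:
    flagged O3/O4 lines under :OTL, then the standard :Commands block.
    Security Center findings are deliberately left out: managed AV suites set
    those values legitimately, so they are reported for review, not fixed blindly."""
    otl_lines = [f.line for f in findings if f.kind in ('orphan_run', 'orphan_toolbar')]
    return '\n'.join([':OTL', *otl_lines, '', ':Commands',
                      '[purity]', '[emptytemp]', '[start explorer]', '[Reboot]'])


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f'{f.kind:15} {f.detail}')
    print()
    print(build_otl_fix(found))
```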
Old 11-23-2009, 09:32 PM   #19 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 14
OS: Win XP Pro SP3


Re: Desktop Virus issues

Hi

I ran the OTL.exe with the Run Fix option and the computer rebooted after the operation completed. I have copied the OTL log below. After rebooting, I re-ran the OTL scan and I also copied the output of OTL.txt below.


1) OTL log for "Run Fix" option:

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\asg984jgkfmgasi8ug98jgkfgfb deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Active Security deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\wow64main.exe deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Raghu
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 23364674 bytes
->Google Chrome cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 22.38 mb


OTL by OldTimer - Version 3.1.8.0 log created on 11232009_220450

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


2) OTL Log after the computer rebooted:

OTL logfile created on: 11/23/2009 10:15:45 PM - Run 2
OTL by OldTimer - Version 3.1.8.0 Folder = C:\Documents and Settings\Raghu\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.36 Mb Total Physical Memory | 81.89 Mb Available Physical Memory | 16.01% Memory free
1.22 Gb Paging File | 0.87 Gb Available in Paging File | 71.34% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.03 Gb Total Space | 62.88 Gb Free Space | 43.96% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RAGHUSONY
Current User Name: Raghu
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Raghu\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe (Yahoo! Inc.)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIACA.EXE (SEIKO EPSON CORPORATION)
PRC - C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Raghu\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\mslbui.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (gusvc) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)
SRV - (WMPNetworkSvc) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (SavRoam) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (DefWatch) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (SPBBCSvc) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE (Symantec Corporation)
SRV - (SNDSrvc) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (MDM) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (ExtranetAccess) -- C:\Program Files\Motorola MVP\Extranet_serv.exe (Nortel Networks NA, Inc.)


========== Driver Services (SafeList) ==========

DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091123.005\navex15.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091123.005\naveng.sys (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\eengine\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (pcouffin) -- C:\WINDOWS\system32\drivers\pcouffin.sys (VSO Software)
DRV - (Ext2fs) -- C:\WINDOWS\system32\drivers\ext2fs.sys (Stephan Schreiber)
DRV - (IfsMount) -- C:\WINDOWS\system32\drivers\ifsmount.sys (Stephan Schreiber)
DRV - (mcdbus) -- C:\WINDOWS\system32\drivers\mcdbus.sys (MagicISO, Inc.)
DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SymEvent) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (SYMREDRV) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (SAVRTPEL) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (SAVRT) -- C:\Program Files\Symantec AntiVirus\savrt.sys (Symantec Corporation)
DRV - (drvnddm) -- C:\WINDOWS\system32\drivers\drvnddm.sys (Sonic Solutions)
DRV - (tfsnudfa) -- C:\WINDOWS\system32\dla\tfsnudfa.sys (Sonic Solutions)
DRV - (tfsnudf) -- C:\WINDOWS\system32\dla\tfsnudf.sys (Sonic Solutions)
DRV - (tfsnifs) -- C:\WINDOWS\system32\dla\tfsnifs.sys (Sonic Solutions)
DRV - (tfsncofs) -- C:\WINDOWS\system32\dla\tfsncofs.sys (Sonic Solutions)
DRV - (tfsnboio) -- C:\WINDOWS\system32\dla\tfsnboio.sys (Sonic Solutions)
DRV - (tfsnopio) -- C:\WINDOWS\system32\dla\tfsnopio.sys (Sonic Solutions)
DRV - (tfsnpool) -- C:\WINDOWS\system32\dla\tfsnpool.sys (Sonic Solutions)
DRV - (tfsndrct) -- C:\WINDOWS\system32\dla\tfsndrct.sys (Sonic Solutions)
DRV - (tfsndres) -- C:\WINDOWS\system32\dla\tfsndres.sys (Sonic Solutions)
DRV - (drvmcdb) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (sscdbhk5) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys (Sonic Solutions)
DRV - (ssrtln) -- C:\WINDOWS\system32\drivers\ssrtln.sys (Sonic Solutions)
DRV - (smwdm) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (E100B) Intel(R) -- C:\WINDOWS\system32\drivers\e100b325.sys (Intel Corporation)
DRV - (aeaudio) -- C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Electronics Corporation)
DRV - (IPSECSHM) -- C:\WINDOWS\system32\drivers\ipsecw2k.sys (Nortel Networks)
DRV - (IPSECEXT) -- C:\WINDOWS\system32\drivers\ipsecw2k.sys (Nortel Networks)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.mot.com;access.motorola.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = wwwgate0.mot.com:1080

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {daf44bf7-a45e-4450-979c-91cf07434c3d}:1.5.3
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:5.0.20090122Wb2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.15
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.6.20090220
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5
FF - prefs.js..google.toolbar.linkdoctor.backup.keyword.URL: "chrome://browser-region/locale/region.properties"
FF - prefs.js..google.toolbar.linkdoctor.backup.keyword.enabled: true
FF - prefs.js..keyword.URL: "about:neterror?e=query&u="


FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/11/23 13:52:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/20 11:00:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/23 19:39:23 | 00,000,000 | ---D | M]

[2008/10/05 07:08:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Extensions
[2008/10/05 07:08:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/23 19:49:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Firefox\Profiles\bvwstg9n.default\extensions
[2009/02/12 23:20:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Firefox\Profiles\bvwstg9n.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/10/05 10:57:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Firefox\Profiles\bvwstg9n.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2009/06/21 22:44:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Firefox\Profiles\bvwstg9n.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/11/23 19:49:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Firefox\Profiles\bvwstg9n.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2008/10/05 10:57:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla\Firefox\Profiles\bvwstg9n.default\extensions\{daf44bf7-a45e-4450-979c-91cf07434c3d}
[2009/11/23 19:48:09 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/20 11:00:42 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/11/23 13:53:24 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
[2009/11/20 11:00:25 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/20 11:00:25 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2008/08/06 15:22:02 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
[2009/11/23 13:52:55 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2008/09/15 18:11:52 | 01,335,600 | ---- | M] (DivX,Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
[2009/05/18 16:41:32 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
[2009/11/20 11:00:28 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2003/07/14 21:56:52 | 00,013,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
[2009/02/27 13:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2008/10/08 17:14:50 | 00,144,960 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
[2008/10/05 09:21:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2008/10/05 09:21:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2008/10/05 09:21:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2008/10/05 09:21:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2008/10/05 09:21:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2008/10/05 09:21:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2008/10/05 09:21:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2008/10/08 17:14:57 | 00,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
[2008/10/08 17:14:47 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
[2009/07/30 01:24:20 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/07/30 01:24:20 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/07/30 01:24:20 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/07/30 01:24:20 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/07/30 01:24:20 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/07/30 01:24:20 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/07/30 01:24:20 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
O4 - HKLM..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Raghu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\Raghu\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/04 21:53:20 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/23 22:04:50 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/11/23 20:58:19 | 00,529,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Raghu\Desktop\OTL.exe
[2009/11/23 19:53:04 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/11/23 19:42:04 | 00,000,000 | --SD | C] -- C:\combo.com
[2009/11/23 19:38:24 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/11/23 19:36:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2009/11/23 17:04:54 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Raghu\IECompatCache
[2009/11/23 13:53:16 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/11/23 13:53:16 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/11/23 13:53:16 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/11/23 13:53:16 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/11/23 13:33:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/11/23 13:18:34 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/23 13:18:33 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/23 13:18:32 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/22 23:01:25 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/11/22 22:56:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/11/21 09:30:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raghu\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/11/21 09:25:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raghu\Desktop\Win Virus Removal
[2009/11/04 22:07:12 | 00,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/11/04 22:04:24 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\housecall.guid.cache
[2009/11/04 10:48:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raghu\Application Data\Malwarebytes
[2009/11/04 10:47:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/04 10:17:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/11/03 23:15:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raghu\Local Settings\Application Data\TVU Networks
[2009/11/03 23:15:15 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\TVUAx
[2009/10/31 04:28:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TVU Networks
[2009/10/31 04:28:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raghu\LocalLow
[2009/10/26 17:52:54 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Raghu\PrivacIE
[2008/10/13 17:36:44 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Raghu\Application Data\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2009/11/23 22:12:01 | 00,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1123561945-839522115-1003UA.job
[2009/11/23 22:09:34 | 00,000,258 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/11/23 22:08:33 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/23 2258 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/23 2249 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/23 2244 | 536,268,800 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/23 2204 | 04,718,592 | ---- | M] () -- C:\Documents and Settings\Raghu\ntuser.dat
[2009/11/23 22:05:41 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Raghu\ntuser.ini
[2009/11/23 20:58:20 | 00,529,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Raghu\Desktop\OTL.exe
[2009/11/23 19:59:24 | 00,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/23 19:59:24 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/23 19:59:24 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/11/23 19:53:44 | 00,000,767 | ---- | M] () -- C:\Documents and Settings\Raghu\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/11/23 19:39:24 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/11/23 19:12:00 | 00,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1123561945-839522115-1003Core.job
[2009/11/23 17:42:57 | 00,222,208 | ---- | M] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/23 13:52:53 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/11/23 13:52:53 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/11/23 13:52:53 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/11/23 13:52:53 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/11/23 13:52:53 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/11/22 23:20:46 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/21 09:26:27 | 05,892,638 | -H-- | M] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\IconCache.db
[2009/11/20 19:38:42 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/11/16 19:13:13 | 00,002,284 | ---- | M] () -- C:\Documents and Settings\Raghu\Desktop\Google Chrome.lnk
[2009/11/16 14:07:01 | 00,241,536 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/05 11:36:21 | 26,768,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/11/04 22:04:24 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\housecall.guid.cache
[2009/11/03 13:02:24 | 00,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/03 13:02:24 | 00,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/03 13:02:24 | 00,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/03 03:08:24 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

========== Files Created - No Company Name ==========

[2009/11/23 19:53:44 | 00,000,767 | ---- | C] () -- C:\Documents and Settings\Raghu\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/11/23 19:39:24 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/11/22 23:01:46 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/11/22 23:01:31 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/11/12 17:39:42 | 536,268,800 | -HS- | C] () -- C:\hiberfil.sys
[2009/11/04 22:04:24 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\housecall.guid.cache
[2009/09/29 16:50:23 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/09/29 16:50:23 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/09/29 16:50:16 | 00,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/09/29 16:50:16 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/09/23 21:44:46 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2009/06/29 00:49:19 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/10/13 17:36:53 | 00,000,034 | ---- | C] () -- C:\Documents and Settings\Raghu\Application Data\pcouffin.log
[2008/10/13 17:36:44 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\Raghu\Application Data\pcouffin.cat
[2008/10/13 17:36:44 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\Raghu\Application Data\pcouffin.inf
[2008/10/09 17:43:51 | 05,892,638 | -H-- | C] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\IconCache.db
[2008/10/08 17:23:35 | 00,064,368 | ---- | C] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/10/06 12:40:43 | 00,222,208 | ---- | C] () -- C:\Documents and Settings\Raghu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/06 12:39:25 | 00,000,050 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2008/10/06 12:28:02 | 00,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2008/10/05 18:46:56 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/10/05 09:29:02 | 00,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/10/05 09:27:25 | 00,000,044 | ---- | C] () -- C:\WINDOWS\EPCX3800.ini
[2008/10/05 08:28:21 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/10/05 07:47:15 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/10/05 07:02:13 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\cbldrm.dll
[2008/10/05 07:01:44 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2008/10/04 21:58:16 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Raghu\Application Data\desktop.ini
[2008/10/04 21:53:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\control.ini
[2008/10/04 21:50:16 | 00,000,037 | ---- | C] () -- C:\WINDOWS\vbaddin.ini
[2008/10/04 21:50:16 | 00,000,036 | ---- | C] () -- C:\WINDOWS\vb.ini
[2008/10/04 21:49:41 | 00,013,223 | ---- | C] () -- C:\WINDOWS\System32\tslabels.ini
[2008/10/04 21:49:41 | 00,001,931 | ---- | C] () -- C:\WINDOWS\System32\msdtcprf.ini
[2008/10/04 16:35:22 | 00,356,120 | ---- | C] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/10/04 16:35:21 | 00,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/10/04 16:34:54 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2008/09/15 18:14:24 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/09/15 18:12:02 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2006/02/28 06:00:00 | 01,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz.dll
[2006/02/28 06:00:00 | 01,015,477 | ---- | C] () -- C:\WINDOWS\System32\esentprf.ini
[2006/02/28 06:00:00 | 00,733,696 | ---- | C] () -- C:\WINDOWS\System32\qedwipes.dll
[2006/02/28 06:00:00 | 00,562,176 | ---- | C] () -- C:\WINDOWS\System32\qedit.dll
[2006/02/28 06:00:00 | 00,498,742 | ---- | C] () -- C:\WINDOWS\System32\dxmasf.dll
[2006/02/28 06:00:00 | 00,386,048 | ---- | C] () -- C:\WINDOWS\System32\qdvd.dll
[2006/02/28 06:00:00 | 00,355,112 | ---- | C] () -- C:\WINDOWS\System32\msjetoledb40.dll
[2006/02/28 06:00:00 | 00,279,040 | ---- | C] () -- C:\WINDOWS\System32\qdv.dll
[2006/02/28 06:00:00 | 00,270,848 | ---- | C] () -- C:\WINDOWS\System32\sbe.dll
[2006/02/28 06:00:00 | 00,252,928 | ---- | C] () -- C:\WINDOWS\System32\compatui.dll
[2006/02/28 06:00:00 | 00,199,168 | ---- | C] () -- C:\WINDOWS\System32\ir32_32.dll
[2006/02/28 06:00:00 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\qcap.dll
[2006/02/28 06:00:00 | 00,186,880 | ---- | C] () -- C:\WINDOWS\System32\encdec.dll
[2006/02/28 06:00:00 | 00,094,282 | ---- | C] () -- C:\WINDOWS\System32\msencode.dll
[2006/02/28 06:00:00 | 00,070,656 | ---- | C] () -- C:\WINDOWS\System32\amstream.dll
[2006/02/28 06:00:00 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\devenum.dll
[2006/02/28 06:00:00 | 00,053,478 | ---- | C] () -- C:\WINDOWS\System32\tcpmon.ini
[2006/02/28 06:00:00 | 00,042,809 | ---- | C] () -- C:\WINDOWS\System32\key01.sys
[2006/02/28 06:00:00 | 00,042,537 | ---- | C] () -- C:\WINDOWS\System32\keyboard.sys
[2006/02/28 06:00:00 | 00,035,648 | ---- | C] () -- C:\WINDOWS\System32\ntio411.sys
[2006/02/28 06:00:00 | 00,035,424 | ---- | C] () -- C:\WINDOWS\System32\ntio412.sys
[2006/02/28 06:00:00 | 00,035,328 | ---- | C] () -- C:\WINDOWS\System32\mciqtz32.dll
[2006/02/28 06:00:00 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio804.sys
[2006/02/28 06:00:00 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio404.sys
[2006/02/28 06:00:00 | 00,033,840 | ---- | C] () -- C:\WINDOWS\System32\ntio.sys
[2006/02/28 06:00:00 | 00,029,370 | ---- | C] () -- C:\WINDOWS\System32\ntdos411.sys
[2006/02/28 06:00:00 | 00,029,274 | ---- | C] () -- C:\WINDOWS\System32\ntdos412.sys
[2006/02/28 06:00:00 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos804.sys
[2006/02/28 06:00:00 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos404.sys
[2006/02/28 06:00:00 | 00,027,866 | ---- | C] () -- C:\WINDOWS\System32\ntdos.sys
[2006/02/28 06:00:00 | 00,027,097 | ---- | C] () -- C:\WINDOWS\System32\country.sys
[2006/02/28 06:00:00 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\tsd32.dll
[2006/02/28 06:00:00 | 00,014,336 | ---- | C] () -- C:\WINDOWS\System32\msdmo.dll
[2006/02/28 06:00:00 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\win87em.dll
[2006/02/28 06:00:00 | 00,012,082 | ---- | C] () -- C:\WINDOWS\System32\rsvp.ini
[2006/02/28 06:00:00 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\scriptpw.dll
[2006/02/28 06:00:00 | 00,010,110 | ---- | C] () -- C:\WINDOWS\System32\mqperf.ini
[2006/02/28 06:00:00 | 00,009,029 | ---- | C] () -- C:\WINDOWS\System32\ansi.sys
[2006/02/28 06:00:00 | 00,006,877 | ---- | C] () -- C:\WINDOWS\System32\pschdprf.ini
[2006/02/28 06:00:00 | 00,004,768 | ---- | C] () -- C:\WINDOWS\System32\himem.sys
[2006/02/28 06:00:00 | 00,004,126 | ---- | C] () -- C:\WINDOWS\System32\msdxmlc.dll
[2006/02/28 06:00:00 | 00,003,458 | ---- | C] () -- C:\WINDOWS\System32\rasctrs.ini
[2006/02/28 06:00:00 | 00,002,891 | ---- | C] () -- C:\WINDOWS\System32\perfci.ini
[2006/02/28 06:00:00 | 00,002,732 | ---- | C] () -- C:\WINDOWS\System32\perfwci.ini
[2006/02/28 06:00:00 | 00,002,656 | ---- | C] () -- C:\WINDOWS\System32\netware.drv
[2006/02/28 06:00:00 | 00,001,405 | ---- | C] () -- C:\WINDOWS\msdfmap.ini
[2006/02/28 06:00:00 | 00,001,152 | ---- | C] () -- C:\WINDOWS\System32\perffilt.ini
[2006/02/28 06:00:00 | 00,000,603 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/02/28 06:00:00 | 00,000,343 | ---- | C] () -- C:\WINDOWS\System32\prodspec.ini
[2006/02/28 06:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/09/22 13:17:35 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/17 16:36:28 | 00,157,696 | ---- | C] () -- C:\WINDOWS\System32\paqsp.dll

========== LOP Check ==========

[2009/11/23 20:02:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2008/10/05 09:20:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2008/10/05 09:22:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2008/10/04 16:34:54 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2009/08/18 21:50:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink
[2009/11/04 10:17:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2008/10/11 14:46:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intuit
[2009/11/04 10:47:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/09/29 22:23:46 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2008/10/05 07:42:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2009/09/29 16:51:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/31 04:28:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TVU Networks
[2008/11/01 18:56:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2008/10/08 17:35:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/06/20 20:55:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2009/10/15 21:55:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2008/10/05 09:22:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2009/11/21 09:30:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Adobe
[2008/10/08 17:23:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Apple Computer
[2009/11/21 09:30:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2008/10/04 16:34:54 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Raghu\Application Data\desktop.ini
[2008/10/08 17:56:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\DivX
[2009/04/10 07:31:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\DVD Flick
[2009/09/28 16:27:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\dvdcss
[2009/02/13 00:05:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\EPSON
[2008/10/05 11:08:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Google
[2008/10/04 21:58:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Identities
[2008/10/11 14:48:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Intuit
[2008/10/05 09:30:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Leadertech
[2008/10/05 10:50:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Macromedia
[2009/11/04 10:48:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Malwarebytes
[2008/12/01 14:31:07 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Raghu\Application Data\Microsoft
[2009/09/29 16:54:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Moyea
[2008/10/05 07:08:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Mozilla
[2009/09/29 17:11:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Pavtube
[2008/10/13 17:36:44 | 00,007,887 | ---- | M] () -- C:\Documents and Settings\Raghu\Application Data\pcouffin.cat
[2008/10/13 17:36:44 | 00,001,144 | ---- | M] () -- C:\Documents and Settings\Raghu\Application Data\pcouffin.inf
[2008/10/13 17:36:53 | 00,000,034 | ---- | M] () -- C:\Documents and Settings\Raghu\Application Data\pcouffin.log
[2008/10/13 17:36:44 | 00,047,360 | ---- | M] (VSO Software) -- C:\Documents and Settings\Raghu\Application Data\pcouffin.sys
[2009/09/05 00:46:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Real
[2008/10/06 12:52:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Sonic
[2008/10/05 10:55:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Sun
[2008/10/12 09:08:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\vlc
[2008/11/06 22:51:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Vso
[2008/10/08 22:58:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\WinRAR
[2009/06/20 20:52:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raghu\Application Data\Yahoo!
[2006/02/28 06:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/23 19:12:00 | 00,000,926 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1123561945-839522115-1003Core.job
[2009/11/23 22:12:01 | 00,000,978 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1123561945-839522115-1003UA.job
[2009/11/23 2258 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/11/23 22:09:34 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0AA053B7
< End of report >
Old 11-24-2009, 03:15 AM   #20 (permalink)
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 3,061
OS: XP sp3


Re: Desktop Virus issues

Hi,

Log is clean.

Please do the following:

Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL, as this step will require a reboot.
  • On the OTL main screen, press the CLEANUP button.
  • Say Yes to the prompt and then allow the program to reboot your computer.


next

  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Click the Reset Defaults button
  • Click Apply, and then click OK.


next

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.
We need to set a new system restore point:

Click Start > Run > copy and paste the following into the run box:

%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created, click Close.

Now remove all previous Restore Points:

Click Start > Run > copy and paste the following into the run box:

cleanmgr
At the top, click on More Options tab. Click the Clean up button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.



Now you should be good to go.

stay safe

~CB
__________________


ASAP & UNITE Member
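The restore-point procedure in the reply above, scripted as an added example (not CatByte's instructions or the forum's own tooling): it creates one fresh restore point and then removes every older one, so a later System Restore cannot bring the infection back. It assumes Windows PowerShell run as Administrator; the Win32 function SRRemoveRestorePoint in srclient.dll is real, while the wrapper name SR.Native and the function name Reset-RestorePoints are ours.

```powershell
# Added example, not part of the original thread.
# SRRemoveRestorePoint(dwRPNum) is the Win32 API that deletes one restore point
# by sequence number; it returns ERROR_SUCCESS (0) on success.
Add-Type -Namespace SR -Name Native -MemberDefinition @'
[DllImport("srclient.dll")]
public static extern uint SRRemoveRestorePoint(uint dwRPNum);
'@

function Reset-RestorePoints {
    param([string]$Description = "Clean baseline after malware removal")

    # Step 1 (matches "set a new system restore point"): create the clean
    # baseline first so the machine is never left with no restore point at all.
    # Note: Windows 8 and later silently skip creation if another restore
    # point was made in the last 24 hours.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

    $all  = @(Get-ComputerRestorePoint)
    $keep = ($all | Sort-Object SequenceNumber | Select-Object -Last 1).SequenceNumber
    if ($null -eq $keep) {
        throw "No restore point exists after Checkpoint-Computer; is System Restore enabled?"
    }

    # Step 2 (matches "remove all previous Restore Points"): delete everything
    # except the point just created.
    $removed = @()
    foreach ($rp in ($all | Where-Object { $_.SequenceNumber -ne $keep })) {
        $rc = [SR.Native]::SRRemoveRestorePoint([uint32]$rp.SequenceNumber)
        if ($rc -eq 0) {
            $removed += $rp.SequenceNumber
        } else {
            Write-Warning ("Could not remove restore point {0} ({1}): Win32 error {2}" -f `
                $rp.SequenceNumber, $rp.Description, $rc)
        }
    }

    # Report the outcome; Remaining should list exactly the new baseline.
    New-Object PSObject -Property @{
        Kept      = $keep
        Removed   = $removed
        Remaining = @(Get-ComputerRestorePoint | Select-Object -ExpandProperty SequenceNumber)
    }
}

Reset-RestorePoints
```

Check the Remaining field afterwards: a single sequence number means the old, possibly infected restore points are gone and only the fresh baseline is left.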
Copyright 2001 - 2010, Tech Support Forum