GeekPolice
Would you like to react to this message? Create an account in a few clicks or log in to continue.

GeekPoliceLog in

 


win32/nugel.E and Bankerfox.A

2 posters

descriptionwin32/nugel.E and Bankerfox.A Emptywin32/nugel.E and Bankerfox.A17th May 2010, 9:29 pm

more_horiz
Howdy,

I had the misfortune of downloading Win32/nugel.E and BankerFox.A and regwork onto my computer. I searched for and deleted all the files, both hidden and not, for regwork.

I still get security alerts for Bankerfox.A and win32/nugel.E. It is in the lower right hand corner of my screen. I have AVT Free installed so think it might be coming from it. I can't do an AVT scan because I get a bogus error message that says some exe file can't be exectued.

The security error message says: Infiltratation alert
Your computer is being attacked by an internet virus. It could be a password-stealing attack, trojan-dropper or similar.

Details
attack from:195.51.193.15 port 58877
attacked port 28038
Threat win32/Nugel.E

It askes if I would like to block this attack and gives me the choice of yes or no.

Another one I get is for Bankerfox.A with different port info.

It keeps starting new explorer windows every several minutes and trying to open various porn sites.

Also get a security alert window that says: Application can't execut file (always an exe file such as Control.exe) because it is infected. Do you want to active your antivirus software now? yes or no

The above happens when I try to invoke various programs such as Add/delete in the control panel or AVT antivirus or the Geek Police anti adware program or OTL.

Also I get a larger Security alert window that says:

Antifirus softwar alert
Attention Spyware Alert
Vulnerabilities Found.

Your computer is infected by spyware-34 threats have been found while scanning your files and registry. It is strongly recommended that you disinfect your computrer and activate realtime secure protection against future intrusions.

Upgrade to full version of antivirus software to clear your computer and prevent new security and privacy attacks. You will be able to download daily update and get online protection against interent attacks.

Two choices at bottom: Activate anti-virus software or Stay unprotected.



All this seems to occur everytime it starts another explorer window, every several minutes as previously mentioned.

I couldn't do any of the prerequisite updating for this forum because when I try to invoke add/remove for instance I get the alert that says the exe file is infected.

I downloaded the OTL but when it tried to run I got the infected exe alert and it wouldn't run.

I also downloaded the Geek Police program that sounded like it would fix this sort of thing, about 5.8M big, and it wouldn't run, again as I got the infected exe alert window for setup abam.exe (from memory on startup so maybe not accurate).

Bottom line everytime I try to run AVT antivirus or Geek Police antiadware or uninstall or add/remove something that might help, it's locked out by the bogus infected .exe file alert.

Can't do a system restore because of the same above infected file alert.

Thanks for any help you can give me.

Real mess,

DZ

descriptionwin32/nugel.E and Bankerfox.A EmptyRe: win32/nugel.E and Bankerfox.A17th May 2010, 9:48 pm

more_horiz
Hello.

We need to use the RKill Tool by Grinler

Rkill.com <--- Download site

  • Please Download Rkill.com. Save it to your Desktop.
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.

  • NOTE: If you are unable to connect to the site to download rkill, then you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.

  • Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Rogue programs.
  • Please be patient while the program looks for various malware programs and ends them.
  • When it has finished, the black window will automatically close and you can continue with the next step.
NOTE: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the rogue program, when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue program. So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the steps.

If you continue having problems running rkill.com, you can download:
iExplore.exe or eXplorer.exe
which are renamed copies of rkill.com, and try them instead.

Try OTL scan now.

descriptionwin32/nugel.E and Bankerfox.A EmptyOTL.txt Notepad log18th May 2010, 2:51 pm

more_horiz
You the Man. Running the RKill thing did make things work lots better. Had to do it multiple times to get it totally sorted out. Haven't shut down and restarted to see if it stays fixed, figured I'd send the logs first. Is there anythng else I need to do?

I will first copy and send the notepad log then the estra.txt log.

Thanks much for your help. I was stumped.

OTL logfile created on: 5/18/2010 12:54:41 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Compaq_Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

222.00 Mb Total Physical Memory | 41.00 Mb Available Physical Memory | 18.00% Memory free
553.00 Mb Paging File | 97.00 Mb Available in Paging File | 17.00% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 67.44 Gb Total Space | 44.22 Gb Free Space | 65.57% Space Free | Partition Type: NTFS
Drive D: | 7.07 Gb Total Space | 0.30 Gb Free Space | 4.18% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SLUG
Current User Name: Compaq_Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/17 13:29:40 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
PRC - [2010/04/23 14:26:16 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/03/19 09:29:49 | 002,046,816 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/12/09 08:27:48 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/12/09 08:27:45 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/12/09 08:27:37 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/12/09 08:27:31 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/12/09 08:27:13 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/18 13:08:02 | 003,032,472 | ---- | M] () -- C:\Program Files\Shrink Pic\shrink_pic.exe
PRC - [2006/11/03 11:01:16 | 000,319,488 | ---- | M] (PixArt Imaging Incorporation) -- C:\WINDOWS\PixArt\PAC207\Monitor.exe
PRC - [2004/11/01 01:55:40 | 000,057,344 | ---- | M] ( ) -- C:\WINDOWS\system32\slserv.exe


========== Modules (SafeList) ==========

MOD - [2010/05/17 13:29:40 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/04/18 07:49:56 | 000,143,441 | ---- | M] () -- C:\Program Files\Shrink Pic\shrinkpici.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Lavasoft Ad-Aware Service)
SRV - [2009/12/09 08:27:31 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/12/09 08:27:13 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2004/11/01 01:55:40 | 000,057,344 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\slserv.exe -- (SLService)


========== Driver Services (SafeList) ==========

DRV - [2009/12/09 08:27:49 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/12/09 08:27:46 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/05/15 09:33:11 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/06/12 11:39:38 | 000,508,416 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PFC027.SYS -- (PAC207)
DRV - [2006/06/14 11:04:12 | 004,299,264 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/04/04 21:58:44 | 001,536,000 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/02/27 05:46:20 | 000,081,408 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/12/06 11:20:50 | 000,241,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2005/12/06 11:20:42 | 000,670,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsx)
DRV - [2005/12/06 11:20:40 | 000,936,448 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_DP.sys -- (HSX_DP)
DRV - [2004/11/01 01:27:02 | 000,224,888 | ---- | M] ( ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slnt7554.sys -- (Slnt7554)
DRV - [2004/11/01 01:26:38 | 000,014,520 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\RecAgent.sys -- (RecAgent)
DRV - [2004/11/01 01:24:02 | 000,229,720 | ---- | M] ( ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtlmnt5.sys -- (Mtlmnt5)
DRV - [2004/11/01 01:19:02 | 000,100,176 | ---- | M] ( ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slnthal.sys -- (SlNtHal)
DRV - [2004/11/01 01:17:28 | 001,396,048 | ---- | M] ( ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtlstrm.sys -- (Mtlstrm)
DRV - [2004/11/01 01:07:52 | 000,013,216 | ---- | M] ( ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slwdmsup.sys -- (SlWdmSup)
DRV - [2004/08/03 14:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2C 30 75 EA D0 79 CA 01 [binary data]
IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/04/07 10:20:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/04/23 14:29:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.4.0\Extensions\\Components: C:\Program Files\Netscape\Netscape Browser\Components [2009/12/10 05:55:15 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.4.0\Extensions\\Plugins: C:\Program Files\Netscape\Netscape Browser\Plugins [2009/04/05 18:50:48 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2004/08/04 04:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (hpWebHelper Class) - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll (Hewlett-Packard)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [ftutil2] C:\WINDOWS\System32\ftutil2.dll (Promise Technology, Inc.)
O4 - HKLM..\Run: [gggbntjp] C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\yqmffomfa\qipjmfktssd.exe ()
O4 - HKLM..\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe (PixArt Imaging Incorporation)
O4 - HKLM..\Run: [NetscapeClient] File not found
O4 - HKLM..\Run: [PCDrProfiler] File not found
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [gggbntjp] C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\yqmffomfa\qipjmfktssd.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe File not found
O4 - Startup: C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\Shrink Pic.lnk = C:\Program Files\Shrink Pic\shrink_pic.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O9 - Extra Button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm File not found
O9 - Extra 'Tools' menuitem : Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm File not found
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab (SysData Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/12/04 23:50:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 08:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 00:01:14 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/18 00:54:20 | 000,571,392 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
[2010/05/17 12:45:42 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/17 12:45:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/17 12:45:39 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/17 12:45:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/16 10:03:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\yqmffomfa
[2010/05/14 16:51:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\AskToolbar
[2010/05/14 16:47:47 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[2010/05/12 16:14:08 | 000,175,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\csamsp.dll
[2010/05/12 16:14:08 | 000,175,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\csamsp.dll
[2010/05/12 16:13:40 | 000,014,976 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\winddx.sys
[2010/05/12 15:58:58 | 000,073,796 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\slserv.exe
[2010/05/12 15:58:58 | 000,057,344 | ---- | C] ( ) -- C:\WINDOWS\System32\slserv.exe
[2010/05/12 15:58:58 | 000,013,240 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\slwdmsup.sys
[2010/05/12 15:58:58 | 000,013,216 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slwdmsup.sys
[2010/05/12 15:58:57 | 000,032,866 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\slrundll.exe
[2010/05/12 15:58:56 | 000,224,888 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slnt7554.sys
[2010/05/12 15:58:56 | 000,129,535 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\slnt7554.sys
[2010/05/12 15:58:56 | 000,100,176 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slnthal.sys
[2010/05/12 15:58:56 | 000,095,424 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\slnthal.sys
[2010/05/12 15:58:55 | 000,188,508 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\slgen.dll
[2010/05/12 15:58:53 | 000,286,792 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\slextspk.dll
[2010/05/12 15:58:50 | 000,073,832 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slcoinst.dll
[2010/05/12 15:58:50 | 000,073,832 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\slcoinst.dll
[2010/05/12 15:58:46 | 000,014,520 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\RecAgent.sys
[2010/05/12 15:58:46 | 000,013,776 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\recagent.sys
[2010/05/12 15:58:43 | 000,180,360 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\ntmtlfax.sys
[2010/05/12 15:58:43 | 000,180,360 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\ntmtlfax.sys
[2010/05/12 15:58:41 | 001,396,048 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlstrm.sys
[2010/05/12 15:58:41 | 001,309,184 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\mtlstrm.sys
[2010/05/12 15:57:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\Modio
[2010/05/12 15:53:56 | 000,016,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MODEMCSA.sys
[2010/05/12 15:53:56 | 000,016,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\modemcsa.sys
[2010/04/30 07:28:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2010/04/30 07:26:22 | 000,000,000 | ---D | C] -- C:\Program Files\NCH Swift Sound
[2010/04/27 10:20:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Desktop\Iran
[2010/04/23 14:28:49 | 000,185,920 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2010/04/23 14:28:23 | 000,006,656 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2010/04/23 14:28:23 | 000,005,632 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2010/04/23 14:27:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2010/04/23 14:26:24 | 000,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/04/23 14:23:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2009/04/04 13:04:54 | 000,229,720 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlmnt5.sys
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/18 00:45:32 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\rkill.com
[2010/05/18 00:28:16 | 000,000,248 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2010/05/18 00:18:07 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/18 00:17:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/18 00:17:43 | 233,361,408 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/17 14:34:17 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Compaq_Owner\ntuser.ini
[2010/05/17 14:34:16 | 005,767,168 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\NTUSER.DAT
[2010/05/17 13:54:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/17 13:29:40 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe
[2010/05/17 12:45:48 | 000,000,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/15 12:10:44 | 060,009,113 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/05/12 00:32:43 | 000,000,316 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2010/05/11 21:05:49 | 000,142,848 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/08 22:29:48 | 002,279,460 | -H-- | M] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\IconCache.db
[2010/05/08 06:38:27 | 000,000,364 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\Windows Live Hotmail.url
[2010/05/03 07:50:08 | 000,000,312 | ---- | M] () -- C:\WINDOWS\tasks\expressburnShakeIcon.job
[2010/04/30 07:30:17 | 000,000,318 | ---- | M] () -- C:\WINDOWS\tasks\expressburnSevenDaysInit.job
[2010/04/30 07:26:33 | 000,000,834 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Express Burn.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/23 14:29:16 | 000,000,747 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer SP.lnk
[2010/04/23 14:28:49 | 000,185,920 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2010/04/23 14:28:23 | 000,006,656 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2010/04/23 14:28:23 | 000,005,632 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2010/04/23 14:26:24 | 000,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/04/20 21:06:11 | 000,000,162 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/18 00:45:42 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\rkill.com
[2010/05/17 12:45:48 | 000,000,704 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/12 16:13:40 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\usb_cpl.dll
[2010/05/12 16:13:40 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\minirec.exe
[2010/05/12 16:13:40 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\SLMOHServ.dll
[2010/05/12 16:13:39 | 000,548,864 | ---- | C] () -- C:\WINDOWS\System32\slcpappl.cpl
[2010/05/12 16:13:39 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\SLLights.dll
[2010/05/12 16:13:39 | 000,380,928 | ---- | C] () -- C:\WINDOWS\System32\slmh.exe
[2010/05/12 16:13:39 | 000,351,183 | ---- | C] () -- C:\WINDOWS\System32\slmh.cab
[2010/05/12 16:13:39 | 000,151,740 | ---- | C] () -- C:\WINDOWS\System32\slcpappl.chm
[2010/05/12 16:13:39 | 000,077,824 | ---- | C] () -- C:\WINDOWS\SmCfg.exe
[2010/05/12 15:58:57 | 000,036,864 | ---- | C] () -- C:\WINDOWS\slrundll.exe
[2010/05/12 15:58:55 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\slgen.dll
[2010/05/12 15:58:53 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\slextspk.dll
[2010/05/08 06:38:25 | 000,000,364 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\Windows Live Hotmail.url
[2010/05/07 12:23:21 | 233,361,408 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/30 07:50:38 | 000,000,312 | ---- | C] () -- C:\WINDOWS\tasks\expressburnShakeIcon.job
[2010/04/30 07:30:14 | 000,000,318 | ---- | C] () -- C:\WINDOWS\tasks\expressburnSevenDaysInit.job
[2010/04/30 07:26:33 | 000,000,834 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Express Burn.lnk
[2010/04/23 14:29:16 | 000,000,747 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer SP.lnk
[2010/01/18 19:51:38 | 000,000,408 | ---- | C] () -- C:\WINDOWS\System32\Remover.ini
[2009/05/05 09:19:21 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/11/28 22:12:48 | 000,000,578 | ---- | C] () -- C:\WINDOWS\M3JPEG.INI
[2008/11/12 17:38:17 | 000,745,984 | ---- | C] () -- C:\WINDOWS\ir50_32.dll
[2008/10/27 14:08:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iexplorer.dll
[2008/08/09 15:22:21 | 000,030,464 | ---- | C] () -- C:\WINDOWS\macromix.dll
[2007/09/22 09:25:49 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/06/12 11:08:10 | 000,000,518 | ---- | C] () -- C:\WINDOWS\System32\SP207.ini
[2007/04/30 14:49:55 | 000,000,316 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/03/05 09:31:04 | 000,000,346 | ---- | C] () -- C:\WINDOWS\DcmLtBox.ini
[2006/12/28 18:57:41 | 000,001,550 | ---- | C] () -- C:\WINDOWS\MEING.INI
[2006/08/28 21:44:02 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/28 21:14:45 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2006/08/28 21:07:01 | 000,012,993 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2006/08/28 21:06:54 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2006/08/28 21:03:39 | 000,000,166 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/08/28 20:52:18 | 000,000,056 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/08/28 20:50:34 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/08/28 20:43:02 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/08/28 20:22:17 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/08/28 20:18:30 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\pythoncom22.dll
[2006/08/28 20:18:30 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\pywintypes22.dll
[2006/08/28 20:18:02 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2006/04/24 16:42:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/03/01 15:30:20 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2004/11/01 01:56:02 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\coinst.dll
[2004/08/04 04:00:00 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2004/08/04 04:00:00 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2004/08/04 04:00:00 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2004/08/04 04:00:00 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2004/08/04 04:00:00 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
[2004/06/15 14:38:00 | 000,000,592 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

descriptionwin32/nugel.E and Bankerfox.A EmptyExtras.txt Notepad18th May 2010, 2:53 pm

more_horiz
OTL Extras logfile created on: 5/18/2010 12:54:41 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Compaq_Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

222.00 Mb Total Physical Memory | 41.00 Mb Available Physical Memory | 18.00% Memory free
553.00 Mb Paging File | 97.00 Mb Available in Paging File | 17.00% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 67.44 Gb Total Space | 44.22 Gb Free Space | 65.57% Space Free | Partition Type: NTFS
Drive D: | 7.07 Gb Total Space | 0.30 Gb Free Space | 4.18% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SLUG
Current User Name: Compaq_Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe" = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Enabled:Compaq Connections -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Enabled:hpqgplgtupl.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Software Update\hpwucli.exe" = C:\Program Files\HP\HP Software Update\hpwucli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe" = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Enabled:Compaq Connections -- File not found
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- File not found
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Rhapsody\rhapsody.exe" = C:\Program Files\Rhapsody\rhapsody.exe:*:Enabled:Rhapsody -- (RealNetworks, Inc.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Enabled:hpqgplgtupl.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Software Update\hpwucli.exe" = C:\Program Files\HP\HP Software Update\hpwucli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{07FB17D8-7DB6-4F06-80C4-8BE1719CB6A1}" = hpWLPGInstaller
"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{1341D838-719C-4A05-B50F-49420CA1B4BB}" = HP Boot Optimizer
"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig
"{175F0111-2968-4935-8F70-33108C6A4DE3}" = MarketResearch
"{2012D762-5DCA-455A-B5FE-EDF79BC93E18}" = HP Photosmart C4700 All-In-One Driver Software 13.0 Rel .6
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{21A2F5EE-1DC5-488A-BE7E-E526F8C61488}" = DeviceDiscovery
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36D620AD-EEBA-4973-BA86-0C9AE6396620}" = OptionalContentQFolder
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 2.1
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{5B4F9F23-F9A7-47D3-BE92-BAB0D276C8C4}" = IC 435C Webcam
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap
"{68A10D12-0D0F-4212-BDE6-D87FAD32A8FA}" = SmartWebPrinting
"{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{82081779-4175-4666-A457-AB711CD37EF0}" = cp_LightScribeConfig
"{829DAAD6-BB11-4BB7-921B-07FFB703F944}" = CP_Package_Variety3
"{82E55892-6FFD-403F-AA97-D726846768AA}" = CP_AtenaShokunin1Config
"{866A0078-DEA7-4348-9C9A-999AF2991EAA}" = SlideShowMusic
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8A534F71-3202-4464-A422-B767295E67B9}" = CP_Package_Variety2
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{922E8525-AC7E-4294-ACAA-43712D4423C0}" = Adobe Flash Player 10 ActiveX
"{93E5A317-24EC-4744-812C-16FECFE86E6A}" = CP_Package_Variety1
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices
"{A55F4F9F-CCA8-4732-AA1F-0390A4A50947}" = C4700
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A70500000002}" = Adobe Reader 7.0.5
"{AE8705FB-E13C-40A9-8A2D-68D6733FBFC2}" = Status
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig
"{B2455727-ED8F-4643-8A6E-F4AB8DE3633D}" = Network
"{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour
"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery
"{C3FAA091-B278-44A7-BF48-190811C5F9F7}" = cp_UpdateProjectsConfig
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C75CDBA2-3C86-481e-BD10-BDDA758F9DFF}" = hpPrintProjects
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D7DBA21A-CDE5-42EC-BB1C-AE4B3E616B9A}_is1" = HP Support Overview
"{DAAD5187-62C5-4AD6-A526-803C18C4944D}" = HP Web Helper
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DC0A5F99-FD66-433F-9D3A-05DCBA64BE42}" = TrayApp
"{E36F3199-C282-47CA-BAC7-2B77D247E760}" = PS_AIO_06_C4700_SW_Min
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FDC17776-2CA4-48FA-964B-C5E8B6BB535B}" = RegWork
"ATI Display Driver" = ATI Display Driver
"AVG8Uninstall" = AVG 8.5
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1" = Data Fax SoftModem with SmartCP
"ExpressBurn" = Express Burn
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.5
"HP Print Projects" = HP Print Projects 1.0
"HP Smart Web Printing" = HP Smart Web Printing 4.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 13.0
"HPOOVClient-5577497 Uninstaller" = Compaq Connections (remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"InstallShield_{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement
"InstallShield_{5B4F9F23-F9A7-47D3-BE92-BAB0D276C8C4}" = IC 435C Webcam
"InstallShield_{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Money2006b" = Microsoft Money 2006
"MSNINST" = MSN
"Netscape Browser" = Netscape Browser (remove only)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OfficeTrial" = Microsoft Office Standard Edition 2003 60 days trial
"Python 2.2.3" = Python 2.2.3
"pywin32-py2.2" = Python 2.2 pywin32 extensions (build 203)
"RealPlayer 12.0" = RealPlayer
"Rhapsody" = Rhapsody
"Shop for HP Supplies" = Shop for HP Supplies
"TeLLmeMoreV40" = TeLL me More
"USB7554" = SmartUSB56 Voice Modem
"WildTangent CDA" = WildTangent Web Driver
"WildTangent compaq Master Uninstall" = My HP Games
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"Yahoo! Companion" = Yahoo! Toolbar for Internet Explorer
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/24/2010 1:18:01 PM | Computer Name = SLUG | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 4/24/2010 1:25:49 PM | Computer Name = SLUG | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/24/2010 1:26:58 PM | Computer Name = SLUG | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 4/24/2010 1:59:21 PM | Computer Name = SLUG | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/24/2010 2:00:01 PM | Computer Name = SLUG | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 4/28/2010 2:16:08 AM | Computer Name = SLUG | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/28/2010 2:17:09 AM | Computer Name = SLUG | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 4/29/2010 4:08:24 AM | Computer Name = SLUG | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/29/2010 4:08:24 AM | Computer Name = SLUG | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/3/2010 3:20:59 AM | Computer Name = SLUG | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 5/18/2010 3:30:09 AM | Computer Name = SLUG | Source = DCOM | ID = 10010
Description = The server {641B9FB0-C2B1-41BD-8563-5F484E3BE84A} did not register
with DCOM within the required timeout.

Error - 5/18/2010 3:30:41 AM | Computer Name = SLUG | Source = DCOM | ID = 10010
Description = The server {641B9FB0-C2B1-41BD-8563-5F484E3BE84A} did not register
with DCOM within the required timeout.

Error - 5/18/2010 3:31:11 AM | Computer Name = SLUG | Source = DCOM | ID = 10010
Description = The server {641B9FB0-C2B1-41BD-8563-5F484E3BE84A} did not register
with DCOM within the required timeout.

Error - 5/18/2010 3:32:09 AM | Computer Name = SLUG | Source = DCOM | ID = 10010
Description = The server {641B9FB0-C2B1-41BD-8563-5F484E3BE84A} did not register
with DCOM within the required timeout.

Error - 5/18/2010 3:34:29 AM | Computer Name = SLUG | Source = DCOM | ID = 10010
Description = The server {641B9FB0-C2B1-41BD-8563-5F484E3BE84A} did not register
with DCOM within the required timeout.

Error - 5/18/2010 3:40:34 AM | Computer Name = SLUG | Source = DCOM | ID = 10010
Description = The server {641B9FB0-C2B1-41BD-8563-5F484E3BE84A} did not register
with DCOM within the required timeout.

Error - 5/18/2010 3:41:58 AM | Computer Name = SLUG | Source = DCOM | ID = 10010
Description = The server {641B9FB0-C2B1-41BD-8563-5F484E3BE84A} did not register
with DCOM within the required timeout.

Error - 5/18/2010 3:42:36 AM | Computer Name = SLUG | Source = DCOM | ID = 10010
Description = The server {641B9FB0-C2B1-41BD-8563-5F484E3BE84A} did not register
with DCOM within the required timeout.

Error - 5/18/2010 3:44:47 AM | Computer Name = SLUG | Source = DCOM | ID = 10010
Description = The server {641B9FB0-C2B1-41BD-8563-5F484E3BE84A} did not register
with DCOM within the required timeout.

Error - 5/18/2010 3:46:45 AM | Computer Name = SLUG | Source = DCOM | ID = 10010
Description = The server {641B9FB0-C2B1-41BD-8563-5F484E3BE84A} did not register
with DCOM within the required timeout.


< End of report >

descriptionwin32/nugel.E and Bankerfox.A EmptyRe: win32/nugel.E and Bankerfox.A18th May 2010, 10:19 pm

more_horiz
Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [gggbntjp] C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\yqmffomfa\qipjmfktssd.exe ()
    O4 - HKCU..\Run: [gggbntjp] C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\yqmffomfa\qipjmfktssd.exe ()
    [2010/05/16 10:03:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\yqmffomfa



  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

descriptionwin32/nugel.E and Bankerfox.A EmptyLog18th May 2010, 11:19 pm

more_horiz
Howdy,

I got a Resident Shield Alert from my AVG antivirus. I forgot to shut it off, as I suspect you would have assumed I should have. It said the following:

Accessed file is infected

Threat detected

file name C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\yqmffomfa\qipjmfktssd.exe (I think I got all the characters correct, couldn't copy and paste from that window)

Detected on Open

Gave three things I could do: Heal Move to Vault Ignore

Tried Heal but it said, couldn't do that. Something about couldn't find path and not all things could be healed. So I chose Ignore. That worked and the process finished and this is the log I got after it finished.

So far I haven't had enough nads to turn off the puter but think I will now. I was afraid I would get back to where I was before, and that wasn't pretty. Wasn't sure if the Kill thing was a temp fix or would get rid of the virus stuff. I assume this last event will be more perminet. Hey, was never accused of being the sharpest tool in the shed.

Again many thanks,

DZ



========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
C:\Program Files\Ask.com\GenericAskToolbar.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\gggbntjp deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\yqmffomfa\qipjmfktssd.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\gggbntjp deleted successfully.
File C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\yqmffomfa\qipjmfktssd.exe not found.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\yqmffomfa folder moved successfully.

OTL by OldTimer - Version 3.2.4.1 log created on 05182010_155432

descriptionwin32/nugel.E and Bankerfox.A EmptyAVG19th May 2010, 3:09 pm

more_horiz
Howdy,

With hindsight I shouldn't have done it, but last night I let my anti-virus run. Should have done nothing you didn't ask me to do, as it could make things more difficult for you. At any rate I did and this is the result.

It said it found and fixed two infections, both Trojan Horses and it said they were both removed and healed.

C:\_OTL\MovedFiles\05182010_1554\C_Documents and Settings\Compaq_Owner\Local Settings\ApplicationData\yqmffomfa\qipjmfktssd.exe

C:\Documents and Settings\Compaq_Owner\Local Settings|Temp\e.exe

Hopefully I got every character correct abd this didn't cause you extra work.

The computer, BTW, is operating still operating fine, after logging off and restarting it.

Thanks as always for all your help.

DZ

descriptionwin32/nugel.E and Bankerfox.A EmptyRe: win32/nugel.E and Bankerfox.A19th May 2010, 10:36 pm

more_horiz
Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

descriptionwin32/nugel.E and Bankerfox.A EmptyNother Log20th May 2010, 9:04 am

more_horiz
Howdy,

When I started the antivirus, I got two warning things. Clicked ok on both and it continued to run.

The first said VbAccelerator S Grid II Control

Run Timer error '0'

The second said: Malwarebyte anti melware

Run time error '440'
automotion error

Not sure what that's all about.

Thanks again for all your expert help.

DZ

Here's the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4119

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/20/2010 1:44:09 AM
mbam-log-2010-05-20 (01-44-09).txt

Scan type: Quick scan
Objects scanned: 140745
Time elapsed: 22 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Compaq_Owner\Application Data\ErrorSmart (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\ErrorSmart\Log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\ErrorSmart\Registry Backups (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\Program Files\GbPluggin (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Compaq_Owner\Application Data\ErrorSmart\Registry Backups\2008-10-06_10-48-55.reg (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\Program Files\GbPluggin\svchost (Trojan.Agent) -> Quarantined and deleted successfully.

descriptionwin32/nugel.E and Bankerfox.A EmptyRe: win32/nugel.E and Bankerfox.A20th May 2010, 10:42 pm

more_horiz
Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 7.0.5
    J2SE Runtime Environment 5.0 Update 6

Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 20.
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe that you downloaded to install the newest version.

Then download and install Adobe Reader 9.3.2

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.

descriptionwin32/nugel.E and Bankerfox.A EmptyRe: win32/nugel.E and Bankerfox.A23rd May 2010, 4:04 pm

more_horiz
Howdy,

I have dialup so this took me some time. Haven't got Adobe to re-install as it is a BIG file and my ISP timed out a couple of times. Did get the EST scanner to run. Didn't seem to have a recorded log whee you mentioned, but I did export and copy the finished results. Here they are:


C:\Program Files\Netscape\Netscape Browser\chrome\m3ntstbr.jar Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
D:\I386\APPS\APP04119\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined
D:\I386\APPS\APP04119\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined
D:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP175\A0186198.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined
D:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP175\A0186199.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined


It seemed to have found five things and fixed them.

If this isn't the log info you're looking for let me know and I will try to find it, some more. I will keep trying to install the new Adobe. Might have to go to the library or some other place with highspeed internet and put it on a memory stick or CD.

Thanks again,

DZ

descriptionwin32/nugel.E and Bankerfox.A EmptyRe: win32/nugel.E and Bankerfox.A23rd May 2010, 4:28 pm

more_horiz
Hello.
That's the log! Right On!


  1. Please download AskRemover from here
  2. Extract the zip file to your Desktop, then run AskRemover.bat
  3. Allow it to run, and select yes to the registry merge warning.
  4. Copy and paste the resulting log in your next post.

descriptionwin32/nugel.E and Bankerfox.A EmptyRe: win32/nugel.E and Bankerfox.A23rd May 2010, 4:42 pm

more_horiz
When I click on the Here thing I get an Internet Explorer cannot display the webpage. I did a multiple refreshes but still no go.

DZ

descriptionwin32/nugel.E and Bankerfox.A EmptyRe: win32/nugel.E and Bankerfox.A23rd May 2010, 5:15 pm

more_horiz
Darn Freewebs, added it to an attachment.

descriptionwin32/nugel.E and Bankerfox.A EmptyMore Logging23rd May 2010, 6:13 pm

more_horiz
Howdy Again,

Here ya go. That worked fine.

Thanks again for all the help.

DZ


Ask Remover Version 1.1 - Written by Belahzur

The current time and date is 11:08:23.07 Sun 05/23/2010

Microsoft Windows XP [Version 5.1.2600]


==== STARTING CHECK ====
C:\Program Files\Ask.com has been found!
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\AskToolbar has been found!

==== Starting removal of Ask ====
C:\Program Files\Ask.com Deleted.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\AskToolbar Deleted.

Applying removal of Ask Toolbar registry keys.

==== REGISTRY DUMP ====

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Start Page REG_SZ http://my.yahoo.com/


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Search Bar REG_SZ http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Default_Search_URL REG_SZ http://go.microsoft.com/fwlink/?LinkId=54896


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Default_Page_URL REG_SZ http://go.microsoft.com/fwlink/?LinkId=69157


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Start Page REG_SZ http://go.microsoft.com/fwlink/?LinkId=69157


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

*** The above keys may not need fixing ***

==== FINAL CHECK ====

==== EOF ====

descriptionwin32/nugel.E and Bankerfox.A EmptyRe: win32/nugel.E and Bankerfox.A23rd May 2010, 11:04 pm

more_horiz
Hello.

How is the machine running now?

descriptionwin32/nugel.E and Bankerfox.A EmptyRe: win32/nugel.E and Bankerfox.A24th May 2010, 5:31 am

more_horiz
Howdy,

Puter seems to be working fine. The quantum leap came with the running of the Kill thing. It shut off a lot of the stuff that wasn't allowing me to get rid of the virus.

I think I forgot to mention. For some reason which I don't recall just now, I did a search for Adobe files and it came up with four of them, all 7.0 ones, even after the uninstall. I deleted them.

Now I gotta get the new Adobe Reader in thar. Dialup is painfully slow. Can't get wideband except via satilite in these parts.

Much thanks again for all your help, really appreciate it. When I couldn't do a system restore, things were looking pretty grim.

DZ

descriptionwin32/nugel.E and Bankerfox.A EmptyRe: win32/nugel.E and Bankerfox.A

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum