I'm running Windows XP on a 4-year-old Dell Latitude D810.
I had some virus problems, so I bought Norton Antivirus and after some of the first scans caught and removed/quarantined viruses, the past few full scans have been clean (same for Ad-Aware). I have rebooted a couple times and re-run the full scans, and they come up clean.
However, at startup, after logging into Windows, right when Windows loads I get an error message:
RUNDLL
Error loading c:\windows\system32\mamapome.dll
The specified module could not be found
This error message only appeared after I got the viruses. I think it's a remnant from the viruses. In particular, I'm concerned that some of the viruses tweaked my registry, and that the problems could re-appear. I would like to do what is necessary to stop this error message from coming up each time I start up. I hope that in so doing we will be able to flush out any other remnants of these viruses. I attached a bmp file of the error window.
The viruses I had and that were treated by Norton Antivirus are:
a0142153.exe (Packed.Generic.261) [Quarantined]
1d.tmp (Packed.Generic.261) [Quarantined]
wow64main.exe (CoreGuardAntivirus2009) [Quarantined]
sdra64.exe (Packed.Generic.261) [Quarantined]
a0142085.dll (Suspicious.Cloud) [Quarantined]
a0142059.exe (Downloader) [Quarantined]
a0142058.dll (Suspicious.Cloud) [Quarantined]
a0141769.dll (Suspicious.Cloud) [Quarantined]
a0141597.dll (Suspicious.Cloud) [Quarantined]
installer.exe (Backdoor.Tidserv) [Quarantined]
rdl259.tmp.exe (Infostealer.Banker.C) [Quarantined]
zimzapa.dll (Suspicious.Cloud) [Quarantined]
tozewala.dll (Suspicious.Cloud) [Quarantined]
fohajifu.dll (Suspicious.Cloud) [Quarantined]
zelokore.dll (Suspicious.Cloud) [Quarantined]
logon.exe (Downloader) [Quarantined]
RootRepeal.txt
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/27 22:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xED968000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B15000 Size: 8192 File Visible: No Signed: -
Status: -
Name: Ironx86.SYS
Image Path: C:\WINDOWS\system32\drivers\NAV\1100000.088\Ironx86.SYS
Address: 0xEDA48000 Size: 126976 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEBF70000 Size: 49152 File Visible: No Signed: -
Status: -
Name: SYMDS.SYS
Image Path: SYMDS.SYS
Address: 0xF7246000 Size: 352256 File Visible: No Signed: -
Status: -
Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7382000 Size: 180224 File Visible: No Signed: -
Status: -
SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x86ea4558
#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x86ec2160
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x86e736a0
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x86eb85b0
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x86e90dd0
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xedb7c210
#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x86f8c0e0
#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x86d86ba0
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8705e480
#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x86ef5b50
#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xedb7c490
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xedb7c9f0
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x86eae008
#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x86d3f3b8
#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x86e9e008
#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x86ea4320
#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x86ec54f8
#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8707a518
#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x86ea46f0
#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xedb7c7a0
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86eb9f20
#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x86f04ac0
#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x86ebe0f8
#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x86eb5da0
#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x86d7ce30
#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x86ea3838
#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86eb7c10
#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x86fc52d8
#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x86f26d70
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xedb7cc40
#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86eb7df0
#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86ee0308
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86ef3008
#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86ea3d00
#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x86eb87c8
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x86ddb720
==EOF==
DDS.txt
DDS (Ver_09-06-26.01) - NTFSx86
Run by Student at 22:26:40.71 on Tue 10/27/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.353 [GMT -4:00]
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.14\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.14\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.law.virginia.edu/
uDefault_Page_URL = hxxp://www.dell.com/
uSearch Bar =
mDefault_Page_URL = hxxp://www.dell.com/
mStart Page = hxxp://www.dell.com/
mSearch Bar =
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchAssistant =
uCustomizeSearch =
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.1.0.14\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [OrderReminder] //~c:\program files\hewlett-packard\orderreminder\orderreminder\orderreminder.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Motive SmartBridge] //~c:\progra~1\virtua~1\smartb~1\sprintdslalert.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Acrobat Assistant 8.0] //~c:\program files\adobe\acrobat 8.0\acrobat\acrotray.exe
mRun: [<NO NAME>]
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [sepezahih] Rundll32.exe "c:\windows\system32\mamapome.dll",a
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
uPolicies-explorer: NoRecentDocsNetHood = 01000000
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com/lib/uvalib/support/plugins/ebraryRdr.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111677828890
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {ECB67F57-8099-4DCC-AB8B-93852E494947} - hxxps://relativity.proskauer.com/Relativity/ActiveX/webclientmanager.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: PSDNtfy - c:\program files\broadcom\security platform software\PSDNtfy.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\windows\system32\zubadira.dll c:\windows\system32\mamapome.dll,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: vawodilah - {a4884e7a-4737-4a75-bd9a-9fac94dc1298} - c:\windows\system32\zubadira.dll
SSODL: rotibogup - {5fcfa6e1-433f-4591-beeb-ce4c76147779} - c:\windows\system32\mamapome.dll
STS: tokatiluy: {a4884e7a-4737-4a75-bd9a-9fac94dc1298} - c:\windows\system32\zubadira.dll
STS: jugezatag: {5fcfa6e1-433f-4591-beeb-ce4c76147779} - c:\windows\system32\mamapome.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\v68q23n2.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-25 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1101000.00e\SymDS.sys [2009-10-27 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1101000.00e\SymEFA.sys [2009-10-27 171056]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20091013.001\BHDrvx86.sys [2009-10-27 508976]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1101000.00e\cchpx86.sys [2009-10-27 501888]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2004-3-25 29283]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1101000.00e\Ironx86.sys [2009-10-27 114736]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.1.0.14\ccSvcHst.exe [2009-10-27 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-25 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-3-14 80384]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20091021.001\IDSXpx86.sys [2009-10-25 329080]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1170768]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20091027.025\NAVENG.SYS [2009-10-27 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20091027.025\NAVEX15.SYS [2009-10-27 1323568]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [2005-10-27 17432]
=============== Created Last 30 ================
2009-10-25 22:33 124,976 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-25 22:33 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-10-25 22:33 7,443 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-25 22:33 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-25 22:32 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-10-25 22:32 <DIR> --d----- c:\program files\Norton AntiVirus
2009-10-25 22:02 <DIR> --d----- c:\program files\NortonInstaller
2009-10-25 22:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-10-25 21:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-10-25 21:07 <DIR> --d----- c:\windows\LMI24.tmp
2009-10-25 01:55 15,688 a------- c:\windows\system32\lsdelete.exe
2009-10-25 01:46 64,288 a------- c:\windows\system32\drivers\Lbd.sys
2009-10-24 22:02 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-03 15:54 49,152 a------- c:\windows\system32\PRTSERV.dll
2009-10-03 15:54 <DIR> --d----- c:\program files\Print Server
2009-10-03 15:51 <DIR> --d----- c:\program files\Linksys
==================== Find3M ====================
2009-09-25 01:37 667,136 a------- c:\windows\system32\wininet.dll
2009-09-25 01:37 667,136 -------- c:\windows\system32\dllcache\wininet.dll
2009-09-25 01:37 627,712 -------- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 01:37 3,070,976 -------- c:\windows\system32\dllcache\mshtml.dll
2009-09-25 01:37 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 01:37 81,920 a------- c:\windows\system32\ieencode.dll
2009-09-25 01:37 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-09-11 10:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 10:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 17:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 17:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-26 04:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 04:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-13 11:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 11:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 10:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 10:20 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 10:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2006-08-31 21:30 539 a------- c:\program files\INSTALL.LOG
2005-09-14 08:24 33,280 a------- c:\program files\EndProcess.exe
2009-07-24 19:59 38,912 a--sh--- c:\windows\system32\raritazu.dll
2009-07-25 16:22 38,912 a--sh--- c:\windows\system32\zizakohe.dll
============= FINISH: 22:27:25.96 ===============