IE8 redirect "Message from webpage":"Personal Security".


  • This topic is locked
26 replies to this topic

#1 bt_pcsecurity

  • Members
  • 16 posts

Posted 25 January 2010 - 01:09 PM

When opening a new tab (to go to Yahoo or other seemingly safe sites), the address in the address box is sometimes redirected to:
"http://live-antivirus-prox1.com/scn1/?id=%3DHGy9z..."
And a "Message from webpage" dialog box opens offering to provide a free scan using Personal Security. Seeing that dialog msg, I kill the iexplorer process. But at least once I hit the msg box cancel X and the fake scanner started. I killed iexplorer (taskmanager) at that point without clicking any more buttons offered in IE.

MalwareBytes runs but FINDS NOTHING in either a quick or a full scan in normal Windows mode (after using rkill.com to stop suspect processes). I even uninstalled MalwareBytes and redownloaded and installed it in Safe Mode. It runs in Safe Mode but NOTHING FOUND. Also, the downloaded Microsoft Malware scanner runs but FINDS NOTHING. Also, NOTHING FOUND by ZoneAlarm Extreme Security when using the following scan modes: rootkit, ultradeep, deep, or normal. Also, on my PC, there appear to be none of the files or registry entries associated with Personal Security (none of the ones I've seen so far described online).

I have also checked files and registry for Total Security, Cyber Security, Internet Security 2010 and can't find any.

I am fairly certain that I have not visited sites that might be suspicious due to their nature after clearing ZA virtualization and rebooting the PC. So, it would seem that there should not have been any remnants hanging around the browser from risky visits.

I have used CCleaner to clear Temporary Files and Temporary Internet Files and Recycle Bin.

I run ZoneAlarm Extreme Security in virtualization mode and clear its virtual data after seeing the fake antivirus pop-up. I had trouble with a recent ZA upgrade -- I couldn't open IE when ZA virtualization was enabled. But I did find an odd sequence of clicking ZA buttons that allowed IE to open with virtualization. But, after a test, I suspect virtualization wasn't actually working properly. I see there is reference to KLIF in log files I'm providing to you. When I recently upgraded ZoneAlarm, I had trouble with the installation because an automatic KLIF registry edit being attempted by the ZA installer was not permitted. I eventually got ZA to install without that error, though.

I don't see any suspicious browser Add-ons listed in "Manage Add-ons".

Bottom line, the dialog box "Message from webpage": "...Personal Security..." keeps popping up (seemingly random). And I don't know what is compromised on my PC. Can you help and also tell me what might have been compromised? Thank you.


DDS (Ver_09-12-01.01) - NTFSx86
Run by btaylor at 9:04:36.50 on Mon 01/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.984 [GMT -5:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\agrsmsvc.exe
svchost.exe
C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\IFXSPMGT.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\adedevlp\altera\quartus_61\quartus\bin\jtagserver.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\ProtectTools\Embedded Security Software\SpTna.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTServs.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\Sminst\Recguard.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Direct Folders\df.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Refinate\Refinate3\EKAG20NT.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\PC Magazine Utilities\InstaBack 2\InstaBack.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\btaylor\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\DeskPins\DeskPins.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\IrfanView\i_view32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\btaylor\Desktop\HOW_TO\PC_Security\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Credential Manager for ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hpq\iam\bin\ItIeAddIN.dll
BHO: {E02E86EB-220B-4B59-A251-F849405E1D64} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [PCMagInstaback2] "c:\program files\pc magazine utilities\instaback 2\InstaBack.exe" /m
uRun: [Google Update] "c:\documents and settings\btaylor\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [PTHOSTTR] c:\program files\hpq\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hpq\iam\bin\AsTsVcc.dll,RegisterModule
mRun: [PDF4 Registry Controller] "c:\program files\scansoft\pdf professional 4.0\\RegistryController.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [OpScheduler] "c:\program files\scansoft\omnipage15.0\OpScheduler.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DirectFolders] "c:\program files\direct folders\df.exe"
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [EKAN0200B03FD1305A4B] "c:\program files\refinate\refinate3\EKAG20NT.EXE" 0200B03FD1305A4B 1
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\btaylor\startm~1\programs\startup\button~1.lnk - c:\program files\pc magazine utilities\buttonboogie\ButtonBoogie.exe
StartupFolder: c:\docume~1\btaylor\startm~1\programs\startup\cpu_ds~1.lnk - c:\windows\system32\perfmon_processor1_2_diskRdWr.msc
StartupFolder: c:\docume~1\btaylor\startm~1\programs\startup\deskpins.lnk - c:\program files\deskpins\DeskPins.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a}\Certificates
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxps://a248.e.akamai.net/f/248/14778/2h/dlmanager.download.akamai.com/14778/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185496221460
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186516506781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: OneCard - c:\program files\hpq\iam\bin\AsWlnPkg.dll
AppInit_DLLs: APSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli AsWlnPkg
Hosts: 192.168.1.101 HP0015604CA995
Hosts: 195.245.119.131 browser-security.microsoft.com

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-1-22 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-1-22 317072]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-10-25 35488]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-1-22 486280]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 HBService;HBService;c:\program files\pc magazine utilities\hd heartbeat 2\HBSrvApp.exe [2007-8-1 570368]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-4-25 88192]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-10-14 35448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-6-10 36608]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2006-11-15 37296]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2008-4-5 39048]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [2007-8-17 18048]

=============== Created Last 30 ================

2010-01-25 00:55:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 00:55:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 00:55:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-24 22:28:14 0 d-----w- c:\program files\PC Magazine Password Profiler
2010-01-22 19:16:01 0 d-----w- c:\docume~1\btaylor\applic~1\#ISW.FS#
2010-01-22 19:09:19 0 d-----w- c:\docume~1\btaylor\applic~1\MailFrontier
2010-01-22 19:01:13 0 d-----w- c:\program files\Zone Labs
2010-01-22 19:00:48 0 d-----w- c:\windows\Internet Logs
2010-01-22 16:15:35 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-22 00:34:48 0 d-----w- c:\windows\ie8updates
2010-01-22 00:33:53 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-22 00:33:52 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-20 17:47:46 0 d-sh--w- c:\documents and settings\btaylor\PrivacIE
2010-01-20 17:39:09 0 d-sh--w- c:\documents and settings\btaylor\IETldCache
2010-01-20 17:30:55 0 dc-h--w- c:\windows\ie8
2010-01-19 21:43:45 6912054 ----a-w- c:\windows\HP Cityscape Wide_auto_switch.bmp
2010-01-19 19:50:42 0 d-----w- c:\docume~1\btaylor\applic~1\GrabPro
2010-01-07 02:05:05 470528 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-06 21:48:49 0 d-----w- c:\docume~1\btaylor\applic~1\Foxit Software
2010-01-01 21:33:15 0 d-----w- c:\program files\CheckPoint

==================== Find3M ====================

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:14:05 1208832 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:14:04 5942784 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:14:04 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2009-12-21 19:14:03 594432 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-21 19:14:03 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-21 19:14:03 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:14:03 1985536 ----a-w- c:\windows\system32\dllcache\iertutil.dll
2009-12-21 19:14:03 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:14:02 11070464 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2009-12-21 19:14:01 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-29 07:46:51 133120 ------w- c:\windows\system32\dllcache\extmgr.dll
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

============= FINISH: 9:06:05.82 ===============


Edited by bt_pcsecurity, 25 January 2010 - 04:51 PM.
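Two kinds of line in the Pseudo HJT section of the log above are the ones a responder reads first: the `Hosts:` entries (one pins a microsoft.com hostname to a public IP address, a pattern worth flagging because legitimate software has no reason to do that, while the other maps a LAN printer name to a private address and is normal) and the `No File` BHO/toolbar entries whose DLL is no longer on disk. As an added example that is not part of this thread and not code from the DDS tool, the Python script below parses lines in that format and rates them. The sample lines are copied from the log above, the list of watched vendor domains is an illustrative assumption, and the severity labels are the example's own.

```python
import ipaddress
import re

# Constructed sample in the format of the DDS "Pseudo HJT Report" section.
# The Hosts: lines and the two "No File" entries are copied from the log posted
# above; the Adobe BHO line is there to show a normal entry is left alone.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {E02E86EB-220B-4B59-A251-F849405E1D64} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
Hosts: 192.168.1.101 HP0015604CA995
Hosts: 195.245.119.131 browser-security.microsoft.com
"""

# Assumption (illustrative list, not from the thread): domains whose names
# should never be pinned to an arbitrary public address in a hosts file.
WATCHED_DOMAINS = (
    "microsoft.com",
    "windowsupdate.com",
    "malwarebytes.org",
    "zonealarm.com",
    "kaspersky.com",
)

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)\s*$")
NO_FILE_RE = re.compile(r"^(BHO|TB|EB):\s+(.*?)\s+-\s+No File\s*$")


def is_watched(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def classify_hosts_entry(ip_text, hostname):
    """Return (severity, reason) for a hosts-file mapping, or None if benign."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return ("medium", "hosts entry has an unparseable address")
    # Loopback (blocking entries) and RFC 1918 / link-local addresses (LAN
    # devices such as the HP printer above) are normal in a hosts file.
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return None
    if is_watched(hostname):
        return ("high", "watched vendor/OS domain pinned to a public address")
    return ("medium", "name pinned to a public address; verify it is intended")


def analyze(text):
    """Scan DDS-style lines and return a list of findings (dicts)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip_text, hostname = m.groups()
            verdict = classify_hosts_entry(ip_text, hostname)
            if verdict:
                findings.append({"line": lineno, "kind": "hosts", "host": hostname,
                                 "ip": ip_text, "severity": verdict[0],
                                 "reason": verdict[1]})
            continue
        m = NO_FILE_RE.match(line)
        if m:
            findings.append({"line": lineno, "kind": m.group(1), "clsid": m.group(2),
                             "severity": "low",
                             "reason": "registered browser extension whose file is missing (orphan)"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']:6}] line {f['line']:>3} {f['kind']}: {f['reason']}")
```

Orphaned `No File` entries are rated low because they are usually leftovers of an uninstalled add-on rather than active code; the public-address hosts entry is rated high because a name in a vendor or OS domain has no legitimate reason to be pinned that way, and the responder should compare it against the real DNS answer before deciding.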



#2 schrauber

    Mr.Mechanic


  • Malware Response Instructor
  • 23,095 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 01 February 2010 - 12:42 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 bt_pcsecurity

  • Topic Starter

  • Members
  • 16 posts

Posted 01 February 2010 - 02:26 PM

I am still getting the annoying "Personal Security" popups for which I must kill the IE8 process to continue using IE.

I have scanned my PC with the latest MalwareBytes and latest SuperAntispyware. They appear to scan normally but they find nothing. It is possible that the popup is embedded along with an advertisement at Yahoo or some other site I visit (I do not visit many sites). However, with only one exception recently, the multiple times the popup has already appeared, it is always the same (it's for "Personal Security" -- but recently got one for a different type "Security" fake antivirus). I have never given permission to have something downloaded to my PC as a result of these popups.

Can you tell whether or not there's something on my computer that is re-activating this popup? I will be reluctant to run utility programs that might change things on my PC, but, as you can see, I am more receptive to running report generators. Thanks for any assistance.


DDS (Ver_09-12-01.01) - NTFSx86
Run by btaylor at 13:48:55.64 on Mon 02/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1297 [GMT -5:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\agrsmsvc.exe
svchost.exe
C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\IFXSPMGT.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\ProtectTools\Embedded Security Software\SpTna.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTServs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\Sminst\Recguard.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Direct Folders\df.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Refinate\Refinate3\EKAG20NT.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\PC Magazine Utilities\InstaBack 2\InstaBack.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\btaylor\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\DeskPins\DeskPins.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Documents and Settings\btaylor\Desktop\HOW_TO\PC_Security\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Credential Manager for ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hpq\iam\bin\ItIeAddIN.dll
BHO: {E02E86EB-220B-4B59-A251-F849405E1D64} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [PCMagInstaback2] "c:\program files\pc magazine utilities\instaback 2\InstaBack.exe" /m
uRun: [Google Update] "c:\documents and settings\btaylor\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [PTHOSTTR] c:\program files\hpq\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hpq\iam\bin\AsTsVcc.dll,RegisterModule
mRun: [PDF4 Registry Controller] "c:\program files\scansoft\pdf professional 4.0\\RegistryController.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [OpScheduler] "c:\program files\scansoft\omnipage15.0\OpScheduler.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DirectFolders] "c:\program files\direct folders\df.exe"
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [EKAN0200B03FD1305A4B] "c:\program files\refinate\refinate3\EKAG20NT.EXE" 0200B03FD1305A4B 1
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\btaylor\startm~1\programs\startup\button~1.lnk - c:\program files\pc magazine utilities\buttonboogie\ButtonBoogie.exe
StartupFolder: c:\docume~1\btaylor\startm~1\programs\startup\cpu_ds~1.lnk - c:\windows\system32\perfmon_processor1_2_diskRdWr.msc
StartupFolder: c:\docume~1\btaylor\startm~1\programs\startup\deskpins.lnk - c:\program files\deskpins\DeskPins.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a}\Certificates
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxps://a248.e.akamai.net/f/248/14778/2h/dlmanager.download.akamai.com/14778/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185496221460
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186516506781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: OneCard - c:\program files\hpq\iam\bin\AsWlnPkg.dll
AppInit_DLLs: APSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli AsWlnPkg
Hosts: 192.168.1.101 HP0015604CA995
Hosts: 195.245.119.131 browser-security.microsoft.com

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-1-22 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-1-22 317072]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-10-25 35488]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-1-22 486280]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 HBService;HBService;c:\program files\pc magazine utilities\hd heartbeat 2\HBSrvApp.exe [2007-8-1 570368]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-4-25 88192]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-10-14 35448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-6-10 36608]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2006-11-15 37296]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2008-4-5 39048]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [2007-8-17 18048]

=============== Created Last 30 ================

2010-01-28 18:33:58 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-28 18:33:40 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-28 18:33:40 0 d-----w- c:\docume~1\btaylor\applic~1\SUPERAntiSpyware.com
2010-01-28 18:32:30 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-25 00:55:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 00:55:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 00:55:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-24 22:28:14 0 d-----w- c:\program files\PC Magazine Password Profiler
2010-01-22 19:16:01 0 d-----w- c:\docume~1\btaylor\applic~1\#ISW.FS#
2010-01-22 19:09:19 0 d-----w- c:\docume~1\btaylor\applic~1\MailFrontier
2010-01-22 19:01:13 0 d-----w- c:\program files\Zone Labs
2010-01-22 19:00:48 0 d-----w- c:\windows\Internet Logs
2010-01-22 16:15:35 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-22 00:34:48 0 d-----w- c:\windows\ie8updates
2010-01-22 00:33:53 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-22 00:33:52 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-20 17:47:46 0 d-sh--w- c:\documents and settings\btaylor\PrivacIE
2010-01-20 17:39:09 0 d-sh--w- c:\documents and settings\btaylor\IETldCache
2010-01-20 17:30:55 0 dc-h--w- c:\windows\ie8
2010-01-19 21:43:45 6912054 ----a-w- c:\windows\HP Cityscape Wide_auto_switch.bmp
2010-01-19 19:50:42 0 d-----w- c:\docume~1\btaylor\applic~1\GrabPro
2010-01-07 02:05:05 470528 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-06 21:48:49 0 d-----w- c:\docume~1\btaylor\applic~1\Foxit Software

==================== Find3M ====================

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:14:05 1208832 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:14:04 5942784 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:14:04 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2009-12-21 19:14:03 594432 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-21 19:14:03 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-21 19:14:03 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:14:03 1985536 ----a-w- c:\windows\system32\dllcache\iertutil.dll
2009-12-21 19:14:03 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:14:02 11070464 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2009-12-21 19:14:01 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 13:51:19.54 ===============

#4 schrauber
  • Malware Response Instructor
  • Location: Munich, Germany

Posted 01 February 2010 - 02:44 PM

Hello, bt_pcsecurity
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.




Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#5 bt_pcsecurity
  • Topic Starter

Posted 02 February 2010 - 02:37 AM

In GMER, when I clicked on SCAN, I got an hourglass. Thinking the hourglass meant it was scanning, I didn't want to risk disturbing it and so I waited for a while. After an hour, when I clicked a gmer button, it said "not responding" in the title bar. It would have been nice if I had been given a description of what it was supposed to look like after clicking SCAN so I wouldn't have wasted that hour watching a hung system.

Anyway, then I ran it in safe mode. It was still scanning files after 6 hours. Is that a "normal" amount of time?

After I saved the log file, I clicked OK and the GMER window closed but the system hung with "winlogon.exe" consuming all of one cpu (50) and System Idle Processes also at 50. I could not shut down the PC without powering it down.

The "Date Modified" dates for the files in the "etc" folder listed below are 8/4/2004 except "host" which is from 3/18/2009 (which is way before I started seeing popups a couple months ago).

Here's the whole log file that was saved.



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-02 02:00:38
Windows 5.1.2600 Service Pack 2
Running: huc750bq.exe; Driver: C:\DOCUME~1\btaylor\LOCALS~1\Temp\kfliiaow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

Device \FileSystem\Cdfs \Cdfs F6210400

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641caef21
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641caef21 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\etc\hosts 814 bytes
File C:\WINDOWS\system32\drivers\etc\lmhosts.sam 3683 bytes
File C:\WINDOWS\system32\drivers\etc\networks 407 bytes
File C:\WINDOWS\system32\drivers\etc\protocol 799 bytes
File C:\WINDOWS\system32\drivers\etc\services 7116 bytes
File C:\WINDOWS\system32\DRVSTORE\gtipci21_26B0C4BCF12C032FF80FBE59F6AA4B2DEA55305F\cttib1.dll 28672 bytes executable
File C:\WINDOWS\system32\DRVSTORE\gtipci21_26B0C4BCF12C032FF80FBE59F6AA4B2DEA55305F\gtipci21.cat 8854 bytes
File C:\WINDOWS\system32\DRVSTORE\gtipci21_26B0C4BCF12C032FF80FBE59F6AA4B2DEA55305F\gtipci21.inf 3149 bytes
File C:\WINDOWS\system32\DRVSTORE\gtipci21_26B0C4BCF12C032FF80FBE59F6AA4B2DEA55305F\gtipci21.sys 88192 bytes executable
File C:\WINDOWS\system32\DRVSTORE\gtipci21_26B0C4BCF12C032FF80FBE59F6AA4B2DEA55305F\tiscfw.deb 17120 bytes
File C:\WINDOWS\system32\GroupPolicy\Adm 0 bytes

---- EOF - GMER 1.0.15 ----

Edited by bt_pcsecurity, 02 February 2010 - 02:47 AM.


#6 schrauber
  • Malware Response Instructor
  • Location: Munich, Germany

Posted 02 February 2010 - 03:14 PM

Hi,


Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


#7 bt_pcsecurity
  • Topic Starter

Posted 02 February 2010 - 03:34 PM

Thank you for your response. Could you please inform me what it is that Combofix will change on my machine?

From all of the scans and reports generated so far, it does not appear there is much of anything found.

Can you give me your thoughts about what might be going on with these popups (because nothing has been found yet on my machine, seems I'm not conspicuously infected)?

Is it possible that I have simply been revisiting a website that has the fake antivirus popup and so it keeps popping up (albeit not necessarily at the contaminated webpage)?

I am going to hold off on using Combofix until I learn a little more about it from you.

Thank you.

Edited by bt_pcsecurity, 02 February 2010 - 03:35 PM.


#8 schrauber
  • Malware Response Instructor
  • Location: Munich, Germany

Posted 02 February 2010 - 03:46 PM

Hi,

All tools we used were only scanners, now we will start removing: Combofix will take out a few, also we have to fix the altered hostfile.

Please run it.
regards,
schrauber


#9 bt_pcsecurity
  • Topic Starter

Posted 02 February 2010 - 04:01 PM

Please know that I do very much appreciate your assistance.

I notice that Combofix has caused some serious issues in the recent past. Frankly, I am concerned about ANY and ALL software that I install on my machine. I have only installed software that I have fairly good reason to trust.

So, I have to wonder... aside from the hostfile issue you mention, are there other issues that have been indicated in any of the reports I've provided? Is there another way to fix the hostfile without using Combofix?

Is Combofix going to look for anything that the other tools haven't looked for already?

Are there manual methods I could use for making necessary changes rather than running a whole debugging and system modifying piece of software?

I don't have the Recovery Console installed and I'd have to have that done as well. Again, I'd rather not change my system unless there is a serious problem with it that cannot be remedied manually in a reliable fashion.

#10 bt_pcsecurity
  • Topic Starter

Posted 02 February 2010 - 05:21 PM

Although my PC does not seem to be tangled badly in a virus at this point (as the person at the following link was experiencing), this is what I'm afraid of when you ask that I use Combofix:
http://www.bleepingcomputer.com/forums/t/292567/combofix-crashed-pc-will-not-boot/

So, I ask very respectfully, is there a way that you can show me why I must use Combofix instead of using basic manual steps?

For instance, would it be okay to either comment out or delete from the hostfile the following and then see if it comes back after reboots?:
"195.245.119.131 browser-security.microsoft.com"

If it didn't come back, would that indicate whether or not there really is an infestation?

**Can you tell me why Malwarebytes and SuperAntispyware do NOT fix the hostfile?**

I've been burnt before after making changes to my PC so I like to do whatever is minimally intrusive while being as effective as necessary.

Thank you.

Edited by bt_pcsecurity, 02 February 2010 - 07:19 PM.
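
The hosts-file question raised in this post, and the "altered hostfile" schrauber refers to in #8, can be checked with a plain parser rather than a removal tool. The following Python script is an added example, not something posted in the thread and not part of any of the tools it names: it parses hosts-file text, treats loopback, unspecified and private-range targets as the normal benign cases, and flags any entry that points a vendor domain such as microsoft.com at a public address, which is exactly the shape of the "195.245.119.131 browser-security.microsoft.com" line in the DDS log earlier in the thread. The sample hosts content and the WATCHED_SUFFIXES list are constructed for the example.

```python
"""Report hosts-file entries that redirect vendor domains to public addresses.

Added example; the sample data and the watched-domain list are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

# Domains a home PC's hosts file has no legitimate reason to override
# (illustrative list, an assumption of this example, not exhaustive).
WATCHED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "malwarebytes.org",
    "superantispyware.com",
    "bleepingcomputer.com",
)

# Constructed sample: the two non-comment entries the DDS log reports,
# preceded by the stock header and localhost line of a Windows XP hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.101   HP0015604CA995
195.245.119.131 browser-security.microsoft.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname on each data line.

    Comments (anything after '#'), blank lines and lines with no hostname are
    skipped; hostnames are lower-cased because DNS names are case-insensitive.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def classify(address: str, hostname: str) -> Optional[str]:
    """Return a reason string for an entry worth reviewing, or None if benign.

    Loopback (127.x), unspecified (0.0.0.0, common in ad-blocking lists) and
    RFC 1918 private targets are the normal content of a hosts file; a public
    target is unusual, and a public target for a watched vendor domain is the
    classic fake-antivirus redirect.
    """
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "malformed address"
    if addr.is_loopback or addr.is_unspecified or addr.is_private:
        return None
    name = hostname.lower()
    if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
        return "vendor domain redirected to a public address"
    return "non-local name resolved to a public address"


def find_suspicious(text: str) -> List[Tuple[str, str, str]]:
    """Run classify() over every entry and keep the ones with a reason."""
    findings = []
    for address, hostname in parse_hosts(text):
        reason = classify(address, hostname)
        if reason is not None:
            findings.append((address, hostname, reason))
    return findings


if __name__ == "__main__":
    for address, hostname, reason in find_suspicious(SAMPLE_HOSTS):
        print(f"{hostname} -> {address}: {reason}")
```

On the affected machine the same logic would be run over the contents of C:\WINDOWS\system32\drivers\etc\hosts. The script deliberately only reports: whether to remove a line, and whether it returns after a reboot as the post asks, stays with the helper and the other logs, since a hosts entry is often the symptom of a process that rewrites it rather than the infection itself.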


#11 bt_pcsecurity
  • Topic Starter

Posted 02 February 2010 - 07:53 PM

Okay, because I wanted to get this done by the end of this night, I reluctantly double clicked the Combofix download that I had renamed to "schrauber" before downloading it to my desktop. I turned off ZoneAlarm using the tray icon to close it down.

But after starting Combofix by double clicking it, I only saw a progress bar scan a few times for maybe less than a minute and then it went away. Nothing happened after that. So within 5 minutes after I first started Combofix, I opened the performance monitor to see if anything was happening with the hard drive or with the CPU. Not much was going on.

So I opened Taskmanager and didn't see anything that looked like Combofix running -- System Idle Process = 99%. There was no request that I install the Recovery Console even though I don't have it installed. No process named "schrauber" is shown to be loaded (what process name should I look for to see if combofix is still an active process)?

And there is no C:\ComboFix.txt file.

It appears that ComboFix terminated within only a couple of minutes after it was started without ever showing any display except for a small progress bar which I believe contained no text. I have not rebooted yet. Please advise about the next step I should take.

**I attached a screen capture of the ComboFix folder that was created (file creation times). It might give you a hint about what happened. Note that some files have timestamps that are 10 hours after I initially started ComboFix.

Is there anything I should do to be sure my system does not become unstable after a reboot (due to ComboFix or whatever that program was which got downloaded from the link you provided)?

IMPORTANT: (See attachment showing Combofix file properties) Looking at the properties of the downloaded file, I see a note that I've never seen before. It says:
Security: This file came from another computer and might be blocked to help protect this computer. UNBLOCK?

I'm surprised that I've never seen such a property shown for any other files before. What is that about? (I'm not going to research this by using my browser because ZoneAlarm is still turned off until I hear back from you).

Edited by bt_pcsecurity, 03 February 2010 - 11:59 AM.


#12 schrauber
  • Malware Response Instructor
  • Location: Munich, Germany

Posted 03 February 2010 - 01:22 PM

Seems like some active protection has stopped Combofix.
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


With the above tool, we can fix some things manually.
regards,
schrauber


#13 bt_pcsecurity
  • Topic Starter

Posted 03 February 2010 - 01:27 PM

Concerning that failed attempt to run combofix (perhaps due to the OS blocking it), should I reboot before proceeding with anything else?

Do you think rebooting might cause a problem due to combofix running only partially?

My PC seems to be running fine without having rebooted yet. I have re-activated ZoneAlarm.

Update: I have begun the OTL scan without rebooting my PC. What is a typical amount of time it will take until the scan is finished? Can I use the computer for other things while it is running?

Edited by bt_pcsecurity, 03 February 2010 - 01:49 PM.


#14 bt_pcsecurity
  • Topic Starter

Posted 03 February 2010 - 02:19 PM

OTL logfile created on: 2/3/2010 1:35:16 PM - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\btaylor\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 85.54 Gb Total Space | 26.69 Gb Free Space | 31.20% Space Free | Partition Type: NTFS
Drive D: | 7.61 Gb Total Space | 0.68 Gb Free Space | 8.92% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ADE-MOBILE1-HP
Current User Name: btaylor
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/03 13:31:06 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\btaylor\Desktop\OTL.exe
PRC - [2010/02/02 19:41:17 | 000,388,608 | ---- | M] (Microsoft Corporation) -- C:\32788R22FWJFW\cmd.cfxxe
PRC - [2010/01/11 15:21:52 | 000,246,504 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jusched.exe
PRC - [2009/12/17 17:14:11 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/31 22:05:23 | 000,136,176 | ---- | M] (Google Inc.) -- C:\Documents and Settings\btaylor\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
PRC - [2009/10/17 01:41:10 | 002,384,240 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2009/10/17 01:39:40 | 001,037,192 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2009/10/14 08:30:26 | 000,476,528 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2009/10/14 08:30:12 | 001,217,904 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
PRC - [2009/10/14 08:30:06 | 000,730,480 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2009/09/10 11:15:42 | 000,870,672 | ---- | M] (SonicWALL, Inc.) -- C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
PRC - [2009/07/01 22:05:58 | 001,713,152 | ---- | M] (Software Security System) -- C:\Program Files\Refinate\Refinate3\Ekag20nt.exe
PRC - [2009/06/22 06:49:23 | 000,117,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqtgsvc.exe
PRC - [2009/06/22 06:49:04 | 000,004,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqsvc.exe
PRC - [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/10/10 04:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/02 15:46:14 | 000,446,464 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2007/02/16 17:57:24 | 001,945,960 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
PRC - [2007/02/16 17:49:58 | 000,149,024 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2007/02/16 17:49:50 | 000,411,168 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2007/02/16 17:45:30 | 001,169,776 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2007/01/12 13:36:40 | 000,827,392 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2006/11/11 21:56:18 | 000,266,295 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PRC - [2006/10/18 19:05:26 | 000,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe
PRC - [2006/06/08 13:02:06 | 000,131,072 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HPQ\HP ProtectTools Security Manager\pthosttr.exe
PRC - [2006/06/07 17:12:26 | 000,126,976 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HPQ\HP ProtectTools Security Manager\PTServs.exe
PRC - [2006/05/04 13:05:00 | 000,055,808 | R--- | M] (Cognizance Corporation) -- C:\Program Files\HPQ\IAM\Bin\asghost.exe
PRC - [2006/05/02 14:41:28 | 000,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
PRC - [2006/03/30 08:15:44 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/03/02 17:39:42 | 000,131,072 | ---- | M] ( Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
PRC - [2006/02/15 17:43:16 | 000,892,928 | ---- | M] () -- C:\WINDOWS\SMINST\Scheduler.exe
PRC - [2006/02/14 12:49:22 | 000,454,656 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
PRC - [2006/01/29 20:00:04 | 000,088,203 | ---- | M] (Agere Systems) -- C:\WINDOWS\AGRSMMSG.exe
PRC - [2006/01/20 13:20:00 | 000,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2006/01/17 00:01:46 | 000,053,248 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\accelerometerST.exe
PRC - [2006/01/10 07:23:54 | 000,458,752 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\system32\IFXSPMGT.exe
PRC - [2006/01/10 07:23:16 | 000,136,736 | ---- | M] (Infineon Technologies AG) -- C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
PRC - [2005/12/23 14:44:26 | 000,491,606 | ---- | M] () -- C:\Program Files\HPQ\Shared\HpqToaster.exe
PRC - [2005/12/20 17:51:40 | 001,187,840 | ---- | M] () -- C:\WINDOWS\SMINST\Recguard.exe
PRC - [2005/09/02 06:59:02 | 000,647,168 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\system32\IFXTCS.exe
PRC - [2005/08/19 09:47:52 | 000,173,600 | ---- | M] (Infineon Technologies AG) -- C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
PRC - [2005/08/19 09:22:10 | 000,397,312 | ---- | M] (Infineon Technologies AG) -- C:\Program Files\ProtectTools\Embedded Security Software\SpTNA.exe
PRC - [2005/06/10 09:44:02 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2005/05/20 03:11:06 | 000,925,696 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2004/08/04 03:00:00 | 000,815,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mmc.exe
PRC - [2004/08/04 03:00:00 | 000,007,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\chcp.com
PRC - [2003/05/31 20:02:32 | 007,544,916 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe


========== Modules (SafeList) ==========

MOD - [2010/02/03 13:31:06 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\btaylor\Desktop\OTL.exe
MOD - [2009/10/14 08:30:36 | 000,628,080 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
MOD - [2009/10/14 08:30:06 | 000,546,160 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll
MOD - [2009/09/10 11:15:48 | 000,013,072 | ---- | M] () -- C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\MlfHook.dll
MOD - [2008/07/25 10:17:20 | 000,635,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll
MOD - [2008/07/25 10:17:20 | 000,558,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll
MOD - [2006/08/25 10:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2006/06/15 01:41:00 | 000,086,016 | R--- | M] (Cognizance Corporation) -- C:\Program Files\HPQ\IAM\Bin\ItClient.dll
MOD - [2004/08/04 03:00:00 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/17 17:14:11 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/12/17 16:36:24 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/10/17 01:41:10 | 002,384,240 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2009/10/14 08:30:26 | 000,476,528 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
SRV - [2009/08/27 13:48:34 | 000,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/06/22 06:49:23 | 000,117,248 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\mqtgsvc.exe -- (MSMQTriggers)
SRV - [2009/06/22 06:49:04 | 000,004,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\mqsvc.exe -- (MSMQ)
SRV - [2008/10/10 04:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2007/08/09 02:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2007/03/02 15:46:14 | 000,446,464 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2007/02/16 17:49:50 | 000,411,168 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/01/04 18:48:52 | 000,112,152 | ---- | M] (InterVideo) [On_Demand | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/11/20 22:05:04 | 000,139,264 | ---- | M] () [On_Demand | Stopped] -- c:\ADEdevlp\altera\Quartus_61\quartus\bin\jtagserver.exe -- (JTAGServer)
SRV - [2006/11/11 21:56:18 | 000,266,295 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2006/10/09 10:32:26 | 000,570,368 | ---- | M] (Ziff Davis Media, Inc) [On_Demand | Stopped] -- C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe -- (HBService)
SRV - [2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/09/09 01:15:00 | 000,063,488 | R--- | M] (Cognizance Corporation) [Auto | Running] -- C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll -- (ASBroker)
SRV - [2006/05/02 14:41:28 | 000,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Auto | Running] -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex)
SRV - [2006/03/30 08:15:44 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/03/07 04:36:00 | 000,132,096 | R--- | M] (Cognizance Corporation) [Auto | Running] -- C:\Program Files\HPQ\IAM\Bin\ASChnl.dll -- (ASChannel)
SRV - [2006/01/20 13:20:00 | 000,073,728 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2006/01/12 14:22:38 | 000,294,912 | ---- | M] (SoftThinks) [Auto | Stopped] -- C:\WINDOWS\SMINST\PCAngel.exe -- (PCA)
SRV - [2006/01/10 07:23:54 | 000,458,752 | ---- | M] (Infineon Technologies AG) [Auto | Running] -- C:\WINDOWS\system32\IFXSPMGT.exe -- (IFXSpMgtSrv)
SRV - [2005/09/02 06:59:02 | 000,647,168 | ---- | M] (Infineon Technologies AG) [Auto | Running] -- C:\WINDOWS\system32\IFXTCS.exe -- (IFXTCS)
SRV - [2005/08/19 09:47:52 | 000,173,600 | ---- | M] (Infineon Technologies AG) [Auto | Running] -- C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE -- (PersonalSecureDriveService)
SRV - [2004/10/22 05:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 14:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/05/31 20:02:32 | 007,544,916 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe -- (MSSQL$MICROSOFTBCM)
SRV - [2003/04/01 21:08:30 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\IcdSptSv.exe -- (ICDSPTSV)
SRV - [2002/12/17 14:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -- (SQLAgent$MICROSOFTBCM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2010/01/22 14:01:59 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/03/18 15:18:02 | 000,000,814 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.168.1.101 HP0015604CA995
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems)
O2 - BHO: (ZoneAlarm Toolbar Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (HP Credential Manager for ProtectTools) - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll (Infineon Technologies AG)
O2 - BHO: (no name) - {E02E86EB-220B-4B59-A251-F849405E1D64} - No CLSID value found.
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems)
O3 - HKLM\..\Toolbar: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\accelerometerST.exe (Hewlett-Packard Corporation)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AGRSMMSG] C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [CognizanceTS] C:\Program Files\HPQ\IAM\Bin\AsTsVcc.dll (Cognizance Corporation)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [DirectFolders] C:\Program Files\Direct Folders\df.exe (Code Sector Inc.)
O4 - HKLM..\Run: [EKAN0200B03FD1305A4B] C:\Program Files\Refinate\Refinate3\EKAG20NT.EXE (Software Security System)
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [OpScheduler] C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe File not found
O4 - HKLM..\Run: [PDF4 Registry Controller] C:\Program Files\ScanSoft\PDF Professional 4.0\RegistryController.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QlbCtrl] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe ( Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe ()
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\btaylor\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [PCMagInstaback2] C:\Program Files\PC Magazine Utilities\InstaBack 2\InstaBack.exe (Ziff Davis Media, Inc)
O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe File not found
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\btaylor\Start Menu\Programs\Startup\ButtonBoogie.lnk = C:\Program Files\PC Magazine Utilities\ButtonBoogie\ButtonBoogie.exe (Ziff Davis Media, Inc.)
O4 - Startup: C:\Documents and Settings\btaylor\Start Menu\Programs\Startup\CPU_DskRdWr.lnk = C:\WINDOWS\system32\perfmon_processor1_2_diskRdWr.msc ()
O4 - Startup: C:\Documents and Settings\btaylor\Start Menu\Programs\Startup\DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe (Elias Fotinis)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: turbotax.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} https://a248.e.akamai.net/f/248/14778/2h/dl...vex-2.2.3.5.cab (DLM Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1185496221460 (WUWebControl Class)
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab (HpProductDetection Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1186516506781 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab (DownloadManager Control)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\IfxWlxEN: DllName - IfxWlxEN.dll - C:\WINDOWS\System32\IfxWlxEN.dll (Infineon Technologies AG)
O20 - Winlogon\Notify\OneCard: DllName - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll (Cognizance Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\HP Cityscape Wide_auto_switch.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\HP Cityscape Wide_auto_switch.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/23 12:21:43 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 04:07:00 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 20:01:00 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{0153018a-60aa-11dc-ab8c-0014a5ff3a2f}\Shell - "" = AutoRun
O33 - MountPoints2\{0153018a-60aa-11dc-ab8c-0014a5ff3a2f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0153018a-60aa-11dc-ab8c-0014a5ff3a2f}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{83c2ca88-9e18-11dc-abcc-0014a5ff3a2f}\Shell - "" = AutoRun
O33 - MountPoints2\{83c2ca88-9e18-11dc-abcc-0014a5ff3a2f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9a29fe6e-cb4e-11dd-93d4-0014a5ff3a2f}\Shell - "" = AutoRun
O33 - MountPoints2\{9a29fe6e-cb4e-11dd-93d4-0014a5ff3a2f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9a29fe6e-cb4e-11dd-93d4-0014a5ff3a2f}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{ab55f7ba-6279-11dc-a1c2-0014a5ff3a2f}\Shell - "" = AutoRun
O33 - MountPoints2\{ab55f7ba-6279-11dc-a1c2-0014a5ff3a2f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk /p \??\I:) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/07/26 20:22:36 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - C:\WINDOWS\system32\irmon.dll (Microsoft Corporation)
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (72905356157648896)

========== Files/Folders - Created Within 14 Days ==========

[2010/02/03 13:31:04 | 000,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\btaylor\Desktop\OTL.exe
[2010/02/02 19:41:20 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/02 19:41:07 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/01/28 13:33:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/01/28 13:33:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\btaylor\Application Data\SUPERAntiSpyware.com
[2010/01/28 13:33:40 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/01/28 13:32:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/01/24 19:55:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/24 19:55:01 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/24 19:55:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/24 19:48:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/01/24 17:28:14 | 000,000,000 | ---D | C] -- C:\Program Files\PC Magazine Password Profiler
[2010/01/22 14:16:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\btaylor\Application Data\#ISW.FS#
[2010/01/22 14:09:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\btaylor\Application Data\MailFrontier
[2010/01/22 14:01:48 | 000,128,016 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\kl1.sys
[2010/01/22 14:01:41 | 000,317,072 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2010/01/22 14:01:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2010/01/22 14:01:13 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/01/22 14:00:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010/01/21 19:34:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/01/21 14:58:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/01/20 13:48:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\btaylor\My Documents\ZoneAlarmInternet Logs
[2007/10/21 10:19:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2007/07/26 20:23:49 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2007/07/26 20:23:48 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/07/26 20:23:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Documents and Settings\btaylor\My Documents\*.tmp files -> C:\Documents and Settings\btaylor\My Documents\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/02/03 13:31:06 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\btaylor\Desktop\OTL.exe
[2010/02/03 13:10:01 | 000,000,986 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1252682364-4217468778-4039539407-1006UA.job
[2010/02/03 12:11:31 | 000,000,144 | ---- | M] () -- C:\WINDOWS\System32\pdfl.dat
[2010/02/03 12:02:32 | 000,152,696 | ---- | M] () -- C:\Documents and Settings\btaylor\My Documents\ComboFix_folder_content2.jpg
[2010/02/03 11:58:26 | 000,027,370 | ---- | M] () -- C:\Documents and Settings\btaylor\My Documents\ComboFix_Properties.jpg

OTL Extras logfile created on: 2/3/2010 1:35:16 PM - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\btaylor\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 85.54 Gb Total Space | 26.69 Gb Free Space | 31.20% Space Free | Partition Type: NTFS
Drive D: | 7.61 Gb Total Space | 0.68 Gb Free Space | 8.92% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ADE-MOBILE1-HP
Current User Name: btaylor
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

"{9AA3FA54-3CF1-45E9-8786-9E896B161379}" = HP Credential Manager for ProtectTools
"{9D25D3FD-A1DE-4CA0-BE6F-B5F65545DDB6}" = Directory Services
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{9EC41026-8399-47E4-9FE9-CFCCCB71F8C3}" = Property Reporting Wizard
"{9EF5B77F-703E-4953-9DA9-186E28A62568}" = 7300Trb
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4121C0A-438D-426D-986F-4E14BBBAB2A3}" = MGC Visual Studio 7 Runtime
"{A4DF8034-28B1-4967-9216-2B2BB435A7C1}" = Program Files Professional Help
"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config
"{A7016C76-6B65-428F-A2E8-F8A8007BECAF}" = Database Design
"{A79BF79B-E611-53FC-855B-32D418B3BE7F}" = CCC Help Italian
"{A7A6ACF2-AEAB-70D8-C44B-DAC7AFA27EDE}" = Catalyst Control Center Localization Finnish
"{A7AD8CEF-72D7-4FE4-8A14-DDD09DC86074}" = HP Notebook Accessories Product Tour
"{A8323532-49A2-4055-B424-EEB547E3D02E}" = Project Schedules
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AA0DD516-7ABA-3D8D-63FE-1C9F140D4D16}" = Catalyst Control Center Localization Spanish
"{AA12D4B2-1EAE-4DCA-9C5D-C0674A426758}" = MegaCore IP Library 6.1
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AD7914E1-6453-4440-AEC7-02C72AD6FE5F}" = TIPCI
"{AE052EF7-2640-48D7-8915-69B810D975CB}" = HP BIOS Configuration for ProtectTools 2.00 C3
"{B06E51F3-D04E-4898-9700-2E48788D5274}" = Clip Art and Symbols
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B5924CA6-24A7-48F5-BC9C-8BFA94ED4564}" = LightScribe 1.4.67.1
"{B5A344FB-EC76-B196-B40A-DD410DDD6A4C}" = CCC Help Greek
"{B6826FA8-04C8-4147-AA3C-5B900AB887A1}" = PowerArchiver 2007
"{B80DA153-D56F-4D80-AC29-CEBC8BB263B9}" = Callouts and Connectors
"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
"{B9EF1B56-2E87-11D3-80A5-00C04F6B854D}" = Maps
"{BA04FFF0-F3A5-4D48-BD32-003D7E901178}" = Page Layout Wizard
"{BA275E90-6B63-EDD5-6A5C-A0E690585115}" = Catalyst Control Center Localization Norwegian
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BBC8E5CE-EBA6-AA71-03EF-A8E847EBC856}" = Catalyst Control Center Localization French
"{BBE93891-6608-11d3-9F6A-006008A88EC8}" = Help for Visio 2000 (HTML Help)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C0C26E52-D52C-41ED-8F1C-D3D0DC941955}" = Software Design
"{C5E69312-4354-11D3-B0BC-00C04FC2B1B9}" = CAD Drawing Display
"{C8A6BD64-0FB7-4AE5-82DF-09B5C6161486}" = Database Design Help
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg
"{CE0C8CC5-E396-442B-A50E-D1D374A9E820}" = DocumentViewer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0EBA25A-78EC-B855-22AA-243D26524400}" = Catalyst Control Center Localization Russian
"{D177CEC6-ABF4-6C8E-0D8E-0C04530D0128}" = Catalyst Control Center Localization Polish
"{D2D89191-1BB5-42BF-863D-991347B36641}" = Block Diagrams
"{D537C817-BF8E-4746-9E1E-E2A67DAECE4E}" = Add-ons
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 Anniversary Edition
"{D982E7B4-4C62-11D3-A339-006097B6ECD2}" = Visio Core Files
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DE86D3FE-E40A-430E-7C9D-E896DBB6A5BC}" = Catalyst Control Center Localization Swedish
"{DFB8D937-5CC3-4555-9150-90E57459AF00}" = Block Diagrams Help
"{DFE81EB6-0287-4DFF-AE7D-14E664586905}" = Clip Art and Symbols Help
"{E019C464-063D-CCBD-5B1B-BB1DF0847266}" = CCC Help Polish
"{E0DBC47C-ED3F-4A1B-A929-9A26DAAA14B3}" = Application Installer 4.00.B5
"{E2057EE6-A559-40E3-AF8B-437866E0EDA9}" = Flowcharts Help
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E44BD710-B71A-11d3-9F79-006008A88EC8}" = VBA
"{E5764097-B506-D2A9-52F4-0D7B8D092F2A}" = Catalyst Control Center Localization Danish
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{E7DE3D60-3FB8-11D3-8F79-00C04F8DD7E3}" = Developing Visio Solutions Help
"{E7E8B506-BF0F-64C7-401D-14C49719C214}" = CCC Help French
"{E8814A8F-3B06-11D3-8CD7-00C04F72C04D}" = Microsoft Visual Studio Service Pack 3
"{EE6824C7-84BC-0059-895F-9605010DB453}" = Catalyst Control Center Localization Czech
"{EF949584-D843-4F7F-A4B4-070CC9E48B45}" = UltraCompare Professional
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F28D0D4C-D522-43B1-9700-C896A76C6130}" = Maps Help
"{F500FE1A-5B52-4851-9813-7541E157ACC4}" = HP User Guides 0020
"{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
"{F6302A1E-FE95-ADA7-92D6-FCB8A78343CF}" = Catalyst Control Center Localization Italian
"{F8AC5466-790B-12AA-B3F4-D25A54BCA758}" = CCC Help English
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
"{FC588207-9B40-4800-92AD-EB4D48FB7726}" = Forms and Charts Help
"{FFFBD37E-2309-A927-59A7-7F5F007C0C23}" = CCC Help Portuguese
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"AI RoboForm" = AI RoboForm (All Users)
"ATI Display Driver" = ATI Display Driver
"Cadence PSD 14.2 Node-locked" = Cadence PSD 14.2 Node-locked
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CCleaner" = CCleaner
"CSCLIB" = Canon Camera Support Core Library
"CutePDF Writer Installation" = CutePDF Writer 2.7
"DeskPins" = DeskPins (remove only)
"DirectFoldersAppID_is1" = Direct Folders
"EOS Utility" = Canon Utilities EOS Utility
"Excel VBA Code Cleaner 5.0" = Excel VBA Code Cleaner 5.0
"Foxit Reader" = Foxit Reader
"HP Photo & Imaging" = HP Image Zone 4.7
"HTPE3" = HyperTerminal Private Edition v6.3
"HyperSnap-DX 4" = HyperSnap-DX 4
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Inno Setup 5_is1" = Inno Setup version 5.2.3
"InstallShield_{AD7914E1-6453-4440-AEC7-02C72AD6FE5F}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"IrfanView" = IrfanView (remove only)
"Macro Express 3" = Macro Express 3
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MentorGraphicsJI" = Mentor Graphics Products
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Developer Network - Visual Studio 6.0a" = MSDN Library - Visual Studio 6.0a
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PC Magazine ButtonBoogie 2_is1" = PC Magazine ButtonBoogie 2.1
"PC Magazine File Utility Pack_is1" = PC Magazine File Utility Pack
"PC Magazine File Warden" = PC Magazine File Warden
"PC Magazine HD HeartBeat 2_is1" = PC Magazine HD HeartBeat 2.0
"PC Magazine InstaBack_is1" = PC Magazine InstaBack 2.0
"PC Magazine Startup Cop Pro" = PC Magazine Startup Cop Pro
"PC Magazine's WinTidy_is1" = WinTidy 1.0.11
"PC Tune-Up" = PC Tune-Up
"PCMagazine WMatch_is1" = PCMagazine WMatch Version 3.0
"Performance Monitor v1.0" = Performance Monitor v1.0
"PhotoStitch" = Canon Utilities PhotoStitch
"Rainbow Sentinel Driver" = Sentinel System Driver
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"Refinate_is1" = Refinate version 2.0
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"SolarWinds TFTP Server" = SolarWinds TFTP Server
"Sony Digital Voice Editor 3" = Sony Digital Voice Editor 3
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TurboTax 2008" = TurboTax 2008
"TurboTax Home & Business 2007" = TurboTax Home & Business 2007
"Tweak UI 2.10" = Tweak UI
"Visual Studio 6.0 Professional Edition" = Microsoft Visual Studio 6.0 Professional Edition
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WebPost" = Microsoft Web Publishing Wizard 1.53
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xilinx ISE 10.1" = Xilinx ISE 10.1
"Xilinx ISE 8.1i" = Xilinx ISE 8.1i
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"ZoneAlarm Extreme Security" = ZoneAlarm Extreme Security
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/1/2010 9:40:22 AM | Computer Name = ADE-MOBILE1-HP | Source = HBSrvApp.exe | ID = 1
Description =

Error - 2/1/2010 5:25:07 PM | Computer Name = ADE-MOBILE1-HP | Source = Application Hang | ID = 1002
Description = Hanging application huc750bq.exe, version 1.0.15.15281, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/3/2010 1:10:05 AM | Computer Name = ADE-MOBILE1-HP | Source = Google Update | ID = 20
Description =

Error - 2/3/2010 2:10:05 AM | Computer Name = ADE-MOBILE1-HP | Source = Google Update | ID = 20
Description =

Error - 2/3/2010 3:10:05 AM | Computer Name = ADE-MOBILE1-HP | Source = Google Update | ID = 20
Description =

Error - 2/3/2010 4:10:05 AM | Computer Name = ADE-MOBILE1-HP | Source = Google Update | ID = 20
Description =

Error - 2/3/2010 5:10:05 AM | Computer Name = ADE-MOBILE1-HP | Source = Google Update | ID = 20
Description =

Error - 2/3/2010 6:10:05 AM | Computer Name = ADE-MOBILE1-HP | Source = Google Update | ID = 20
Description =

Error - 2/3/2010 7:10:05 AM | Computer Name = ADE-MOBILE1-HP | Source = Google Update | ID = 20
Description =

Error - 2/3/2010 8:10:05 AM | Computer Name = ADE-MOBILE1-HP | Source = Google Update | ID = 20
Description =

[ Credential Manager Events ]
Error - 12/28/2007 4:30:22 PM | Computer Name = ADE-MOBILE1-HP | Source = AuthServer | ID = 100811779
Description = The system failed to authenticate the submitted user credentials. User:
btaylor@. Client GUID: {Password} Error: 0xC516020B Client Host: localhost Client Address:
127.0.0.1 Authority: HP Server Host: localhost Protocol: HTTP

Error - 12/28/2007 4:30:22 PM | Computer Name = ADE-MOBILE1-HP | Source = AuthWiz | ID = 100796068
Description = The submitted credentials were rejected. User: btaylor@. Credentials:
Password Error: (0xC516020B) The system could not log you on. Verify your user
name and domain are correct and then type your password again. Letters in passwords
must be typed using the correct case. Verify that Caps Lock is off.

Error - 2/14/2008 10:21:28 AM | Computer Name = ADE-MOBILE1-HP | Source = AuthServer | ID = 100811779
Description = The system failed to authenticate the submitted user credentials. User:
btaylor@. Client GUID: {F01A31F7-51E5-4754-A9E9-47628503D6E2} Error: 0xC5161001 Client
Host: localhost Client Address: 127.0.0.1 Authority: HP Server Host: localhost Protocol:
HTTP

Error - 2/14/2008 10:21:28 AM | Computer Name = ADE-MOBILE1-HP | Source = AuthWiz | ID = 100796068
Description = The submitted credentials were rejected. User: btaylor@. Credentials:
Fingerprints Error: (0xC5161001) The fingerprints provided do not match.

Error - 2/14/2008 10:21:30 AM | Computer Name = ADE-MOBILE1-HP | Source = AuthServer | ID = 100811779
Description = The system failed to authenticate the submitted user credentials. User:
btaylor@. Client GUID: {Password} Error: 0xC516020B Client Host: localhost Client Address:
127.0.0.1 Authority: HP Server Host: localhost Protocol: HTTP

[ System Events ]
Error - 2/1/2010 6:18:55 PM | Computer Name = ADE-MOBILE1-HP | Source = Service Control Manager | ID = 7001
Description = The Message Queuing service depends on the Distributed Transaction
Coordinator service which failed to start because of the following error: %%1068

Error - 2/1/2010 6:18:55 PM | Computer Name = ADE-MOBILE1-HP | Source = Service Control Manager | ID = 7001
Description = The Message Queuing Triggers service depends on the Message Queuing
service which failed to start because of the following error: %%1068

Error - 2/1/2010 6:18:55 PM | Computer Name = ADE-MOBILE1-HP | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 2/1/2010 6:18:55 PM | Computer Name = ADE-MOBILE1-HP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec kl1 KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip vsdatant

Error - 2/2/2010 3:00:27 AM | Computer Name = ADE-MOBILE1-HP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 2/2/2010 3:05:41 AM | Computer Name = ADE-MOBILE1-HP | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\D.

Error - 2/2/2010 3:05:41 AM | Computer Name = ADE-MOBILE1-HP | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\D.

Error - 2/2/2010 3:05:41 AM | Computer Name = ADE-MOBILE1-HP | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk0\D.

Error - 2/2/2010 3:10:01 AM | Computer Name = ADE-MOBILE1-HP | Source = Service Control Manager | ID = 7000
Description = The DS1410D service failed to start due to the following error: %%2

Error - 2/2/2010 7:10:35 PM | Computer Name = ADE-MOBILE1-HP | Source = Service Control Manager | ID = 7000
Description = The DS1410D service failed to start due to the following error: %%2


< End of report >


#15 schrauber
  • Mr.Mechanic, Malware Response Instructor
  • Location: Munich, Germany

Posted 03 February 2010 - 02:44 PM

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    CODE
    :OTL
    O2 - BHO: (no name) - {E02E86EB-220B-4B59-A251-F849405E1D64} - No CLSID value found.
    O32 - AutoRun File - [2004/04/30 20:01:00 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
    :Commands
    [emptytemp]
    [resethosts]
  • Then click the Run Fix button at the top
  • Let the program run unhindered; when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open one notepad window, OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware



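The OTL fix above targets two specific items: an O2 Browser Helper Object whose CLSID has no registration ("No CLSID value found") and a hidden/system Autorun.inf at the root of the FAT32 D: volume. The script below is an added example, not part of schrauber's post and not OTL's own code; it is a read-only triage that reproduces those two checks so a responder can confirm what OTL is about to move before running the fix, and re-check afterwards. It assumes PowerShell 2.0 or later run from an elevated prompt; the Wow6432Node path is only relevant on 64-bit Windows and is skipped where it does not exist.

```powershell
# Added example (not from the thread or from OTL). Read-only: it removes nothing.
# Assumes PowerShell 2.0+ run as Administrator.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# One row per registered BHO: is its CLSID registered, and does the DLL it points at exist?
# A BHO whose CLSID key is missing is what an OTL O2 line reports as "No CLSID value found".
function Get-BhoStatus {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in (Get-ChildItem $key)) {
            $clsid    = $sub.PSChildName
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = $null; $dll = $null
            $status = 'orphaned (no CLSID value found)'
            if (Test-Path $clsidKey) {
                $name   = (Get-ItemProperty $clsidKey).'(default)'
                $inproc = "$clsidKey\InprocServer32"
                if (Test-Path $inproc) {
                    $dll = (Get-ItemProperty $inproc).'(default)'
                    if ($dll) {
                        $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                        $status = if (Test-Path $dll) { 'registered, dll present' } else { 'registered, dll missing' }
                    } else { $status = 'registered, empty InprocServer32' }
                } else { $status = 'registered, no InprocServer32' }
            }
            New-Object PSObject -Property @{
                Status = $status; CLSID = $clsid; Name = $name; Dll = $dll; Source = $key
            }
        }
    }
}

# Autorun.inf at the root of every removable (DriveType 2) or fixed (DriveType 3) volume,
# the check behind OTL's O32 line. -Force is needed because the file is usually hidden+system.
function Get-AutorunInf {
    Get-WmiObject Win32_LogicalDisk |
        Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 } |
        ForEach-Object {
            $path = Join-Path $_.DeviceID 'autorun.inf'
            if (Test-Path $path -PathType Leaf) {
                $file = Get-Item $path -Force
                # open= / shellexecute= name what AutoPlay would launch from this volume
                $launch = (Get-Content $path | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join '; '
                New-Object PSObject -Property @{
                    Path = $path; Size = $file.Length; Attributes = $file.Attributes
                    Modified = $file.LastWriteTime; Launch = $launch
                }
            }
        }
}

Get-BhoStatus  | Sort-Object Status | Format-Table Status, CLSID, Name, Dll -AutoSize
Get-AutorunInf | Format-List Path, Size, Attributes, Modified, Launch
```

Rows marked "orphaned" are the ones OTL would list as "No CLSID value found"; on its own such an entry is usually a leftover from an uninstalled toolbar rather than active malware, since nothing loads from it, so it is a hygiene item. An Autorun.inf whose Launch column points at an executable on the same volume is the item worth opening and reading before anything is deleted, because the referenced file, not the .inf itself, is the payload.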
