Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't run system restore, websites redirected


  • This topic is locked This topic is locked
52 replies to this topic

#1 agreenco

agreenco

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 13 April 2009 - 11:43 AM

Last week i clicked on what I thought was an update for a Flashplayer (at least I think it was flashplayer). Since then if I go to a website after going to my home page I get redirected to some ad website. In addition, my Kaspersky will not load on startup and if I click on the program to start it manually nothing happens. it doesn't start, there is no message, nothing. I tried a "System Restore" but I get to the " confirm restore point selection" step that starts the restore and I click "next" and again, nothing happens. No error message, just nothing. I tried running spybot but got the same result until I opened explorer, right clicked on C drive and got a drop down menu. One of the options was "scan with spybot". I clicked it and it did start a scan. It is now scanning every last file on the drive and has been doing it file by file for 2 days. It is still no where near finished. It does not show the normal spybot dialog box but instead just a loooooooong list of files. 99.99% of them have a status of "nothing found" after being scanned. There are a few that have given another status message. So far it has shown the following files and showing a particular status: Filename - regsvr.exe, Status - AD Destination; Filename - ijl12.dll, Status - Palsol; Filename - comctl.oxc, Status - stsatblaster.Memory; Filename - bdupd.dll.updpnd, Status - Winsotware.Winantivirus2005pro; Filename - syssetupinf, Status - TinyBar.C. I was able to download the HI Jack this program on another computer (which I am using to write this) and then load it on the screwed up computer. The log file it generate is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:12 AM, on 4/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SDFiles.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Owner\Application Data\U3\0000187DA5753480\LaunchPad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.agreenco.com/forsale.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0349BEB-0657-45B4-920F-1A4BB7C739E3}: NameServer = 85.255.112.64,85.255.112.225
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.64,85.255.112.225
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.64,85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.64,85.255.112.225
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe



Please help!.... How do I fix this?? Thank you!

BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:48 PM

Posted 14 April 2009 - 12:49 AM

Hi agreenco,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

You computer is infected at least with a DNS-Hijacker.

  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B0349BEB-0657-45B4-920F-1A4BB7C739E3}: NameServer = 85.255.112.64,85.255.112.225
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.64,85.255.112.225
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.64,85.255.112.225
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.64,85.255.112.225
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • To get an idea about the current condition of you computer download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Set the list of files/folders created to 3 Months and click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

      Note 1: If you have difficulty finding the logs, the logs are in this folder: C:\rsit

      Note 2: The tool takes not more than one minute to scan the system.
You might want to save this page on your favorites, so you can find it again when you return.

#3 agreenco

agreenco
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 14 April 2009 - 09:34 AM

Hello farbar,

Thank you for helping.

I did the "open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):"

All the entries below were present and I followed the directions
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0349BEB-0657-45B4-920F-1A4BB7C739E3}: NameServer = 85.255.112.64,85.255.112.225
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.64,85.255.112.225
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.64,85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.64,85.255.112.225
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

I clicked on them and checked FIX CHECKED. It did NOT then pop up a box asking if I wish to fix selected items.... It just did it and left me with the HiJack screen with the buttons below and a blank screen above. I did not know what happened so i ran another "system scan only" and all those entries you told me to check off were gone.


I assumed that Hi Jack had fixed them, so I closed HijackThis.

Then I downloaded Malwarebytes' Anti-Malware from MajorGeeks. I had done it yesterday and thus already had it on my computer. Before downloading I tried to remove yesterday's installation of Anti-Malware using add/remove programs and by using the "remove" from the drop down list for the program from the "Start/All Programs" list. Neither would work, It just sits there and I have to do CNTRL ALT DEL to stop it.
So I went ahead and enter the Malwarebyte URL in my firefox browser and downloaded the program to my desktop and clicked on it to install.
I Double Click mbam-setup.exe to install the application, and went through the various windows until I got to the "extracting files" panel. The green progress bar got abot 55%-60% across and stopped. it just hangs there. It is as far as I can get. It will not install. I have to do CNTRL ALT DEL to stop it.

So I went back to HIJack and got another Log file, see below:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:47 AM, on 4/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.agreenco.com/forsale.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks\HelpAsyncPluggableProtocol.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 4909 bytes



Thanks again for your assistance

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:48 PM

Posted 14 April 2009 - 01:17 PM

I have send you a PM did you received it?
You have tried to run MBAM many time and they are all running. Reboot the computer, run and update Malwarebytes' Anti-Malware as described in the PM.

Edited by farbar, 14 April 2009 - 03:59 PM.


#5 agreenco

agreenco
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 14 April 2009 - 02:15 PM

I don't know what a "PM" is. I assume it is a message. I would not know how to get a message since I am new to thi site and don't know my way around.

In any event, I rebooted and got Malwarebyte to install. The "update" box and the "launch" box were both checked. However, it did not lauch. It is running just as it has in the past but there is no eveidence of it unless i do a CNTRL ALT DEL and see it in the prcesses.... Basically, it is not doing an update or scan... just on in the background doing nothing.

I rebooted again after trying to start Malwarebyte, Kaspersky, and Sytem Restore but that hung up too so in orer to get it rebooted I had to press the "reset" button on the front of the computer. Now thatit is rebooted I ran another Hijack. The log is shown below.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:47 AM, on 4/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.agreenco.com/forsale.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks\HelpAsyncPluggableProtocol.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 4909 bytes

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:48 PM

Posted 14 April 2009 - 04:30 PM

agreenco,

I rebooted again after trying to start Malwarebyte, Kaspersky, and Sytem Restore but that hung up too so in orer to get it rebooted I had to press the "reset" button on the front of the computer. Now thatit is rebooted I ran another Hijack. The log is shown below.


I would like to remind you this from my first post:

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.


So either we do it together or you do this on your own.

Please don't post any logs and don't run any scans and don't change the system (like using system System Restore) unless it is consulted. I can't and don't follow you if you go too fast and I have to run to catch up with you. I don't expect you to clean the computer as I'm here to assist you with that. I expect you to use all your creativity to carry out the steps and post back if you had any trouble.


I don't know what a "PM" is. I assume it is a message. I would not know how to get a message since I am new to thi site and don't know my way around.


I understand this and take it into account, please feel free to remind me if the instructions are not clear. At the top of this page on the right side you see 1 New Messages. When you click on it a page opens. Under Message Title there is MBAM click on that and you see my Message.

Now to run MBAM first either reboot or open Task manager to stop all the running mbam.exe processes as there are 10 MBAM processes running ( to do that press Ctrl+Alt+Del then under Processes tab select mbam.exe and press End Process button).
Then run MBAM as I have described in my Personal Message, run it and wait for a couple of minutes to load, don't run it again and again.

Send me a PM if you faced any problem, otherwise post the log along with the RSIT logs.

Edited by farbar, 14 April 2009 - 04:33 PM.


#7 agreenco

agreenco
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 14 April 2009 - 04:46 PM

OK,

I understand that I need to follow your directions.

I clicked on the Anti-Malware icon once and checked to see that it was just running once. That was about 5 minutes ago.
I will just wait and won't touch anything else and hopefully the program will open and run.

i am sorry for having gone beyond what you instructed but the frustration is getting the best of me.

By the way I am writing to you from a different computer.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:48 PM

Posted 14 April 2009 - 04:52 PM

Please reply me with a PM if you have got my PM.

#9 agreenco

agreenco
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 14 April 2009 - 04:55 PM

OOOOPS

OK, I read your message and have gotten the quick scan to run. i will post the log when it is done.

Thank you!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:48 PM

Posted 14 April 2009 - 05:00 PM

Well done agreenco :thumbup2:

#11 agreenco

agreenco
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 14 April 2009 - 05:05 PM

It ran:

Here is the log:

Malwarebytes' Anti-Malware 1.36
Database version: 1983
Windows 5.1.2600 Service Pack 3

4/14/2009 5:56:52 PM
mbam-log-2009-04-14 (17-56-52).txt

Scan type: Quick Scan
Objects scanned: 81847
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\UNICCodecSoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:48 PM

Posted 14 April 2009 - 05:15 PM

You did a good job.

Was this the log of the first run after updating? When you open MBAM the logs are saved under the Logs tab.

Also proceed with the step # 3 of my first post. (RSIT logs)

#13 agreenco

agreenco
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 14 April 2009 - 05:41 PM

Here are the 2 logs..... Please accept my profound apologies for not following directions.

Thank you soooo much!


LOG.TXT
Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-04-14 18:22:39
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 85 GB (78%) free of 108 GB
Total RAM: 479 MB (40% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:40 PM, on 4/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Application Data\U3\0000187DA5753480\LaunchPad.exe
H:\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.agreenco.com/forsale.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks\HelpAsyncPluggableProtocol.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 4592 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"=C:\WINDOWS\system32\VTTimer.exe [2005-03-08 53248]
"EPSON Stylus Photo R220 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE [2005-03-09 98304]
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE [2002-02-04 53248]
"AVP"=C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe [2008-02-08 227856]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-03-09 515416]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
C:\WINDOWS\AGRSMMSG.exe [2005-03-04 88209]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R220 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE [2005-03-09 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe [2003-11-10 176128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2005-10-18 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
C:\Program Files\LogMeIn\LogMeInSystray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\News Service]
C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitStopEraser]
C:\Program Files\PCPitstop\Erase\PCPitStopErase.exe /remindme []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe [2004-09-28 32881]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2004-10-13 180269]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0 -reboot 1 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
C:\PROGRA~1\palmOne\Hotsync.exe [2004-06-09 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe -s []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
C:\PROGRA~1\MICROS~2\Office\FINDFAST.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~2\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
C:\PROGRA~1\MICROS~2\Office\OSA.EXE -b []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
C:\PROGRA~1\Intuit\QUICKB~1\COMPON~1\QBAgent\QBDAGE~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
C:\PROGRA~1\COMMON~1\Intuit\QUICKB~1\QBUpdate\qbupdate.exe [2008-10-22 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
C:\PROGRA~1\MICROS~2\Office\FINDFAST.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Microsoft Office Shortcut Bar.lnk]
C:\PROGRA~1\MICROS~2\Office\MSOFFICE.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\MSOFFICE\MSOFFICE.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^palmOne Registration.lnk]
C:\PROGRA~1\palmOne\register.exe [2005-02-22 2301952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^WinFax Application Port Starter.lnk]
C:\WINDOWS\system32\wfxsnt40.exe [1996-11-05 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^WinFax PRO Controller.lnk]
C:\PROGRA~1\Symantec\WinFax\wfxctl32.exe [1997-03-01 351232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wfxsvc"=2
"Pml Driver HPZ12"=2
"iPodService"=3
"WMPNetworkSvc"=3
"SoundMAX Agent Service (default)"=2
"tmproxy"=2
"TmPfw"=2
"QBFCService"=3
"QBCFMonitorService"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
C:\WINDOWS\system32\klogon.dll [2008-02-08 219664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ASUS\AsusUpdate\Update.exe"="C:\Program Files\ASUS\AsusUpdate\Update.exe:*:Enabled:ASUS Update"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\Program Files\GlobalSCAPE\CuteFTP\cutftp32.exe"="C:\Program Files\GlobalSCAPE\CuteFTP\cutftp32.exe:*:Enabled:Winsock FTP Client"
"C:\Program Files\Netscape\Netscape\Netscp.exe"="C:\Program Files\Netscape\Netscape\Netscp.exe:*:Enabled:Netscape"
"C:\WINDOWS\system32\fxsclnt.exe"="C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\SpamBayes\bin\sb_tray.exe"="C:\Program Files\SpamBayes\bin\sb_tray.exe:*:Enabled:sb_tray"
"C:\WINDOWS\system32\mshta.exe"="C:\WINDOWS\system32\mshta.exe:*:Enabled:Microsoft ® HTML Application host"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Intuit\QuickBooks\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager"
"C:\kav\kis\setup.exe"="C:\kav\kis\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3653be3b-e3c6-11dd-84ad-00112f463056}]
shell\AutoRun\command - StartPortableApps.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db583f2f-f1e5-11dd-84be-00112f463056}]
shell\AutoRun\command - G:\LaunchU3.exe -a


======List of files/folders created in the last 3 months======

2009-04-14 18:21:49 ----D---- C:\rsit
2009-04-14 17:50:47 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-04-14 16:54:37 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-14 16:54:36 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-14 14:28:26 ----D---- C:\Avenger
2009-04-14 14:28:26 ----A---- C:\avenger.txt
2009-04-13 22:08:31 ----A---- C:\WINDOWS\ymvm.txt
2009-04-13 11:00:57 ----D---- C:\Program Files\Trend Micro
2009-04-10 18:33:24 ----A---- C:\WINDOWS\system32\lsdelete.exe
2009-04-10 16:38:14 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-04-10 16:37:39 ----HDC---- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-10 14:58:12 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-04-02 06:11:52 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-04-01 07:43:14 ----D---- C:\WINDOWS\system32\XPSViewer
2009-04-01 07:43:10 ----D---- C:\Program Files\MSBuild
2009-04-01 07:43:01 ----D---- C:\Program Files\Reference Assemblies
2009-04-01 07:41:57 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-04-01 07:41:57 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-04-01 07:41:57 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-04-01 07:41:55 ----D---- C:\46cbebfca164e92cef59a197e6ff82
2009-03-11 21:01:55 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-11 21:01:46 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-11 21:00:32 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
2009-03-02 12:21:28 ----D---- C:\Program Files\omniformat
2009-03-02 12:20:41 ----D---- C:\Documents and Settings\All Users\Application Data\pdf995
2009-03-02 12:20:40 ----A---- C:\WINDOWS\system32\pdfmona.dll
2009-03-02 12:20:40 ----A---- C:\WINDOWS\system32\pdf995mon.dll
2009-03-02 12:18:29 ----D---- C:\Program Files\pdf995
2009-02-25 17:27:47 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-02-16 14:37:53 ----D---- C:\Documents and Settings\Owner\Application Data\Arcsoft
2009-02-16 14:36:55 ----A---- C:\WINDOWS\QuickInstall.INI
2009-02-16 14:15:28 ----D---- C:\Documents and Settings\All Users\Application Data\HotSync
2009-02-16 14:15:10 ----A---- C:\WINDOWS\PalmDevC.dll
2009-02-16 14:13:31 ----D---- C:\Program Files\palmOne
2009-02-16 14:12:11 ----D---- C:\Documents and Settings\Owner\Application Data\HotSync
2009-02-11 22:48:08 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-02-09 16:35:00 ----D---- C:\Documents and Settings\Owner\Application Data\NCH Software
2009-02-09 16:15:32 ----D---- C:\Documents and Settings\All Users\Application Data\NCH Software
2009-02-09 16:14:42 ----D---- C:\Program Files\NCH Software
2009-02-03 07:57:35 ----D---- C:\Documents and Settings\Owner\Application Data\U3

======List of files/folders modified in the last 3 months======

2009-04-14 18:18:54 ----D---- C:\Program Files\Mozilla Firefox
2009-04-14 18:00:23 ----D---- C:\WINDOWS\Temp
2009-04-14 17:58:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-14 17:50:55 ----D---- C:\WINDOWS\Prefetch
2009-04-14 16:54:40 ----D---- C:\WINDOWS\system32\drivers
2009-04-14 16:54:36 ----AD---- C:\Program Files
2009-04-14 16:41:19 ----D---- C:\WINDOWS\system32
2009-04-14 16:41:19 ----D---- C:\Program Files\Absolute Recall
2009-04-14 16:18:52 ----AC---- C:\WINDOWS\ntbtlog.txt
2009-04-14 14:28:55 ----D---- C:\WINDOWS
2009-04-14 14:28:48 ----HD---- C:\Config.Msi
2009-04-14 09:12:43 ----SHD---- C:\WINDOWS\Installer
2009-04-14 09:08:56 ----HD---- C:\WINDOWS\inf
2009-04-13 22:09:51 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-13 09:34:36 ----D---- C:\Program Files\Mozilla Thunderbird
2009-04-12 09:23:46 ----A---- C:\WINDOWS\cdplayer.ini
2009-04-11 00:48:23 ----D---- C:\Program Files\Windows Defender
2009-04-11 00:46:00 ----D---- C:\Program Files\Microsoft AntiSpyware
2009-04-11 00:21:37 ----D---- C:\Program Files\Common Files
2009-04-11 00:20:39 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-11 00:19:52 ----D---- C:\Program Files\Citrix
2009-04-11 00:07:31 ----D---- C:\Program Files\Common Files\Adobe
2009-04-11 00:07:31 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-04-11 00:01:14 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-10 16:42:27 ----SD---- C:\WINDOWS\Tasks
2009-04-10 16:37:29 ----D---- C:\Program Files\Lavasoft
2009-04-10 16:37:29 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-04-10 16:37:24 ----D---- C:\WINDOWS\WinSxS
2009-04-10 16:09:27 ----D---- C:\Program Files\DivX
2009-04-10 15:48:03 ----ASH---- C:\boot.ini
2009-04-10 15:48:03 ----A---- C:\WINDOWS\win.ini
2009-04-10 15:48:03 ----A---- C:\WINDOWS\SYSTEM.INI
2009-04-10 14:58:12 ----D---- C:\Program Files\Google
2009-04-10 14:47:21 ----D---- C:\WINDOWS\pss
2009-04-10 08:40:53 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2009-04-08 11:24:08 ----D---- C:\Program Files\Absolute Recall97
2009-04-02 06:13:10 ----D---- C:\WINDOWS\system32\CatRoot
2009-04-01 08:14:43 ----D---- C:\WINDOWS\SxsCaPendDel
2009-04-01 08:05:51 ----RSD---- C:\WINDOWS\assembly
2009-04-01 08:02:11 ----D---- C:\WINDOWS\Microsoft.NET
2009-04-01 07:43:08 ----D---- C:\WINDOWS\system32\en-US
2009-04-01 07:43:06 ----RSD---- C:\WINDOWS\Fonts
2009-04-01 07:42:36 ----D---- C:\WINDOWS\system32\spool
2009-03-31 19:37:01 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-03-20 06:29:32 ----D---- C:\WINDOWS\Help
2009-03-11 06:43:14 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-09 07:34:20 ----D---- C:\WINDOWS\system32\config
2009-03-09 07:34:07 ----D---- C:\WINDOWS\system32\wbem
2009-03-09 07:34:06 ----D---- C:\WINDOWS\Registration
2009-03-02 12:21:13 ----D---- C:\WINDOWS\system32\FxsTmp
2009-02-25 12:55:00 ----A---- C:\WINDOWS\system32\MRT.exe
2009-02-11 22:47:42 ----D---- C:\Program Files\Internet Explorer
2009-01-16 22:35:14 ----A---- C:\WINDOWS\system32\mshtml.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 klif;Klif; \??\C:\WINDOWS\system32\drivers\klif.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-06-25 43520]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2005-02-02 14408]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 klim5;Kaspersky Anti-Virus NDIS Filter; C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 24592]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-07-15 578368]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 viagfx;viagfx; C:\WINDOWS\system32\DRIVERS\vtmini.sys [2005-03-08 172544]
S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2008-04-13 48128]
S3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2008-03-21 1203776]
S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2008-04-13 38912]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-06-25 43520]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5b.sys [2004-09-03 42496]
S3 FINEPIX_PCC;FinePix Digital Camera 020906; C:\WINDOWS\System32\Drivers\V4CB010F.SYS [2002-05-07 81700]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-03-08 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-03-08 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-03-08 21744]
S3 LMImirr;LMImirr; C:\WINDOWS\system32\DRIVERS\LMImirr.sys []
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2008-04-13 51200]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys [2009-02-16 16694]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-13 121984]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\WINDOWS\system32\agrsmsvc.exe [2008-03-18 13312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-20 322120]
S2 AVP;Kaspersky Internet Security 7.0; C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe [2008-02-08 227856]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 iPodService;iPodService; C:\Program Files\iPod\bin\iPodService.exe []
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
S4 QBCFMonitorService;QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2008-10-22 20480]
S4 QBFCService;Intuit QuickBooks FCS; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2007-05-24 61440]
S4 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
S4 wfxsvc;WinFax PRO; C:\WINDOWS\system32\WFXSVC.EXE [1997-03-01 90112]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------


INFO LOG

info.txt logfile of random's system information tool 1.06 2009-04-14 18:21:57

======Uninstall list======

-->C:\PROGRA~1\GlobalSCAPE\CuteFTP\UNWISE32.EXE C:\PROGRA~1\GLOBAL~1\CUTEFTP\CUTEHTML\INSTALL2.LOG
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->MsiExec.exe /I{8ED4E82B-8CEA-40DE-826C-37AC7B941F81}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
-->VTUninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Timer'
Absolute Recall-->C:\NEWRCL\FRONTEND\SETUP.EXE
Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
Agere Systems PCI Soft Modem-->agrsmdel
AI - Series-->"C:\Program Files\AI - Series\AI - Series.scr" /S /Uninstall
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AsusUpdate-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ASUS\AsusUpdate\Uninst.isu"
CleanUp!-->C:\Program Files\CleanUp!\uninstall.exe
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
CuteFTP-->C:\PROGRA~1\GLOBAL~1\CUTEFTP\UNWISE32.EXE C:\PROGRA~1\GLOBAL~1\CUTEFTP\INSTALL.LOG
EPSON ESPR220 Reference Guide-->C:\Program Files\epson\guide\spr220_e\uninstall.exe
EPSON Print CD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\setup.exe" -l0x9 -SYSTEM
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Web-To-Page-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\setup.exe" -l0x9 -anything
FLV Player 2.0, build 23-->C:\Program Files\FLV Player\uninst.exe
FUJIFILM USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\Setup.exe"
Google Earth-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
iTunes-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{872653C6-5DDC-488B-B7C2-CF9E4D9335E5} /l1033
Java 2 Runtime Environment, SE v1.4.2_05-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Java 2 Runtime Environment, SE v1.4.2_06-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142060}
Kaspersky Internet Security 7.0-->MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Kaspersky Internet Security 7.0-->MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Mozilla Firefox (3.0.8)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.21)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
OmniFormat-->C:\Program Files\omniformat\thinsetup.exe - uninstall
palmOne-->MsiExec.exe /X{FF8157AA-F640-45BD-B7C2-BAA1016B267A}
Pdf995-->C:\Program Files\pdf995\setup.exe uninstall
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Prism Video Converter-->C:\Program Files\NCH Software\Prism\uninst.exe
QuickBooks Pro 2008-->msiexec.exe /I {8ED4E82B-8CEA-40DE-826C-37AC7B941F81} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2008" ADDREMOVE=1
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
S3 S3Display-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Display'
S3 S3Gamma2-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Gamma2'
S3 S3Info2-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Info2'
S3 S3Overlay-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Overlay'
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spybot - Search & Destroy 1.4-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
SupportSoft Assisted Service-->MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VIA Rhine-Family Fast-Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VIA/S3G Display Driver-->VTsetvga.exe -s -rRundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\system32\hg201hp.inf
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Defender Signatures-->MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinFax PRO-->C:\WINDOWS\WFUNINST.EXE /PWinFax /V7.0
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall

=====HijackThis Backups=====

O17 - HKLM\System\CCS\Services\Tcpip\..\{B0349BEB-0657-45B4-920F-1A4BB7C739E3}: NameServer = 85.255.112.64,85.255.112.225 [2009-04-14]
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.64,85.255.112.225 [2009-04-14]
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing) [2009-04-14]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.64,85.255.112.225 [2009-04-14]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.64,85.255.112.225 [2009-04-14]

======Security center information======

AV: Kaspersky Internet Security
FW: Kaspersky Internet Security

======System event log======

Computer Name: AGREEN-HARVEY
Event Code: 59
Message: Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Record Number: 45439
Source Name: SideBySide
Time Written: 20090323091402.000000-240
Event Type: error
User:

Computer Name: AGREEN-HARVEY
Event Code: 32
Message: Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.


Record Number: 45438
Source Name: SideBySide
Time Written: 20090323091402.000000-240
Event Type: error
User:

Computer Name: AGREEN-HARVEY
Event Code: 59
Message: Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\MFC80.DLL.
Reference error message: The operation completed successfully.
.

Record Number: 45437
Source Name: SideBySide
Time Written: 20090323091402.000000-240
Event Type: error
User:

Computer Name: AGREEN-HARVEY
Event Code: 59
Message: Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Record Number: 45436
Source Name: SideBySide
Time Written: 20090323091402.000000-240
Event Type: error
User:

Computer Name: AGREEN-HARVEY
Event Code: 32
Message: Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.


Record Number: 45435
Source Name: SideBySide
Time Written: 20090323091402.000000-240
Event Type: error
User:

=====Application event log=====

Computer Name: AGREEN-HARVEY
Event Code: 4
Message: QuickBooks

Record Number: 10527
Source Name: QuickBooks
Time Written: 20080521130019.000000-240
Event Type: error
User:

Computer Name: AGREEN-HARVEY
Event Code: 4
Message: QuickBooks

Record Number: 10526
Source Name: QuickBooks
Time Written: 20080521130019.000000-240
Event Type: error
User:

Computer Name: AGREEN-HARVEY
Event Code: 4
Message: QuickBooks Pro 2008

Record Number: 10525
Source Name: QuickBooks
Time Written: 20080521123227.000000-240
Event Type: error
User:

Computer Name: AGREEN-HARVEY
Event Code: 4
Message: QuickBooks Pro 2008

Record Number: 10524
Source Name: QuickBooks
Time Written: 20080521123224.000000-240
Event Type: error
User:

Computer Name: AGREEN-HARVEY
Event Code: 4
Message: QuickBooks Pro 2008

Record Number: 10523
Source Name: QuickBooks
Time Written: 20080521123224.000000-240
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Intuit\QBPOSSDKRuntime;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0a00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"VERSION"=3.0.5.001
"SESSIONID"=1113240895965htx69410c69:1033c96b3c4:d03
"COLLECTIONID"=COL8143
"ITEMID"=dj-22741-15
"UPDATEDIR"=C:\DOCUME~1\Owner\LOCALS~1\Temp\radE9C13.tmp
"TOOLPATH"=/C:\Program%20Files\Hewlett-Packard\HP%20Software%20Update\install.htm
"HMSERVER"=https://wwss1pro.cce.hp.com/wuss/servlet/WUSSServlet
"SWUTVER"=1.0.18.30716
"OSVER"=winXPH
"LANG"=1033
"TIMEOUT"=0
"CLASSPATH"=.;C:\Program Files\Java\j2re1.4.2_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\j2re1.4.2_06\lib\ext\QTJava.zip

-----------------EOF-----------------

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:48 PM

Posted 14 April 2009 - 06:11 PM

No need to apologize agreenco.
  • Please disable Ad-Watch in order not to interfere with our fixes. To disable Ad-Watch:
    • Right click on the Ad-Watch icon in the system tray.
    • At the bottom of the screen there will be two options called Active and Automatic.
      • o Active: This will turn Ad-Watch On\Off without closing it.
        o Automatic: Suspicious activity will be blocked automatically.
    • Uncheck both of those boxes.

      Note: When we are done and the computer is clean, you can re-enable it using the same steps but this time check both boxes.
  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Please copy and paste a fresh Hijackthis log to your reply.
Please include in your next reply:
  • The Combofix log.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went. Tell me also how is your computer running and if you are able to run Kaspersky.


#15 agreenco

agreenco
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 14 April 2009 - 08:25 PM

Farbar,

I don't have an icon in the system tray for Ad-Watch, I have an icon for Ad-Aware. I don't get the "active" and "automatic" options when I right click the icon. There is a box with the following: Open Ad-Aware; Open ThreatWork; Disable Ad-Watch Live ! (which I can click on to disable); Run Scan; Update; Exit Ad-Aware.

What should I do? Just disable Ad-Watch!? I don't plan to keep it after I'm finished fixing the computer so if you want I can remove it completely now.

I await your instruction.

Thanks




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users