Spyware Protect 2009 and Trojan Vundu H


This topic is locked
54 replies to this topic

#1 Brianandmolly

Posted 26 April 2009 - 05:45 PM

My PC was infected with Spyware Protect 2009. I ran Malwarebytes Anti-Malware - Quick Scan.

After running the Malwarebytes, Spyware Protect 2009 appears to be gone. However 4 infected items appear to remain.

1 windows system32 file: qfsnljc.dll
3 Registry Keys

In addition, some programs like web browsers and email won't run. They start, then say that it encountered an error and has to close.

I think I should run HijackThis and post a log. However, I'm not really sure what I need to do.

Any advice would be greatly appreciated.

Thanks

Brian


#2 Maurice Naggar
  • Malware Response Team

Posted 26 April 2009 - 06:19 PM

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, choose (select) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next, un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}.

=
Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

=
Download RootRepeal:
http://rootrepeal.googlepages.com/RootRepeal.zip
  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.
Download OTListIt by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe
  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTListIt.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTListIt2 by clicking the X at top right.
Download Security Check by screen317 and save it to your Desktop: here or here
  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Post these next reports in-line {within body of reply box} and NOT as attachments.

Then copy/paste the following into your post (in order):
  • a copy of the RootRepeal file scan log;
  • the contents of OTListIt.txt;
  • the contents of Extras.txt ; and
  • the contents of checkup.txt
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of the reply.

Edited by Maurice Naggar, 26 April 2009 - 06:37 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 Brianandmolly (Topic Starter)

Posted 26 April 2009 - 09:48 PM

Hi Maurice, I followed your instructions. Thanks for your help. Here are the logs you requested.

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/26 21:15
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\ErrorRep\UserDumps\winlogon.exe.20090427-000551-00.hdmp
Status: Allocation size mismatch (API: 2105344, Raw: 0)

Path: C:\WINDOWS\PCHealth\ErrorRep\UserDumps\winlogon.exe.20090427-000551-00.mdmp
Status: Allocation size mismatch (API: 98304, Raw: 0)

Path: C:\Documents and Settings\Brian\My Documents\Pinnacle Studio\Auxiliary Files\my heart..
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\My Documents\Pinnacle Studio\Auxiliary Files\Sledding..
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rachel\My Documents\Pinnacle Studio\Auxiliary Files\my heart..
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\My Documents\Pinnacle Studio\Auxiliary Files\my heart..\_render.dat
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\My Documents\Pinnacle Studio\Auxiliary Files\my heart..\_z0000.wav
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\My Documents\Pinnacle Studio\Auxiliary Files\my heart..\_z0001.wav
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\My Documents\Pinnacle Studio\Auxiliary Files\my heart..\_z0002.wav
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\My Documents\Pinnacle Studio\Auxiliary Files\Sledding..\_render.dat
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\My Documents\Pinnacle Studio\Auxiliary Files\Sledding..\_z0000.wav
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian\My Documents\Pinnacle Studio\Auxiliary Files\Sledding..\_z0001.wav
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Rachel\My Documents\Pinnacle Studio\Auxiliary Files\my heart..\_z0000.wav
Status: Locked to the Windows API!

================================================================

OTListIt logfile created on: 4/26/2009 9:39:43 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Brian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.48 Mb Total Physical Memory | 706.99 Mb Available Physical Memory | 69.14% Memory free
1.28 Gb Paging File | 1.08 Gb Available in Paging File | 84.14% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.91 Gb Total Space | 1.76 Gb Free Space | 6.30% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 27.91 Gb Total Space | 1.76 Gb Free Space | 6.30% Space Free | Partition Type: NTFS

Computer Name: FLUFFY
Current User Name: Brian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/03/16 17:37:52 | 00,616,408 | ---- | M] () -- C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
PRC - [2008/09/10 16:50:26 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2005/10/06 15:06:59 | 00,071,168 | ---- | M] () -- C:\WINDOWS\system32\LxrJD31s.exe
PRC - [2008/04/24 13:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
PRC - [2007/01/04 17:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/03/30 09:15:44 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2009/02/06 06:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/04/13 20:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2003/08/29 04:59:24 | 00,122,880 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\BCMSMMSG.exe
PRC - [2008/05/29 17:18:26 | 00,323,216 | ---- | M] (Napster) -- C:\Program Files\Napster\napster.exe
PRC - [2008/04/24 13:25:22 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PRC - [2002/11/18 06:17:10 | 00,094,208 | ---- | M] (Visioneer Inc) -- C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
PRC - [2008/09/06 15:09:14 | 00,413,696 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\qttask.exe
PRC - [2007/01/04 17:38:18 | 00,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2002/12/10 19:31:34 | 00,061,440 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\ImageStudio\LogiTray.exe
PRC - [2008/07/05 22:00:43 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/03/16 17:37:40 | 01,622,488 | ---- | M] () -- C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe
PRC - [2005/09/23 23:05:26 | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
PRC - [2002/02/15 12:31:42 | 00,045,056 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2002/06/10 15:21:32 | 00,102,400 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\LVComS.exe
PRC - [2002/12/10 19:33:42 | 00,053,248 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\ImageStudio\LowLight.exe
PRC - [2009/04/26 21:34:55 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brian\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/03/16 17:37:52 | 00,616,408 | ---- | M] () -- C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe -- (AntiSpywareService [Auto | Running])
SRV - [2008/09/10 16:50:26 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2006/03/30 09:15:44 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8 [Auto | Running])
SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2007/03/07 15:47:46 | 00,076,848 | ---- | M] () -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService [On_Demand | Stopped])
SRV - [2009/01/14 19:17:01 | 00,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2009/03/23 19:50:20 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - File not found -- -- (LogWatch [Auto | Stopped])
SRV - [2005/10/06 15:06:59 | 00,071,168 | ---- | M] () -- C:\WINDOWS\system32\LxrJD31s.exe -- (LxrJD31s [Auto | Running])
SRV - [2008/04/24 13:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2 [Auto | Running])
SRV - [2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
SRV - [2007/01/04 17:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2002/04/01 15:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
DRV - [2001/08/17 15:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
DRV - [2008/04/13 14:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
DRV - [2004/03/10 17:27:18 | 00,011,264 | ---- | M] (Pinnacle Systems GmbH) -- C:\WINDOWS\system32\drivers\ASAPIW2k.sys -- (ASAPIW2k [On_Demand | Running])
DRV - [2001/08/17 15:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
DRV - [2001/08/17 15:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
DRV - [2002/09/19 09:44:02 | 00,041,728 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Running])
DRV - [2003/08/29 04:59:24 | 01,101,696 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\BCMSM.sys -- (BCMModem [On_Demand | Running])
DRV - [2003/07/09 15:35:00 | 00,180,480 | ---- | M] (Pinnacle Systems GmbH) -- C:\WINDOWS\system32\drivers\bender.sys -- (BENDER [On_Demand | Running])
DRV - [2007/06/20 03:00:00 | 00,009,072 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp [System | Running])
DRV - [2007/06/20 03:00:00 | 00,009,200 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
DRV - [2002/04/10 18:48:04 | 00,236,032 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp [System | Running])
DRV - [2001/08/17 15:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
DRV - [2001/08/17 15:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
DRV - [2006/10/05 16:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct [On_Demand | Stopped])
DRV - [2007/02/25 12:10:48 | 00,005,376 | --S- | M] (Gteko Ltd.) -- C:\WINDOWS\system32\DRIVERS\dsunidrv.sys -- (dsunidrv [Auto | Running])
DRV - [2002/04/10 19:01:12 | 00,024,554 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K [On_Demand | Stopped])
DRV - [2001/08/17 14:11:06 | 00,066,591 | ---- | M] (3Com Corporation) -- C:\WINDOWS\System32\DRIVERS\el90xbc5.sys -- (EL90XBC [On_Demand | Stopped])
DRV - [2004/08/04 01:29:36 | 00,161,020 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\i81xnt5.sys -- (i81x [On_Demand | Stopped])
DRV - [2004/08/04 01:29:37 | 00,012,415 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wADV01nt.sys -- (iAimFP0 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:37 | 00,012,127 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wADV02NT.sys -- (iAimFP1 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:37 | 00,011,775 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wADV05NT.sys -- (iAimFP2 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:47 | 00,012,063 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys -- (iAimFP3 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:49 | 00,019,455 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys -- (iAimFP4 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:41 | 00,029,311 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wATV01nt.sys -- (iAimTV0 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:42 | 00,019,551 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wATV02NT.sys -- (iAimTV1 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:43 | 00,033,599 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wATV04nt.sys -- (iAimTV3 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:45 | 00,023,615 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys -- (iAimTV4 [On_Demand | Stopped])
DRV - [2005/10/19 08:59:12 | 00,807,998 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2005/10/06 15:06:59 | 00,069,824 | ---- | M] () -- C:\WINDOWS\system32\Drivers\LxrJD31d.sys -- (LxrJD31d [Auto | Running])
DRV - [2004/03/29 05:06:24 | 00,090,464 | ---- | M] (Pinnacle Systems GmbH) -- C:\WINDOWS\System32\DRIVERS\MarvinBus.sys -- (MarvinBus [On_Demand | Running])
DRV - [2002/04/10 19:01:00 | 00,029,638 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K [On_Demand | Running])
DRV - [2001/08/17 15:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Stopped])
DRV - [2005/04/11 14:26:04 | 00,121,472 | R--- | M] (Mars Semiconductor Corp.) -- C:\WINDOWS\system32\DRIVERS\mr97310c.sys -- (mr97310c [On_Demand | Stopped])
DRV - [2001/08/17 15:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
DRV - [2001/02/28 12:42:44 | 00,034,712 | ---- | M] (Marimba, Inc.) -- C:\WINDOWS\System32\drivers\MrtRate.sys -- (mrtRate [Auto | Running])
DRV - [2004/08/04 01:29:54 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Stopped])
DRV - [2002/07/19 12:22:08 | 00,017,153 | ---- | M] (Dell Computer Corporation) -- C:\WINDOWS\System32\DRIVERS\omci.sys -- (omci [System | Running])
DRV - [2002/03/19 11:29:16 | 00,014,165 | ---- | M] (Pinnacle Systems GmbH) -- C:\WINDOWS\System32\drivers\pclepci.sys -- (PCLEPCI [System | Running])
DRV - [2002/03/29 15:58:24 | 00,091,520 | ---- | M] (Hewlett-Packard Co.) -- C:\WINDOWS\System32\drivers\ppscan.sys -- (PPSCAN [Auto | Stopped])
DRV - [2002/08/29 07:00:00 | 00,023,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\prbibnri.sys -- (prbibnri [Boot | Running])
DRV - [2002/08/29 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2002/04/10 19:00:44 | 00,117,898 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k [System | Running])
DRV - [2007/07/26 03:00:00 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DRIVERS\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2002/06/10 15:20:50 | 00,039,936 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\DRIVERS\LVCD.sys -- (QCDonner [On_Demand | Running])
DRV - [2001/08/17 15:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
DRV - [2001/08/17 15:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
DRV - [2001/08/17 15:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/04/13 14:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
DRV - [2002/08/05 11:23:58 | 00,545,208 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2001/08/17 16:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
DRV - [2001/08/17 16:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
DRV - [2001/08/17 16:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
DRV - [2001/08/17 16:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
DRV - [2001/08/17 16:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
DRV - [2002/04/10 18:45:16 | 00,206,336 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp [System | Running])
DRV - [2001/08/17 15:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])
DRV - [2008/09/10 16:45:18 | 00,032,000 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2008/04/13 15:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2002/06/21 20:45:48 | 00,090,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E} [System | Stopped])
DRV - [2002/06/21 20:45:58 | 00,069,792 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default = 36 F5 D6 01 1E 59 70 46 A8 6C DB B1 38 9D C0 E6 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

========== FireFox ==========



FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: C:\PROGRA~1\MOZILLA FIREFOX\COMPONENTS [2008/12/20 21:05:20 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: C:\PROGRA~1\MOZILLA FIREFOX\PLUGINS [2008/12/20 21:05:20 | 00,000,000 | ---D | M]

[2009/04/24 04:22:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\mozilla\Extensions
[2009/04/25 17:42:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\mozilla\Firefox\Profiles\0inad2lx.default\extensions
[2009/04/25 17:42:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\mozilla\Firefox\Profiles\0inad2lx.default\extensions\{4E77EDAD-9566-4089-88D1-C81498CEE770}
[2008/03/13 12:25:09 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/12/20 21:05:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/07/31 09:37:10 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\talkback@mozilla.org
[2008/12/20 21:05:10 | 00,067,688 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll
[2008/12/20 21:05:10 | 00,054,368 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll
[2008/12/20 21:05:10 | 00,034,944 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\myspell.dll
[2008/12/20 21:05:10 | 00,046,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\spellchk.dll
[2008/12/20 21:05:10 | 00,172,136 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll
[2008/07/31 09:36:56 | 00,001,514 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/07/31 09:36:56 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/12/01 12:50:26 | 00,004,946 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\comcast.xml
[2008/07/31 09:36:56 | 00,001,038 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/07/31 09:36:56 | 00,001,046 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/07/31 09:36:56 | 00,002,351 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/07/31 09:36:57 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (784 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Comcast Toolbar) - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O2 - BHO: () - {D8B0FCA6-2E3B-4567-907B-F87DDE03433E} - c:\windows\system32\qfsnljc.dll ()
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (Comcast Toolbar) - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll ()
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [BCMSMMSG] BCMSMMSG.exe (Broadcom Corporation)
O4 - HKLM..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2 (SupportSoft, Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe File not found
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe File not found
O4 - HKLM..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe (Logitech Inc.)
O4 - HKLM..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE (Logitech Inc.)
O4 - HKLM..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray (Napster)
O4 - HKLM..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe (Visioneer Inc)
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg File not found
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKCU..\Run: [BMUpdate] C:\WINDOWS\system32\BMUpdate.exe File not found
O4 - HKCU..\Run: [ComcastAntispyClient] "C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide ()
O4 - HKCU..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2 File not found
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (Adobe Systems Incorporated)
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\WINDOWS\SYSTEM32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" -"http://www.neopets.com/games/dgs/play_shockwave.phtml?va=&game_id=480&nc_referer=&age=1&hiscore=3259320&sp=0&questionSet=&r=36359&width=640&height=560&quality=high" (Adobe Systems, Inc.)
O4 - HKLM..\RunOnceEx: [] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe (TLC Productivity Properties LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe (Logitech)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [Neoteris DNS Provider] - C:\Program Files\Neoteris\Secure Application Manager\gapsp.dll (Neoteris)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab (Groove Control)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\rbmxipag: DllName - qfsnljc.dll - C:\WINDOWS\system32\qfsnljc.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\system32\zwebauth.dll ()
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/03/01 17:07:43 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/03/01 17:03:52 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.CAM -- [ NTFS ]
O33 - MountPoints2\{34c996b5-3bac-11dc-a161-000874c286b9}\Shell - "" = AutoRun
O33 - MountPoints2\{34c996b5-3bac-11dc-a161-000874c286b9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{34c996b5-3bac-11dc-a161-000874c286b9}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{840c5e2a-e982-11dd-a2e6-000874c286b9}\Shell - "" = AutoRun
O33 - MountPoints2\{840c5e2a-e982-11dd-a2e6-000874c286b9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{840c5e2a-e982-11dd-a2e6-000874c286b9}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]
[2009/04/26 21:37:49 | 10,722,22208 | -HS- | C] () -- C:\hiberfil.sys
[2009/04/26 21:35:16 | 00,532,626 | ---- | C] () -- C:\Documents and Settings\Brian\Desktop\SecurityCheck.exe
[2009/04/26 21:34:53 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Brian\Desktop\OTListIt2.exe
[2009/04/26 20:40:46 | 00,000,000 | ---D | C] -- C:\Rootrepel
[2009/04/26 20:40:13 | 00,000,000 | ---- | C] () -- C:\settings.dat
[2009/04/26 20:36:35 | 00,440,104 | ---- | C] () -- C:\RootRepeal.zip
[2009/04/25 17:46:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/04/25 17:42:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Brian\Application Data\CallingID
[2009/04/25 17:41:44 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\scanner
[2009/04/25 17:41:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Brian\Application Data\comcasttb
[2009/04/25 17:41:09 | 00,000,000 | ---D | C] -- C:\Program Files\comcasttb
[2009/04/25 15:08:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Brian\Application Data\Malwarebytes
[2009/04/25 15:08:12 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/25 15:08:12 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/25 15:08:10 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/25 15:08:08 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/25 15:08:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/25 14:56:30 | 02,967,816 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Brian\Desktop\mbam-setup.exe
[2009/04/25 13:01:25 | 00,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2009/04/25 10:06:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Brian\Local Settings\Application Data\xkujkxxw
[2009/04/25 10:06:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Brian\Application Data\xkujkxxw
[2009/04/24 03:03:13 | 00,000,434 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2009/04/15 02:51:52 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/15 02:51:51 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/15 02:51:50 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/15 02:51:50 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/15 02:51:49 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/15 02:51:48 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/15 02:51:48 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/15 02:51:47 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 02:51:47 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/15 02:50:16 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/15 02:50:14 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/15 02:50:13 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/14 22:18:23 | 03,111,936 | ---- | C] () -- C:\Documents and Settings\Brian\My Documents\friends.doc
[2009/04/13 16:50:58 | 00,555,008 | ---- | C] () -- C:\Documents and Settings\Brian\My Documents\house.doc
[2009/04/10 21:22:33 | 00,031,744 | ---- | C] () -- C:\Documents and Settings\Brian\My Documents\survey.doc
[2009/04/10 01:16:39 | 00,020,480 | ---- | C] () -- C:\Documents and Settings\Brian\My Documents\Fluff.doc
[2009/04/10 00:50:21 | 00,019,456 | ---- | C] () -- C:\Documents and Settings\Brian\My Documents\I WILL do these things.doc
[2009/04/09 18:05:23 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\Brian\My Documents\i will.doc
[2009/04/08 23:07:57 | 00,024,064 | ---- | C] () -- C:\Documents and Settings\Brian\My Documents\Sunnysidofthestreet.doc
[2009/04/05 00:51:05 | 00,023,552 | ---- | C] () -- C:\Documents and Settings\Brian\My Documents\The Conspiracy Circle.doc
[2009/03/31 04:25:58 | 00,000,000 | ---D | C] -- C:\Program Files\Common
[2009/03/28 15:01:22 | 00,019,456 | ---- | C] () -- C:\Documents and Settings\Brian\My Documents\Album.doc
[2009/01/15 15:33:26 | 00,000,780 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2008/06/22 15:51:42 | 00,000,101 | ---- | C] () -- C:\WINDOWS\ImportClient.INI
[2008/03/12 03:05:57 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2007/06/27 17:15:08 | 00,000,026 | ---- | C] () -- C:\WINDOWS\marscam.ini
[2007/03/01 21:28:56 | 00,000,253 | ---- | C] () -- C:\WINDOWS\LHTTSSDK.INI
[2007/03/01 21:28:56 | 00,000,209 | ---- | C] () -- C:\WINDOWS\LHSTTS32.INI
[2007/03/01 21:28:56 | 00,000,204 | ---- | C] () -- C:\WINDOWS\UWCC.INI
[2006/10/14 19:06:38 | 00,180,224 | ---- | C] () -- C:\WINDOWS\keyboard.dll
[2006/10/14 19:06:37 | 00,471,040 | ---- | C] () -- C:\WINDOWS\dbengine.dll
[2006/10/14 19:06:37 | 00,245,760 | ---- | C] () -- C:\WINDOWS\dialogs.dll
[2006/05/16 16:52:38 | 00,000,083 | ---- | C] () -- C:\WINDOWS\KidCalc.INI
[2006/02/09 15:55:31 | 00,000,023 | ---- | C] () -- C:\WINDOWS\Edmark.ini
[2005/12/18 17:46:29 | 00,000,043 | ---- | C] () -- C:\WINDOWS\Tlcpromo.ini
[2005/10/12 11:06:18 | 00,000,216 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/10/09 19:08:18 | 00,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2005/10/09 18:20:22 | 00,010,545 | ---- | C] () -- C:\WINDOWS\hpdj3840.ini
[2005/09/10 19:51:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\JDSecure31.INI
[2005/09/10 19:51:18 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\LxrJD20Sat.dll
[2005/09/10 19:51:17 | 00,249,856 | ---- | C] () -- C:\WINDOWS\System32\LxrJD31.dll
[2005/09/10 19:51:17 | 00,069,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\LxrJD31d.sys
[2005/01/24 14:53:16 | 00,000,208 | ---- | C] () -- C:\WINDOWS\KA.INI
[2004/12/17 16:20:10 | 00,000,078 | ---- | C] () -- C:\WINDOWS\omv.INI
[2004/11/03 21:36:18 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/11/03 21:26:21 | 00,000,063 | ---- | C] () -- C:\WINDOWS\PixieTool.INI
[2004/08/09 10:38:02 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\WAVMIX32.DLL
[2004/08/09 10:38:02 | 00,002,570 | ---- | C] () -- C:\WINDOWS\wavemix.ini
[2004/08/09 10:30:54 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/05/27 12:19:56 | 00,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2004/03/18 09:44:29 | 01,663,068 | ---- | C] () -- C:\WINDOWS\System32\libmmd.dll
[2004/02/15 16:47:18 | 00,000,045 | ---- | C] () -- C:\WINDOWS\STORYMKR.INI
[2004/02/08 13:31:46 | 00,000,651 | ---- | C] () -- C:\WINDOWS\TLCAPPS.INI
[2004/02/07 18:42:02 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2004/01/10 18:26:16 | 00,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
[2004/01/10 18:26:16 | 00,000,000 | ---- | C] () -- C:\WINDOWS\QDQICK.ini
[2003/10/11 12:08:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PCCBrows.INI
[2003/08/15 22:47:00 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/08/15 22:23:26 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2003/05/24 11:40:29 | 00,000,134 | ---- | C] () -- C:\WINDOWS\LWBRWS32.INI
[2003/05/24 11:20:47 | 00,007,036 | ---- | C] () -- C:\WINDOWS\erwin40.ini
[2003/05/14 17:21:10 | 00,000,359 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2003/03/14 16:48:54 | 00,001,003 | ---- | C] () -- C:\WINDOWS\Corpscon.ini
[2003/03/08 17:19:16 | 00,012,126 | ---- | C] () -- C:\WINDOWS\System32\Pixpcz.dll
[2003/03/08 17:19:16 | 00,011,934 | ---- | C] () -- C:\WINDOWS\System32\Pixpnr.dll
[2003/03/08 15:37:39 | 00,000,022 | ---- | C] () -- C:\WINDOWS\BMUpdate.ini
[2003/03/08 15:36:24 | 00,001,038 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2003/03/08 15:36:24 | 00,000,090 | ---- | C] () -- C:\WINDOWS\calera.ini
[2003/03/08 15:36:18 | 00,269,312 | ---- | C] () -- C:\WINDOWS\System32\FPXIG.DLL
[2003/03/08 15:36:18 | 00,068,096 | ---- | C] () -- C:\WINDOWS\System32\IGFPX32P.DLL
[2003/03/08 15:36:18 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\JPEGACC.DLL
[2003/03/08 15:36:12 | 00,101,376 | ---- | C] () -- C:\WINDOWS\System32\WELSOF32.DLL
[2003/03/02 19:07:38 | 00,000,033 | ---- | C] () -- C:\WINDOWS\LVMMail.INI
[2003/03/02 18:48:19 | 00,000,241 | ---- | C] () -- C:\WINDOWS\QSync.INI
[2003/02/22 17:47:37 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/02/22 17:17:21 | 00,000,039 | ---- | C] () -- C:\WINDOWS\VTWAIN.INI
[2003/02/22 17:17:21 | 00,000,022 | ---- | C] () -- C:\WINDOWS\ppdrv.ini
[2003/02/22 17:15:16 | 00,306,688 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll
[2003/02/22 17:15:16 | 00,095,232 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll
[2003/02/22 17:15:15 | 00,000,038 | ---- | C] () -- C:\WINDOWS\hpudrv.ini
[2003/02/18 12:19:29 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/02/18 12:06:50 | 00,001,070 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2003/02/18 12:06:48 | 00,000,983 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/02/18 12:01:29 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/02/18 11:36:54 | 00,000,550 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2002/09/03 15:36:02 | 00,001,249 | ---- | C] () -- C:\WINDOWS\WIN.INI
[2002/09/03 15:26:32 | 00,000,310 | ---- | C] () -- C:\WINDOWS\SYSTEM.INI
[2002/08/29 07:00:00 | 01,614,848 | ---- | C] () -- C:\WINDOWS\System32\sfcfiles.dll
[2002/08/29 07:00:00 | 00,143,872 | ---- | C] () -- C:\WINDOWS\System32\pxrppwfs.dll
[2002/08/29 07:00:00 | 00,103,936 | ---- | C] () -- C:\WINDOWS\System32\qfsnljc.dll
[2002/08/29 07:00:00 | 00,103,936 | ---- | C] () -- C:\WINDOWS\System32\omvddqs.dll
[2002/06/10 15:16:22 | 00,005,187 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2001/10/12 10:58:20 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\mr310exd.dll
[2001/10/12 10:57:18 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\mr310exv.dll
[2001/08/29 15:43:38 | 00,002,098 | ---- | C] () -- C:\WINDOWS\System32\FSClient.INI
[2001/08/28 16:44:36 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\BSTRegIT.dll
[2000/12/07 10:13:58 | 00,015,164 | ---- | C] () -- C:\WINDOWS\mr310twc.ini
[2000/09/08 18:53:50 | 00,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll
[1999/01/27 14:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1999/01/22 12:46:56 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1997/06/13 08:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[1980/01/01 02:00:00 | 00,009,785 | ---- | C] () -- C:\WINDOWS\System32\drivers\a312.sys

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[17 C:\Documents and Settings\Brian\My Documents\*.tmp files]
[2009/04/26 21:38:47 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2009/04/26 21:38:09 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/04/26 21:37:55 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/26 21:37:50 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2009/04/26 21:37:49 | 10,722,22208 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/26 21:35:17 | 00,532,626 | ---- | M] () -- C:\Documents and Settings\Brian\Desktop\SecurityCheck.exe
[2009/04/26 21:34:55 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brian\Desktop\OTListIt2.exe
[2009/04/26 20:40:13 | 00,000,000 | ---- | M] () -- C:\settings.dat
[2009/04/26 20:36:37 | 00,440,104 | ---- | M] () -- C:\RootRepeal.zip
[2009/04/26 19:52:56 | 00,000,434 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2009/04/25 15:08:12 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/25 14:56:32 | 02,967,816 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Brian\Desktop\mbam-setup.exe
[2009/04/25 12:55:11 | 00,001,249 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2009/04/24 03:04:40 | 00,000,784 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\HOSTS
[2009/04/21 13:53:32 | 00,002,473 | ---- | M] () -- C:\Documents and Settings\Brian\Desktop\Microsoft Word.lnk
[2009/04/21 02:12:56 | 00,031,744 | ---- | M] () -- C:\Documents and Settings\Brian\My Documents\survey.doc
[2009/04/15 17:49:24 | 03,111,936 | ---- | M] () -- C:\Documents and Settings\Brian\My Documents\friends.doc
[2009/04/15 14:14:23 | 00,408,000 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2009/04/15 14:14:23 | 00,064,404 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2009/04/15 14:14:22 | 00,479,920 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/15 03:18:48 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/13 16:50:58 | 00,555,008 | ---- | M] () -- C:\Documents and Settings\Brian\My Documents\house.doc
[2009/04/13 01:07:31 | 00,066,048 | ---- | M] () -- C:\Documents and Settings\Brian\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/11 11:42:30 | 00,311,584 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/10 01:16:39 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Brian\My Documents\Fluff.doc
[2009/04/10 00:50:21 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\Brian\My Documents\I WILL do these things.doc
[2009/04/09 18:26:22 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Brian\My Documents\i will.doc
[2009/04/08 23:16:42 | 00,024,064 | ---- | M] () -- C:\Documents and Settings\Brian\My Documents\Sunnysidofthestreet.doc
[2009/04/08 00:33:02 | 00,023,552 | ---- | M] () -- C:\Documents and Settings\Brian\My Documents\The Conspiracy Circle.doc
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 10:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/28 18:56:03 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\Brian\My Documents\Album.doc

========== LOP Check ==========

[2009/04/25 17:46:39 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2007/12/28 15:13:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2008/09/23 14:49:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2008/09/23 14:55:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2003/02/18 12:05:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2008/08/13 01:09:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Comcast
[2005/05/25 09:20:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dell
[2005/12/29 14:11:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Digital Praise
[2009/01/18 00:20:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2004/10/16 17:24:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GameHouse
[2009/01/17 19:35:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/04/25 13:11:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google Updater
[2005/05/23 09:58:06 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\GTek
[2004/11/01 13:13:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Individual Software
[2004/12/17 14:19:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2008/04/16 00:37:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intuit
[2006/10/13 16:01:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kodak
[2009/04/25 15:08:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/25 17:46:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2005/03/30 00:57:45 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2003/02/23 13:14:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN6
[2005/03/05 17:57:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2004/11/03 21:17:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2003/02/18 12:10:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2009/04/25 01:56:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rosetta Stone
[2003/02/18 12:03:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2008/01/02 15:03:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2005/03/30 18:38:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/05/26 09:11:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2005/12/30 14:39:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2009/03/09 00:26:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
[2009/04/25 17:42:06 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Brian\Application Data
[2008/03/19 20:10:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Adobe
[2006/06/11 18:04:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\AdobeAUM
[2008/07/13 15:30:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\AdobeUM
[2009/03/04 01:42:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Apple Computer
[2003/11/20 22:49:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\ArcSoft
[2009/04/25 17:42:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\CallingID
[2009/04/25 17:47:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\comcasttb
[2006/03/31 22:39:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Corel
[2006/10/16 18:49:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Google
[2007/05/24 09:18:01 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Brian\Application Data\GTek
[2003/07/16 19:04:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Help
[2007/05/19 17:15:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Identities
[2007/11/14 22:59:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\InstallShield
[2008/04/16 00:52:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Intuit
[2005/03/24 23:49:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Juniper Networks
[2005/03/30 00:58:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Lavasoft
[2006/06/11 18:03:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Leadertech
[2008/08/10 15:28:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Macromedia
[2009/04/25 15:08:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Malwarebytes
[2006/08/29 14:02:08 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Brian\Application Data\Microsoft
[2003/02/22 17:42:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Microsoft Web Folders
[2008/09/03 20:56:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Move Networks
[2009/04/24 04:22:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Mozilla
[2006/06/23 12:24:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\MSN6
[2007/06/14 18:18:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Neopets Toolbar
[2008/08/01 17:41:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Printer Info Cache
[2005/08/12 19:00:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Real
[2005/06/16 14:48:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Roxio
[2009/04/01 07:00:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\U3
[2007/09/25 00:04:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Viewpoint
[2008/08/01 17:26:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Wal-Mart Digital Photo Manager
[2008/08/01 17:13:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\Wal-Mart Digital Photo Viewer
[2009/04/25 10:06:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\xkujkxxw
[2009/03/09 00:42:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Brian\Application Data\ZoomBrowser EX
[2009/04/26 19:52:56 | 00,000,434 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2002/08/29 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\DESKTOP.INI
[2009/04/26 21:38:09 | 00,000,868 | ---- | M] () -- C:\WINDOWS\Tasks\Google Software Updater.job
[2009/04/26 21:37:55 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Brian\Desktop\burp lois burp.txt:SummaryInformation
< End of report >

================================================================

OTListIt Extras logfile created on: 4/26/2009 9:39:43 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Brian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.48 Mb Total Physical Memory | 706.99 Mb Available Physical Memory | 69.14% Memory free
1.28 Gb Paging File | 1.08 Gb Available in Paging File | 84.14% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.91 Gb Total Space | 1.76 Gb Free Space | 6.30% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 27.91 Gb Total Space | 1.76 Gb Free Space | 6.30% Space Free | Partition Type: NTFS

Computer Name: FLUFFY
Current User Name: Brian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"80:TCP" = 80:TCP:*:Enabled:dll32
"7171:TCP" = 7171:TCP:*:Enabled:dll32

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/08/22 18:13:30 | 00,547,096 | ---- | M] (Rosetta Stone Ltd. ) -- C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\support\bin\win\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Ltd Services
[2008/08/22 18:13:26 | 07,122,120 | ---- | M] (Rosetta Stone Ltd. ) -- C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone Version 3 Application

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
File not found -- C:\Program Files\Support.com\bin\tgcmd.exe:*:Disabled:Support.com Scheduler and Command Dispatcher
File not found -- C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe:*:Disabled:backWeb-7288971
[2009/02/28 00:54:41 | 00,636,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer
[2005/08/12 18:42:39 | 00,208,941 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer
[2004/02/13 15:12:08 | 00,016,423 | ---- | M] () -- C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater
[2005/10/27 12:04:23 | 00,319,488 | ---- | M] (Zero G) -- C:\Program Files\Critical Thinking Software\Punctuation Puzzler Commas and More B1\Punctuation Puzzler Commas & and More B1.exe:*:Disabled:LaunchAnywhere GUI
[2006/11/09 11:22:53 | 00,319,488 | ---- | M] (Zero G) -- C:\Program Files\Critical Thinking Software\Reading Detective B1 Software\rd_b1_s\bin\Reading Detective B1 Software.exe:*:Disabled:LaunchAnywhere GUI
[2005/02/05 18:49:09 | 00,319,488 | ---- | M] (Zero G) -- C:\Program Files\Critical Thinking Software\Reading Detective A1 Software\rd_a1_s\bin\Reading Detective A1 Software.exe:*:Disabled:LaunchAnywhere GUI
[2006/06/07 07:26:28 | 00,180,224 | ---- | M] () -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
[2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2008/08/22 18:13:30 | 00,547,096 | ---- | M] (Rosetta Stone Ltd. ) -- C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\support\bin\win\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Ltd Services
[2008/08/22 18:13:26 | 07,122,120 | ---- | M] (Rosetta Stone Ltd. ) -- C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone Version 3 Application
[2008/03/05 23:29:49 | 10,343,712 | ---- | M] (Intuit, Inc.) -- C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax
[2007/10/22 18:56:52 | 03,597,600 | ---- | M] (Intuit, Inc.) -- C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Premium
"{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier
"{018CDD01-EDF3-46B0-B0C2-ECAEE283B68F}" = Geosoft Oasis montaj Viewer
"{073F22CE-9A5B-4A40-A604-C7270AC6BF34}" = ESSSONIC
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{148E08FF-D7C4-46ED-8D4D-601C67FE0AFD}" = Rosetta Stone Version 3
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{151C555A-A9E7-4A2E-B6D7-165D04A3C956}" = Dell Picture Studio - Dell Image Expert
"{154508C0-07C5-4659-A7A0-E49968750D21}" = HLPPDOCK
"{15FE4D77-D717-4632-8EA8-B6BB258CFC7D}" = Wal-Mart® Mini Movie
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{1D1C7B00-EA0D-4804-A5C3-2792BBD1D7A7}" = UFX Animals
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{29D88826-2AB9-11D5-8854-00902761A46D}" = WordPerfect Office 2002
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}" = OTtBPSDK
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Dell Modem-On-Hold
"{432C3720-37BF-4BD7-8E49-F38E090246D0}" = CR2
"{45893FEB-30FD-4034-8661-3BA4238FE67A}" = Britannica Ready Reference
"{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = BACS
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{4E5B5CC2-BE9E-42B7-AE3E-F534B82CD83A}" = Calendar Creator 8.0
"{54C8FE84-89C4-40E8-976C-439EB0729BD6}" = CardRd81
"{5A24DD7E-7B01-41AC-ADA8-F1776177A3BA}" = Logitech ImageStudio
"{5ABB5D02-BBAA-41D4-BDED-A52DB89A2D2F}" = Wal-Mart Digital Photo Manager
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{857343AD-9A00-4287-BF8B-F65C9633CA0C}" = CIF Dual-Mode Camera
"{87843A41-7808-4F2E-B13F-25C1E67CF2FD}" = ESShelp
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{9770A25C-45A7-478E-AF50-4FDE53EED270}" = American Greetings CreataCard Select 6
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}" = ESScore
"{9E491AB7-4589-48CA-9CBB-874CB2788391}" = Studio 9
"{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}" = SFR2
"{AA9768AA-FF0B-4C66-A085-31E934F77841}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B06667DD-C2A5-4BA6-9657-0248E2922195}" = Great Escape
"{B1591C79-1C35-4E09-AA15-F7D6923AFB96}" = HP Deskjet 3840
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B81023A5-71ED-46EB-BE3B-9F974D1155F1}" = HP Software Update
"{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}" = KSU
"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D1973749-F5E7-40EB-B528-F2B78685B9FF}" = essvcpt
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7
"{D87149B3-7A1D-4548-9CBF-032B791E5908}" = Desktop Doctor
"{DA5873B5-6262-11D4-8ABC-00C04F5F14B8}" = AllFusion ERwin Data Modeler
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{E3436EE2-D5CB-4249-840B-3A0140CC34C3}" = Classic PhoneTools
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EA9A2BDE-D702-4B64-9C03-588409F82F81}" = Sapi
"{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}" = kgcbase
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F4D59B35-A902-41D3-9BE9-20534881D03D}" = ArcSoft PhotoImpression
"{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}" = OTtBP
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FDF9943A-3D5C-46B3-9679-586BD237DDEE}" = SKIN0001
"3DGroove" = OTOY
"3rdAdv32.exe" = Third Grade Adventures
"Academic Challenge Cup" = Academic Challenge Cup
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Amazon3" = Amazon3
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"Bewitched by TV Land" = Bewitched by TV Land Screen Saver
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"ChooseyChallenge" = ChooseyChallenge Screen Saver
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"comcasttb" = Comcast Toolbar 3.0
"Corpscon for Windows" = Corpscon for Windows
"CSCLIB" = Canon Camera Support Core Library
"Editor in Chief® Level A2 " = Editor in Chief® Level A2
"Editor in Chief® Level B1" = Editor in Chief® Level B1
"eKnowledge ACT Standard" = eKnowledge ACT Standard
"eKnowledge SAT Standard" = eKnowledge SAT Standard
"EOS Utility" = Canon Utilities EOS Utility
"Google Updater" = Google Updater
"Hollywood" = Hollywood
"Hollywood FX" = Pinnacle Hollywood FX
"hp deskjet 930c series" = hp deskjet 930c series (Remove only)
"HP PrecisionScan LT Software" = HP PrecisionScan LT Software
"I Dream of Jeannie by TV Land" = I Dream of Jeannie by TV Land Screen Saver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = Broadcom Advanced Control Suite
"JDSecure" = JD Secure 3.1
"JSTYPING_1.1" = JumpStart Typing v1.1
"Logical Journey of the Zoombinis V1.1.0" = Logical Journey of the Zoombinis V1.1.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"mbm32" = Math Blaster Pre-Algebra
"MCJeopardy" = MCJeopardy
"MFMA2 - Adding and Subtracting" = MFMA2 - Adding and Subtracting
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"Microsoft Internet Gaming Zone" = MSN Gaming Zone
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (2.0.0.20)" = Mozilla Firefox (2.0.0.20)
"mr97310c_e6b1f8ca93ed72ea043389d1fb2e937f663f6786" = Windows Driver Package - MARS (mr97310c) Image 04/11/2005 2.0.0.0
"MSN Music Assistant" = MSN Music Assistant
"Neoteris_Secure_Application_Manager" = Secure Application Manager
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OneTouch Version 3.0" = OneTouch Version 3.0
"Oregon Trail II" = Oregon Trail II
"Orly's Draw-A-Story" = Orly's Draw-A-Story
"PaperPort 6.5" = PaperPort 6.5
"PC4" = PC4
"Personalized Learning Center" = Personalized Learning Center
"PhotoStitch" = Canon Utilities PhotoStitch
"Punctuation Puzzler Commas and More B1" = Punctuation Puzzler Commas and More B1
"Quicken 2002 New User Edition" = Quicken 2002 New User Edition
"QuickTime32" = QuickTime for Windows (32-bit)
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"rb2000" = Reading Blaster Ages 6-9
"Read6932.exe" = Reader Rabbit's Reading Ages 6-9
"Reader Rabbit 1st Grade" = Reader Rabbit 1st Grade
"Reading Detective A1 Software" = Reading Detective A1 Software
"Reading Detective B1 Software" = Reading Detective B1 Software
"RealPlayer 6.0" = RealPlayer
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"RollerCoaster Tycoon Setup" = Roll
"rrm69_32.exe" = Reader Rabbit's Math Ages 6-9
"Shockwave" = Shockwave
"ssrwin32.exe" = Super Solvers Reading Ages 9-12
"TextBridge Pro 9.0" = TextBridge Pro 9.0
"The American Girls Premiere 2nd Edition" = The American Girls Premiere 2nd Edition
"The ClueFinders Math Ages 9-12" = The ClueFinders Math Ages 9-12
"The ClueFinders Reading Adventures Ages 9-12" = The ClueFinders Reading Adventures Ages 9-12
"ThinkAnalogy Level B" = ThinkAnalogy Level B
"Thinkin' Things Collection 1" = Thinkin' Things Collection 1 (Remove only)
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"Typing Quick & Easy" = Typing Quick & Easy
"UWCC32.exe" = Ultimate Writing & Creativity Center
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player (Remove Only)
"Visual Basic 6.0 Working Model Edition" = Microsoft Visual Basic 6.0 Working Model Edition
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"Word Roots Software A1" = Word Roots Software A1
"Word Roots Software B1" = Word Roots Software B1
"WordPerfect Office 2002" = WordPerfect Office 2002
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/26/2009 8:39:21 PM | Computer Name = FLUFFY | Source = Application Error | ID = 1004
Description = Faulting application winlogon.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x0059135f.

Error - 4/26/2009 8:39:23 PM | Computer Name = FLUFFY | Source = AntiSpywareService | ID = 0
Description =

Error - 4/26/2009 8:39:32 PM | Computer Name = FLUFFY | Source = Application Error | ID = 1004
Description = Faulting application winlogon.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x0059135f.

Error - 4/26/2009 8:39:49 PM | Computer Name = FLUFFY | Source = Application Error | ID = 1004
Description = Faulting application winlogon.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x0059135f.

Error - 4/26/2009 8:40:00 PM | Computer Name = FLUFFY | Source = Application Error | ID = 1004
Description = Faulting application winlogon.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x0059135f.

Error - 4/26/2009 8:41:06 PM | Computer Name = FLUFFY | Source = Application Error | ID = 1004
Description = Faulting application winlogon.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x0059135f.

Error - 4/26/2009 8:41:10 PM | Computer Name = FLUFFY | Source = Application Error | ID = 1004
Description = Faulting application winlogon.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x0059135f.

Error - 4/26/2009 8:46:22 PM | Computer Name = FLUFFY | Source = Ci | ID = 4124
Description = Content index on c:\system volume information\catalog.wci is corrupt.
Please shutdown and restart the Indexing Service (cisvc).

Error - 4/26/2009 8:46:22 PM | Computer Name = FLUFFY | Source = Ci | ID = 4126
Description = Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci.
Index will be automatically restored by refiltering all documents.

Error - 4/26/2009 9:38:25 PM | Computer Name = FLUFFY | Source = AntiSpywareService | ID = 0
Description =

[ System Events ]
Error - 4/26/2009 8:20:50 PM | Computer Name = FLUFFY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/26/2009 8:21:46 PM | Computer Name = FLUFFY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cdudf_xp Fips intelppm PCLEPCI

Error - 4/26/2009 8:26:17 PM | Computer Name = FLUFFY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/26/2009 8:36:28 PM | Computer Name = FLUFFY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/26/2009 8:37:13 PM | Computer Name = FLUFFY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/26/2009 8:38:40 PM | Computer Name = FLUFFY | Source = Service Control Manager | ID = 7000
Description = The WebClient service failed to start due to the following error:
%%1290

Error - 4/26/2009 9:29:29 PM | Computer Name = FLUFFY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/26/2009 9:30:14 PM | Computer Name = FLUFFY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cdudf_xp Fips intelppm PCLEPCI

Error - 4/26/2009 9:35:46 PM | Computer Name = FLUFFY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/26/2009 9:38:01 PM | Computer Name = FLUFFY | Source = Service Control Manager | ID = 7000
Description = The WebClient service failed to start due to the following error:
%%1290


< End of report >

================================================================

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
WindowsLiveOneCaresafetyscanner
ECHO is off.
Error obtaining update status for antivirus!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Ad-Aware
Malwarebytes' Anti-Malware
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````


Scan took -78462 seconds.
`````````End of Log```````````

<Duplicate copies of logs edited out. ~ Maurice>

Edited by Maurice Naggar, 26 April 2009 - 11:27 PM.


#4 Maurice Naggar (Malware Response Team)

Posted 26 April 2009 - 11:43 PM

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member Brianandmolly only. If you are a lurker, do NOT try this on your system!
If you are not Brianandmolly and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

There are multiple pieces of malware here.
SpyDefenderPro, a rogue (and just one of the malwares here), is a misleading malware and needs to be removed.
  • Please double-click OTListIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
    O2 - BHO: () - {D8B0FCA6-2E3B-4567-907B-F87DDE03433E} - c:\windows\system32\qfsnljc.dll ()
    O4 - HKCU..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2 File not found
    O20 - Winlogon\Notify\rbmxipag: DllName - qfsnljc.dll - C:\WINDOWS\system32\qfsnljc.dll ()
    
    :files
    C:\WINDOWS\system32\zwebauth.dll 
    c:\windows\system32\qfsnljc.dll
    C:\Program Files\SpyDefender Pro\SpyDefender.exe
    C:\Documents and Settings\Brian\Local Settings\Application Data\xkujkxxw
    C:\Documents and Settings\Brian\Application Data\xkujkxxw
    C:\WINDOWS\tasks\At1.job
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Return to OTListIt2. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTListIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:
Posted Image
then be sure to write it down fully, copy it into your next reply here, and await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

Locate using My Computer {Windows Explorer} the MalwareBytes' AntiMalware exe file (mbam.exe) which is typically located here
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
..... right-Click mbam.exe and select Rename and RENAME it to Bravo.exe

Start your Bravo.exe {MBAM}.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2043 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with a copy of the OTListIt2 MovedFiles log
the C:\Combofix.txt
and the MBAM scan log
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
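The fix above removes the hosts-file override of browser-security.microsoft.com that appears in the OTListIt2 log; the same log also lists two firewall exceptions (80/TCP and 7171/TCP, described as "dll32") opened to any remote address. As an added triage example, not code from this thread, from OTListIt2 or from ComboFix, the script below parses those two entry types from an OTL log and flags the ones a responder should review; the WATCHED_SUFFIXES list is an assumption and the 127.0.0.1 control line is constructed.

```python
"""Triage two kinds of OTListIt2 log entry: Windows Firewall
GloballyOpenPorts\\List values and 'O1 - Hosts:' overrides.
Added example for this thread; not code from the thread, from OTListIt2
or from ComboFix.  Sample lines are copied from the log posted above,
plus one constructed control line."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: vendor domains whose hosts-file redirection to a public
# address is worth a responder's attention (rogue AV commonly does this).
WATCHED_SUFFIXES = (".microsoft.com", ".symantec.com", ".mcafee.com")

# "80:TCP" = 80:TCP:*:Enabled:dll32  ->  port, proto, value
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"\s*=\s*(.+)$')
# O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
HOSTS_RE = re.compile(r'^O1 - Hosts:\s+(\S+)\s+(\S+)')


@dataclass
class PortException:
    port: int
    proto: str
    scope: str        # "LocalSubNet", "*" (any remote address) or a list
    enabled: bool
    name: str         # "@xpsp2res.dll,-22007" for Windows' own entries
    reasons: List[str] = field(default_factory=list)


def parse_port_exception(line: str) -> Optional[PortException]:
    """Parse one GloballyOpenPorts value (port:proto:scope:state:name)
    and record why, if at all, it deserves review."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = m.group(3).split(":", 4)
    if len(fields) != 5:
        return None
    port_s, proto, scope, state, name = fields
    exc = PortException(int(port_s), proto, scope, state == "Enabled", name)
    if exc.enabled and scope == "*":
        exc.reasons.append("port exposed to any remote address, not LocalSubNet")
    if not name.startswith("@"):
        exc.reasons.append("description is not a Windows resource string")
    return exc


def check_hosts_override(line: str) -> Optional[Dict[str, object]]:
    """Flag a hosts entry that sends a watched vendor domain to a public
    address; loopback/unspecified/private targets are treated as benign."""
    m = HOSTS_RE.match(line.strip())
    if not m:
        return None
    ip = ipaddress.ip_address(m.group(1))
    host = m.group(2).lower()
    benign_target = ip.is_loopback or ip.is_unspecified or ip.is_private
    return {"ip": str(ip), "host": host,
            "suspicious": host.endswith(WATCHED_SUFFIXES) and not benign_target}


def triage(log_text: str) -> Dict[str, list]:
    """Run both checks over a log and return only the entries with findings."""
    ports, hosts = [], []
    for raw in log_text.splitlines():
        exc = parse_port_exception(raw)
        if exc is not None:
            if exc.reasons:
                ports.append(exc)
            continue
        h = check_hosts_override(raw)
        if h is not None and h["suspicious"]:
            hosts.append(h)
    return {"ports": ports, "hosts": hosts}


# Lines from the posted OTListIt2 log; the 127.0.0.1 line is a constructed control.
SAMPLE_LOG = """\
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"80:TCP" = 80:TCP:*:Enabled:dll32
"7171:TCP" = 7171:TCP:*:Enabled:dll32
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 127.0.0.1 localhost
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for exc in result["ports"]:
        print(f"review {exc.port}/{exc.proto} scope={exc.scope} "
              f"name={exc.name}: {'; '.join(exc.reasons)}")
    for h in result["hosts"]:
        print(f"review hosts override {h['host']} -> {h['ip']}")
```

The stock Windows entries (UPnP and NetBIOS, scoped to LocalSubNet and described by an @xpsp2res.dll resource string) pass, while the two "dll32" wildcard-scope entries and the vendor-domain redirect are the only findings.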

#5 Brianandmolly (Topic Starter)

Posted 27 April 2009 - 08:59 AM

Maurice,

My browser only works in Safe Mode. After I download ComboFix, can I run it in Safe Mode or do I need to go back to normal Windows? Do I need to run these programs for each user?

Thanks,

Brian

#6 Maurice Naggar (Malware Response Team)

Posted 27 April 2009 - 09:19 AM

Brian,
You must run Combofix in Normal mode, run it only one time. Login to Windows with the account that has administrative rights (I'm assuming yours is one).
Run Combofix only ONE time.
The same goes for any other tools I ask you to run.

If you have a problem downloading, use another clean pc to do downloads and burn to CD or DVD and take to problem-pc, and copy the tools to Desktop of the pc.

For my benefit and yours, tell me how, why, and for how long your browser only works in Safe mode,
and whether you mean "Safe Mode with Networking" rather than just plain "Safe mode".

If you have other issues, please ask here first and point them out to me.

#7 Brianandmolly (Topic Starter)

Posted 27 April 2009 - 08:37 PM

Hi Maurice,

I meant "Safe Mode with Networking". Our browser worked sporadically for a week or two, and hasn’t worked at all in at least a week. It starts up, then says it has encountered an error and has to close.

I can access the internet in "Safe Mode with Networking" and download and save files (i.e. ComboFix).

However, when I run ComboFix, I don’t know if it will be able to download Microsoft Windows Recovery.

Also, I don’t know if Bravo.exe {MBAM} will be able to "Check for Updates".

Sometimes it takes the virus a few minutes to disable the browser.

For a while we could use Mozilla after Internet Explorer stopped working, but now neither will work for long.

I have a laptop from work, but it just started to have an error on booting into XP. I may get it back tomorrow.

Brian

#8 Maurice Naggar (Malware Response Team)

Posted 27 April 2009 - 08:48 PM

Run Combofix and MBAM in Normal mode. They won't use the browser to get updates.
We need normal mode run so that these very capable tools can catch malwares that are active in "normal mode".

Run what you can tonight and post the reports.

#9 Brianandmolly (Topic Starter)

Posted 27 April 2009 - 09:59 PM

Hi Maurice,

I ran OTListIt2.exe

It got as far as

O2 - BHO: () - {D8B0FCA6-2E3B-4567-907B-F87DDE03433E} - c:\windows\system32\qfsnljc.dll ()

Then it locked up. At the top of the screen it said Not Responding. I waited about 15 - 20 min and then shut it down.

Can I try it again or re-name it and try again?

Brian

#10 Maurice Naggar (Malware Response Team)

Posted 28 April 2009 - 06:28 AM

Brian,
Skip the OTListit2 steps and proceed forward with the next steps for the Combofix run and the rest.

#11 Brianandmolly (Topic Starter)

Posted 28 April 2009 - 10:40 PM

Hi Maurice,

I ran combofix and mbam (bravo).

They both seemed to work, although the only mbam log looks like an old one. Combofix crashed as soon as it tried to access the internet. I re-downloaded and re-started it and it ran fine. Here are the logs.

ComboFix 09-04-28.02 - Brian 04/28/2009 22:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.677 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\system32\drivers\fad.sys

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\sfcfiles.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFC
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-28 02:31 . 2009-04-28 02:31 -------- d-----w C:\_OTListIt
2009-04-27 00:40 . 2009-04-27 00:41 -------- d-----w C:\Rootrepel
2009-04-27 00:40 . 2009-04-27 00:40 0 ----a-w C:\settings.dat
2009-04-27 00:36 . 2009-04-27 00:36 440104 ----a-w C:\RootRepeal.zip
2009-04-25 21:46 . 2009-04-25 21:46 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-25 21:42 . 2009-04-25 21:42 -------- d-----w c:\documents and settings\Brian\Application Data\CallingID
2009-04-25 21:41 . 2009-04-25 21:44 -------- d-----w c:\program files\Common Files\scanner
2009-04-25 21:41 . 2009-04-25 21:47 -------- d-----w c:\documents and settings\Brian\Application Data\comcasttb
2009-04-25 21:41 . 2009-04-25 21:42 -------- d-----w c:\program files\comcasttb
2009-04-25 19:08 . 2009-04-25 19:08 -------- d-----w c:\documents and settings\Brian\Application Data\Malwarebytes
2009-04-25 19:08 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-25 19:08 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 19:08 . 2009-04-25 19:08 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-25 19:08 . 2009-04-25 19:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 14:06 . 2009-04-25 14:06 -------- d-----w c:\documents and settings\Brian\Application Data\xkujkxxw
2009-04-25 14:06 . 2009-04-25 14:06 -------- d-----w c:\documents and settings\Brian\Local Settings\Application Data\xkujkxxw
2009-04-15 06:51 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 06:51 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 06:51 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 06:51 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 06:51 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 06:51 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 06:51 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 06:51 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 06:51 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 06:50 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 06:50 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-03-31 08:25 . 2009-04-25 19:39 -------- d-----w c:\program files\Common

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 00:07 . 2003-04-11 22:57 -------- d-----w c:\program files\Web Publish
2009-04-24 22:00 . 2005-03-05 21:57 -------- d-----w c:\program files\Napster
2009-04-11 17:18 . 2003-02-18 16:04 106680 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-23 23:59 . 2009-03-20 15:23 -------- d-----w c:\program files\Windows Live Safety Center
2009-03-20 19:07 . 2008-03-10 21:40 -------- d-----w c:\program files\eSoftware
2009-03-06 14:22 . 2002-08-29 11:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 02:19 . 2004-01-04 21:04 -------- d-----w c:\program files\Orly
2009-03-03 00:18 . 2004-02-06 22:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2002-08-29 11:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-06-14 01:05 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 11:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2002-08-29 11:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 1980-01-01 06:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2002-08-29 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 1980-01-01 06:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2002-08-29 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2002-08-29 11:00 56832 ----a-w c:\windows\system32\secur32.dll
2003-03-16 19:48 . 2003-03-16 19:48 132 -c--a-w c:\program files\vcard.vcf
2008-12-21 01:05 . 2008-03-13 16:23 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 01:05 . 2008-03-13 16:23 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 01:05 . 2008-03-13 16:23 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-21 01:05 . 2008-03-13 16:23 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 01:05 . 2008-03-13 16:23 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8B0FCA6-2E3B-4567-907B-F87DDE03433E}]
2002-08-29 11:00 103936 ----a-w c:\windows\system32\qfsnljc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMUpdate"="c:\windows\system32\BMUpdate.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpyDefender Shield"="c:\program files\SpyDefender Pro\SpyDefender.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-06 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-03-16 1622488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\SYSTEM32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [N/A]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [N/A]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [N/A]
"NapsterShell"="c:\program files\Napster\napster.exe" [2008-05-29 323216]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2002-11-18 94208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-2-18 45056]
Forget Me Not.lnk - c:\program files\Broderbund\AG CreataCard\AGRemind.exe [2008-5-1 323584]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-3-2 169472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rbmxipag]
2002-08-29 11:00 103936 ----a-w c:\windows\SYSTEM32\qfsnljc.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Critical Thinking Software\\Punctuation Puzzler Commas and More B1\\Punctuation Puzzler Commas & and More B1.exe"=
"c:\\Program Files\\Critical Thinking Software\\Reading Detective B1 Software\\rd_b1_s\\bin\\Reading Detective B1 Software.exe"=
"c:\\Program Files\\Critical Thinking Software\\Reading Detective A1 Software\\rd_a1_s\\bin\\Reading Detective A1 Software.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

R2 LogWatch;Event Log Watch; [x]
R2 PPSCAN;PPSCAN; [x]
R3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\DRIVERS\mr97310c.sys [2005-04-11 121472]
S0 prbibnri;prbibnri;c:\windows\system32\drivers\prbibnri.sys [2002-08-29 23424]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-03-16 616408]
S2 mrtRate;mrtRate; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2003-07-09 180480]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dcifgehy

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34c996b5-3bac-11dc-a161-000874c286b9}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{840c5e2a-e982-11dd-a2e6-000874c286b9}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-26 c:\windows\Tasks\At1.job
- c:\windows\system32\qfsnljc.dll [2002-08-29 11:00]

2009-04-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-28 23:50]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://msn.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\0inad2lx.default\
FF - prefs.js: network.proxy.ftp - actsvr.comcastonline.com
FF - prefs.js: network.proxy.ftp_port - 8100
FF - prefs.js: network.proxy.gopher - actsvr.comcastonline.com
FF - prefs.js: network.proxy.gopher_port - 8100
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.socks - actsvr.comcastonline.com
FF - prefs.js: network.proxy.socks_port - 8100
FF - prefs.js: network.proxy.ssl - actsvr.comcastonline.com
FF - prefs.js: network.proxy.ssl_port - 8100
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 22:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\LxrJD31s.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\LVComS.exe
c:\program files\Logitech\ImageStudio\LowLight.exe
.
**************************************************************************
.
Completion time: 2009-04-29 22:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 02:54

Pre-Run: 1,689,464,832 bytes free
Post-Run: 3,795,017,728 bytes free

272 --- E O F --- 2009-04-15 07:19

Malwarebytes' Anti-Malware 1.36
Database version: 2040
Windows 5.1.2600 Service Pack 3

4/25/2009 4:39:39 PM
mbam-log-2009-04-25 (16-39-30).txt

Scan type: Quick Scan
Objects scanned: 6132
Time elapsed: 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d8b0fca6-2e3b-4567-907b-f87dde03433e} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rbmxipag (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d8b0fca6-2e3b-4567-907b-f87dde03433e} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\qfsnljc.dll (Trojan.Vundo.H) -> No action taken.

PS - I'm on the internet now in normal mode.

Please let me know where we stand.

Thanks - Brian

#12 Maurice Naggar (Malware Response Team)

Posted 29 April 2009 - 07:05 AM

The last MBAM run found items that really need removal. Looks as if you did not allow it to delete them?

Start MBAM once more. Go slow, be thorough.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click the Remove Selected button.

  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.
As to where you stand, I'll have to see the next MBAM log and close review of your last log of Combofix.
There will be more to do. Be careful. Do not do indiscriminate web surfing.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
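The point Maurice raises above is that an MBAM log can list detections that were never acted on ("No action taken") or that are still waiting for a restart ("Delete on reboot"). As an added example, not code from this thread or from Malwarebytes, here is a small Python checker that parses an MBAM 1.36 log, pulls the scan time out of the log file name (so an old log is not mistaken for the latest one) and sorts every detection by its reported outcome; the success wording "Quarantined and deleted successfully" is an assumption, and the sample log is constructed from the lines quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample: MBAM 1.36 log lines as quoted in this thread, with the
# file entry changed to the (assumed) success marker so all three outcomes appear.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2040
Windows 5.1.2600 Service Pack 3

4/25/2009 4:39:39 PM
mbam-log-2009-04-25 (16-39-30).txt

Scan type: Quick Scan
Objects scanned: 6132
Time elapsed: 32 second(s)

Registry Keys Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d8b0fca6-2e3b-4567-907b-f87dde03433e} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rbmxipag (Trojan.Vundo.H) -> Delete on reboot.

Files Infected:
c:\WINDOWS\SYSTEM32\qfsnljc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""

# "mbam-log-YYYY-MM-DD (HH-MM-SS).txt": the scan time, which is what tells an
# old log apart from the latest one.
LOG_NAME_RE = re.compile(r"^mbam-log-(\d{4}-\d{2}-\d{2}) \((\d{2})-(\d{2})-(\d{2})\)\.txt$")
# Section headers ("Registry Keys Infected:") carry no count, unlike the summary lines.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<item> (<family>) -> <action>."; the greedy item group tolerates parentheses in paths.
DETECTION_RE = re.compile(r"^(?P<item>.*) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?\s*$")

# Assumed success wording; any other action means the item is still outstanding.
RESOLVED = "Quarantined and deleted successfully"
REBOOT_PENDING = "Delete on reboot"


def parse_mbam_log(text):
    """Return (scan_time, detections); each detection is a dict with the
    section it was listed under, the item, the family and the reported action."""
    scan_time, section, detections = None, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := LOG_NAME_RE.match(line):
            scan_time = f"{m[1]} {m[2]}:{m[3]}:{m[4]}"
        elif m := SECTION_RE.match(line):
            section = m[1]
        elif section and (m := DETECTION_RE.match(line)):
            detections.append({"section": section, **m.groupdict()})
    return scan_time, detections


def triage(detections):
    """Split detections by outcome: removed, waiting for a reboot, or not acted on."""
    buckets = {"resolved": [], "reboot_pending": [], "not_removed": []}
    for d in detections:
        if d["action"] == RESOLVED:
            buckets["resolved"].append(d)
        elif d["action"] == REBOOT_PENDING:
            buckets["reboot_pending"].append(d)
        else:
            buckets["not_removed"].append(d)
    return buckets


def summarize(detections):
    """Counts per reported action, e.g. Counter({'No action taken': 1, ...})."""
    return Counter(d["action"] for d in detections)


if __name__ == "__main__":
    when, found = parse_mbam_log(SAMPLE_LOG)
    print(f"scan at {when}: {len(found)} detection(s)")
    for bucket, items in triage(found).items():
        for d in items:
            print(f"  [{bucket}] {d['family']}: {d['item']}")
```

Anything that lands in the not_removed bucket is the case described above: the scan saw it, but nothing was removed, so the scan has to be repeated with Remove Selected.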

#13 Brianandmolly (Topic Starter)

Posted 29 April 2009 - 11:34 AM

Hi Maurice,

I will rerun MBAM tonight when I get home from work.

The MBAM log I sent you last night had an old date from a few days ago.

When I ran MBAM last night, I clicked OK after the scan was complete and I viewed the results. I checked off all items for removal, and clicked the Remove Selected button.

When disinfection was completed, a log opened in Notepad.

There were four items that were not removed with the comment (delete upon reboot).

I'm not sure if I re-booted or if MBAM rebooted itself. Then I looked for the MBAM log, and I could only find the old one, which I sent you.

I will run MBAM tonight and Copy & Paste the entire report in my next reply.

Thanks,

BK

#14 Maurice Naggar (Malware Response Team)

Posted 29 April 2009 - 02:13 PM

Yeah. The last MBAM log you posted was mbam-log-2009-04-25 (16-39-30).txt, from the 25th.


MBAM keeps all the logs. Here's how to get the latest one.
Start MBAM (if not already running). Click on the LOGS tab at the top.
Look at list. Click on the latest date. Then press Open button.
Copy and paste back here.

Edited by Maurice Naggar, 29 April 2009 - 02:16 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#15 Brianandmolly (Topic Starter)

Posted 29 April 2009 - 07:49 PM

Malwarebytes' Anti-Malware 1.36
Database version: 2040
Windows 5.1.2600 Service Pack 3

4/28/2009 11:09:14 PM
mbam-log-2009-04-28 (23-09-14).txt

Scan type: Quick Scan
Objects scanned: 96122
Time elapsed: 7 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d8b0fca6-2e3b-4567-907b-f87dde03433e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rbmxipag (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d8b0fca6-2e3b-4567-907b-f87dde03433e} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\qfsnljc.dll (Trojan.Vundo.H) -> Delete on reboot.



