Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infection by Rootkit.Agent/Gen-DNSHack; WIN32.Downloader.Small.afwj; Win32.Trojan.Dropper.VB.TR


  • This topic is locked This topic is locked
26 replies to this topic

#1 earlin

earlin

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 28 June 2009 - 12:19 PM

I believe that I have been infected by the following Virus: Rootkit.Agent/Gen-DNSHack; WIN32.Downloader.Small.afwj; Win32.Trojan.Dropper.VB.TR. They were all removed by either Zone Alarm Anti-Spyware and SuperAntiSpyware. However, I continue to have the symptoms: sporadic hijack of my keyboard so keystrokes are exected in what appears to be a random fashion. I say it's random because most of the time what's typed by the virus doesn't make any sese.

I was working with FAX in the ZoneAlarm user forum who recomended the malware removal tools and suggested I post my Hijackthis log if all else failed. All else has failed. Following is the log. Thanks for your help.

Attached File  hijackthis.log   16.26KB   17 downloads

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:46 PM, on 6/28/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files (x86)\WinZip\WZQKPICK.EXE
C:\Program Files (x86)\WordWeb\wweb32.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\gbxApp.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
C:\program files (x86)\hpq\hp connection manager 2\bin\gbx4log.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Windows Live\Toolbar\wltuser.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10b.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=:;gopher=:;ftp=:;https=:;socks=:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
O4 - HKLM\..\Run: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [HP Mobile Broadband] c:\SWsetup\HPQWWAN\HPMobileBroadband.exe /TrayMode
O4 - HKLM\..\Run: [coreworks] "C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\gbxapp.exe" runatstartup
O4 - HKLM\..\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
O4 - HKLM\..\Run: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files (x86)\Quicken\bagent.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\Windows\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustChecker.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\Windows\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustChecker.dll" (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files (x86)\WinZip\WZQKPICK.EXE
O4 - Global Startup: WordWeb Pro.lnk = C:\Program Files (x86)\WordWeb\wweb32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Passcards Editor - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O8 - Extra context menu item: Password Generator - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html
O8 - Extra context menu item: Safenotes Editor - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComEditNote.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra 'Tools' menuitem: RoboForm Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\AESTSr64.exe (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: HP Connectivity Authentication Service (mdvauthsrv) - HP - C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\mdvauthsrv.exe
O23 - Service: HP Connection Manager Service (mdvsrv) - HP - C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\mdvsrv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Qualcomm Gobi Download Service (QDLService) - QUALCOMM, Inc. - C:\QUALCOMM\QDLService\QDLService.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files (x86)\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
O23 - Service: RosettaStoneDaemon - Rosetta Stone Ltd. - C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\STacSV64.exe (file missing)
O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 16649 bytes

BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:34 PM

Posted 02 July 2009 - 05:00 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 earlin

earlin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 03 July 2009 - 09:54 PM

I still have the problem.

I used ZoneAlarem Anti-Virus/Anti-spyware to remove Rootkit.Agent/Gen-DNSHack, win32.trojan.dropper.vb.tr

and win32.downloader.small.afwj. But I think I'm still infected with something.

Somehow typed key strokes are being executed on my computer. I can open Notepad, give it focus by placeing

my cursor in the window and my computer will start typing. Most of the times it repeats keys, like w and a.

Twice it actually typed complete sentences that actually made sense. It happens sporadically. I saved two of the Notepad files if you want to see them. I just use Noetepad to trap the keystrokes so at least I know what's going on.

I've scanned my system with Malware Bytes Anti-malware program, SuperAntiSpywaReremover and ZoneAlarm. I am

using ZoneAlarm Extreme Security to protect my system. I've scanned my sytem with these programs in both

safe and normal mode.

I am not sure what a DDS log is - how do I get it?

The files that OTL generated are too large to paste here so I am attaching them. Please let me know if this doesn't work so I can get the files to you some other way.


OTL logfile created on: 7/3/2009 10:29:21 PM - Run 3
OTL by OldTimer - Version 3.0.6.4 Folder = C:\Users\earli\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18783)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.94 Gb Total Physical Memory | 2.24 Gb Available Physical Memory | 57.02% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 219.64 Gb Total Space | 157.85 Gb Free Space | 71.87% Space Free | Partition Type: NTFS
Drive D: | 13.24 Gb Total Space | 2.05 Gb Free Space | 15.52% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EARLIN
Current User Name: earli
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/05/28 20:25:50 | 02,414,984 | ---- | M] (Check Point Software Technologies LTD) -- C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
PRC - [2009/05/20 17:39:46 | 00,143,360 | ---- | M] (Kaspersky Lab.) -- C:\Windows\SysWOW64\ZoneLabs\avsys\ScanningProcess.exe
PRC - [2006/02/28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files (x86)\Bonjour\mDNSResponder.exe
PRC - [2009/01/27 22:37:24 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
PRC - [2009/01/14 10:56:46 | 00,345,336 | ---- | M] (QUALCOMM, Inc.) -- C:\QUALCOMM\QDLService\QDLService.exe
PRC - [2008/12/17 20:11:40 | 00,365,952 | ---- | M] () -- C:\Program Files (x86)\SMINST\BLService.exe
PRC - [2008/09/15 10:13:38 | 00,241,734 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
PRC - [2009/04/25 20:45:34 | 00,443,712 | ---- | M] (Rosetta Stone Ltd.) -- C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
PRC - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/02/09 18:14:02 | 00,296,320 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
PRC - [2009/02/09 18:14:02 | 00,116,096 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
PRC - [2009/06/02 10:38:38 | 00,112,144 | ---- | M] ( Pro-Softnet) -- C:\ZoneAlarmBackup\ZABackupWebM.exe
PRC - [2009/06/04 18:01:30 | 00,149,008 | ---- | M] (Pro Softnet Corporation) -- C:\ZoneAlarmBackup\ZABackup Service.exe
PRC - [2009/01/30 19:45:04 | 00,399,848 | ---- | M] (HP) -- C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\mdvauthsrv.exe
PRC - [2009/01/30 19:45:04 | 00,281,064 | ---- | M] (HP) -- C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\mdvsrv.exe
PRC - [2009/05/10 17:07:09 | 00,160,592 | ---- | M] (Siber Systems) -- C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2004/02/11 09:00:00 | 00,118,784 | ---- | M] (WinZip Computing, Inc.) -- C:\Program Files (x86)\WinZip\WZQKPICK.EXE
PRC - [2008/06/12 22:16:23 | 00,042,176 | ---- | M] (Antony Lewis) -- C:\Program Files (x86)\WordWeb\wweb32.exe
PRC - [2008/11/28 21:04:26 | 01,148,200 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
PRC - [2008/12/25 16:41:16 | 01,316,136 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
PRC - [2008/12/25 16:41:20 | 00,189,736 | ---- | M] (CyberLink) -- C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
PRC - [2009/01/30 19:45:00 | 00,780,776 | ---- | M] (HP) -- C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\gbxApp.exe
PRC - [2008/10/10 16:24:44 | 00,206,128 | ---- | M] ( Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
PRC - [2009/06/18 12:31:03 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Java\jre6\bin\jusched.exe
PRC - [2008/12/08 19:34:24 | 00,054,576 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
PRC - [2009/02/09 18:13:36 | 00,206,120 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe
PRC - [2009/05/28 20:25:50 | 01,005,960 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2009/05/20 17:39:46 | 00,143,360 | ---- | M] (Kaspersky Lab.) -- C:\Windows\SysWOW64\ZoneLabs\avsys\ScanningProcess.exe
PRC - [2008/10/23 16:46:02 | 00,223,232 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
PRC - [2008/11/19 13:14:06 | 00,222,512 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
PRC - [2009/01/30 19:45:02 | 00,272,872 | ---- | M] (HP) -- C:\program files (x86)\hpq\hp connection manager 2\bin\gbx4log.exe
PRC - [2009/06/04 18:04:02 | 01,898,000 | ---- | M] (Pro Softnet Corp.) -- C:\ZoneAlarmBackup\ZABackupTray.exe
PRC - [2009/06/04 18:02:04 | 00,042,512 | ---- | M] (Pro Softnet Corp.) -- C:\ZoneAlarmBackup\ZABackupBackground.exe
PRC - [2008/10/22 14:32:20 | 00,628,016 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
PRC - [2008/10/10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/07/03 21:13:34 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\earli\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/03/02 18:42:58 | 00,089,600 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_6ef279c8\AESTSr64.exe -- (AESTFilters [Auto | Running])
SRV:64bit: - [2007/12/11 15:11:30 | 00,015,872 | ---- | M] (Agere Systems) -- C:\Windows\SysNative\agr64svc.exe -- (AgereModemAudio [Auto | Running])
SRV:64bit: - [2009/04/11 03:11:13 | 00,053,760 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\bthserv.dll -- (BthServ [Auto | Running])
SRV:64bit: - [2008/03/18 19:25:40 | 00,023,040 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\SysNative\Hpservice.exe -- (hpsrv [Auto | Running])
SRV:64bit: - [2009/04/17 04:12:00 | 00,670,088 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc [Auto | Running])
SRV:64bit: - [2009/06/03 20:43:18 | 00,239,104 | ---- | M] (IDT, Inc.) -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_6ef279c8\STacSV64.exe -- (STacSV [Auto | Running])
SRV:64bit: - [2008/01/20 22:47:32 | 00,383,544 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto | Running])
SRV:64bit: - [2009/03/30 17:19:56 | 02,297,216 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc [Auto | Running])
SRV:64bit: - [2008/01/20 22:52:15 | 01,216,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2006/02/28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files (x86)\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2009/03/30 00:42:14 | 00,066,368 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/03/30 00:39:54 | 00,089,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64 [On_Demand | Stopped])
SRV - [2008/11/19 13:14:06 | 00,222,512 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe -- (Com4QLBEx [On_Demand | Running])
SRV - [2008/01/20 22:51:36 | 00,344,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Stopped])
SRV - [2008/01/20 22:51:36 | 00,153,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])
SRV - [2006/11/02 11:03:48 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])
SRV - [2009/05/26 21:33:09 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2009/02/18 14:40:04 | 00,042,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/02/06 18:08:58 | 00,533,360 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe -- (fsssvc [On_Demand | Stopped])
SRV - [2009/05/22 14:02:20 | 00,250,616 | ---- | M] (WildTangent, Inc.) -- C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe -- (GameConsoleService [On_Demand | Stopped])
SRV - [2008/10/09 11:56:48 | 00,094,208 | ---- | M] (Hewlett-Packard) -- c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe -- (HP Health Check Service [Auto | Running])
SRV - [2008/10/23 16:46:02 | 00,223,232 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex [On_Demand | Running])
SRV - [2004/10/22 07:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/02/18 14:39:11 | 00,857,432 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/10/10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService [Auto | Running])
SRV - [2006/11/02 05:46:05 | 00,018,944 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\keyiso.dll -- (KeyIso [On_Demand | Running])
SRV - [2009/01/27 22:37:24 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2009/01/30 19:45:04 | 00,399,848 | ---- | M] (HP) -- C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\mdvauthsrv.exe -- (mdvauthsrv [Auto | Running])
SRV - [2009/01/30 19:45:04 | 00,281,064 | ---- | M] (HP) -- C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\mdvsrv.exe -- (mdvsrv [Auto | Running])
SRV - [2006/11/02 09:34:14 | 00,000,000 | ---D | M] -- C:\Windows\SysWow64\Msdtc -- (MSDTC [Unknown | Stopped])
SRV - [2009/04/11 02:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\netlogon.dll -- (Netlogon [On_Demand | Stopped])
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2009/01/14 10:56:46 | 00,345,336 | ---- | M] (QUALCOMM, Inc.) -- C:\QUALCOMM\QDLService\QDLService.exe -- (QDLService [Auto | Running])
SRV - [2008/12/17 20:11:40 | 00,365,952 | ---- | M] () -- C:\Program Files (x86)\SMINST\BLService.exe -- (Recovery Service for Windows [Auto | Running])
SRV - [2008/09/15 10:13:38 | 00,241,734 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe -- (RichVideo [Auto | Running])
SRV - [2009/04/25 20:45:34 | 00,443,712 | ---- | M] (Rosetta Stone Ltd.) -- C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe -- (RosettaStoneDaemon [Auto | Running])
SRV - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort [Auto | Running])
SRV - [2009/02/09 18:14:02 | 00,296,320 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe -- (TVCapSvc [Auto | Running])
SRV - [2009/02/09 18:14:02 | 00,116,096 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe -- (TVSched [Auto | Running])
SRV - [2006/11/02 02:35:15 | 00,060,994 | ---- | M] () -- C:\Windows\SysWow64\Wbem\vds.mof -- (vds [On_Demand | Stopped])
SRV - [2009/05/28 20:25:50 | 02,414,984 | ---- | M] (Check Point Software Technologies LTD) -- C:\Windows\SysWOW64\ZoneLabs\vsmon.exe -- (vsmon [Auto | Running])
SRV - [2006/11/02 02:35:15 | 00,055,846 | ---- | M] () -- C:\Windows\SysWow64\Wbem\vss.mof -- (VSS [On_Demand | Stopped])
SRV - [2009/06/02 10:38:38 | 00,112,144 | ---- | M] ( Pro-Softnet) -- C:\ZoneAlarmBackup\ZABackupWebM.exe -- (ZABackupWebM [Auto | Running])
SRV - [2009/06/04 18:01:30 | 00,149,008 | ---- | M] (Pro Softnet Corporation) -- C:\ZoneAlarmBackup\ZABackup Service.exe -- (ZoneAlarmBackup Service [Auto | Running])

========== Driver Services (SafeList) ==========

DRV:64bit: - [2008/03/27 15:10:14 | 00,040,296 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\SysNative\DRIVERS\Accelerometer.sys -- (Accelerometer [On_Demand | Running])
DRV:64bit: - [2008/11/21 22:05:22 | 01,253,376 | ---- | M] (Agere Systems) -- C:\Windows\SysNative\DRIVERS\agrsm64.sys -- (AgereSoftModem [On_Demand | Running])
DRV:64bit: - [2008/01/31 19:23:14 | 00,195,120 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Windows\SysNative\DRIVERS\Apfiltr.sys -- (ApfiltrService [On_Demand | Running])
DRV:64bit: - [2009/02/23 01:40:40 | 00,026,624 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\DRIVERS\BthEnum.sys -- (BthEnum [On_Demand | Stopped])
DRV:64bit: - [2008/01/20 22:47:02 | 00,115,712 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\DRIVERS\bthpan.sys -- (BthPan [On_Demand | Stopped])
DRV:64bit: - [2009/02/23 01:40:40 | 00,694,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\Drivers\BTHport.sys -- (BTHPORT [On_Demand | Stopped])
DRV:64bit: - [2009/02/23 01:40:40 | 00,035,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\Drivers\BTHUSB.sys -- (BTHUSB [On_Demand | Stopped])
DRV:64bit: - [2008/01/20 22:46:51 | 00,017,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\DRIVERS\CmBatt.sys -- (CmBatt [On_Demand | Running])
DRV:64bit: - [2008/09/04 13:48:00 | 00,064,000 | ---- | M] (ENE TECHNOLOGY INC.) -- C:\Windows\SysNative\DRIVERS\enecir.sys -- (enecir [On_Demand | Running])
DRV:64bit: - [2009/02/06 18:42:12 | 00,061,808 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\DRIVERS\fssfltr.sys -- (fssfltr [On_Demand | Stopped])
DRV:64bit: - [2006/11/02 01:28:10 | 00,273,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\HdAudio.sys -- (HdAudAddService [On_Demand | Stopped])
DRV:64bit: - [2008/03/27 15:10:56 | 00,026,984 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\SysNative\DRIVERS\hpdskflt.sys -- (hpdskflt [Boot | Running])
DRV:64bit: - [2007/06/18 20:13:12 | 00,018,432 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Windows\SysNative\DRIVERS\HpqKbFiltr.sys -- (HpqKbFiltr [On_Demand | Running])
DRV:64bit: - [2008/09/02 09:21:04 | 08,034,592 | ---- | M] (Intel Corporation) -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys -- (igfx [On_Demand | Running])
DRV:64bit: - [2008/07/15 04:20:42 | 00,126,464 | ---- | M] (Intel® Corporation) -- C:\Windows\SysNative\drivers\IntcHdmi.sys -- (IntcHdmiAddService [On_Demand | Running])
DRV:64bit: - [2009/04/17 04:11:36 | 00,025,744 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL [Auto | Running])
DRV:64bit: - [2008/07/21 06:53:04 | 00,145,496 | ---- | M] (JMicron Technology Corporation) -- C:\Windows\SysNative\DRIVERS\jmcr.sys -- (JMCR [On_Demand | Stopped])
DRV:64bit: - [2009/02/17 21:49:58 | 00,202,768 | ---- | M] (Kaspersky Lab) -- C:\Windows\SysNative\DRIVERS\klif.sys -- (KLIF [System | Running])
DRV:64bit: - [2008/01/20 22:46:57 | 03,154,432 | ---- | M] (Intel Corporation) -- C:\Windows\SysNative\DRIVERS\NETw3v64.sys -- (NETw3v64 [On_Demand | Stopped])
DRV:64bit: - [2008/11/17 15:50:30 | 04,751,360 | ---- | M] (Intel Corporation) -- C:\Windows\SysNative\DRIVERS\NETw5v64.sys -- (NETw5v64 [On_Demand | Running])
DRV:64bit: - [2009/01/14 10:49:54 | 00,006,528 | ---- | M] (QUALCOMM Incorporated) -- C:\Windows\SysNative\DRIVERS\qcfilterhp.sys -- (QCFilterhp [On_Demand | Running])
DRV:64bit: - [2009/01/14 10:49:54 | 00,135,680 | ---- | M] (QUALCOMM Incorporated) -- C:\Windows\SysNative\DRIVERS\qcusbnethp.sys -- (qcusbnethp [On_Demand | Running])
DRV:64bit: - [2009/01/14 10:49:54 | 00,119,040 | ---- | M] (QUALCOMM Incorporated) -- C:\Windows\SysNative\DRIVERS\qcusbserhp.sys -- (qcusbserhp [On_Demand | Running])
DRV:64bit: - [2009/02/23 01:40:40 | 00,178,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\DRIVERS\rfcomm.sys -- (RFCOMM [On_Demand | Stopped])
DRV:64bit: - [2007/05/31 12:39:32 | 00,027,520 | ---- | M] (Research In Motion Limited) -- C:\Windows\SysNative\Drivers\RimUsb_AMD64.sys -- (RimUsb [On_Demand | Stopped])
DRV:64bit: - [2007/01/18 15:10:22 | 00,030,336 | ---- | M] (Research in Motion Ltd) -- C:\Windows\SysNative\DRIVERS\RimSerial_AMD64.sys -- (RimVSerPort [On_Demand | Running])
DRV:64bit: - [2008/01/20 22:49:47 | 00,011,264 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\Drivers\RootMdm.sys -- (ROOTMODEM [On_Demand | Running])
DRV:64bit: - [2009/03/06 09:06:18 | 00,197,120 | ---- | M] (Realtek Corporation ) -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169 [On_Demand | Running])
DRV:64bit: - [2008/01/20 22:46:55 | 00,111,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\DRIVERS\sdbus.sys -- (sdbus [On_Demand | Stopped])
DRV:64bit: - [2009/06/03 20:43:18 | 00,486,400 | ---- | M] (IDT, Inc.) -- C:\Windows\SysNative\DRIVERS\stwrt64.sys -- (STHDA [On_Demand | Running])
DRV:64bit: - [2008/01/20 22:47:25 | 00,012,288 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\DRIVERS\serscan.sys -- (StillCam [On_Demand | Running])
DRV:64bit: - [2008/01/20 22:47:27 | 00,168,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\Drivers\usbvideo.sys -- (usbvideo [On_Demand | Running])
DRV:64bit: - [2009/05/28 20:27:34 | 00,340,120 | ---- | M] (Check Point Software Technologies LTD) -- C:\Windows\SysNative\DRIVERS\vsdatant.sys -- (vsdatant [System | Running])
DRV:64bit: - [2008/01/20 22:47:28 | 00,046,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb [On_Demand | Stopped])
DRV:64bit: - [2006/10/03 21:45:36 | 00,273,408 | ---- | M] (Marvell) -- C:\Windows\SysNative\DRIVERS\yk60x64.sys -- (yukonx64 [On_Demand | Stopped])
DRV - [2006/09/18 17:35:23 | 00,001,088 | ---- | M] () -- C:\Windows\SysWow64\Wbem\mpsdrv.mof -- (mpsdrv [On_Demand | Running])
DRV - [2006/09/18 17:36:40 | 00,003,066 | ---- | M] () -- C:\Windows\SysWow64\Wbem\tcpip.mof -- (Tcpip [Boot | Running])
DRV - [2009/05/28 20:27:34 | 00,340,120 | ---- | M] (Check Point Software Technologies LTD) -- C:\Windows\SysWow64\DRIVERS\vsdatant.sys -- (vsdatant [System | Running])
DRV - [2008/11/28 21:04:24 | 00,146,928 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl -- ({55662437-DA8C-40c0-AADA-2C816A897A49} [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-3659337296-1482014480-721034036-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
IE - HKU\S-1-5-21-3659337296-1482014480-721034036-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKU\S-1-5-21-3659337296-1482014480-721034036-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-3659337296-1482014480-721034036-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-3659337296-1482014480-721034036-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://my.yahoo.com/ [binary data]
IE - HKU\S-1-5-21-3659337296-1482014480-721034036-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-3659337296-1482014480-721034036-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3659337296-1482014480-721034036-1000\S-1-5-21-3659337296-1482014480-721034036-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {FFB96CC1-7EB3-449D-B827-DB661701C6BB}:1.3.153.0
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.9.93
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10
FF - prefs.js..network.proxy.ftp: ":"
FF - prefs.js..network.proxy.gopher: ":"
FF - prefs.js..network.proxy.http: ":"
FF - prefs.js..network.proxy.socks: ":"
FF - prefs.js..network.proxy.ssl: ":"

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/24 17:40:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/05/10 21:58:38 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker [2009/07/01 15:55:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox [2009/05/10 17:07:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2009/05/26 21:42:32 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2009/06/18 12:32:09 | 00,000,000 | ---D | M]

[2009/05/15 22:54:23 | 00,000,000 | ---D | M] -- C:\Users\earli\AppData\Roaming\mozilla\Extensions
[2009/05/15 22:54:23 | 00,000,000 | ---D | M] -- C:\Users\earli\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/15 22:54:23 | 00,000,000 | ---D | M] -- C:\Users\earli\AppData\Roaming\mozilla\Firefox\Profiles\ij16lhzn.default\extensions
[2009/06/18 12:32:12 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions
[2009/05/15 22:54:03 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/06/18 12:32:12 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/04/24 00:38:30 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browserdirprovider.dll
[2009/04/24 00:38:32 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\brwsrcmp.dll
[2009/06/18 12:31:03 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeploytk.dll
[2009/04/24 00:38:33 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files (x86)\mozilla firefox\plugins\npnul32.dll
[2007/02/20 16:04:02 | 02,463,976 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\plugins\NPSWF32.dll
[2009/04/23 20:39:08 | 00,001,394 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/23 20:39:08 | 00,002,193 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\answers.xml
[2009/04/23 20:39:08 | 00,001,534 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/23 20:39:08 | 00,002,343 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay.xml
[2009/04/23 20:39:08 | 00,001,706 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\google.xml
[2009/04/23 20:39:08 | 00,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/23 20:39:08 | 00,000,792 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (761 bytes) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2:64bit: - BHO: (Windows Live Family Safety Browser Helper Class) - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll (Microsoft Corporation)
O2:64bit: - BHO: (ForceField Toolbar Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (ForceField Toolbar Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3:64bit: - HKLM\..\Toolbar: (ForceField Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (ForceField Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKU\S-1-5-21-3659337296-1482014480-721034036-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-3659337296-1482014480-721034036-1000\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3:64bit: - HKU\S-1-5-21-3659337296-1482014480-721034036-1000\..\Toolbar\WebBrowser: (ForceField Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKU\S-1-5-21-3659337296-1482014480-721034036-1000\..\Toolbar\WebBrowser: (ForceField Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4:64bit: - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe (Hewlett-Packard)
O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CLMLServer for HP TouchSmart] C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [coreworks] C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\gbxapp.exe (HP)
O4 - HKLM..\Run: [DVDAgent] C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe (CyberLink Corp.)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HP Mobile Broadband] c:\SWsetup\HPQWWAN\HPMobileBroadband.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [QlbCtrl.exe] File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files (x86)\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TSMAgent] C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe (CyberLink Corp.)
O4 - HKLM..\Run: [TVAgent] C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UCam_Menu] C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePDIRShortCut] C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe (Hewlett-Packard)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.DLL (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.DLL (Microsoft Corporation)
O4 - HKU\S-1-5-21-3659337296-1482014480-721034036-1000..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3659337296-1482014480-721034036-1000..\Run: [QuickenScheduledUpdates] C:\Program Files (x86)\Quicken\bagent.exe (Intuit Inc.)
O4 - HKU\S-1-5-21-3659337296-1482014480-721034036-1000..\Run: [RoboForm] C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKU\S-1-5-21-3659337296-1482014480-721034036-1000..\Run: [ZoneAlarm Backup Startup] C:\ZoneAlarmBackup\ZABackupStartup.exe (Pro Softnet Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [ZAFFRegisterTrustChecker] C:\Windows\SysWow64\regsvr32.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [ZAFFRegisterTrustCheckerIE] C:\Windows\SysWow64\regsvr32.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [ZAFFRegisterTrustChecker] C:\Windows\SysWow64\regsvr32.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [ZAFFRegisterTrustCheckerIE] C:\Windows\SysWow64\regsvr32.exe (Microsoft Corporation)
O4 - Startup: C:\Users\earli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZoneAlarm Backup Tray.lnk = C:\ZoneAlarmBackup\ZABackupReg2ini.exe (Pro Softnet Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8:64bit: - Extra context menu item: Fill Forms - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8:64bit: - Extra context menu item: Passcards Editor - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComEditPass.html ()
O8:64bit: - Extra context menu item: Password Generator - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html ()
O8:64bit: - Extra context menu item: Safenotes Editor - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComEditNote.html ()
O8:64bit: - Extra context menu item: Save Forms - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Fill Forms - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: Passcards Editor - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComEditPass.html ()
O8 - Extra context menu item: Password Generator - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html ()
O8 - Extra context menu item: Safenotes Editor - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComEditNote.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComOptions.html ()
O9 - Extra 'Tools' menuitem : RoboForm Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComOptions.html ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files (x86)\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\SysNative\wshbth.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\SysWow64\wshbth.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-3659337296-1482014480-721034036-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 66.174.95.44 66.174.92.14
O18:64bit: - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files (x86)\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files (x86)\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\SysWow64\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/07/03 21:14:06 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Users\earli\Desktop\OTL.exe
[2009/07/02 06:57:10 | 00,034,275 | ---- | C] () -- C:\Users\earli\Documents\Paycheck 07.03.09.pdf
[2009/07/01 21:27:30 | 00,000,000 | ---D | C] -- C:\Users\earli\AppData\Local\ProSoftnet
[2009/07/01 17:02:19 | 00,225,280 | ---- | C] (TODO: <Company name>) -- C:\Windows\SysWow64\IDrLocale.dll
[2009/07/01 17:02:16 | 00,001,542 | ---- | C] () -- C:\Users\earli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZoneAlarm Backup Tray.lnk
[2009/07/01 17:02:16 | 00,001,506 | ---- | C] () -- C:\Users\earli\Desktop\ZoneAlarm Backup Powered by IDrive.lnk
[2009/07/01 17:02:14 | 00,569,368 | ---- | C] () -- C:\Windows\SysWow64\olelib.tlb
[2009/07/01 17:02:14 | 00,022,212 | ---- | C] () -- C:\Windows\SysWow64\olelib2.tlb
[2009/07/01 17:02:14 | 00,003,841 | ---- | C] () -- C:\Windows\SysWow64\server.pem
[2009/07/01 17:02:13 | 00,526,184 | ---- | C] (Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com) -- C:\Windows\SysWow64\XceedCry.dll
[2009/07/01 17:02:12 | 01,081,344 | ---- | C] (Pro Soft Net Corporation) -- C:\Windows\SysWow64\ZABackupService.dll
[2009/07/01 17:02:12 | 00,147,130 | ---- | C] () -- C:\Windows\SysWow64\CRYPT32.LIB
[2009/07/01 17:02:12 | 00,117,982 | ---- | C] () -- C:\Windows\SysWow64\ADVAPI32.LIB
[2009/07/01 17:02:12 | 00,026,128 | ---- | C] () -- C:\Windows\SysWow64\ZABackupXceedCryReg.exe
[2009/07/01 17:02:12 | 00,000,096 | ---- | C] () -- C:\Windows\SysWow64\RegisterZABackupDll.bat
[2009/07/01 17:02:11 | 00,608,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\COMCTL32.OCX
[2009/07/01 17:02:11 | 00,441,705 | ---- | C] () -- C:\Windows\SysWow64\sqlite3.dll
[2009/07/01 17:02:11 | 00,164,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\COMCT232.OCX
[2009/07/01 17:02:11 | 00,140,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\COMDLG32.OCX
[2009/07/01 17:02:11 | 00,135,168 | ---- | C] (Pro-Softnet Corporation) -- C:\Windows\SysWow64\LogMail.dll
[2009/07/01 17:02:11 | 00,109,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSWINSCK.OCX
[2009/07/01 17:02:11 | 00,055,808 | ---- | C] () -- C:\Windows\SysWow64\zlib1.dll
[2009/07/01 17:02:11 | 00,000,730 | ---- | C] () -- C:\Windows\SysWow64\rootcert.pem
[2009/07/01 17:02:10 | 00,644,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSCOMCT2.OCX
[2009/07/01 17:02:10 | 00,143,360 | ---- | C] (Herman & Associates) -- C:\Windows\SysWow64\HLButton.ocx
[2009/07/01 17:02:10 | 00,103,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\asctrls.ocx
[2009/07/01 17:02:10 | 00,094,208 | ---- | C] () -- C:\Windows\SysWow64\IBColIml.ocx
[2009/07/01 17:02:10 | 00,086,016 | ---- | C] (Streamnet India) -- C:\Windows\SysWow64\IBwinUtil.ocx
[2009/07/01 17:02:10 | 00,028,672 | ---- | C] (Checks Unlimited) -- C:\Windows\SysWow64\Disable_X.ocx
[2009/07/01 17:02:10 | 00,024,576 | ---- | C] (Streamnet India) -- C:\Windows\SysWow64\IBcalendarser.ocx
[2009/07/01 17:02:10 | 00,000,000 | ---D | C] -- C:\ZoneAlarmBackup
[2009/07/01 16:02:18 | 00,000,000 | ---D | C] -- C:\Users\earli\AppData\Roaming\MailFrontier
[2009/07/01 15:54:32 | 00,202,768 | ---- | C] (Kaspersky Lab) -- C:\Windows\SysNative\drivers\klif.sys
[2009/07/01 15:54:18 | 00,103,816 | ---- | C] (Check Point Software Technologies LTD) -- C:\Windows\SysWow64\zlcommdb.dll
[2009/07/01 15:54:18 | 00,069,000 | ---- | C] (Check Point Software Technologies LTD) -- C:\Windows\SysWow64\zlcomm.dll
[2009/07/01 15:54:14 | 00,035,208 | ---- | C] (Check Point Software Technologies LTD) -- C:\Windows\SysWow64\vswmi.dll
[2009/07/01 15:54:13 | 01,221,512 | ---- | C] (Check Point Software Technologies LTD) -- C:\Windows\SysWow64\zpeng25.dll
[2009/07/01 15:54:12 | 00,310,152 | ---- | C] (Check Point Software Technologies LTD) -- C:\Windows\SysWow64\vspubapi.dll
[2009/07/01 15:54:12 | 00,107,400 | ---- | C] (Check Point Software Technologies LTD) -- C:\Windows\SysWow64\vsmonapi.dll
[2009/07/01 15:51:24 | 00,485,768 | ---- | C] (Check Point Software Technologies LTD) -- C:\Windows\SysWow64\vsutil.dll
[2009/07/01 15:51:24 | 00,228,744 | ---- | C] (Check Point Software Technologies LTD) -- C:\Windows\SysWow64\vsinit.dll
[2009/06/30 18:34:23 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/06/29 14:07:33 | 03,386,747 | -H-- | C] () -- C:\Users\earli\AppData\Local\IconCache.db
[2009/06/29 13:41:51 | 11,129,111 | ---- | C] () -- C:\Users\earli\Documents\AutoRuns.arn
[2009/06/29 13:31:21 | 42,267,64800 | -HS- | C] () -- C:\hiberfil.sys
[2009/06/28 13:50:52 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2009/06/28 12:49:51 | 00,001,928 | ---- | C] () -- C:\Users\earli\Desktop\HijackThis.lnk
[2009/06/28 12:49:50 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2009/06/28 12:48:16 | 00,000,000 | ---D | C] -- C:\Hijackthis
[2009/06/28 09:50:32 | 00,229,667 | ---- | C] () -- C:\Users\earli\Documents\Dr.Web LiveCD.pdf
[2009/06/28 09:34:06 | 00,001,676 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2009/06/28 00:26:21 | 00,107,350 | ---- | C] () -- C:\Users\earli\Documents\ZA Forum Support for ForceField Error on Boot.pdf
[2009/06/27 23:18:20 | 00,000,000 | ---D | C] -- C:\Users\earli\Documents\My muvees
[2009/06/27 23:18:20 | 00,000,000 | ---D | C] -- C:\ProgramData\muvee Technologies
[2009/06/27 23:17:37 | 00,000,000 | ---D | C] -- C:\Users\earli\AppData\Roaming\muvee Technologies
[2009/06/27 18:50:19 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2009/06/27 18:50:01 | 00,000,000 | ---D | C] -- C:\Users\earli\AppData\Roaming\SUPERAntiSpyware.com
[2009/06/27 18:50:01 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\SUPERAntiSpyware
[2009/06/27 13:32:45 | 00,000,732 | ---- | C] () -- C:\Users\earli\AppData\Local\d3d9caps64.dat
[2009/06/27 11:55:50 | 00,609,153 | ---- | C] () -- C:\Users\earli\Documents\How to start Windows in Safe Mode.pdf
[2009/06/27 09:36:05 | 00,000,000 | -HSD | C] -- C:\Users\Public\Documents\MCE Logs
[2009/06/26 21:35:57 | 00,596,788 | ---- | C] () -- C:\Users\earli\Documents\IBD__Chapter 1 - The Basics.pdf
[2009/06/26 21:34:12 | 00,672,321 | ---- | C] () -- C:\Users\earli\Documents\IBD_Chapter 1 - The Basics.xps
[2009/06/26 21:30:11 | 00,479,738 | ---- | C] () -- C:\Users\earli\Documents\IBD_Chapter 1 - The Basics.pdf
[2009/06/26 20:53:30 | 00,862,281 | ---- | C] () -- C:\Users\earli\Documents\Chapter 1 - IBD SmartSelect Ratings.pdf
[2009/06/24 20:44:51 | 00,000,000 | ---D | C] -- C:\Users\earli\Documents\My Received Files
[2009/06/24 18:28:07 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Office Outlook Connector
[2009/06/24 18:27:35 | 00,061,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\fssfltr.sys
[2009/06/24 18:27:35 | 00,000,000 | ---D | C] -- C:\Windows\SysNative\DRVSTORE
[2009/06/24 18:27:34 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2009/06/24 18:26:38 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Sync Framework
[2009/06/24 18:25:23 | 04,398,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx9_32.dll
[2009/06/24 18:25:23 | 03,426,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx9_32.dll
[2009/06/24 18:25:11 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
[2009/06/24 18:23:45 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Live SkyDrive
[2009/06/24 18:23:20 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Live
[2009/06/24 17:57:39 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Windows Live
[2009/06/24 17:40:46 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft
[2009/06/24 17:40:38 | 00,000,000 | ---D | C] -- C:\Users\Public\Documents\microsoft
[2009/06/24 17:25:56 | 23,635,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MRT.exe
[2009/06/23 22:11:40 | 00,159,159 | ---- | C] () -- C:\Users\earli\Documents\Check Point Software.pdf
[2009/06/22 23:03:30 | 00,000,000 | ---D | C] -- C:\Users\earli\AppData\Roaming\Malwarebytes
[2009/06/22 23:03:20 | 00,022,040 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2009/06/22 23:03:20 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/06/21 12:08:42 | 00,340,120 | ---- | C] (Check Point Software Technologies LTD) -- C:\Windows\SysWow64\drivers\vsdatant.sys
[2009/06/21 12:08:42 | 00,000,000 | ---D | C] -- C:\Windows\SysNative\ZoneLabs
[2009/06/20 13:50:58 | 00,078,150 | ---- | C] () -- C:\Users\earli\Documents\EZ Pass 06.20.09.pdf
[2009/06/20 12:58:45 | 00,050,170 | ---- | C] () -- C:\Users\earli\Documents\401K bal 06.19.09.pdf
[2009/06/18 12:32:09 | 00,410,984 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deploytk.dll
[2009/06/18 12:32:09 | 00,148,888 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2009/06/18 12:32:09 | 00,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2009/06/18 12:32:09 | 00,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2009/06/17 18:09:00 | 00,000,000 | ---D | C] -- C:\Users\earli\AppData\Roaming\EVP Systems
[2009/06/17 18:00:35 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\EVP Systems
[2009/06/16 22:49:59 | 00,016,523 | ---- | C] () -- C:\Users\earli\Documents\CREDITKEEPER Message.pdf
[2009/06/14 20:33:52 | 00,051,965 | ---- | C] () -- C:\Users\earli\Documents\Loan 004.pdf
[2009/06/14 20:32:46 | 00,047,753 | ---- | C] () -- C:\Users\earli\Documents\Loan 005.pdf
[2009/06/13 10:54:25 | 00,000,677 | ---- | C] () -- C:\Users\earli\Documents\ESTATES.INI
[2009/06/11 20:21:57 | 00,001,917 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2009/06/11 18:27:29 | 00,772,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\localspl.dll
[2009/06/11 18:27:28 | 00,623,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\localspl.dll
[2009/06/11 18:27:25 | 01,305,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rpcrt4.dll
[2009/06/11 18:27:25 | 00,677,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\rpcrt4.dll
[2009/06/11 18:27:19 | 09,234,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtml.dll
[2009/06/11 18:27:19 | 05,936,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtml.dll
[2009/06/11 18:27:16 | 11,064,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieframe.dll
[2009/06/11 18:27:15 | 12,454,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieframe.dll
[2009/06/11 18:27:14 | 02,332,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iertutil.dll
[2009/06/11 18:27:14 | 01,985,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iertutil.dll
[2009/06/11 18:27:14 | 01,484,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\urlmon.dll
[2009/06/11 18:27:14 | 01,207,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\urlmon.dll
[2009/06/11 18:27:14 | 00,915,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wininet.dll
[2009/06/11 18:27:13 | 01,146,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wininet.dll
[2009/06/11 18:27:13 | 00,457,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iedkcs32.dll
[2009/06/11 18:27:13 | 00,385,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iedkcs32.dll
[2009/06/11 18:27:12 | 01,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2009/06/11 18:27:10 | 01,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtml.tlb
[2009/06/11 18:27:10 | 01,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtml.tlb
[2009/06/11 18:27:10 | 01,538,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2009/06/11 18:27:10 | 00,219,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2009/06/11 18:27:10 | 00,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ie4uinit.exe
[2009/06/11 18:27:10 | 00,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2009/06/11 18:27:10 | 00,077,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2009/06/11 18:27:10 | 00,072,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2009/06/11 18:27:10 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2009/06/11 18:27:10 | 00,070,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2009/06/11 18:27:10 | 00,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2009/06/11 18:27:10 | 00,031,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jsproxy.dll
[2009/06/11 18:27:10 | 00,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jsproxy.dll
[2009/06/11 18:26:50 | 02,745,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32k.sys
[2009/06/11 11:30:06 | 00,080,808 | ---- | C] () -- C:\Users\earli\Desktop\ELVL.ZAC
[2009/06/10 10:37:00 | 00,014,979 | ---- | C] () -- C:\Users\earli\Documents\User.xlsm

========== Files - Modified Within 30 Days ==========

[1 C:\Windows\SysNative\drivers\*.tmp files]
[2009/07/03 22:25:05 | 19,204,5116 | -HS- | M] () -- C:\Windows\SysNative\drivers\fidbox.dat
[2009/07/03 22:24:02 | 00,000,144 | ---- | M] () -- C:\Windows\SysWow64\pdfl.dat
[2009/07/03 22:21:39 | 00,415,689 | ---- | M] () -- C:\Windows\SysNative\drivers\vsconfig.xml
[2009/07/03 22:21:29 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/07/03 22:21:27 | 00,003,344 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/07/03 22:21:27 | 00,003,344 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/07/03 22:21:19 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/07/03 22:21:16 | 42,267,64800 | -HS- | M] () -- C:\hiberfil.sys
[2009/07/03 22:20:30 | 03,431,116 | -HS- | M] () -- C:\Windows\SysNative\drivers\fidbox.idx
[2009/07/03 22:20:07 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2009/07/03 22:19:49 | 03,386,747 | -H-- | M] () -- C:\Users\earli\AppData\Local\IconCache.db
[2009/07/03 21:13:34 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\earli\Desktop\OTL.exe
[2009/07/03 20:49:35 | 00,001,113 | ---- | M] () -- C:\rollback.ini
[2009/07/03 06:10:37 | 00,000,430 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{1CCF2C8C-F72B-4757-8048-59CC8FCC1824}.job
[2009/07/02 06:57:15 | 00,034,275 | ---- | M] () -- C:\Users\earli\Documents\Paycheck 07.03.09.pdf
[2009/07/02 06:45:00 | 00,595,684 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2009/07/02 06:45:00 | 00,101,350 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2009/07/02 06:44:59 | 00,690,960 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2009/07/01 21:37:15 | 00,035,840 | ---- | M] () -- C:\Users\earli\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/01 17:02:16 | 00,001,542 | ---- | M] () -- C:\Users\earli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZoneAlarm Backup Tray.lnk
[2009/07/01 17:02:16 | 00,001,506 | ---- | M] () -- C:\Users\earli\Desktop\ZoneAlarm Backup Powered by IDrive.lnk
[2009/06/29 13:41:52 | 11,129,111 | ---- | M] () -- C:\Users\earli\Documents\AutoRuns.arn
[2009/06/29 09:21:52 | 00,000,732 | ---- | M] () -- C:\Users\earli\AppData\Local\d3d9caps64.dat
[2009/06/29 07:07:14 | 00,001,676 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2009/06/28 12:49:51 | 00,001,928 | ---- | M] () -- C:\Users\earli\Desktop\HijackThis.lnk
[2009/06/28 09:50:36 | 00,229,667 | ---- | M] () -- C:\Users\earli\Documents\Dr.Web LiveCD.pdf
[2009/06/28 00:26:26 | 00,107,350 | ---- | M] () -- C:\Users\earli\Documents\ZA Forum Support for ForceField Error on Boot.pdf
[2009/06/27 11:55:54 | 00,609,153 | ---- | M] () -- C:\Users\earli\Documents\How to start Windows in Safe Mode.pdf
[2009/06/26 21:38:01 | 00,479,738 | ---- | M] () -- C:\Users\earli\Documents\IBD_Chapter 1 - The Basics.pdf
[2009/06/26 21:36:02 | 00,596,788 | ---- | M] () -- C:\Users\earli\Documents\IBD__Chapter 1 - The Basics.pdf
[2009/06/26 21:34:14 | 00,672,321 | ---- | M] () -- C:\Users\earli\Documents\IBD_Chapter 1 - The Basics.xps
[2009/06/26 20:53:38 | 00,862,281 | ---- | M] () -- C:\Users\earli\Documents\Chapter 1 - IBD SmartSelect Ratings.pdf
[2009/06/23 22:11:46 | 00,159,159 | ---- | M] () -- C:\Users\earli\Documents\Check Point Software.pdf
[2009/06/20 13:51:02 | 00,078,150 | ---- | M] () -- C:\Users\earli\Documents\EZ Pass 06.20.09.pdf
[2009/06/20 12:58:48 | 00,050,170 | ---- | M] () -- C:\Users\earli\Documents\401K bal 06.19.09.pdf
[2009/06/20 08:02:10 | 00,002,358 | ---- | M] () -- C:\Users\earli\Documents\WRC4U.xml
[2009/06/18 12:31:01 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deploytk.dll
[2009/06/18 12:31:01 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2009/06/18 12:31:01 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2009/06/18 12:31:01 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2009/06/17 22:18:49 | 00,000,021 | ---- | M] () -- C:\Windows\FAS.INI
[2009/06/17 11:27:46 | 00,022,040 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2009/06/16 22:50:01 | 00,016,523 | ---- | M] () -- C:\Users\earli\Documents\CREDITKEEPER Message.pdf
[2009/06/16 20:27:15 | 00,000,128 | ---- | M] () -- C:\Windows\wpd99.drv
[2009/06/16 20:27:12 | 00,047,616 | ---- | M] () -- C:\Windows\SysWow64\pdf995mon64.dll
[2009/06/14 20:33:54 | 00,051,965 | ---- | M] () -- C:\Users\earli\Documents\Loan 004.pdf
[2009/06/14 20:32:54 | 00,047,753 | ---- | M] () -- C:\Users\earli\Documents\Loan 005.pdf
[2009/06/13 10:54:25 | 00,000,677 | ---- | M] () -- C:\Users\earli\Documents\ESTATES.INI
[2009/06/12 07:25:27 | 00,000,219 | ---- | M] () -- C:\Windows\win.ini
[2009/06/12 06:48:37 | 00,398,920 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2009/06/11 20:21:57 | 00,001,917 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2009/06/11 11:30:08 | 00,080,808 | ---- | M] () -- C:\Users\earli\Desktop\ELVL.ZAC
[2009/06/10 10:37:00 | 00,014,979 | ---- | M] () -- C:\Users\earli\Documents\User.xlsm
[2009/06/09 23:21:28 | 00,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
[2009/06/07 18:43:38 | 00,000,699 | ---- | M] () -- C:\Windows\SysWow64\PCTuneUp.config
[2009/06/06 12:56:26 | 00,005,120 | ---- | M] () -- C:\Users\earli\Documents\Glen & Dana @ 115 Asbury Ave, Ocean City, NJ 08226.est
[2009/06/05 21:05:55 | 00,020,592 | ---- | M] () -- C:\Users\earli\Documents\Portfolio of Earl D Linton.pfl
[2009/06/04 13:46:16 | 01,745,562 | ---- | M] () -- C:\Users\earli\Desktop\ConnectProSolutionBrief.pdf
[2009/06/04 13:43:34 | 00,397,491 | ---- | M] () -- C:\Users\earli\Desktop\A-Memorable-Demo.pdf
< End of report >

Edited by PropagandaPanda, 06 July 2009 - 12:21 PM.


#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,962 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:34 AM

Posted 05 July 2009 - 07:18 PM

Sorry for the delay here. A team member should be with you shortly.

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 earlin

earlin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 06 July 2009 - 12:49 PM

OK, Thanks Orange Blossom. I am patiently waiting for help and am appreciative of any help I can get!

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:34 PM

Posted 06 July 2009 - 07:35 PM

Hi earlin,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#7 earlin

earlin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 06 July 2009 - 07:43 PM

Hi m0le,

I'm still here. And I still have the problem. Besides adding new documents (Word, Quicken, PDF's) I haven't made any changes. Just been running lotsa scans in the hope of finding the problem.

Thanks for your help!

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:34 PM

Posted 07 July 2009 - 03:53 PM

Okay, if Superantispyware has found a rootkit then let's try and remove that as quickly as we can.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#9 earlin

earlin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 07 July 2009 - 06:12 PM

I tried to run combofix but got a message saying that it was incompatible with my OS. I'm not sure if that message actually came from Windows.

I'm running 64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002). I've attached a jpeg of the message I got. Should I run it anyway or is there another version that I should be using?

Thanks for your help!

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:34 PM

Posted 07 July 2009 - 06:51 PM

Ah,no. Combofix doesn't currently work on 64 bit. :)

We have to do this the harder way.

Please do the following.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Next

Please download Malwarebytes Anti-Malware and save it to your desktop. I know you have already run it but the results will give me an idea of what we're dealing with.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Then

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop, please rename it as gamer.exe.
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#11 earlin

earlin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 08 July 2009 - 02:06 PM

Hi m0le,

I ran all the scans in accordance with your instructions. Log file info from each scan is below.

Some notes about the results of the scans:

zabackupstartup.exe, a possible backdoor trojan found and moved by Dr. Web-CureIt might be part of

a backup file from ZoneAlarm backup, an online backup service that I use just to back up data

files (as opposed to program files.) I've never noticed a problem with the program and I've run it

since moving the file and it seemed to run ok.

The problem that Malwarebytes Anti-Malware found is something I've quarantined before but still

had a problem. From research I had previously done on the Malwarebytes website, I gathered that

this may be a valid policy setting, although I don't think I set the policy. Discussions in MBAM

forum suggests that it should be whitelisted so I didn't remove (or whitelist) it this time - just

ignored it. So the setting remains unchanged. I use ZoneAlarm's Extreme Security to protect my

machine so ZA might have set the policy.

Thanks for your help!



------------------------------------------------------------------------

Dr. Web-CureIt Log:

zabackupstartup.exe;c:\zonealarmbackup;Probably BACKDOOR.Trojan;Moved.;

------------------------------------------------------------------------

Malwarebytes Anti-Malware Log:

Malwarebytes' Anti-Malware 1.38
Database version: 2391
Windows 6.0.6002 Service Pack 2

7/8/2009 8:50:27 AM
mbam-log-2009-07-08 (08-50-14).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 327622
Time elapsed: 2 hour(s), 10 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChan

ges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------------------------------------------------------------

GMER Log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-08 10:43:40
Windows 6.0.6002 Service Pack 2


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186cab1d2
Reg HKLM\SYSTEM\ControlSet015\Services\BTHPORT\Parameters\Keys\002186cab1d2

---- EOF - GMER 1.0.15 ----

----------------------------------------------------------------------------

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:34 PM

Posted 09 July 2009 - 07:05 PM

Well, that's not looking too bad, earlin. How's the computer running?

You are spot-on with the ZoneAlarm info and you should be fine to reset it to ZA's settings.

Let's run an online scan to search for remnants.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Please also post a new DDS log.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#13 earlin

earlin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 10 July 2009 - 06:30 AM

Hi m0le,

I did the bitdefender scan and it didn't find anything. However, while the scan was running, something was typing keystrokes. Every so often the bitdefender interface would ask if I am sure I want to cancel the scan. I had to open Notepad to trap the keystrokes. Below is the information that was typed while my machine was being scanned - following that is my bitdefender scan results. Can you think of anything else besides a virus that would do this?

THIS IS WHAT WAS TYPED DURING THE SCAN:

324214312412343214234342132234123234222143243212 412412344311224341234243412141212342341234142234124314124344224312122431212342124322143123412142431243232141234212342242412323412314123421424312341241`2312341234123414212341412412341224313424321243443124323214231241234121243234322422341212123443241234121212433412123413432134224212342123421223432314412344431223212341234442123412343121242431242214232341312341321432122412321243223423121212342231242423212212421423232134232432424242 343241344211234141234442324123412432144434142123412423124121232411234243122123432412342431211212342432412312342234212234124312324212234123424242121234243123421412345421421242431344321432142243412124114324123421234213424123442123443412422123141234243221234431243432112142431214overlor

This is the result of the Bitdefender scan result:

BitDefender Online Scanner - Real Time Virus Report
Generated at: Fri, Jul 10, 2009 - 07:05:43

Scan Info
Scanned Files 879804
Infected Files 0
Virus Detected
No virus found.


This summary of the scan process will be used by the BitDefender
Antivirus Lab to create agregate statistics about virus activity around
the world

Thanks for your help!

#14 earlin

earlin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 10 July 2009 - 07:34 AM

Hi m0le,

DDS doesn't run on 64bit systems so I ran Hijackthis instead. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:13 AM, on 7/10/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\WinZip\WZQKPICK.EXE
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\WordWeb\wweb32.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\gbxApp.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe
C:\program files (x86)\hpq\hp connection manager 2\bin\gbx4log.exe
C:\ZoneAlarmBackup\ZABackupTray.exe
C:\ZoneAlarmBackup\ZABackupBackground.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=:;gopher=:;ftp=:;https=:;socks=:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
O4 - HKLM\..\Run: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [HP Mobile Broadband] c:\SWsetup\HPQWWAN\HPMobileBroadband.exe /TrayMode
O4 - HKLM\..\Run: [coreworks] "C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\gbxapp.exe" runatstartup
O4 - HKLM\..\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
O4 - HKLM\..\Run: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files (x86)\Quicken\bagent.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\Windows\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustChecker.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\Windows\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustChecker.dll" (User 'Default user')
O4 - Startup: ZoneAlarm Backup Tray.lnk = C:\ZoneAlarmBackup\ZABackupReg2ini.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files (x86)\WinZip\WZQKPICK.EXE
O4 - Global Startup: WordWeb Pro.lnk = C:\Program Files (x86)\WordWeb\wweb32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Passcards Editor - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O8 - Extra context menu item: Password Generator - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html
O8 - Extra context menu item: Safenotes Editor - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComEditNote.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra 'Tools' menuitem: RoboForm Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComOptions.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\AESTSr64.exe (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: HP Connectivity Authentication Service (mdvauthsrv) - HP - C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\mdvauthsrv.exe
O23 - Service: HP Connection Manager Service (mdvsrv) - HP - C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\mdvsrv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Qualcomm Gobi Download Service (QDLService) - QUALCOMM, Inc. - C:\QUALCOMM\QDLService\QDLService.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files (x86)\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
O23 - Service: RosettaStoneDaemon - Rosetta Stone Ltd. - C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\STacSV64.exe (file missing)
O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: ZoneAlarmBackup WebManager (ZABackupWebM) - Pro-Softnet - C:\ZoneAlarmBackup\ZABackupWebM.exe
O23 - Service: ZoneAlarmBackup Service - Pro Softnet Corporation - C:\ZoneAlarmBackup\ZABackup Service.exe

--
End of file - 16809 bytes

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:34 PM

Posted 10 July 2009 - 08:13 PM

That's a clean Hijackthis log.

Let's see if we can find it using another tool.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users