Total Security 2009 - New Variant?


This topic is locked
5 replies to this topic

#1 Blue Gascon

Posted 05 October 2009 - 11:41 AM

First - I need to say that I may have beaten this problem into submission over the weekend on these two machines by using a combination of Windows updates, scans with the most recent updated versions of MalwareBytes and Spybot S&D, and manual intervention and DLL file deletions via remote connections across my network as admin while the machines were logged on as regular users and only logged on to the local machine rather than the domain. It appears that no reinfection has taken place after a few reboots. I am, however, posting this info in hopes that it may help identify what mechanisms this new variant of sleazeware is using, and subsequently help improve functionality of anti-malware tools.

I was advised to post here from my initial post titled Total Security 2009 - New Variant?. Following the instructions given in that post, here are the results of my OTL.txt and extras.txt files:
OTL.txt:
OTL logfile created on: 10/2/2009 9:08:52 AM - Run 1
OTL by OldTimer - Version 3.0.17.0 Folder = \\PDC\Homes$\RobinR\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.31 Gb Available Physical Memory | 65.82% Memory free
4.00 Gb Paging File | 3.49 Gb Available in Paging File | 87.27% Paging File free
Paging file location(s): C:\pagefile.sys 2304 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 5.71 Gb Free Space | 15.32% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive I: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive L: | 32.59 Gb Total Space | 16.46 Gb Free Space | 50.52% Space Free | Partition Type: NTFS
Drive M: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive N: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive R: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive S: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive T: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive U: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive V: | 15.75 Gb Total Space | 9.56 Gb Free Space | 60.67% Space Free | Partition Type: NTFS
Drive W: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive X: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS

Computer Name: WEBMASTER
Current User Name: RobinR
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2007/06/13 06:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2004/10/14 14:42:54 | 01,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2000/02/14 17:36:22 | 00,043,008 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wfxsnt40.exe
PRC - [2002/06/03 12:38:12 | 00,049,152 | ---- | M] (ScanSoft, Inc) -- C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
PRC - [2005/10/14 15:46:34 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\hkcmd.exe
PRC - [2005/10/14 15:50:30 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\igfxpers.exe
PRC - [2006/04/06 08:59:34 | 00,638,976 | ---- | M] (Sage Software SB, Inc) -- C:\Program Files\ACT\ACT for Windows\Act.Scheduler.UI.exe
PRC - [2006/02/18 13:55:52 | 01,015,808 | ---- | M] (Sage Software SB, Inc) -- C:\Program Files\ACT\ACT for Windows\Act8.exe
PRC - [2006/06/15 08:43:20 | 00,049,152 | ---- | M] (HP) -- C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
PRC - [2005/02/16 23:11:42 | 00,049,152 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
PRC - [2005/10/27 17:01:16 | 00,139,264 | ---- | M] (Alcor Micro, Corp.) -- C:\Program Files\Multimedia Card Reader\shwicon2k.exe
PRC - [2009/05/12 08:37:47 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswDisp.exe
PRC - [2009/09/08 21:09:42 | 00,305,440 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2004/10/17 20:53:08 | 01,051,136 | ---- | M] () -- C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
PRC - [2009/06/22 15:23:42 | 00,031,552 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe
PRC - [2003/10/24 00:37:56 | 00,217,194 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
PRC - [2009/06/22 15:23:42 | 00,031,552 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMeeting\366\g2mcomm.exe
PRC - [2009/06/22 15:23:42 | 00,031,552 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMeeting\366\g2mlauncher.exe
PRC - [2004/08/04 08:00:00 | 00,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\MSIMN.EXE
PRC - [2004/08/04 08:00:00 | 00,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\MSIMN.EXE
PRC - [2004/08/04 08:00:00 | 00,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\MSIMN.EXE
PRC - [2002/08/21 05:13:12 | 00,189,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\WISPTIS.EXE
PRC - [2009/09/17 09:10:43 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - File not found --

========== Win32 Services (SafeList) ==========


========== Driver Services (SafeList) ==========


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1597796046-2899545957-4185577106-1153\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1597796046-2899545957-4185577106-1153\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1597796046-2899545957-4185577106-1153\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-21-1597796046-2899545957-4185577106-1153\S-1-5-21-1597796046-2899545957-4185577106-1153\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1597796046-2899545957-4185577106-1153\S-1-5-21-1597796046-2899545957-4185577106-1153\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}:6.0.02
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}:6.0.01
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.07076007
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.14

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/02/01 17:53:12 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/17 09:10:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/17 09:10:59 | 00,000,000 | ---D | M]

[2008/09/05 11:18:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\RobinR\Application Data\mozilla\Extensions
[2008/09/05 11:18:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\RobinR\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/10/01 11:07:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\RobinR\Application Data\mozilla\Firefox\Profiles\recao07v.default\extensions
[2008/05/30 12:24:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\RobinR\Application Data\mozilla\Firefox\Profiles\recao07v.default\extensions\moveplayer@movenetworks.com
[2009/10/01 11:07:28 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/09/17 09:10:59 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2007/04/26 23:37:11 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
[2007/08/23 22:37:57 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2007/11/26 23:25:31 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2009/09/17 09:10:39 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/09/17 09:10:39 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/02/25 12:01:06 | 00,027,976 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
[2008/02/25 12:01:06 | 00,125,848 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcext.dll
[2008/02/25 12:01:37 | 00,098,712 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
[2006/09/03 14:12:48 | 00,049,152 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2008/02/25 12:01:04 | 00,060,824 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\npatgpc.dll
[2009/03/27 11:30:34 | 00,155,648 | ---- | M] (Dassault Systèmes SolidWorks Corp.) -- C:\Program Files\mozilla firefox\plugins\npEModelPlugin.dll
[2009/09/17 09:10:45 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2007/03/22 20:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL
[2007/05/10 23:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/09/10 08:43:06 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/09/10 08:43:06 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/09/10 08:43:06 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/09/10 08:43:06 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/09/10 08:43:07 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/09/10 08:43:07 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/09/10 08:43:07 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2006/01/18 13:50:00 | 00,319,488 | ---- | M] ( ) -- C:\Program Files\mozilla firefox\plugins\npsnapfish.dll
[2004/01/13 22:09:25 | 00,176,176 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll
[2009/09/17 09:10:50 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/09/17 09:10:50 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/09/17 09:10:50 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/09/17 09:10:50 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/09/17 09:10:50 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/09/17 09:10:50 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/09/17 09:10:50 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (335291 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 11490 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [Act! Preloader] C:\Program Files\ACT\ACT for Windows\Act8.exe (Sage Software SB, Inc)
O4 - HKLM..\Run: [ACTSchedulerUI] C:\Program Files\ACT\ACT for Windows\Act.Sch File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\aswDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)
O4 - HKLM..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe ()
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\runthis.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe (ScanSoft, Inc)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime Alternative\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [rasufakeh] C:\WINDOWS\System32\japidahu.DLL ()
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE (FUJI PHOTO FILM CO., LTD.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINDOWS\System32\mobsync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ToolBoxFX] C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe (HP)
O4 - HKLM..\Run: [WinFaxAppPortStarter] C:\WINDOWS\System32\wfxsnt40.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\UltraVNC\WinVNC.exe (UltraVNC)
O4 - HKU\S-1-5-21-1597796046-2899545957-4185577106-1153..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - HKU\S-1-5-21-1597796046-2899545957-4185577106-1153..\Run: [LDM] File not found
O4 - HKU\S-1-5-21-1597796046-2899545957-4185577106-1153..\Run: [rasufakeh] C:\WINDOWS\System32\japidahu.DLL ()
O4 - HKU\S-1-5-21-1597796046-2899545957-4185577106-1153..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-1597796046-2899545957-4185577106-1153..\Run: [Winpopup LAN Messenger] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1597796046-2899545957-4185577106-1153\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-1597796046-2899545957-4185577106-1153\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1597796046-2899545957-4185577106-1153\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1233518332100 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1233518299053 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.7.11 204.213.176.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = InCord.local
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\windows\system32\japidahu.dll) - C:\WINDOWS\System32\japidahu.dll ()
O20 - AppInit_DLLs: (lamujafi.dll) - C:\WINDOWS\System32\lamujafi.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: yisofalih - {4c0378b1-1a15-473b-bb07-59e8356f56be} - C:\WINDOWS\System32\japidahu.dll ()
O22 - SharedTaskScheduler: {4c0378b1-1a15-473b-bb07-59e8356f56be} - gahurihor - C:\WINDOWS\System32\japidahu.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {A213B520-C6C2-11d0-AF9D-008029E1027E} - C:\Program Files\Symantec\WinFax\WfxSeh32.Dll (Symantec Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/10/26 11:50:18 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]
[2009/10/02 09:08:42 | 00,519,168 | ---- | C] (OldTimer Tools) -- \\PDC\Homes$\RobinR\Desktop\OTL.exe
[2009/09/28 18:28:43 | 00,000,000 | ---D | C] -- C:\Program Files\Sophos
[2009/09/28 14:18:32 | 00,159,600 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2009/09/28 14:18:22 | 00,206,256 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2009/09/28 14:18:22 | 00,086,888 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2009/09/28 14:18:22 | 00,007,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2009/09/28 14:18:13 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2009/09/28 14:18:12 | 00,064,392 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2009/09/28 14:18:04 | 00,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2009/09/28 14:18:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2009/09/28 14:11:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/09/28 14:09:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/09/25 16:38:36 | 00,991,941 | ---- | C] () -- \\PDC\Homes$\RobinR\My Documents\2009_MFIP_website.pdf
[2009/09/25 12:28:26 | 00,000,032 | ---- | C] () -- C:\WINDOWS\System32\thxcfg.ini
[2009/09/25 12:24:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\RobinR\Application Data\Malwarebytes
[2009/09/25 11:48:58 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/09/25 11:08:56 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/25 11:08:54 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/25 11:08:54 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/09/25 11:08:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/09/25 08:52:30 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/09/18 16:47:13 | 00,033,280 | ---- | C] () -- \\PDC\Homes$\RobinR\My Documents\SAFETY NETTING SOLUTIONS FOR HOME AND GARDEN.doc
[2009/09/16 16:43:06 | 00,026,196 | ---- | C] () -- \\PDC\Homes$\RobinR\Desktop\nobrain.jpg
[2009/09/11 16:50:36 | 00,030,208 | ---- | C] () -- \\PDC\Homes$\RobinR\My Documents\best of parks.doc
[2009/09/11 16:47:54 | 03,225,969 | ---- | C] () -- \\PDC\Homes$\RobinR\My Documents\2009 MFRG.pdf
[2009/09/10 16:47:57 | 02,826,520 | ---- | C] () -- \\PDC\Homes$\RobinR\My Documents\2009 MFIP.pdf
[2009/09/10 16:47:12 | 03,127,808 | ---- | C] () -- \\PDC\Homes$\RobinR\My Documents\2009 MFIP.pub
[2009/09/10 08:48:49 | 00,000,000 | ---D | C] -- C:\Program Files\iPhone Configuration Utility
[2009/09/10 08:47:47 | 00,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/09/10 08:46:16 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/09/10 08:45:54 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/09/10 08:45:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/09/10 08:42:49 | 00,001,670 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/09/05 01:54:48 | 00,094,208 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2009/09/05 01:54:48 | 00,069,632 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts
[2009/07/02 08:30:59 | 00,050,176 | -HS- | C] () -- C:\WINDOWS\System32\tuzoyono.dll
[2009/07/02 08:30:59 | 00,050,176 | -HS- | C] () -- C:\WINDOWS\System32\lamujafi.dll
[2009/07/02 08:30:59 | 00,050,176 | -HS- | C] () -- C:\WINDOWS\System32\buyoziyi.dll
[2009/07/02 08:30:16 | 00,090,624 | -HS- | C] () -- C:\WINDOWS\System32\japidahu.dll
[2009/07/02 08:30:16 | 00,050,176 | -HS- | C] () -- C:\WINDOWS\System32\wifufulu.dll
[2009/07/02 08:30:16 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\pidokobo.dll
[2009/07/01 08:49:07 | 00,051,200 | -HS- | C] () -- C:\WINDOWS\System32\mikasova.dll
[2009/06/29 22:22:52 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\tihobaha.dll
[2009/05/20 08:25:10 | 00,000,083 | ---- | C] () -- C:\WINDOWS\TBPlugin.INI
[2009/05/20 08:25:10 | 00,000,059 | ---- | C] () -- C:\WINDOWS\avconfig.ini
[2009/05/06 12:48:44 | 00,000,019 | ---- | C] () -- C:\WINDOWS\PavRet.ini
[2009/02/16 12:51:11 | 00,000,038 | ---- | C] () -- C:\WINDOWS\PVX.INI
[2008/09/11 14:03:58 | 00,000,000 | ---- | C] () -- C:\WINDOWS\eDrawingOfficeAutomator.INI
[2007/12/26 14:22:50 | 01,302,528 | ---- | C] () -- C:\WINDOWS\System32\90wres32.dll
[2007/06/04 22:07:19 | 00,000,462 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2007/06/04 22:07:00 | 00,001,343 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2007/05/15 01:17:34 | 00,059,392 | R--- | C] () -- C:\WINDOWS\System32\streamhlp.dll
[2007/03/05 13:34:28 | 00,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/01/16 23:19:37 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\FlpGrfADO.dll
[2007/01/09 12:49:56 | 00,000,036 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2007/01/09 12:49:54 | 00,000,056 | ---- | C] () -- C:\WINDOWS\Addrfixr.ini
[2007/01/09 12:49:49 | 00,009,391 | ---- | C] () -- C:\WINDOWS\System32\dymourl.ini
[2007/01/09 12:48:06 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\DYMOCFG.DLL
[2007/01/09 12:48:06 | 00,004,096 | ---- | C] () -- C:\WINDOWS\System32\lmmonres.dll
[2006/11/06 15:51:55 | 00,000,101 | ---- | C] () -- C:\WINDOWS\bi_group.ini
[2006/11/06 15:44:33 | 00,257,536 | ---- | C] () -- C:\WINDOWS\System32\biImg.dll
[2006/11/06 15:44:33 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\bimresNT.dll
[2006/11/06 15:44:32 | 00,282,715 | ---- | C] () -- C:\WINDOWS\System32\UMTransportSvr.dll
[2006/11/06 15:44:32 | 00,211,968 | ---- | C] () -- C:\WINDOWS\System32\Bitmani.dll
[2006/11/06 15:44:32 | 00,073,813 | ---- | C] () -- C:\WINDOWS\System32\CtsCP32.dll
[2006/11/06 15:44:31 | 00,102,489 | ---- | C] () -- C:\WINDOWS\System32\TiffUtil.dll
[2006/11/06 15:44:31 | 00,077,911 | ---- | C] () -- C:\WINDOWS\System32\Volume.dll
[2006/11/06 15:44:31 | 00,073,827 | ---- | C] () -- C:\WINDOWS\System32\UMFaxSettings.dll
[2006/09/18 14:37:50 | 00,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx12_ic.ini
[2006/09/18 14:37:48 | 00,667,280 | ---- | C] () -- C:\WINDOWS\System32\tx12.dll
[2006/06/22 09:38:35 | 00,000,040 | ---- | C] () -- C:\WINDOWS\opt_1440.ini
[2006/06/12 06:36:30 | 00,241,664 | ---- | C] () -- C:\WINDOWS\System32\hppapr04.DLL
[2006/04/11 15:21:51 | 00,025,601 | ---- | C] () -- C:\WINDOWS\CSTBox.INI
[2006/04/06 09:03:09 | 00,001,682 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/04/06 09:03:09 | 00,000,056 | RHS- | C] () -- C:\WINDOWS\System32\5659C9F67D.sys
[2006/03/31 12:56:12 | 00,000,230 | ---- | C] () -- C:\WINDOWS\ActiveActG.INI
[2006/03/30 15:12:02 | 00,000,230 | ---- | C] () -- C:\WINDOWS\ActiveAct.INI
[2006/01/27 09:29:19 | 00,000,239 | ---- | C] () -- C:\WINDOWS\prestopm.INI
[2006/01/27 09:25:27 | 00,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2006/01/27 09:25:04 | 00,000,166 | -H-- | C] () -- C:\WINDOWS\NsNetScan.ini
[2006/01/09 12:01:12 | 00,000,092 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2005/12/07 17:02:36 | 00,000,410 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2005/11/22 13:48:03 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\APCSnmp.dll
[2005/11/18 15:16:31 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2005/11/18 15:16:31 | 00,000,105 | ---- | C] () -- C:\WINDOWS\UMXADDIN.INI
[2005/11/18 15:16:31 | 00,000,081 | ---- | C] () -- C:\WINDOWS\PM20.INI
[2005/11/18 15:16:14 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2005/11/18 15:15:24 | 00,000,074 | ---- | C] () -- C:\WINDOWS\PMINI.ini
[2005/11/18 15:14:36 | 00,000,525 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2005/11/14 16:32:01 | 00,000,022 | ---- | C] () -- C:\WINDOWS\LoadConfig.ini
[2005/11/14 16:29:07 | 00,507,904 | ---- | C] () -- C:\WINDOWS\System32\libxml2.dll
[2005/11/14 12:32:02 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\libpq.dll
[2005/10/27 10:21:03 | 00,000,000 | ---- | C] () -- C:\WINDOWS\WTNSETUP.INI
[2005/10/27 10:11:59 | 00,037,888 | ---- | C] () -- C:\WINDOWS\System32\DCCWFP32.DLL
[2005/10/27 10:11:58 | 00,000,250 | ---- | C] () -- C:\WINDOWS\WINFAX.INI
[2005/10/27 10:11:56 | 00,017,920 | ---- | C] () -- C:\WINDOWS\System32\IMPLODE.DLL
[2005/10/27 01:26:20 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\EmailShared.dll
[2005/10/27 00:58:20 | 00,000,516 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/06/11 12:47:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\fpprintmon.dll
[2004/08/04 08:00:00 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/08/04 08:00:00 | 00,000,993 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 08:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/07/13 16:35:48 | 00,001,590 | ---- | C] () -- C:\WINDOWS\PCW130.ini
[2003/06/12 13:00:56 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
[2003/06/04 17:10:48 | 00,000,332 | ---- | C] () -- C:\WINDOWS\ActiveSkin.ini
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/02/27 10:41:28 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\nsldappr32v50.dll
[2002/02/27 10:41:26 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll
[2002/02/27 10:41:26 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\nsldapssl32v50.dll
[2001/07/06 16:30:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2000/02/08 03:05:36 | 00,110,080 | R--- | C] () -- C:\WINDOWS\System32\W32MKRC.DLL
[2000/02/08 03:05:34 | 00,038,576 | ---- | C] () -- C:\WINDOWS\System32\NWLOCALE.DLL
[1999/03/30 10:53:50 | 00,000,793 | ---- | C] () -- C:\WINDOWS\BTI.INI

========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/10/02 09:04:35 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\fumudumi
[2009/10/02 08:33:50 | 00,001,682 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/10/02 08:30:47 | 00,050,176 | -HS- | M] () -- C:\WINDOWS\System32\wifufulu.dll
[2009/10/02 08:30:17 | 00,090,624 | -HS- | M] () -- C:\WINDOWS\System32\japidahu.dll
[2009/10/02 08:30:17 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\pidokobo.dll
[2009/10/02 08:29:38 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/01 20:31:00 | 00,519,168 | ---- | M] (OldTimer Tools) -- \\PDC\Homes$\RobinR\Desktop\OTL.exe
[2009/10/01 16:49:31 | 00,199,680 | ---- | M] () -- \\PDC\Homes$\RobinR\My Documents\Sales Log 2009.xls
[2009/10/01 10:11:02 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/01 09:43:30 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/09/29 22:22:53 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\tihobaha.dll
[2009/09/29 19:24:24 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/29 18:56:13 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/09/29 16:58:02 | 00,004,096 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ScheduledItems
[2009/09/29 16:09:08 | 00,033,280 | ---- | M] () -- \\PDC\Homes$\RobinR\My Documents\SAFETY NETTING SOLUTIONS FOR HOME AND GARDEN.doc
[2009/09/29 11:31:45 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/09/28 14:44:29 | 00,000,993 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/09/28 14:44:29 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/09/28 14:44:29 | 00,000,211 | -H-- | M] () -- C:\boot.ini
[2009/09/28 14:29:49 | 00,335,291 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/09/25 16:38:37 | 00,991,941 | ---- | M] () -- \\PDC\Homes$\RobinR\My Documents\2009_MFIP_website.pdf
[2009/09/25 12:37:13 | 00,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2009/09/25 12:32:19 | 00,335,291 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090928-142949.backup
[2009/09/25 12:28:26 | 00,000,032 | ---- | M] () -- C:\WINDOWS\System32\thxcfg.ini
[2009/09/25 12:08:17 | 00,335,291 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090925-123219.backup
[2009/09/25 12:07:11 | 00,335,291 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090925-120817.backup
[2009/09/25 11:43:23 | 00,000,410 | ---- | M] () -- C:\WINDOWS\brwmark.ini
[2009/09/24 15:38:59 | 00,136,704 | ---- | M] () -- \\PDC\Homes$\RobinR\Desktop\CurrentPPI-M1250MC.xls
[2009/09/24 09:15:38 | 03,186,090 | -H-- | M] () -- C:\Documents and Settings\RobinR\Local Settings\Application Data\IconCache.db
[2009/09/24 08:54:11 | 00,026,624 | ---- | M] () -- \\PDC\Homes$\RobinR\Desktop\TO DO LIST.doc
[2009/09/23 09:50:48 | 00,000,036 | ---- | M] () -- C:\WINDOWS\iltwain.ini
[2009/09/19 22:56:48 | 00,001,819 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2009/09/18 23:58:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/09/16 16:43:00 | 00,026,196 | ---- | M] () -- \\PDC\Homes$\RobinR\Desktop\nobrain.jpg
[2009/09/11 16:50:37 | 00,030,208 | ---- | M] () -- \\PDC\Homes$\RobinR\My Documents\best of parks.doc
[2009/09/11 16:48:00 | 03,225,969 | ---- | M] () -- \\PDC\Homes$\RobinR\My Documents\2009 MFRG.pdf
[2009/09/10 16:55:09 | 00,418,459 | ---- | M] () -- C:\WINDOWS\System32\DllHost.htm
[2009/09/10 16:47:57 | 02,826,520 | ---- | M] () -- \\PDC\Homes$\RobinR\My Documents\2009 MFIP.pdf
[2009/09/10 16:47:13 | 03,127,808 | ---- | M] () -- \\PDC\Homes$\RobinR\My Documents\2009 MFIP.pub
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/10 08:47:47 | 00,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/09/10 08:42:50 | 00,001,670 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/09/05 01:54:48 | 00,094,208 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2009/09/05 01:54:48 | 00,069,632 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts
[2009/09/03 12:51:44 | 00,024,576 | ---- | M] () -- \\PDC\Homes$\RobinR\My Documents\Wiring Instructions for InCord.doc

========== Alternate Data Streams ==========

@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


Extras.txt:

OTL Extras logfile created on: 10/2/2009 9:08:53 AM - Run 1
OTL by OldTimer - Version 3.0.17.0 Folder = \\PDC\Homes$\RobinR\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.31 Gb Available Physical Memory | 65.82% Memory free
4.00 Gb Paging File | 3.49 Gb Available in Paging File | 87.27% Paging File free
Paging file location(s): C:\pagefile.sys 2304 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 5.71 Gb Free Space | 15.32% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive I: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive L: | 32.59 Gb Total Space | 16.46 Gb Free Space | 50.52% Space Free | Partition Type: NTFS
Drive M: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive N: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive R: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive S: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive T: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive U: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive V: | 15.75 Gb Total Space | 9.56 Gb Free Space | 60.67% Space Free | Partition Type: NTFS
Drive W: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Drive X: | 205.07 Gb Total Space | 37.44 Gb Free Space | 18.26% Space Free | Partition Type: NTFS

Computer Name: WEBMASTER
Current User Name: RobinR
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.js [@ = JSFile] -- C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe (Macromedia, Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
jsfile [edit] -- "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1" (Macromedia, Inc.)
jsfile [open] -- "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [FinePix] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" "%1" (FUJI PHOTO FILM CO.,LTD.)
Directory [FinePixPrint] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" /p "%1" (FUJI PHOTO FILM CO.,LTD.)
Directory [Print_Directory_Listing] -- printdir.bat "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"5226:TCP" = 5226:TCP:*:Enabled:UltraVNC

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe" = C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe -- File not found
"C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe" = C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe:*:Enabled:PowerChute Business Edition Agent -- (APC)
"C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" = C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe:*:Disabled:Dreamweaver MX -- (Macromedia, Inc.)
"C:\Program Files\ACT\ACT for Windows\Act8.exe" = C:\Program Files\ACT\ACT for Windows\Act8.exe:*:Enabled:ACT! 8.x/2006 Workgroup -- (Sage Software SB, Inc)
"C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager -- (iAnywhere Solutions, Inc.)
"C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe" = C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe:*:Enabled:Dreamweaver 8 -- (Macromedia, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe" = C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe -- File not found
"C:\Program Files\ACT\ACT for Windows\Act8.exe" = C:\Program Files\ACT\ACT for Windows\Act8.exe:*:Enabled:ACT! 8.x/2006 Workgroup -- (Sage Software SB, Inc)
"C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" = C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe:*:Enabled:Dreamweaver MX -- (Macromedia, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03F1CC67-5BD8-4C36-8394-76311B2AE69A}" = ArcSoft PhotoStudio 5
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{07B02BD4-E799-4945-B240-166CA9A9BE2D}" = Multimedia Card Reader
"{0837A661-FEC3-48B3-876C-91E7D32048A9}" = Macromedia Dreamweaver 8
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{135BA9A6-495A-4FE9-B1A1-AB4DA449CAB1}" = hppLJP2015
"{1F73D672-6175-4A1D-B3C1-420439D03D0F}" = Product_SF_Full_QFolder
"{2323F08B-C4B3-46A3-B602-9A5AB1A1E525}" = Azalea Software Barcode UFL
"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.4.3
"{268D8766-8280-4BE5-9680-2BC769E5855A}" = ACT! Premium 2006
"{2BD5C305-1B27-4D41-B690-7A61172D2FEB}" = Macromedia Flash 8
"{30960DCB-603B-4969-8387-4E869D199600}" = Sage MAS 200 Workstation (C:\Program Files\Sage Software\MAS 200 Client\Version4\MAS90\)
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3BC341BD-3736-45F0-B0E0-5664792AC528}" = HP Care Pack Core
"{414C803A-6115-4DB6-BD4E-FD81EA6BC71C}" = Product_SF_Min_QFolder
"{4712DD15-D681-4BDF-B623-9D4F33550F44}" = Peachtree Complete Accounting 2006
"{4B9535BF-CC90-4158-AF32-CAF57A8820CA}" = Macromedia Contribute 3.11
"{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}" = Macromedia Fireworks 8
"{4C7E5204-EE48-4F10-BC65-04FA36713B6D}" = Manual CanoScan 5000,5000F,8000F
"{5490882C-6961-11D5-BAE5-00E0188E010B}" = FUJIFILM USB Driver
"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
"{561D20B1-766E-4EA5-8A1D-B7357D903673}" = hppIOFiles
"{580183A6-FF92-11D5-9294-0050BA073EEC}" = Presto! PageManager 6
"{5864B49E-03FC-481E-89B7-A6664CC2ACB4}" = eDrawings 2008
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{5E55F3F1-2210-4CC9-A761-9E4B818D9FA7}" = HP Care Pack Products
"{6249C22D-E6A8-407B-BA8B-40298848ED94}" = OmniPage SE
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6441FECE-0E73-4326-81BF-68503E897820}" = CorePLS_Min_QFolder
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69E6C13B-CF6B-47A6-B7A5-77FE82B2CB40}" = hppFonts
"{6D4111AC-12C2-4169-87B2-6D9FFF4FD9A4}" = ACT!
"{6FFDFDB6-A660-41A3-997A-EB061C5F6C60}" = HP Marketing Assistant
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{761F472B-ABCE-4F20-B070-6C014E6B6CE3}" = JobOps MAS90 Workstation Help
"{7A178F2E-92F6-437C-A709-69685D1C0F2B}" = hppTLBXFXP2015
"{7E545666-F436-45FD-B3DF-C0B99A1A579F}" = QuickBooks Premier: Mfg and Whsle Edition 2007
"{885A63EA-382B-4DD4-A755-14809B8557D6}" = Macromedia Flash Player 8
"{8A4E54C8-90D5-474E-BBBF-5DD43A5A507C}" = Sage MAS 200 Workstation (C:\Program Files\Sage SoftwareV4.2\MAS 200 Client\Version4\MAS90\)
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8B4AB829-DFD3-436D-B808-D9733D76C590}" = Macromedia Dreamweaver MX
"{8BCB844B-0814-4354-A413-1063DB4618E9}" = PeachTree Signature Ready Forms
"{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}" = Macromedia Flash 8 Video Encoder
"{8C0118CC-F720-45FF-A4DA-44AD77B2E73C}" = CorePLS_Full_QFolder
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91057632-CA70-413C-B628-2D3CDBBB906B}" = Macromedia Flash Player 8 Plugin
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91208A47-5D08-4C79-986F-1931940F51BB}" = QuickBooks Product Listing Service
"{93C069D4-2F86-4570-A6DF-BFABBA1E4AFD}" = hpzTLBXFX
"{A0DB4D2C-E85B-4C23-A4F2-F1B95D3C3BE8}" = Crystal Reports 10 for Sage
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A8AD990E-355A-4413-8647-A9B168978423}_is1" = UltraVNC v1.0.2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-0000-7EC8-7489-000000000603}" = Adobe Acrobat and Reader 6.0.3 Update
"{AC76BA86-0000-7EC8-7489-000000000604}" = Adobe Acrobat and Reader 6.0.4 Update
"{AC76BA86-0000-7EC8-7489-000000000605}" = Adobe Acrobat and Reader 6.0.5 Update
"{AC76BA86-0000-7EC8-7489-000000000606}" = Adobe Acrobat and Reader 6.0.6 Update
"{AC76BA86-1033-0000-BA7E-000000000001}" = Adobe Acrobat 6.0.1 Standard
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B29F049B-5776-4A62-9651-CD0CFBEA4DFD}" = JobOps MAS200 Workstation Extras
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom Gigabit Integrated Controller
"{B8B4D43C-EAA0-4EEC-B93E-D4D012316286}" = Free DWG Viewer 5.4
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BCE46757-7674-4416-BEDB-68205A60409E}" = Canon CanoScan Toolbox 4.1
"{BCE9F441-9027-4911-82E0-5FB28057897D}" = APC PowerChute Business Edition Agent
"{BD868C41-BB9B-4AA7-A3F1-DB1FA1A02610}" = psqlODBC
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1B160F0-8BA8-408A-8407-5198F3B0B529}" = Sage Components
"{C1D14C0D-FDAA-4DF2-8441-A902805CCE8C}" = ArcSoft PhotoBase 3
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC016F21-3970-11DE-B878-005056806466}" = Google Earth
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D90AFDE3-3E67-407A-ACA8-F0BAAD012F08}" = Safari
"{E5F343DE-F5ED-4582-BAE2-C8ED548DFA46}" = Google SketchUp Viewer
"{EA528B2C-DF8F-45BB-BFDB-B588536992EB}" = SolidWorks eDrawings 2009
"{EC2A8F27-4FBF-4E41-B27B-FE822511B761}" = iTunes
"{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}" = HP Software Update
"{EDAE4F43-833C-443B-8DB5-129F897DF3E8}" = hppWebRegMM
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F38D0F99-1BFC-47AB-AC36-8D9D43700CFB}" = hppManualsP2015
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"ActiveTouchMeetingClient" = WebEx
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"avast!NET" = avast! Antivirus (managed)
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"DYMO Label Software" = DYMO Label Software
"Google Chrome" = Google Chrome
"Google Updater" = Google Updater
"HP LaserJet P2015" = HP LaserJet P2015 Series 1.0
"InstallShield_{07B02BD4-E799-4945-B240-166CA9A9BE2D}" = Multimedia Card Reader
"InstallShield_{268D8766-8280-4BE5-9680-2BC769E5855A}" = ACT! Premium 2006
"InstallShield_{4712DD15-D681-4BDF-B623-9D4F33550F44}" = Peachtree Complete Accounting 2006
"Inter-Tel Unified Messaging" = Inter-Tel Unified Messaging
"LiveAdvisor" = LiveAdvisor (Symantec Corporation)
"LiveUpdate" = LiveUpdate
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.14)" = Mozilla Firefox (3.0.14)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Peachtree Complete Accounting" = Peachtree Complete Accounting 2006
"PocketSOAP" = PocketSOAP 1.5.4 (remove only)
"QuicktimeAlt_is1" = QuickTime Alternative 2.5.0
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.0
"Spyware Doctor" = Spyware Doctor 6.1
"ST6UNST #1" = IPA
"Vim 7.0" = Vim 7.0 (self-installing)
"WebPosition 4" = WebPosition 4
"WIC" = Windows Imaging Component
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinFax" = Symantec WinFax PRO 10.0
"Winpopup LAN Messenger_is1" = Winpopup LAN Messenger 3.9
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1597796046-2899545957-4185577106-1153\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.1.0.366
"InstallShield_{6FFDFDB6-A660-41A3-997A-EB061C5F6C60}" = HP Marketing Assistant

< End of report >

Also - here is the DDS.txt file:

DDS (Ver_09-09-29.01) - NTFSx86
Run by Administrator at 16:16:37.01 on Sat 10/03/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1216 [GMT -4:00]

AV: avast! antivirus 4.8.1038 [VPS 091002-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\AvAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SysAid\IliAS.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ACT\ACT for Windows\Act.Scheduler.UI.exe
C:\Program Files\ACT\ACT for Windows\Act8.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe
C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ACTSchedulerUI] "c:\program files\act\act for windows\Act.Scheduler.UI.exe" -Dfalse
mRun: [Act! Preloader] "c:\program files\act\act for windows\Act8.exe" -stayrunning
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [WinVNC] "c:\program files\ultravnc\WinVNC.exe" -servicehelper
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\aswDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\runthis.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233518332100
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233518299053
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\symantec\winfax\WfxSeh32.Dll
LSA: Notification Packages = scecli buyoziyi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\kdp59162.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-28 206256]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-20 114768]
R2 APCPBEAgent;APC PBE Agent;c:\progra~1\apc\powerc~1\agent\pbeagent.exe [2005-11-22 28672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-20 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\aswServ.exe [2009-5-20 138680]
R2 avast! NetAgent;avast! NetAgent;c:\program files\alwil software\avast4\AvAgent.exe [2009-5-20 52160]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sact7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sACT7 [?]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2007-3-14 6016]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\aswMaiSv.exe [2009-5-20 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\aswWebSv.exe [2009-5-20 352920]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\d.tmp --> c:\windows\system32\D.tmp [?]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2006-4-6 53248]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-9-28 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-9-28 1097096]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.exe -i act7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.EXE -i ACT7 [?]
S4 Abel;Abel;c:\windows\Abel.exe [2006-11-22 27648]
S4 gupdate1c9f8c713989cc8;Google Update Service (gupdate1c9f8c713989cc8);c:\program files\google\update\GoogleUpdate.exe [2009-6-29 133104]

=============== Created Last 30 ================

2009-10-02 20:41 38,400 a---h--- c:\windows\system32\OLDBIT393.tmp
2009-09-28 18:28 --d----- c:\program files\Sophos
2009-09-28 14:18 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-09-28 14:18 206,256 a------- c:\windows\system32\drivers\PCTCore.sys
2009-09-28 14:18 86,888 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-28 14:18 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-28 14:18 --d----- c:\program files\common files\PC Tools
2009-09-28 14:18 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-09-28 14:18 --d----- c:\program files\Spyware Doctor
2009-09-28 14:18 --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-09-28 14:18 --d----- c:\docume~1\admini~1\applic~1\PC Tools
2009-09-28 14:11 --d----- c:\windows\pss
2009-09-28 11:13 --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-09-25 12:28 32 a------- c:\windows\system32\thxcfg.ini
2009-09-25 11:48 --d----- c:\program files\Spybot - Search & Destroy
2009-09-25 11:08 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-25 11:08 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-25 11:08 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-25 11:08 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-10 08:48 --d----- c:\program files\iPhone Configuration Utility
2009-09-10 08:46 --d----- c:\program files\iPod
2009-09-10 08:45 --d----- c:\program files\iTunes
2009-09-10 08:45 --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-10-03 13:08 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2006-04-06 09:03 56 ---shr-- c:\windows\system32\5659C9F67D.sys

============= FINISH: 16:17:20.69 ===============


I also have the attach.txt file, but did not include it, as is stated when the file is generated. Thanks for your help - I believe my situation is less urgent than when I started, but I know others are posting about similar experiences with what appears to be a new variant.

#2 Blue Gascon
  • Topic Starter
  • Members
  • 8 posts

Posted 05 October 2009 - 11:57 AM

I may have found a further clue here - it looks like this may be the mechanism that was causing reinfection - a look at one of the machines reveals that the entry in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa under Notification Packages had been modified to a value of "scecli buyoziyi.dll". Since I had been successful at removing the named DLL it looks like I may have cut it off at the knees. I'd still like to get the loose ends of this thing cleaned up, but I may have defeated it for now.
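
A defender's check for the mechanism described in the post above, added here as an example and not part of the original thread: the "Notification Packages" value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is a REG_MULTI_SZ list of modules that lsass.exe loads at startup, so an extra name in that list (the buyoziyi.dll seen in the DDS log) reloads on every boot no matter which Run keys were cleaned. The PowerShell below reads the value, compares each entry with a baseline and reports where each module resolves on disk. The baseline of only scecli is an assumption for a stock Windows XP / Server 2003 host (domain controllers and RRAS servers may legitimately add rassfm, and hosts with a deliberately installed password filter will have their own entry); the function names are mine. It needs an elevated PowerShell prompt.

```powershell
# Added example, not code from the thread: audit the LSA "Notification Packages" value.
# Every module listed here is loaded into lsass.exe at boot (password-filter/notification
# packages), which is why a stray entry such as buyoziyi.dll comes back after the Run
# keys are cleaned. Run from an elevated PowerShell prompt.

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'Notification Packages'

# Baseline is an assumption for a stock Windows XP / Server 2003 host: only scecli is
# expected. Domain controllers and RRAS servers may legitimately add rassfm; extend the
# list for hosts where a third-party password filter is deliberately installed.
$baseline = @('scecli')

function Get-LsaNotificationPackages {
    $raw = (Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction Stop).$valueName
    # The value is REG_MULTI_SZ (string[]), but tools such as DDS print it space-separated;
    # splitting each element on whitespace handles both shapes.
    @($raw | ForEach-Object { $_ -split '\s+' } | Where-Object { $_ })
}

function Resolve-LsaPackage {
    param([string]$Package)
    # Entries are bare module names resolved like LoadLibrary; system32 is the normal home.
    $file   = if ($Package -like '*.dll') { $Package } else { "$Package.dll" }
    $path   = Join-Path (Join-Path $env:SystemRoot 'system32') $file
    $exists = Test-Path -LiteralPath $path

    $created = $null
    $signature = 'n/a'
    if ($exists) {
        $item      = Get-Item -LiteralPath $path
        $created   = $item.CreationTime
        # Catalog-signed OS files can report NotSigned on older Windows releases; treat
        # the signature as a triage hint, not as the deciding test.
        $signature = (Get-AuthenticodeSignature -FilePath $path).Status
    }

    [pscustomobject]@{
        Package    = $Package
        InBaseline = ($baseline -contains ($Package -replace '\.dll$', ''))
        Path       = $path
        Exists     = $exists
        Created    = $created
        Signature  = $signature
    }
}

$report = Get-LsaNotificationPackages | ForEach-Object { Resolve-LsaPackage -Package $_ }
$report | Format-Table -AutoSize

# Anything outside the baseline is a finding whether or not the file still exists: a
# missing DLL means the entry is dangling and should be removed from the value; a present
# one should be preserved for analysis before it is cleaned.
$suspect = @($report | Where-Object { -not $_.InBaseline })
if ($suspect.Count -gt 0) {
    $names = ($suspect | ForEach-Object { $_.Package }) -join ', '
    Write-Warning "Unexpected LSA notification package(s): $names"
    Write-Warning "Remove the extra name(s) from '$lsaKey' -> '$valueName' (keep the baseline entries) and reboot; deleting only the DLL leaves the load entry in place."
} else {
    Write-Host "Notification Packages matches the baseline: $($baseline -join ', ')"
}
```

The script only reports; it does not edit the registry, so the value can be compared against the DDS "LSA: Notification Packages" line before anything is changed. On the machine from this thread it would list scecli (present, in baseline) and buyoziyi (not in baseline, and no longer on disk once the DLL was deleted), which is exactly the dangling entry the post describes.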

#3 Blue Gascon
  • Topic Starter
  • Members
  • 8 posts

Posted 06 October 2009 - 01:38 PM

Anyone? I was still hoping to get a little guidance and recommendations to help ensure that these systems are clean of any artifacts from this malware. Neither machine shows any sign of reinfection as of now.

#4 Blue Gascon
  • Topic Starter
  • Members
  • 8 posts

Posted 08 October 2009 - 12:11 PM

I guess I must have committed some kind of unforgivable offense here, as it is apparent that no one wants to even comment on my problem, let alone help me. I'm sorry for whatever I did to offend you all. Guess I'm truly on my own here. :(

Hello Blue Gascon,

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large, as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, you wouldn't want someone to assist you who is not familiar with your issue and attempt to fix it, would you?

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 09 October 2009 - 05:28 PM.


#5 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 22 October 2009 - 01:37 PM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help please let me know what issues you are still having, in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks

Edited by syler, 22 October 2009 - 01:38 PM.


#6 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 26 October 2009 - 07:41 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
