
Possible opachki.ru remnants


  • This topic is locked
21 replies to this topic

#1 dking88

  • Members
  • 13 posts

Posted 31 January 2010 - 07:33 PM

First, thanks so much for this help.

My computer has slowed down, but what got me going is that my keyboard, specifically my numeric keyboard, stopped responding appropriately.

I have not been able to run Adaware for a couple of months - it always stops, asks for a report and I send that with no feedback.

I have been concerned about both of the above and ran additional virus scans to no apparent effect.

Today I noticed that the last object Spyware removed was opachki.ru on 10/23/09. As it happens, that was the last day Adaware was run through to completion.

My daughter on the same network also had the opachki.ru virus removed the same day and has also not been able to run Adaware since.

Posting DDS.txt report:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Deb at 18:08:25.54 on Sun 01/31/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1167 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100131-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\IBackup for Windows\IBackupWebM.exe
C:\IBackup for Windows\IBWin Service_955.exe
C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$DELORMEMAPPING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\IBackup for Windows\IBackground_955.exe
C:\IBackup for Windows\IBMonitor.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Askarya\Taskbar Manager\TaskbarManager.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\freeCommander2006\freeCommander.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\0-User\0-Common\z-Install\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://www.timeslipsecenter.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Download Guard for Internet Explorer: {20c1a7f0-528e-444f-bac5-5804a61cca7f} - c:\program files\lavasoft\download guard for internet explorer\DownloadGuardBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Taskbar Manager] c:\program files\askarya\taskbar manager\TaskbarManager.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] ;rundll32.exe nvHotkey.dll,Start
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [eFax 4.3] ;"c:\program files\efax messenger 4.3\J2GDllCmd.exe" /R
mRun: [IBWIN] "c:\program files\ibackup for windows\IBackupForWindows_952.exe"
mRun: [Task Manager] c:\windows\system32\taskmgr.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [Adobe Reader Speed Launcher] ;"c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [Ad-Watch] ;c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [IBWin Background process] "c:\ibackup for windows\IBackground_955.exe"
mRun: [IBWin Monitor] "c:\ibackup for windows\IBMonitor.exe" Min
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
StartupFolder: c:\docume~1\deb\startm~1\programs\startup\dialog~1.lnk - c:\program files\vcom\powerdesk\pddlghlp.exe
StartupFolder: c:\docume~1\deb\startm~1\programs\startup\mailwa~1.lnk - c:\program files\firetrust\mailwasher pro\MailWasher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\comman~1.lnk - c:\program files\freecommander2006\freeCommander.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Service Manager.norun
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177882108259
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178678284675
DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - hxxp://aerial.leepa.org/ecwplugins/NCS.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B151B524-F451-4036-9663-B3944FA710DF} - hxxp://r7.help20.com/149/LoadClient/ENUclientPro.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://computershare.webex.com/client/T26L10NSP49EP12/event/ieatgpc.cab
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist express customer\148\g2ax_winlogon.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\deb\applic~1\mozilla\firefox\profiles\mj0o8enz.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-1-15 40560]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-25 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-6-1 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-6-1 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-6-1 138680]
R2 IBackupWeb;IBackupWeb;c:\ibackup for windows\IBackupWebM.exe [2009-12-6 54760]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R2 MSSQL$DELORMEMAPPING;MSSQL$DELORMEMAPPING;c:\program files\microsoft sql server\mssql$delormemapping\binn\sqlservr.exe -sdelormemapping --> c:\program files\microsoft sql server\mssql$delormemapping\binn\sqlservr.exe -sDELORMEMAPPING [?]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-6-1 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-6-1 352920]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2010-1-16 41504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-6 135664]
S2 Seagate Sync Service;Seagate Sync Service;"c:\program files\seagate\sync\seasyncservices.exe" --> c:\program files\seagate\sync\SeaSyncServices.exe [?]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\citrix\gotoassist express customer\148\g2ax_service.exe [2009-2-24 72504]
S3 GTKCMOS;GTKCMOS;c:\windows\system32\GTKCMOS.sys [2004-6-15 7882]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\24.tmp --> c:\windows\system32\24.tmp [?]
S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlservr.exe -slacertedb --> c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlservr.exe -sLACERTEDB [?]
S3 RET55;RET55 NDIS Protocol Driver;\??\c:\program files\eeye digital security\blink\scanner\scanner\ret55.sys --> c:\program files\eeye digital security\blink\scanner\scanner\RET55.sys [?]
S3 SQLAgent$DELORMEMAPPING;SQLAgent$DELORMEMAPPING;c:\program files\microsoft sql server\mssql$delormemapping\binn\sqlagent.exe -i delormemapping --> c:\program files\microsoft sql server\mssql$delormemapping\binn\sqlagent.EXE -i DELORMEMAPPING [?]
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlagent.exe -i lacertedb --> c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlagent.EXE -i LACERTEDB [?]
S4 AYTRACK;AY Track 2 Trial Edition;c:\program files\ay mail 2\AYTRACK.EXE [2008-12-5 427944]
S4 TSScheduleBackup;TimeslipsBackup;c:\windows\system32\TSSchBkpService.exe [2007-5-1 705024]

=============== Created Last 30 ================

2010-01-31 22:33:41 0 --sha-w- C:\DkHyperbootSync
2010-01-28 23:33:14 0 d-----w- c:\program files\Sophos
2010-01-28 23:27:25 0 d-----w- c:\documents and settings\deb\DoctorWeb
2010-01-27 23:48:22 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-24 10:03:20 0 d-----w- c:\program files\TheTaxBook 2009 WebCD
2010-01-24 00:05:52 328192 ----a-w- c:\windows\LinkManager.exe
2010-01-20 15:00:11 0 d-----w- c:\docume~1\deb\applic~1\4Team
2010-01-19 17:54:09 0 d-----w- c:\docume~1\deb\applic~1\MAPILab Ltd
2010-01-19 16:29:49 0 d-----w- c:\program files\MAPILab Ltd
2010-01-19 16:29:49 0 d-----w- c:\program files\common files\Outlook Security Manager
2010-01-19 16:29:49 0 d-----w- c:\program files\common files\MAPILab Ltd
2010-01-18 10:19:36 0 d-----w- C:\ISOs
2010-01-18 10:12:14 0 d-----w- c:\program files\Elaborate Bytes
2010-01-17 18:11:20 3250 ----a-w- c:\windows\system32\wbem\Outlook_01ca97a078b0fa0a.mof
2010-01-17 00:32:55 0 d-sh--w- C:\Diskeeper
2010-01-16 22:07:06 41504 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys
2010-01-16 22:07:01 0 d-----w- c:\program files\common files\Diskeeper Corporation
2010-01-16 22:06:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation
2010-01-16 22:06:52 0 d-----w- c:\program files\Windows Home Server
2010-01-16 22:06:52 0 d-----w- c:\program files\Diskeeper Corporation
2010-01-16 21:04:48 0 d-----w- c:\program files\jv16 PowerTools 2009
2010-01-16 06:30:14 0 d-----w- C:\archive_db
2010-01-15 20:13:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Paragon
2010-01-15 18:37:36 40560 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2010-01-15 18:35:30 0 d-----w- c:\program files\Paragon Software
2010-01-10 21:58:27 0 d-----w- c:\docume~1\deb\applic~1\Kernel for Outlook

==================== Find3M ====================

2010-01-31 17:48:10 152530 ----a-w- c:\windows\system32\nvModes.dat
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 20:27:18 4254224 ----a-w- c:\windows\system32\qtp-mt334.dll
2009-12-28 20:26:46 249872 ----a-w- c:\windows\system32\prgiso.dll
2009-12-28 20:26:44 385544 ----a-w- c:\windows\system32\drivers\Uim_IM.sys
2009-12-28 20:26:44 34392 ----a-w- c:\windows\system32\drivers\UimBus.sys
2009-12-28 20:26:44 261416 ----a-w- c:\windows\system32\drivers\UimFIO.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 22:25:12 26024 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-10-25 09:29:00 38912 ----a-w- c:\program files\wizmo.exe
2009-08-19 09:11:38 2503 ------w- c:\program files\common files\pr_404.html
2009-07-22 23:22:32 4344 ------w- c:\program files\common files\tr3_lacerte.png
2009-01-10 20:13:03 23 --sha-w- c:\windows\system32\ebffeeffcbac_z.dll
2008-05-09 12:02:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050920080510\index.dat

============= FINISH: 18:09:37.06 ===============


Not sure if you want the rootrepeal report at this time, but here it is:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/31 18:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 00000104
Image Path: \Driver\00000104
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: aps8f49e.SYS
Image Path: C:\WINDOWS\System32\Drivers\aps8f49e.SYS
Address: 0xB920B000 Size: 303104 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB697A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA606000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3748000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Deb\Local Settings\Apps\2.0\LZHM0HPB.4B1\DNVGVGQL.YPT\manifests\DevExpress.XtraEditors.v9.2.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Deb\Local Settings\Apps\2.0\LZHM0HPB.4B1\DNVGVGQL.YPT\manifests\DevExpress.XtraEditors.v9.2.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Deb\Local Settings\Apps\2.0\LZHM0HPB.4B1\DNVGVGQL.YPT\manifests\DevExpress.Data.v9.2.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Deb\Local Settings\Apps\2.0\LZHM0HPB.4B1\DNVGVGQL.YPT\manifests\DevExpress.Data.v9.2.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Deb\Local Settings\Apps\2.0\LZHM0HPB.4B1\DNVGVGQL.YPT\manifests\DevExpress.Utils.v9.2.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Deb\Local Settings\Apps\2.0\LZHM0HPB.4B1\DNVGVGQL.YPT\manifests\DevExpress.Utils.v9.2.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Deb\Local Settings\Apps\2.0\LZHM0HPB.4B1\DNVGVGQL.YPT\manifests\DevExpress.XtraBars.v9.2.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Deb\Local Settings\Apps\2.0\LZHM0HPB.4B1\DNVGVGQL.YPT\manifests\DevExpress.XtraBars.v9.2.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Deb\Local Settings\Apps\2.0\LZHM0HPB.4B1\DNVGVGQL.YPT\manifests\RothAnalyzer.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Deb\Local Settings\Apps\2.0\LZHM0HPB.4B1\DNVGVGQL.YPT\manifests\RothAnalyzer.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Deb\Local Settings\Apps\2.0\LZHM0HPB.4B1\DNVGVGQL.YPT\manifests\SpreadsheetGear.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Deb\Local Settings\Apps\2.0\LZHM0HPB.4B1\DNVGVGQL.YPT\manifests\SpreadsheetGear.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6a656b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6a65574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6a65a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6a6514c

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xb9ed684c

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xb9ed6bec

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6a6564e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6a6508c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6a650f0

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xb9ed6cc4

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6a6576e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6a6572e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6a658ae

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a6c91d8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x8a227980 Size: 463

Object: Hidden Code [Driver: usbe, IRP_MJ_CREATE]
Process: System Address: 0x8a4541d8 Size: 463

Object: Hidden Code [Driver: usbe, IRP_MJ_CLOSE]
Process: System Address: 0x8a4541d8 Size: 463

Object: Hidden Code [Driver: usbe, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4541d8 Size: 463

Object: Hidden Code [Driver: usbe, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4541d8 Size: 463

Object: Hidden Code [Driver: usbe, IRP_MJ_POWER]
Process: System Address: 0x8a4541d8 Size: 463

Object: Hidden Code [Driver: usbe, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4541d8 Size: 463

Object: Hidden Code [Driver: usbe, IRP_MJ_PNP]
Process: System Address: 0x8a4541d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a4581d8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a4581d8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a4581d8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a4581d8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a4581d8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4581d8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4581d8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a4581d8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a4581d8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4581d8 Size: 194

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a4581d8 Size: 194

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x8a2b0980 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x8a2b0980 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x8a2b0980 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x8a2b0980 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a2b0980 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a2b0980 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x8a2b0980 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a2b0980 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x8a2b0980 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a65a1d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a65a1d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a65a1d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a65a1d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a65a1d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a65a1d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a65a1d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a65a1d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a65a1d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a65a1d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a65a1d8 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a49e980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a49e980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a49e980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a49e980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a49e980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a49e980 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a49e980 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a6cb1d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a6cb1d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a6cb1d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a6cb1d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6cb1d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a6cb1d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a6cb1d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a6cb1d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a6cb1d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6cb1d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a6cb1d8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a246378 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a246378 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a246378 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a246378 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a246378 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a246378 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a4a0980 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a4a0980 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4a0980 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4a0980 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a4a0980 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4a0980 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a4a0980 Size: 463

Object: Hidden Code [Driver: VClone, IRP_MJ_CREATE]
Process: System Address: 0x8a2321d8 Size: 463

Object: Hidden Code [Driver: VClone, IRP_MJ_CLOSE]
Process: System Address: 0x8a2321d8 Size: 463

Object: Hidden Code [Driver: VClone, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a2321d8 Size: 463

Object: Hidden Code [Driver: VClone, IRP_MJ_POWER]
Process: System Address: 0x8a2321d8 Size: 463

Object: Hidden Code [Driver: VClone, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a2321d8 Size: 463

Object: Hidden Code [Driver: VClone, IRP_MJ_PNP]
Process: System Address: 0x8a2321d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: CdfsЅఛ楄И醈, IRP_MJ_CREATE]
Process: System Address: 0x8a34d980 Size: 463

Object: Hidden Code [Driver: CdfsЅఛ楄И醈, IRP_MJ_CLOSE]
Process: System Address: 0x8a34d980 Size: 463

Object: Hidden Code [Driver: CdfsЅఛ楄И醈, IRP_MJ_READ]
Process: System Address: 0x8a34d980 Size: 463

Object: Hidden Code [Driver: CdfsЅఛ楄И醈, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a34d980 Size: 463

Object: Hidden Code [Driver: CdfsЅఛ楄И醈, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a34d980 Size: 463

Object: Hidden Code [Driver: CdfsЅఛ楄И醈, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a34d980 Size: 463

Object: Hidden Code [Driver: CdfsЅఛ楄И醈, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a34d980 Size: 463

Object: Hidden Code [Driver: CdfsЅఛ楄И醈, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a34d980 Size: 463

Object: Hidden Code [Driver: CdfsЅఛ楄И醈, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a34d980 Size: 463

Object: Hidden Code [Driver: CdfsЅఛ楄И醈, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a34d980 Size: 463

Object: Hidden Code [Driver: CdfsЅఛ楄И醈, IRP_MJ_CLEANUP]
Process: System Address: 0x8a34d980 Size: 463

Object: Hidden Code [Driver: CdfsЅఛ楄И醈, IRP_MJ_PNP]
Process: System Address: 0x8a34d980 Size: 463

==EOF==

Thanks so much!
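As an added example (not part of dking88's post or of the GMER tool itself), the Python below parses GMER "Hidden Code" records in the two-line Object/Process format shown above and summarises which IRP_MJ_* dispatch entries are hooked per driver; the sample log is constructed from a few of the entries above, and the only assumption is that every record follows that exact line pair.

```python
import re
from collections import defaultdict

# The two lines GMER emits for each hooked dispatch-table entry, as seen in the log above:
#   Object: Hidden Code [Driver: <name>, IRP_MJ_<function>]
#   Process: <process> Address: 0x<hex> Size: <bytes>
OBJECT_RE = re.compile(
    r"^Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_[A-Z_]+)\]$"
)
PROCESS_RE = re.compile(
    r"^Process: (?P<process>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)$"
)

# Constructed sample: a handful of records copied from the GMER output in this thread.
SAMPLE_LOG = """\
Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a65a1d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a65a1d8 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a49e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a3811d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a3811d8 Size: 463

==EOF==
"""


def parse_hidden_code(log_text):
    """Return one dict per hooked IRP entry: driver, irp, process, address, size."""
    hooks = []
    pending = None  # the Object line waiting for its Process line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = PROCESS_RE.match(line)
        if m and pending is not None:
            rec = dict(pending)
            rec["process"] = m["process"]
            rec["address"] = int(m["addr"], 16)
            rec["size"] = int(m["size"])
            hooks.append(rec)
            pending = None
    return hooks


def summarize(hooks):
    """Group hooks by driver: hooked IRP_MJ names, hook addresses and hook sizes."""
    per_driver = defaultdict(lambda: {"irps": set(), "addresses": set(), "sizes": set()})
    for h in hooks:
        entry = per_driver[h["driver"]]
        entry["irps"].add(h["irp"])
        entry["addresses"].add(h["address"])
        entry["sizes"].add(h["size"])
    return dict(per_driver)


def triage(hooks):
    """Facts a responder wants first: how many drivers are hooked, how many entries,
    and whether every hook has the same size (one patching component is the usual cause)."""
    summary = summarize(hooks)
    sizes = {h["size"] for h in hooks}
    return {
        "driver_count": len(summary),
        "hook_count": len(hooks),
        "uniform_size": next(iter(sizes)) if len(sizes) == 1 else None,
        "drivers": {name: sorted(v["irps"]) for name, v in summary.items()},
    }


if __name__ == "__main__":
    result = triage(parse_hidden_code(SAMPLE_LOG))
    print(f"{result['driver_count']} drivers, {result['hook_count']} hooked entries")
    if result["uniform_size"] is not None:
        print(f"all hooks are {result['uniform_size']} bytes")
    for driver, irps in result["drivers"].items():
        print(f"  {driver}: {', '.join(irps)}")
```

A single hook size across unrelated drivers (disk, USB, SMB, CD-ROM), as with the 463-byte entries above, points to one kernel component patching every dispatch table, which is what a responder would escalate rather than clean driver by driver.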


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:42 AM

Posted 08 February 2010 - 12:08 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 dking88

dking88
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:42 AM

Posted 09 February 2010 - 07:39 AM

Since my first post, I ran Dr Web for the first time and it uncovered some suspicious files. After that Avast and Malwarebytes also found something. For the last few months any scan I ran has come up clean, so maybe something was unblocked. I have posted those results below.

I am still experiencing unusual slowness and I am having a lot of trouble with entering numbers - not letters as far as I can tell. Numbers are frequently skipped and I have to try several times to get them to register. On some occasions I hit a number and it repeats off the screen. This happens with the numeric pad on my wireless keyboard, which I use most often, with the number row at the top, and also with the number row on the laptop itself. For that reason I do not think it is a problem with the physical keyboard.

This number-skipping issue leads me to believe something is still wrong.

These are the malware scanning results. I'm not sure they were all infected files, but they have all been quarantined or deleted.

Dr Web:

1/31/10

7DEB3D9Dd01;C:\0-User\Deb\Accounting Practice\Research\mail\011610\Cache;Probably SCRIPT.Virus;Incurable.Deleted.;
7DEB3D9Dd01;C:\0-User\Deb\Accounting Practice\Research\mail\011610\Cache;Probably SCRIPT.Virus;Incurable.Deleted.;
TAXPLN07.XLT;C:\DRAKE07\DTP;W97M.Verlor;Cured.;
W02COMGR.EXE;C:\Program Files\Common Files\Lacerte Shared;Probably DLOADER.Trojan;;
tpdlib.dll;C:\Program Files\TreePadXSU;Trojan.PWS.Banker.26816;;
tpzlib.dll;C:\Program Files\TreePadXSU;Trojan.MulDrop.26154;;
A0146220.msi\stream001;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1075\A0146220.msi;Program.PsKill.101;;
A0146220.msi;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1075;Archive contains infected objects;;
A0149579.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1087;Trojan.PWS.Banker.26816;;
9eab.msi\stream000;C:\WINDOWS\Installer\9eab.msi;Trojan.DownLoader.origin;;
9eab.msi;C:\WINDOWS\Installer;Archive contains infected objects;;

Avast found:

1/31/2010 8:22:15 AM SYSTEM 356 Sign of "Win32:Malware-gen" has been found in "C:\Program Files\TreePadXSU\tpdlib.dll" file.
1/31/2010 7:25:27 AM SYSTEM 448 Sign of "Win32:Malware-gen" has been found in "C:\Program Files\TreePadXSU\tpdlib.dll" file.
1/30/2010 12:45:53 AM SYSTEM 448 Sign of "Win32:Malware-gen" has been found in "C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1087\A0149579.dll" file.
1/30/2010 12:37:26 AM SYSTEM 448 Sign of "Win32:Malware-gen" has been found in "C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1033\A0142738.rbf" file.
1/29/2010 10:49:52 PM SYSTEM 448 Sign of "Win32:Malware-gen" has been found in "C:\DRAKE07\FT\TAX136.DLL" file.

Malwarebytes

2/6/10
Files Infected:
C:\Program Files\05WebSetup\w05web.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.

Spybot did not find anything

After running all this Ad-Aware was able to run to completion for the first time in months, so something seems to have improved. The only thing it found was a bunch of tracking cookies, which I left because they were actually put there deliberately by Firefox extension Targeted Advertising Cookie Opt-out. I mostly have cookies blocked anyway.


DDS:



DDS (Ver_09-12-01.01) - NTFSx86
Run by Deb at 6:17:41.76 on Tue 02/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1195 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100208-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
C:\IBackup for Windows\IBackupWebM.exe
C:\IBackup for Windows\IBWin Service_955.exe
C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$DELORMEMAPPING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\IBackup for Windows\IBackground_955.exe
C:\IBackup for Windows\IBMonitor.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Askarya\Taskbar Manager\TaskbarManager.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\freeCommander2006\freeCommander.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\0-User\0-Common\z-Install\BleepingComputer debugging programs\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://www.timeslipsecenter.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Download Guard for Internet Explorer: {20c1a7f0-528e-444f-bac5-5804a61cca7f} - c:\program files\lavasoft\download guard for internet explorer\DownloadGuardBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Taskbar Manager] c:\program files\askarya\taskbar manager\TaskbarManager.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] ;rundll32.exe nvHotkey.dll,Start
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [eFax 4.3] ;"c:\program files\efax messenger 4.3\J2GDllCmd.exe" /R
mRun: [IBWIN] "c:\program files\ibackup for windows\IBackupForWindows_952.exe"
mRun: [Task Manager] c:\windows\system32\taskmgr.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [Adobe Reader Speed Launcher] ;"c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [Ad-Watch] ;c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [IBWin Background process] "c:\ibackup for windows\IBackground_955.exe"
mRun: [IBWin Monitor] "c:\ibackup for windows\IBMonitor.exe" Min
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
StartupFolder: c:\docume~1\deb\startm~1\programs\startup\dialog~1.lnk - c:\program files\vcom\powerdesk\pddlghlp.exe
StartupFolder: c:\docume~1\deb\startm~1\programs\startup\mailwa~1.lnk - c:\program files\firetrust\mailwasher pro\MailWasher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\comman~1.lnk - c:\program files\freecommander2006\freeCommander.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Service Manager.norun
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177882108259
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178678284675
DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - hxxp://aerial.leepa.org/ecwplugins/NCS.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B151B524-F451-4036-9663-B3944FA710DF} - hxxp://r7.help20.com/149/LoadClient/ENUclientPro.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://computershare.webex.com/client/T26L10NSP49EP12/event/ieatgpc.cab
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist express customer\148\g2ax_winlogon.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\deb\applic~1\mozilla\firefox\profiles\mj0o8enz.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-1-15 40560]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-25 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-6-1 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-6-1 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-6-1 138680]
R2 IBackupWeb;IBackupWeb;c:\ibackup for windows\IBackupWebM.exe [2009-12-6 54760]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R2 MSSQL$DELORMEMAPPING;MSSQL$DELORMEMAPPING;c:\program files\microsoft sql server\mssql$delormemapping\binn\sqlservr.exe -sdelormemapping --> c:\program files\microsoft sql server\mssql$delormemapping\binn\sqlservr.exe -sDELORMEMAPPING [?]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2010-1-16 41504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-6 135664]
S2 Seagate Sync Service;Seagate Sync Service;"c:\program files\seagate\sync\seasyncservices.exe" --> c:\program files\seagate\sync\SeaSyncServices.exe [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-6-1 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-6-1 352920]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\citrix\gotoassist express customer\148\g2ax_service.exe [2009-2-24 72504]
S3 GTKCMOS;GTKCMOS;c:\windows\system32\GTKCMOS.sys [2004-6-15 7882]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\24.tmp --> c:\windows\system32\24.tmp [?]
S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlservr.exe -slacertedb --> c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlservr.exe -sLACERTEDB [?]
S3 RET55;RET55 NDIS Protocol Driver;\??\c:\program files\eeye digital security\blink\scanner\scanner\ret55.sys --> c:\program files\eeye digital security\blink\scanner\scanner\RET55.sys [?]
S3 SQLAgent$DELORMEMAPPING;SQLAgent$DELORMEMAPPING;c:\program files\microsoft sql server\mssql$delormemapping\binn\sqlagent.exe -i delormemapping --> c:\program files\microsoft sql server\mssql$delormemapping\binn\sqlagent.EXE -i DELORMEMAPPING [?]
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlagent.exe -i lacertedb --> c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlagent.EXE -i LACERTEDB [?]
S4 AYTRACK;AY Track 2 Trial Edition;c:\program files\ay mail 2\AYTRACK.EXE [2008-12-5 427944]
S4 TSScheduleBackup;TimeslipsBackup;c:\windows\system32\TSSchBkpService.exe [2007-5-1 705024]

=============== Created Last 30 ================

2010-02-09 04:23:43 0 d-----w- C:\Sch
2010-02-08 23:48:02 0 --sha-w- C:\DkHyperbootSync
2010-02-08 23:33:22 20 ----a-w- c:\documents and settings\deb\defogger_reenable
2010-02-07 19:11:20 0 d-----w- c:\program files\SmartDraw 2010
2010-01-28 23:33:14 0 d-----w- c:\program files\Sophos
2010-01-28 23:27:25 0 d-----w- c:\documents and settings\deb\DoctorWeb
2010-01-27 23:48:22 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-24 10:03:20 0 d-----w- c:\program files\TheTaxBook 2009 WebCD
2010-01-24 00:05:52 328192 ----a-w- c:\windows\LinkManager.exe
2010-01-20 15:00:11 0 d-----w- c:\docume~1\deb\applic~1\4Team
2010-01-19 17:54:09 0 d-----w- c:\docume~1\deb\applic~1\MAPILab Ltd
2010-01-19 16:29:49 0 d-----w- c:\program files\MAPILab Ltd
2010-01-19 16:29:49 0 d-----w- c:\program files\common files\Outlook Security Manager
2010-01-19 16:29:49 0 d-----w- c:\program files\common files\MAPILab Ltd
2010-01-18 10:19:36 0 d-----w- C:\ISOs
2010-01-18 10:12:14 0 d-----w- c:\program files\Elaborate Bytes
2010-01-17 18:11:20 3250 ----a-w- c:\windows\system32\wbem\Outlook_01ca97a078b0fa0a.mof
2010-01-17 00:32:55 0 d-sh--w- C:\Diskeeper
2010-01-16 22:07:06 41504 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys
2010-01-16 22:07:01 0 d-----w- c:\program files\common files\Diskeeper Corporation
2010-01-16 22:06:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation
2010-01-16 22:06:52 0 d-----w- c:\program files\Windows Home Server
2010-01-16 22:06:52 0 d-----w- c:\program files\Diskeeper Corporation
2010-01-16 21:04:48 0 d-----w- c:\program files\jv16 PowerTools 2009
2010-01-16 06:30:14 0 d-----w- C:\archive_db
2010-01-15 20:13:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Paragon
2010-01-15 18:37:36 40560 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2010-01-15 18:35:30 0 d-----w- c:\program files\Paragon Software
2010-01-10 21:58:27 0 d-----w- c:\docume~1\deb\applic~1\Kernel for Outlook

==================== Find3M ====================

2010-01-31 17:48:10 152530 ----a-w- c:\windows\system32\nvModes.dat
2010-01-27 10:44:16 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 20:27:18 4254224 ----a-w- c:\windows\system32\qtp-mt334.dll
2009-12-28 20:26:46 249872 ----a-w- c:\windows\system32\prgiso.dll
2009-12-28 20:26:44 385544 ----a-w- c:\windows\system32\drivers\Uim_IM.sys
2009-12-28 20:26:44 34392 ----a-w- c:\windows\system32\drivers\UimBus.sys
2009-12-28 20:26:44 261416 ----a-w- c:\windows\system32\drivers\UimFIO.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 22:25:12 26024 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-10-25 09:29:00 38912 ----a-w- c:\program files\wizmo.exe
2009-08-19 09:11:38 2503 ------w- c:\program files\common files\pr_404.html
2009-07-22 23:22:32 4344 ------w- c:\program files\common files\tr3_lacerte.png
2009-01-10 20:13:03 23 --sha-w- c:\windows\system32\ebffeeffcbac_z.dll
2008-05-09 12:02:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050920080510\index.dat

============= FINISH: 6:18:15.18 ===============






#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:06:42 AM

Posted 10 February 2010 - 12:16 AM

Hello, dking88
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#5 dking88

dking88
  • Topic Starter
  • Members
  • 13 posts

Posted 10 February 2010 - 08:20 AM

Thanks Tom.

I am in the process of disabling malware scanners. At the link that explains how to disable antivirus programs, the section under Spybot S&D says to uncheck the teatimer box in system startup, but I do not see teatimer there at all. The link to ResetTeaTimer.zip goes to an error page. Possibly I never activated TeaTimer or something disabled it since only the SDHelper box was checked in the Resident section.

Can these steps be skipped? If not please give me some more information about how to accomplish them.

Deborah

#6 schrauber

schrauber
    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 10 February 2010 - 03:47 PM

Hi,


We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#7 dking88

dking88
  • Topic Starter
  • Members
  • 13 posts

Posted 10 February 2010 - 04:15 PM

I have done that part. What I could not do is the part in red below (copied from http://www.bleepingcomputer.com/forums/topic114351.html)

SPYBOT TEATIMER

* Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
* On the left hand side, click on Tools, then click on the Resident Icon in the list.
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* Click on the "System Startup" icon in the List
* Uncheck the "TeaTimer" box and "OK" any prompts.
* If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
* Exit Spybot S&D when done and reboot your computer.
(When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

Please download ResetTeaTimer.zip and save to your Desktop. Extract (unzip) the file and double-click ResetTeaTimer.bat to run the script. This will remove all entries set by TeaTimer and prevent it from restoring them upon reactivation.

TeaTimer does not appear in the System Startup section, and the link to ResetTeaTimer.zip does not work. If those parts can be skipped I can continue with the rest of the process.


#8 dking88

dking88
  • Topic Starter
  • Members
  • 13 posts

Posted 11 February 2010 - 07:14 AM

Would it be okay if I installed NoScript? I have to keep using my computer while this is going on, and I'm feeling rather insecure...


#9 dking88

dking88
  • Topic Starter
  • Members
  • 13 posts

Posted 12 February 2010 - 04:14 AM

Hi Tom. TeaTimer is disabled in the Resident section and I skipped the ResetTeaTimer step. Here is the Combofix log:

ComboFix 10-02-11.04 - Deb 02/11/2010 18:18:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1412 [GMT -5:00]
Running from: c:\0-user\0-Common\z-Install\schrauber.exe
AV: avast! antivirus 4.8.1368 [VPS 100211-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Commander.lnk
c:\documents and settings\Deb\Application Data\EurekaLog
c:\windows\EventSystem.log
c:\windows\system32\bszip.dll
c:\windows\system32\zip32.dll
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-01-11 to 2010-02-11 )))))))))))))))))))))))))))))))
.

2010-02-09 04:23 . 2010-02-09 04:23 -------- d-----w- C:\Sch
2010-02-07 19:11 . 2010-02-07 19:22 -------- d-----w- c:\program files\SmartDraw 2010
2010-02-01 00:52 . 2010-02-01 00:52 2855 ----a-w- c:\documents and settings\Deb\Application Data\Microsoft\Office\Recent\My post to bleepingcomputer.com.pif
2010-01-31 23:06 . 2010-01-31 23:06 -------- d-----w- c:\program files\ERUNT
2010-01-28 23:33 . 2010-01-28 23:33 -------- d-----w- c:\program files\Sophos
2010-01-28 23:27 . 2010-01-29 18:54 -------- d-----w- c:\documents and settings\Deb\DoctorWeb
2010-01-27 23:48 . 2010-01-27 23:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-27 23:48 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-27 23:45 . 2010-01-27 23:45 503808 ----a-w- c:\documents and settings\Deb\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-72552866-n\msvcp71.dll
2010-01-27 23:45 . 2010-01-27 23:45 499712 ----a-w- c:\documents and settings\Deb\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-72552866-n\jmc.dll
2010-01-27 23:45 . 2010-01-27 23:45 348160 ----a-w- c:\documents and settings\Deb\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-72552866-n\msvcr71.dll
2010-01-27 23:45 . 2010-01-27 23:45 61440 ----a-w- c:\documents and settings\Deb\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-26cfcaa5-n\decora-sse.dll
2010-01-27 23:45 . 2010-01-27 23:45 12800 ----a-w- c:\documents and settings\Deb\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-26cfcaa5-n\decora-d3d.dll
2010-01-24 12:36 . 2010-01-11 12:37 3746304 ----a-w- c:\temp\TaxScripts-v2_8_4.msi
2010-01-24 10:03 . 2010-01-24 10:09 -------- d-----w- c:\program files\TheTaxBook 2009 WebCD
2010-01-24 00:05 . 2009-04-21 14:57 328192 ----a-w- c:\windows\LinkManager.exe
2010-01-20 15:00 . 2010-01-20 15:00 -------- d-----w- c:\documents and settings\Deb\Application Data\4Team
2010-01-19 17:54 . 2010-01-19 17:54 -------- d-----w- c:\documents and settings\Deb\Application Data\MAPILab Ltd
2010-01-19 16:29 . 2010-01-19 17:54 -------- d-----w- c:\program files\Common Files\Outlook Security Manager
2010-01-19 16:29 . 2010-01-19 17:54 -------- d-----w- c:\program files\MAPILab Ltd
2010-01-19 16:29 . 2010-01-19 16:29 -------- d-----w- c:\program files\Common Files\MAPILab Ltd
2010-01-18 10:19 . 2010-01-26 09:07 -------- d-----w- C:\ISOs
2010-01-18 10:12 . 2010-01-18 10:12 -------- d-----w- c:\program files\Elaborate Bytes
2010-01-17 00:32 . 2010-01-17 00:32 -------- d-----w- C:\Diskeeper
2010-01-16 22:07 . 2009-12-10 19:48 41504 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys
2010-01-16 22:07 . 2010-01-16 22:07 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation
2010-01-16 22:06 . 2010-01-16 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2010-01-16 22:06 . 2010-01-16 22:06 -------- d-----w- c:\program files\Windows Home Server
2010-01-16 22:06 . 2010-01-16 22:06 -------- d-----w- c:\program files\Diskeeper Corporation
2010-01-16 21:04 . 2010-01-16 21:08 -------- d-----w- c:\program files\jv16 PowerTools 2009
2010-01-16 06:30 . 2010-01-16 06:30 -------- d-----w- C:\archive_db
2010-01-15 20:13 . 2010-01-16 03:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Paragon
2010-01-15 18:37 . 2009-12-28 20:26 40560 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2010-01-15 18:35 . 2010-01-15 18:35 -------- d-----w- c:\program files\Paragon Software
2010-01-13 09:29 . 2010-01-13 20:58 -------- d-----w- c:\documents and settings\Deb\Local Settings\Application Data\RothSettings
2010-01-13 09:26 . 2010-01-21 12:00 -------- d-----w- c:\documents and settings\Deb\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-11 23:01 . 2007-04-30 16:24 -------- d-----w- c:\documents and settings\Deb\Application Data\MailWasherPro
2010-02-11 22:56 . 2007-04-30 14:18 -------- d-----w- c:\program files\freeCommander2006
2010-02-11 22:48 . 2008-01-12 22:36 -------- d-----w- c:\documents and settings\Deb\Application Data\FileZilla
2010-02-11 17:24 . 2007-05-01 22:19 -------- d-----w- c:\program files\Common Files\Lacerte Shared
2010-02-11 16:36 . 2007-04-30 21:27 -------- d-----w- c:\documents and settings\Deb\Application Data\AdobeUM
2010-02-11 13:51 . 2007-04-29 23:25 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-02-11 04:05 . 2007-12-13 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-10 12:40 . 2007-08-29 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-09 15:30 . 2007-04-29 18:48 -------- d-----w- c:\program files\Password Safe
2010-02-06 19:12 . 2007-05-01 22:42 -------- d-----w- c:\program files\05WebSetup
2010-02-04 16:43 . 2009-06-17 15:59 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2010-02-04 16:43 . 2009-09-21 15:58 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2010-02-04 16:43 . 2009-06-17 15:58 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2010-02-04 16:43 . 2009-06-17 15:58 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2010-02-01 09:59 . 2007-05-02 22:24 -------- d-----w- c:\program files\XMap 4.5
2010-01-31 17:48 . 2007-04-19 02:15 152530 ----a-w- c:\windows\system32\nvModes.dat
2010-01-31 13:22 . 2007-04-30 22:17 -------- d-----w- c:\program files\TreePadXSU
2010-01-27 23:45 . 2007-04-19 02:27 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 23:45 . 2007-04-19 02:27 -------- d-----w- c:\program files\Java
2010-01-27 10:43 . 2009-06-17 15:58 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2010-01-24 12:38 . 2009-12-30 20:38 -------- d-----w- c:\program files\TaxScripts
2010-01-24 00:06 . 2007-05-26 21:44 -------- d-----w- c:\program files\Common Files\PPC
2010-01-23 23:10 . 2009-11-05 17:37 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-18 15:25 . 2007-05-06 13:59 -------- d-----w- c:\program files\TradeLog
2010-01-18 09:59 . 2007-04-29 18:24 83744 ----a-w- c:\documents and settings\Deb\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-16 21:52 . 2010-01-16 21:52 1363968 ----a-w- c:\documents and settings\NetworkService\NTUSER.DAT.tmp
2010-01-16 21:52 . 2010-01-16 21:52 1363968 ----a-w- c:\documents and settings\LocalService\NTUSER.DAT.tmp
2010-01-16 20:07 . 2008-05-02 13:57 -------- d-----w- c:\program files\TPS
2010-01-16 19:50 . 2007-05-14 10:43 -------- d-----w- c:\program files\TechHit.com
2010-01-16 19:44 . 2007-04-19 02:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-16 19:27 . 2009-11-16 09:03 -------- d-----w- c:\program files\BackStreet Browser 3.1
2010-01-15 18:43 . 2009-08-14 14:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 13:20 . 2009-09-20 08:56 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-13 09:20 . 2007-04-30 21:45 -------- d-----w- c:\program files\Agent
2010-01-10 21:58 . 2010-01-10 21:58 -------- d-----w- c:\documents and settings\Deb\Application Data\Kernel for Outlook
2010-01-07 21:07 . 2009-08-14 14:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-08-14 14:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 14:44 . 2008-01-12 22:35 -------- d-----w- c:\program files\FileZilla FTP Client
2009-12-28 20:27 . 2009-12-28 20:27 4254224 ----a-w- c:\windows\system32\qtp-mt334.dll
2009-12-28 20:26 . 2009-12-28 20:26 249872 ----a-w- c:\windows\system32\prgiso.dll
2009-12-28 20:26 . 2009-12-28 20:26 385544 ----a-w- c:\windows\system32\drivers\Uim_IM.sys
2009-12-28 20:26 . 2009-12-28 20:26 34392 ----a-w- c:\windows\system32\drivers\UimBus.sys
2009-12-28 20:26 . 2009-12-28 20:26 261416 ----a-w- c:\windows\system32\drivers\UimFIO.sys
2009-12-26 17:45 . 2007-04-30 22:23 -------- d-----w- c:\program files\7-Zip
2009-12-25 14:40 . 2009-12-25 14:40 2855 ----a-w- c:\documents and settings\Deb\Application Data\Microsoft\Office\Recent\2009 organizer from yourcpapartners.com.pif
2009-12-21 19:14 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-20 11:02 . 2007-04-19 02:30 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-20 11:01 . 2007-05-01 21:46 -------- d-----w- c:\program files\Timeslips
2009-12-17 22:25 . 2009-12-17 22:25 26024 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2009-12-17 22:14 . 2009-11-14 18:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-14 00:07 . 2009-12-14 00:07 -------- d-----w- c:\program files\Investintech.com Inc
2009-11-24 23:54 . 2008-06-01 18:04 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-06-01 18:05 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-06-01 18:05 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-06-01 18:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-06-01 18:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-06-01 18:05 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-06-01 18:05 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-06-01 18:05 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-06-01 18:05 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 15:51 . 2004-08-11 22:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-14 18:48 . 2009-11-14 18:48 152576 ----a-w- c:\documents and settings\Deb\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-25 09:29 . 2009-10-25 09:28 38912 ----a-w- c:\program files\wizmo.exe
2009-08-19 09:11 . 2009-11-06 14:37 2503 ------w- c:\program files\Common Files\pr_404.html
2009-07-22 23:22 . 2009-11-06 14:37 4344 ------w- c:\program files\Common Files\tr3_lacerte.png
2008-11-27 14:03 . 2008-11-27 14:03 62872 ----a-w- c:\program files\mozilla firefox\plugins\ateccli.dll
2008-11-27 14:03 . 2007-11-27 20:03 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-11-27 14:03 . 2007-11-27 20:03 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-11-27 14:03 . 2008-11-27 14:03 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-01-10 20:13 . 2009-01-10 20:13 23 --sha-w- c:\windows\system32\ebffeeffcbac_z.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 20:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 20:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 20:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@="{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}"
[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2009-01-09 20:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 20:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Manager"="c:\program files\Askarya\Taskbar Manager\TaskbarManager.exe" [2007-04-24 385024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"nwiz"="nwiz.exe" [2006-01-19 1519616]
"NVHotkey"="nvHotkey.dll" [2006-01-19 73728]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 55824]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-01-27 788880]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-04-17 169256]
"IBWin Background process"="c:\ibackup for windows\IBackground_955.exe" [2009-11-27 38376]
"IBWin Monitor"="c:\ibackup for windows\IBMonitor.exe" [2009-11-27 1893864]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]

c:\documents and settings\Deb\Start Menu\Programs\Startup\
Dialog Helper.lnk - c:\program files\VCOM\PowerDesk\pddlghlp.exe [2005-9-8 40960]
MailWasherPro.lnk - c:\program files\FireTrust\MailWasher Pro\MailWasher.exe [2007-4-30 5661696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-18 24576]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-11 784912]
Service Manager.norun [2007-5-1 1908]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2009-02-24 22:20 71992 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\148\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 15:10 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\deepinvent\\MailStore Home\\MailStoreLocal.exe"=
"c:\\IBackup for Windows\\ibackup_ssl_sch_955.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"RemoteAddresses"= *
"Enabled"= 1 (0x1)

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [1/15/2010 1:37 PM 40560]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/25/2009 10:58 AM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/1/2008 1:05 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/1/2008 1:05 PM 20560]
R2 IBackupWeb;IBackupWeb;c:\ibackup for windows\IBackupWebM.exe [12/6/2009 5:12 PM 54760]
R2 MSSQL$DELORMEMAPPING;MSSQL$DELORMEMAPPING;c:\program files\Microsoft SQL Server\MSSQL$DELORMEMAPPING\Binn\sqlservr.exe -sDELORMEMAPPING --> c:\program files\Microsoft SQL Server\MSSQL$DELORMEMAPPING\Binn\sqlservr.exe -sDELORMEMAPPING [?]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [1/16/2010 5:07 PM 41504]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/6/2009 9:25 AM 135664]
S2 Seagate Sync Service;Seagate Sync Service;"c:\program files\Seagate\Sync\SeaSyncServices.exe" --> c:\program files\Seagate\Sync\SeaSyncServices.exe [?]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\148\g2ax_service.exe [2/24/2009 5:20 PM 72504]
S3 GTKCMOS;GTKCMOS;c:\windows\system32\GTKCMOS.sys [6/15/2004 2:55 PM 7882]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1181328]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\24.tmp --> c:\windows\system32\24.tmp [?]
S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB [?]
S3 RET55;RET55 NDIS Protocol Driver;\??\c:\program files\eEye Digital Security\Blink\Scanner\Scanner\RET55.sys --> c:\program files\eEye Digital Security\Blink\Scanner\Scanner\RET55.sys [?]
S3 SQLAgent$DELORMEMAPPING;SQLAgent$DELORMEMAPPING;c:\program files\Microsoft SQL Server\MSSQL$DELORMEMAPPING\Binn\sqlagent.EXE -i DELORMEMAPPING --> c:\program files\Microsoft SQL Server\MSSQL$DELORMEMAPPING\Binn\sqlagent.EXE -i DELORMEMAPPING [?]
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB [?]
S4 AYTRACK;AY Track 2 Trial Edition;c:\program files\AY Mail 2\AYTRACK.EXE [12/5/2008 6:40 PM 427944]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/30/2007 3:45 PM 639224]
S4 TSScheduleBackup;TimeslipsBackup;c:\windows\system32\TSSchBkpService.exe [5/1/2007 4:46 PM 705024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-02-11 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:43]

2010-02-11 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:43]

2010-02-11 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:43]

2010-02-11 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:43]

2010-02-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:43]

2010-02-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-13 06:30]

2010-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-06 14:25]

2010-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-06 14:25]

2010-02-11 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 18:28]

2010-02-11 c:\windows\Tasks\Paragon File Archive name arc_150110203044359.job
- c:\program files\Paragon Software\Backup and Recovery 10 Compact Edition\program\scripts.exe [2009-12-28 20:26]

2010-02-11 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-02-07 16:21]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.timeslipsecenter.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - hxxp://aerial.leepa.org/ecwplugins/NCS.cab
DPF: {B151B524-F451-4036-9663-B3944FA710DF} - hxxp://r7.help20.com/149/LoadClient/ENUclientPro.cab
FF - ProfilePath - c:\documents and settings\Deb\Application Data\Mozilla\Firefox\Profiles\mj0o8enz.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-IBWIN - c:\program files\IBackup for Windows\IBackupForWindows_952.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-11 18:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IBWin Monitor = "c:\ibackup for windows\IBMonitor.exe" Min?

scanning hidden files ...


c:\docume~1\Deb\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\24.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\program files\Citrix\GoToAssist Express Customer\148\g2ax_winlogon.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\COMRes.dll
.
Completion time: 2010-02-11 18:26:00
ComboFix-quarantined-files.txt 2010-02-11 23:25

Pre-Run: 18,206,138,368 bytes free
Post-Run: 18,218,409,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C13CAB28BA401185EEA32E682D6B5CB7
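
As an added example (not code from the thread, from ComboFix or from the helper), a small Python triage script that parses lines in the shape of the ComboFix listing above and flags the kinds of entries a malware-removal helper looks at first: a hidden+system file with a random-looking name under system32, a very small executable image, or a service whose image path is a temp file that no longer exists on disk. The sample lines are constructed in the log's format; a hit is a lead to verify by hand, not a verdict (on-demand rootkit scanners, for instance, also load drivers from temporary files).

```python
"""Triage helper for ComboFix-style log lines (added example; not ComboFix's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample lines in the shape of the thread's ComboFix log: file-listing
# entries ("Files Created" / "Find3M") and service entries ("Reg Loading Points").
SAMPLE_LOG = r"""
2010-01-16 22:07 . 2009-12-10 19:48 41504 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys
2010-01-27 23:48 . 2010-01-27 23:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-21 19:14 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-01-10 20:13 . 2009-01-10 20:13 23 --sha-w- c:\windows\system32\ebffeeffcbac_z.dll
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [1/15/2010 1:37 PM 40560]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\24.tmp --> c:\windows\system32\24.tmp [?]
"""

# "<created> . <modified> <size, or -------- for a directory> <8 attribute flags> <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-dcsharw]{8}) (?P<path>.+)$"
)
# "<start type> <service name>;<display name>;<image path> [file date/size, or ? if missing]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)


@dataclass
class Finding:
    line: str
    reasons: List[str]


def parse_attrs(flags: str) -> Set[str]:
    """Letters present in the flag field: d=directory, c=compressed, s=system, h=hidden, a=archive."""
    return {c for c in flags if c != "-"}


def triage_file_line(m: "re.Match") -> List[str]:
    reasons: List[str] = []
    attrs = parse_attrs(m["attrs"])
    path = m["path"].lower()
    name = path.rsplit("\\", 1)[-1]
    size: Optional[int] = None if m["size"].startswith("-") else int(m["size"])
    if "d" in attrs:
        return reasons  # directories are not judged by the rules below
    if {"s", "h"} <= attrs and "\\windows\\system32" in path:
        reasons.append("hidden+system file under system32")
    if size is not None and size < 1024 and name.endswith((".dll", ".sys", ".exe")):
        reasons.append(f"executable image only {size} bytes")
    if re.search(r"[0-9a-f]{10,}", name):
        reasons.append("random-looking hex name")
    return reasons


def triage_service_line(m: "re.Match") -> List[str]:
    reasons: List[str] = []
    rest = m["rest"]
    # Image path is the text before " --> " (if present), minus the trailing "[...]" stamp.
    image = re.sub(r" \[.*\]$", "", rest.split(" --> ")[0]).lower()
    if image.endswith(".tmp") or "\\temp\\" in image:
        reasons.append("service image path is a temp file")
    if rest.rstrip().endswith("[?]"):
        reasons.append("image file not found on disk at scan time")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return the lines worth a human look, each with the rules it tripped."""
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        fm = FILE_RE.match(line)
        if fm:
            reasons = triage_file_line(fm)
        else:
            sm = SERVICE_RE.match(line)
            reasons = triage_service_line(sm) if sm else []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```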


#10 schrauber

schrauber
    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 13 February 2010 - 01:04 PM

Hi,

How is it running now?

Please update your version of Malwarebytes and run a quick scan, post back with the content of the logfile.

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    safebootminimal
    safebootnetwork
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
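The /md5start ... /md5stop block in the custom scan above makes OTL hash a list of boot-critical drivers (atapi.sys, iaStor.sys, nvstor.sys and so on), because a rootkit of that period would commonly overwrite or patch one of them in place while leaving its name and location untouched. The script below is an added example, not code from the post or from OTL, showing the same check in Python: hash every copy of each named driver found under a system root, compare against a known-good baseline, and report MISSING, OK or MISMATCH. The search locations (system32\drivers and the dllcache copy that Windows File Protection restores from) are an assumption about XP layout, and the fake system root, driver contents and baseline are constructed inside demo() so the script runs offline.

```python
"""Hash boot-critical drivers under a system root and compare them with a baseline.

Added example for the OTL /md5start directive; not OTL's own code.
"""
import hashlib
import os
import tempfile

# A few of the file names from the /md5start ... /md5stop list in the post above.
DRIVERS = ["atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys"]

# Assumed XP locations for a copy of a driver: the live copy, and the protected
# cache that Windows File Protection restores from. A patched live copy that
# differs from its cached twin is exactly what this check is meant to surface.
LOCATIONS = ("system32/drivers", "system32/dllcache")


def md5_of(path):
    """MD5 of a file, read in chunks so large images do not sit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_drivers(system_root, names=DRIVERS):
    """Map driver name -> {location: md5} for every copy found under system_root."""
    found = {}
    for name in names:
        for loc in LOCATIONS:
            path = os.path.join(system_root, loc, name)
            if os.path.isfile(path):
                found.setdefault(name, {})[loc] = md5_of(path)
    return found


def triage(found, baseline, names=DRIVERS):
    """Classify each driver as MISSING, OK or MISMATCH against the baseline hashes.

    If a driver has no baseline entry, fall back to checking that all copies
    found agree with each other (live copy versus dllcache).
    """
    verdicts = {}
    for name in names:
        copies = found.get(name)
        if not copies:
            verdicts[name] = "MISSING"
            continue
        expected = baseline.get(name)
        if expected is None:
            agree = len(set(copies.values())) == 1
            verdicts[name] = "OK (copies agree)" if agree else "MISMATCH between copies"
            continue
        bad = sorted(loc for loc, h in copies.items() if h != expected)
        verdicts[name] = "MISMATCH in " + ", ".join(bad) if bad else "OK"
    return verdicts


def demo():
    """Build a constructed fake %SystemRoot% and flag a tampered live atapi.sys."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    clean = {n: ("clean driver image " + n).encode() for n in DRIVERS}
    for loc in LOCATIONS:
        os.makedirs(os.path.join(root, loc), exist_ok=True)
    # nvstor.sys is deliberately left out so the MISSING path is exercised.
    for n in ("atapi.sys", "iaStor.sys", "AGP440.sys"):
        for loc in LOCATIONS:
            with open(os.path.join(root, loc, n), "wb") as f:
                f.write(clean[n])
    # Known-good hashes, as you would record them from install media or a clean box.
    baseline = {n: hashlib.md5(b).hexdigest() for n, b in clean.items()}
    # Simulate a driver whose live copy was overwritten; the dllcache copy stays clean.
    with open(os.path.join(root, "system32/drivers", "atapi.sys"), "wb") as f:
        f.write(clean["atapi.sys"] + b"\x90\x90 patched")
    return triage(hash_drivers(root), baseline)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

Two caveats a responder should keep in mind. MD5 is fine for spotting an unexpected change against a baseline you recorded yourself, but not against an attacker who can choose both files, so record SHA-256 alongside it when you build the baseline. More importantly, a kernel-mode rootkit that filters disk reads can hand a user-mode hasher the original bytes of the file it patched, which is why a clean hash taken from inside the running system is weaker evidence than the same check run from an offline boot, and why the ComboFix rootkit scan is run as well.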

#11 dking88

dking88
  • Topic Starter

  • Members
  • 13 posts

Posted 14 February 2010 - 05:47 AM

Hi Tom,

I have not noticed any number input problems since I ran the Combofix program. New since then, though, is that my mouse has been hanging on occasion. Other times it frees up and operates normally. Otherwise all seems fine.

When we're done are you going to let me know what you found?

Thanks!

Deborah

Malwarebytes log:

Malwarebytes' Anti-Malware 1.44
Database version: 3734
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/14/2010 2:45:16 AM
mbam-log-2010-02-14 (02-45-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 418129
Time elapsed: 1 hour(s), 55 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



OTL logfile created on: 2/14/2010 2:55:23 AM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\0-User\0-Common\z-Install\BleepingComputer debugging programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.10 Gb Total Space | 17.09 Gb Free Space | 18.35% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 149.05 Gb Total Space | 42.34 Gb Free Space | 28.41% Space Free | Partition Type: NTFS
Drive G: | 7.53 Gb Total Space | 7.49 Gb Free Space | 99.45% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Y: | 74.53 Gb Total Space | 20.47 Gb Free Space | 27.47% Space Free | Partition Type: NTFS

Computer Name: DELL-LAT01
Current User Name: Deb
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/13 15:35:14 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\0-User\0-Common\z-Install\BleepingComputer debugging programs\OTL.exe
PRC - [2010/01/11 15:21:52 | 000,246,504 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jusched.exe
PRC - [2009/12/24 08:55:22 | 001,732,960 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2009/12/17 17:14:11 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/11/27 14:26:36 | 000,128,488 | ---- | M] (Pro Softnet Corporation) -- C:\IBackup for Windows\IBWin Service_955.exe
PRC - [2009/11/27 14:25:40 | 001,893,864 | ---- | M] (Pro Softnet Corporation) -- C:\IBackup for Windows\IBMonitor.exe
PRC - [2009/11/27 14:22:56 | 000,038,376 | ---- | M] (Pro Softnet Corporation) -- C:\IBackup for Windows\IBackground_955.exe
PRC - [2009/11/24 18:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/09/21 05:43:33 | 000,085,184 | ---- | M] (Macrovision ) -- C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
PRC - [2009/06/17 06:44:11 | 000,085,160 | ---- | M] (Elaborate Bytes AG) -- C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
PRC - [2009/03/25 19:20:00 | 000,054,760 | ---- | M] ( Pro-Softnet) -- C:\IBackup for Windows\IBackupWebM.exe
PRC - [2009/03/05 15:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/09 15:13:28 | 001,951,376 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
PRC - [2009/01/09 15:13:26 | 000,669,840 | R--- | M] (Carbonite, Inc.) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
PRC - [2008/04/21 07:08:15 | 000,215,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows NT\Accessories\wordpad.exe
PRC - [2008/04/17 03:33:14 | 000,181,544 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Maxtor\Sync\SyncServices.exe
PRC - [2008/04/17 03:31:54 | 000,169,256 | ---- | M] (Maxtor Corporation) -- C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/06 19:54:52 | 001,160,192 | ---- | M] (Marek Jasinski - www.FreeCommander.com) -- C:\Program Files\freeCommander2006\FreeCommander.exe
PRC - [2007/11/15 10:12:04 | 000,784,912 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2007/11/15 10:08:26 | 000,055,824 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2007/06/19 12:57:38 | 000,069,632 | ---- | M] (Software 2000 Limited) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE
PRC - [2007/04/24 11:58:22 | 000,385,024 | ---- | M] (Askarya Technologies) -- C:\Program Files\Askarya\Taskbar Manager\TaskbarManager.exe
PRC - [2006/11/22 17:35:50 | 001,392,640 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\WLTRAY.EXE
PRC - [2006/11/22 17:35:50 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\WLTRYSVC.EXE
PRC - [2006/11/22 17:32:58 | 001,253,376 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\BCMWLTRY.EXE
PRC - [2006/06/29 12:13:32 | 001,032,192 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2006/06/29 12:12:34 | 000,376,832 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2006/03/24 16:30:44 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2006/01/19 08:14:00 | 000,143,428 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2005/10/07 12:13:38 | 000,176,128 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2005/09/08 10:50:22 | 000,040,960 | ---- | M] (Avanquest Publishing USA, Inc.) -- C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
PRC - [2005/07/27 14:41:08 | 000,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2005/06/16 11:11:42 | 000,049,152 | ---- | M] () -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
PRC - [2005/04/01 20:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
PRC - [2004/06/28 21:56:12 | 000,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\hidfind.exe
PRC - [2003/10/29 02:06:00 | 000,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2002/12/17 17:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
PRC - [2002/12/17 16:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$DELORMEMAPPING\Binn\sqlservr.exe
PRC - [2002/04/02 09:00:00 | 001,851,392 | ---- | M] (IDM Computer Solutions, Inc.) -- C:\Program Files\UltraEdit\UEDIT32.EXE


========== Modules (SafeList) ==========

MOD - [2010/02/13 15:35:14 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\0-User\0-Common\z-Install\BleepingComputer debugging programs\OTL.exe
MOD - [2009/11/24 18:50:32 | 000,139,264 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\AhJsctNs.dll
MOD - [2008/07/25 11:17:20 | 000,635,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll
MOD - [2008/07/25 11:17:20 | 000,558,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll
MOD - [2008/04/13 19:12:01 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2007/11/15 10:10:38 | 000,062,480 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2005/09/08 10:50:04 | 000,081,920 | ---- | M] (Avanquest Publishing USA, Inc.) -- C:\Program Files\VCOM\PowerDesk\pddlghlp.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Seagate Sync Service)
SRV - File not found [Auto | Stopped] -- -- (DataSvr2)
SRV - [2010/02/04 11:43:55 | 001,181,328 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/12/24 08:55:22 | 001,732,960 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2009/12/17 17:14:11 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/12/06 09:25:24 | 000,135,664 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/11/27 14:26:36 | 000,128,488 | ---- | M] (Pro Softnet Corporation) [Auto | Running] -- C:\IBackup for Windows\IBWin Service_955.exe -- (IBWin Service)
SRV - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/09/21 05:43:33 | 000,085,184 | ---- | M] (Macrovision ) [Auto | Running] -- C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe -- (InstallShield Licensing Service)
SRV - [2009/03/25 19:20:00 | 000,054,760 | ---- | M] ( Pro-Softnet) [Auto | Running] -- C:\IBackup for Windows\IBackupWebM.exe -- (IBackupWeb)
SRV - [2009/03/24 01:30:59 | 000,183,280 | ---- | M] (Google) [Auto | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/02/24 17:20:46 | 000,072,504 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist Express Customer\148\g2ax_service.exe -- (GoToAssist Express Customer)
SRV - [2009/01/09 15:13:28 | 001,951,376 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) [Auto | Running] -- C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe -- (CarboniteService)
SRV - [2008/12/05 18:40:29 | 000,427,944 | ---- | M] (AY Software Corporation) [Disabled | Stopped] -- C:\Program Files\AY Mail 2\AYTRACK.EXE -- (AYTRACK)
SRV - [2008/04/17 03:33:14 | 000,181,544 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2008/02/28 10:53:18 | 000,053,248 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2008/02/28 10:53:18 | 000,043,520 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2007/11/15 10:09:42 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2006/11/22 17:35:50 | 000,020,480 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc)
SRV - [2006/06/29 12:12:34 | 000,376,832 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2006/06/15 17:17:00 | 000,705,024 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\TSSchBkpService.exe -- (TSScheduleBackup)
SRV - [2006/01/19 08:14:00 | 000,143,428 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2005/08/30 17:36:00 | 000,188,416 | ---- | M] (Cambridge Silicon Radio) [Disabled | Stopped] -- C:\Program Files\BlueTooth\HidSwitchService\HidSw.exe -- (Bluetooth Hid Switch Service)
SRV - [2005/04/01 20:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe -- (StarWindService)
SRV - [2003/07/28 11:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2002/12/17 17:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe -- (MSSQLSERVER)
SRV - [2002/12/17 17:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE -- (SQLSERVERAGENT)
SRV - [2002/12/17 16:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -- (MSSQL$LACERTEDB)
SRV - [2002/12/17 16:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$DELORMEMAPPING\Binn\sqlservr.exe -- (MSSQL$DELORMEMAPPING)
SRV - [2002/12/17 16:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -- (SQLAgent$LACERTEDB)
SRV - [2002/12/17 16:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$DELORMEMAPPING\Binn\sqlagent.EXE -- (SQLAgent$DELORMEMAPPING)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.timeslipsecenter.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/21 11:39:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/21 11:38:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/08/21 16:05:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2008/11/23 08:34:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Mozilla\Extensions
[2007/04/30 08:12:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Mozilla\Firefox\Profiles\mj0o8enz.default\extensions
[2007/04/30 08:12:53 | 000,001,406 | ---- | M] () -- C:\Documents and Settings\Deb\Application Data\Mozilla\Firefox\Profiles\mj0o8enz.default\searchplugins\siteadvisor.gif
[2007/04/30 08:12:54 | 000,000,276 | ---- | M] () -- C:\Documents and Settings\Deb\Application Data\Mozilla\Firefox\Profiles\mj0o8enz.default\searchplugins\siteadvisor.src
[2010/02/13 10:21:55 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/15 06:23:16 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\Access Privileges Test
[2008/11/27 09:03:55 | 000,062,872 | ---- | M] (WebEx Comminucations, Inc) -- C:\Program Files\Mozilla Firefox\plugins\ateccli.dll
[2008/11/27 09:03:26 | 000,027,976 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
[2008/11/27 09:03:26 | 000,126,360 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
[2008/11/27 09:03:55 | 000,098,712 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\ieatgpc.dll
[2008/11/27 09:03:24 | 000,060,824 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll

O1 HOSTS File: ([2010/02/05 17:53:38 | 000,378,542 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 13044 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Download Guard for Internet Explorer) - {20C1A7F0-528E-444F-BAC5-5804A61CCA7F} - C:\Program Files\Lavasoft\Download Guard for Internet Explorer\DownloadGuardBHO.dll (Lavasoft AB)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [eFax 4.3] C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe (j2 Global Communications, Inc.)
O4 - HKLM..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe ()
O4 - HKLM..\Run: [IBWin Background process] C:\IBackup for Windows\IBackground_955.exe (Pro Softnet Corporation)
O4 - HKLM..\Run: [IBWin Monitor] C:\IBackup for Windows\IBMonitor.exe (Pro Softnet Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [mxomssmenu] C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe (Maxtor Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [VirtualCloneDrive] C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [Taskbar Manager] C:\Program Files\Askarya\Taskbar Manager\TaskbarManager.exe (Askarya Technologies)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.norun ()
O4 - Startup: C:\Documents and Settings\Deb\Start Menu\Programs\Startup\Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe (Avanquest Publishing USA, Inc.)
O4 - Startup: C:\Documents and Settings\Deb\Start Menu\Programs\Startup\MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe (Firetrust Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKLM\..Trusted Domains: 65 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: 66 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/9/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1177882108259 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1178678284675 (MUWebControl Class)
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} http://aerial.leepa.org/ecwplugins/NCS.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B151B524-F451-4036-9663-B3944FA710DF} http://r7.help20.com/149/LoadClient/ENUclientPro.cab (ExecuteAgent2p Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://computershare.webex.com/client/T26L...ent/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 205.152.150.23 205.152.37.23
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist Express Customer: DllName - C:\Program Files\Citrix\GoToAssist Express Customer\148\g2ax_winlogon.dll - C:\Program Files\Citrix\GoToAssist Express Customer\148\g2ax_winlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Deb\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Deb\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/02/05 16:15:08 | 000,000,034 | ---- | M] () - F:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2007/11/02 18:51:14 | 000,000,000 | ---- | M] () - Y:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (autocheck lsdelete) - File not found
O34 - HKLM BootExecute: (autocheck lsdelete) - File not found
O34 - HKLM BootExecute: (autocheck lsdelete) - File not found
O34 - HKLM BootExecute: (autocheck lsdelete) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/11 17:02:12 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: WdfLoadGroup -
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\148\g2ax_service.exe (Citrix Online, a division of Citrix Systems, Inc.)
SafeBootNet: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: WdfLoadGroup -
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891835792228352)

========== Files/Folders - Created Within 14 Days ==========

[2010/02/12 05:48:18 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/02/11 18:13:55 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/11 18:08:47 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/11 18:08:47 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/11 18:08:47 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/11 18:08:47 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/11 18:04:55 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/07 14:11:20 | 000,000,000 | ---D | C] -- C:\Program Files\SmartDraw 2010
[2010/01/31 18:07:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/31 18:06:22 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/12/06 17:07:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/12/06 09:25:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/12/01 06:16:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\VCOM
[2009/12/01 06:15:16 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/05/09 07:04:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/06/08 11:36:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2007/06/08 11:36:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2007/06/08 11:00:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\VCOM
[2007/05/27 05:13:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004/08/11 17:06:56 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/02/14 02:50:08 | 000,000,000 | -HS- | M] () -- C:\DkHyperbootSync
[2010/02/14 02:45:18 | 000,007,409 | ---- | M] () -- C:\WINDOWS\UEDIT32.INI
[2010/02/14 02:30:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/14 02:08:31 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/02/14 01:23:04 | 000,000,312 | ---- | M] () -- C:\WINDOWS\tasks\HP WEP.job
[2010/02/13 23:43:34 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/02/13 22:31:35 | 000,000,960 | ---- | M] () -- C:\WINDOWS\tasks\Paragon File Archive name arc_150110203044359.job
[2010/02/13 19:13:02 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\SDMsgUpdate (TE).job
[2010/02/13 19:12:55 | 000,152,530 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/02/13 19:11:42 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\NvwsApps.xml
[2010/02/13 19:11:20 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/13 19:11:17 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/13 19:10:46 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/13 19:10:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/13 19:10:37 | 2145,509,376 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/13 19:10:01 | 012,845,056 | ---- | M] () -- C:\Documents and Settings\Deb\NTUSER.DAT
[2010/02/13 19:09:37 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Deb\ntuser.ini
[2010/02/13 17:43:16 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/02/13 11:43:14 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/02/13 10:20:35 | 000,000,822 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/13 05:49:32 | 000,006,501 | ---- | M] () -- C:\0-User\Deb\Report.html
[2010/02/13 05:43:12 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/02/12 11:44:02 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/02/11 18:23:39 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/11 18:14:01 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/11 17:47:01 | 000,015,111 | ---- | M] () -- C:\WINDOWS\w08tax.ini
[2010/02/11 12:03:39 | 000,008,442 | ---- | M] () -- C:\WINDOWS\W03Tax.INI
[2010/02/11 11:40:34 | 000,000,035 | ---- | M] () -- C:\WINDOWS\lacerte.ini
[2010/02/10 05:18:37 | 000,000,213 | ---- | M] () -- C:\WINDOWS\WTAXSYNC.INI
[2010/02/10 05:18:35 | 000,001,465 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\2009 Lacerte Tax.LNK
[2010/02/08 18:33:35 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Deb\defogger_reenable
[2010/02/08 18:12:17 | 000,020,504 | ---- | M] () -- C:\WINDOWS\w07tax.ini
[2010/02/07 14:13:07 | 000,000,729 | ---- | M] () -- C:\Documents and Settings\Deb\Desktop\SmartDraw 2010.lnk
[2010/02/07 08:41:49 | 000,000,587 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Medlin Accounting.lnk
[2010/02/06 11:57:26 | 000,020,367 | ---- | M] () -- C:\WINDOWS\W06Tax.ini
[2010/02/05 17:53:38 | 000,378,542 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/02/05 17:53:01 | 000,378,542 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100205-175338.backup
[2010/02/05 07:21:35 | 000,001,858 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Document eSort.lnk
[2010/02/05 07:21:04 | 000,000,046 | ---- | M] () -- C:\WINDOWS\LTBUI08.INI
[2010/02/05 07:21:00 | 000,001,465 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\2008 Lacerte Tax.LNK
[2010/02/05 07:21:00 | 000,000,047 | ---- | M] () -- C:\WINDOWS\TaxSetup.INI
[2010/02/01 05:00:01 | 000,000,041 | ---- | M] () -- C:\WINDOWS\loc2.INI
[2010/02/01 04:59:51 | 000,000,041 | ---- | M] () -- C:\WINDOWS\FindServ.INI
[2010/01/31 18:06:22 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Deb\Desktop\ERUNT.lnk
[2010/01/31 12:48:10 | 000,152,530 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010/01/31 10:25:47 | 000,377,810 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100205-175301.backup
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/14 02:50:08 | 000,000,000 | -HS- | C] () -- C:\DkHyperbootSync
[2010/02/13 19:21:56 | 000,000,312 | ---- | C] () -- C:\WINDOWS\tasks\HP WEP.job
[2010/02/11 18:14:01 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/02/11 18:13:58 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/11 18:08:47 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/11 18:08:47 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/11 18:08:47 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/11 18:08:47 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/11 18:08:47 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/08 18:33:22 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Deb\defogger_reenable
[2010/02/07 14:13:07 | 000,000,729 | ---- | C] () -- C:\Documents and Settings\Deb\Desktop\SmartDraw 2010.lnk
[2010/02/07 14:13:05 | 000,000,460 | ---- | C] () -- C:\WINDOWS\tasks\SDMsgUpdate (TE).job
[2010/02/07 08:41:49 | 000,000,587 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Medlin Accounting.lnk
[2010/01/31 18:06:22 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Deb\Desktop\ERUNT.lnk
[2009/12/06 17:12:36 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\IBPatch.dll
[2009/12/06 17:12:33 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IBSSubTmr.dll
[2009/11/16 19:31:31 | 000,135,700 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\monFDE.log
[2009/11/15 18:21:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Deb\Application Data\monFDE.log
[2009/11/06 09:37:50 | 000,004,344 | ---- | C] () -- C:\Program Files\Common Files\tr3_lacerte.png
[2009/11/06 09:37:50 | 000,002,503 | ---- | C] () -- C:\Program Files\Common Files\pr_404.html
[2009/10/25 04:28:57 | 000,038,912 | ---- | C] () -- C:\Program Files\wizmo.exe
[2009/10/03 11:10:33 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2009/04/17 10:51:39 | 000,000,318 | ---- | C] () -- C:\WINDOWS\taxpln08.INI
[2009/01/10 16:06:57 | 000,007,409 | ---- | C] () -- C:\WINDOWS\UEDIT32.INI
[2009/01/10 15:13:03 | 000,000,023 | -HS- | C] () -- C:\WINDOWS\System32\ebffeeffcbac_z.dll
[2008/11/11 06:37:06 | 000,000,489 | ---- | C] () -- C:\WINDOWS\taxpln07.INI
[2008/11/05 18:15:32 | 000,000,047 | ---- | C] () -- C:\WINDOWS\W08Setup.INI
[2008/11/05 17:37:07 | 000,000,046 | ---- | C] () -- C:\WINDOWS\LTBUI08.INI
[2008/11/05 17:04:03 | 000,015,111 | ---- | C] () -- C:\WINDOWS\w08tax.ini
[2008/07/27 11:52:44 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll
[2008/05/22 12:44:31 | 000,000,091 | ---- | C] () -- C:\WINDOWS\05TAX.INI
[2008/05/02 08:57:17 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\Implode.dll
[2008/04/08 01:54:21 | 000,000,073 | ---- | C] () -- C:\WINDOWS\EurekaLog.ini
[2007/11/27 15:03:50 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2007/11/21 18:53:47 | 000,000,115 | ---- | C] () -- C:\WINDOWS\07TAX.INI
[2007/11/08 14:19:26 | 000,000,047 | ---- | C] () -- C:\WINDOWS\W07Setup.INI
[2007/11/08 14:19:06 | 000,000,114 | ---- | C] () -- C:\WINDOWS\LTBUI07.INI
[2007/11/08 14:19:00 | 000,000,047 | ---- | C] () -- C:\WINDOWS\TaxSetup.INI
[2007/11/08 14:09:17 | 000,020,504 | ---- | C] () -- C:\WINDOWS\w07tax.ini
[2007/11/01 08:43:03 | 000,000,187 | ---- | C] () -- C:\WINDOWS\Rpt.INI
[2007/11/01 07:46:42 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\isb.dll
[2007/08/07 16:18:34 | 000,000,042 | ---- | C] () -- C:\WINDOWS\01TAX.INI
[2007/08/07 15:44:33 | 000,004,293 | ---- | C] () -- C:\WINDOWS\W01Tax.INI
[2007/08/07 15:40:35 | 000,000,110 | ---- | C] () -- C:\WINDOWS\TAXPLN01.INI
[2007/08/07 15:40:35 | 000,000,047 | ---- | C] () -- C:\WINDOWS\W01UPDAT.INI
[2007/08/07 15:40:32 | 000,000,086 | ---- | C] () -- C:\WINDOWS\W01Comgr.INI
[2007/07/10 16:07:56 | 000,000,047 | ---- | C] () -- C:\WINDOWS\06clpack.INI
[2007/07/08 03:13:20 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Deb\Application Data\CarboniteAlert.html
[2007/06/11 13:24:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\hppatusg01.dll
[2007/06/02 21:20:36 | 000,000,091 | ---- | C] () -- C:\WINDOWS\06TAX.INI
[2007/05/26 17:08:33 | 000,000,120 | ---- | C] () -- C:\WINDOWS\System32\winsusrx.dll
[2007/05/26 17:08:32 | 000,000,264 | ---- | C] () -- C:\WINDOWS\System32\winsusrm.dll
[2007/05/26 16:44:46 | 000,000,276 | ---- | C] () -- C:\WINDOWS\PPCArc32.ini
[2007/05/14 18:37:58 | 000,000,572 | ---- | C] () -- C:\WINDOWS\CFSREG.INI
[2007/05/11 05:31:53 | 000,000,260 | ---- | C] () -- C:\WINDOWS\UpdNotif.INI
[2007/05/10 11:22:48 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2007/05/09 04:04:11 | 000,000,041 | ---- | C] () -- C:\WINDOWS\loc2.INI
[2007/05/09 04:04:04 | 000,000,041 | ---- | C] () -- C:\WINDOWS\FindServ.INI
[2007/05/06 02:33:35 | 000,000,069 | ---- | C] () -- C:\WINDOWS\TaskbarManager.INI
[2007/05/04 09:40:38 | 000,000,263 | ---- | C] () -- C:\WINDOWS\w05updat.INI
[2007/05/04 09:23:49 | 000,000,035 | ---- | C] () -- C:\WINDOWS\lacerte.ini
[2007/05/03 12:48:57 | 000,000,047 | ---- | C] () -- C:\WINDOWS\W06Setup.INI
[2007/05/03 09:58:01 | 000,000,310 | ---- | C] () -- C:\WINDOWS\W02UPDAT.INI
[2007/05/03 09:58:01 | 000,000,047 | ---- | C] () -- C:\WINDOWS\W02Comgr.INI
[2007/05/03 09:58:01 | 000,000,047 | ---- | C] () -- C:\WINDOWS\TAXPLN02.INI
[2007/05/03 09:57:56 | 000,004,863 | ---- | C] () -- C:\WINDOWS\W02Tax.INI
[2007/05/03 09:55:33 | 000,002,786 | ---- | C] () -- C:\WINDOWS\setups02.ini
[2007/05/03 09:51:58 | 000,000,610 | ---- | C] () -- C:\WINDOWS\TAXPLN06.INI
[2007/05/03 09:49:49 | 000,000,110 | ---- | C] () -- C:\WINDOWS\TAXPLN05.INI
[2007/05/03 07:26:15 | 000,001,335 | ---- | C] () -- C:\WINDOWS\stock.INI
[2007/05/02 11:52:07 | 000,000,099 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2007/05/02 10:14:14 | 000,008,438 | ---- | C] () -- C:\WINDOWS\lviewpro.ini
[2007/05/01 17:54:29 | 000,000,114 | ---- | C] () -- C:\WINDOWS\LTBUI06.INI
[2007/05/01 17:43:05 | 000,020,367 | ---- | C] () -- C:\WINDOWS\W06Tax.ini
[2007/05/01 17:39:28 | 000,003,105 | ---- | C] () -- C:\WINDOWS\setups05.ini
[2007/05/01 17:36:36 | 000,012,068 | ---- | C] () -- C:\WINDOWS\W05Tax.ini
[2007/05/01 17:34:27 | 000,000,427 | ---- | C] () -- C:\WINDOWS\TIMESLIP.INI
[2007/05/01 17:29:06 | 000,000,047 | ---- | C] () -- C:\WINDOWS\TAXPLN04.INI
[2007/05/01 17:29:05 | 000,000,310 | ---- | C] () -- C:\WINDOWS\W04UPDAT.INI
[2007/05/01 17:28:56 | 000,010,241 | ---- | C] () -- C:\WINDOWS\W04Tax.INI
[2007/05/01 17:23:27 | 000,000,047 | ---- | C] () -- C:\WINDOWS\TAXPLN03.INI
[2007/05/01 17:23:26 | 000,000,310 | ---- | C] () -- C:\WINDOWS\W03UPDAT.INI
[2007/05/01 17:23:26 | 000,000,213 | ---- | C] () -- C:\WINDOWS\WTAXSYNC.INI
[2007/05/01 17:23:16 | 000,008,442 | ---- | C] () -- C:\WINDOWS\W03Tax.INI
[2007/05/01 17:20:37 | 000,003,057 | ---- | C] () -- C:\WINDOWS\setups03.ini
[2007/05/01 16:46:52 | 000,000,011 | ---- | C] () -- C:\WINDOWS\TSREMOTE.INI
[2007/05/01 16:46:47 | 000,244,984 | ---- | C] () -- C:\WINDOWS\System32\tutil32.dll
[2007/05/01 16:09:11 | 000,000,110 | ---- | C] () -- C:\WINDOWS\{58D37D67-36BA-4484-8E60-160BAE821F85}_WiseFW.ini
[2007/04/30 16:01:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/04/29 13:24:11 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\fusioncache.dat
[2007/04/18 21:43:42 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/04/18 21:41:02 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/04/18 21:39:49 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2007/04/18 21:39:10 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\SSCoInst.dll
[2007/04/18 21:39:10 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\SVSetup.dll
[2007/04/18 21:39:10 | 000,020,594 | ---- | C] () -- C:\WINDOWS\System32\Dels3LMK.DLL
[2007/04/18 21:39:10 | 000,020,594 | ---- | C] () -- C:\WINDOWS\System32\DELS3L3.DLL
[2007/04/18 21:30:06 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/04/18 21:30:05 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2007/04/18 21:11:29 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/04/18 21:11:29 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/04/18 21:11:29 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/04/18 21:11:28 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/04/18 21:11:26 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2007/04/18 21:10:16 | 000,000,390 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2007/04/05 14:00:06 | 000,119,296 | ---- | C] () -- C:\WINDOWS\System32\zlibwapi.dll
[2006/09/08 08:30:44 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\detoured.dll
[2006/06/09 14:38:30 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\htmlshell.dll
[2005/11/10 01:38:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/09/01 21:44:00 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/07/22 21:30:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/08/11 17:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 17:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/07/20 17:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 14:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1998/11/04 01:20:00 | 000,000,202 | ---- | C] () -- C:\WINDOWS\System32\Ic32.ini

========== LOP Check ==========

[2007/05/05 15:53:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Carbonite
[2010/01/16 17:06:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
[2007/06/13 06:45:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
[2007/06/13 06:45:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
[2008/11/17 12:25:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\j2 Messenger 4.4 Output
[2008/11/17 12:25:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\j2 Messenger 4.4 Setup
[2009/02/07 14:57:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lacerte
[2009/11/16 05:09:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2008/04/20 12:27:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OroLogic
[2010/01/15 22:00:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Paragon
[2007/04/30 16:37:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/04/18 21:37:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
[2009/11/29 05:35:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Web Cache Illuminator
[2009/09/01 05:03:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/10/22 16:41:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{BB36BADD-522D-4988-B24C-0D9C7F8078A1}
[2010/01/27 18:48:22 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2009/10/22 16:41:32 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
[2010/01/20 10:00:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\4Team
[2009/11/16 04:02:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Add-in Express
[2009/11/25 16:13:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Apago
[2007/05/14 05:32:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\BoxCloud
[2009/11/14 05:49:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Diskeeper Corporation
[2007/06/13 06:45:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\eFax Messenger
[2010/02/13 19:08:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\FileZilla
[2008/02/03 12:56:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\GT Remote
[2008/11/17 12:23:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\j2 Global
[2007/05/27 14:23:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\j2 Messenger
[2009/11/14 15:07:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\JGoodies
[2010/01/10 16:58:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Kernel for Outlook
[2007/05/10 21:12:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Leadertech
[2007/11/01 10:05:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Legal Billing
[2010/02/13 19:15:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\MailWasherPro
[2010/01/19 12:54:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\MAPILab Ltd
[2009/12/08 06:32:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\PGO
[2009/12/13 08:56:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\picpick
[2008/04/20 10:59:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\senomix
[2009/11/06 11:11:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\SmartDraw
[2009/07/17 17:15:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Smith Micro
[2009/11/14 17:11:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Softi Software
[2007/05/14 05:44:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\TechHit
[2007/04/30 09:11:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Thunderbird
[2007/04/30 07:57:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\VCOM
[2009/05/19 13:00:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\WebEx
[2009/01/10 13:54:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\WKForms
[2010/02/13 17:43:16 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job
[2010/02/13 23:43:34 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job
[2010/02/13 05:43:12 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job
[2010/02/13 11:43:14 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job
[2010/02/12 11:44:02 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/02/13 22:31:35 | 000,000,960 | ---- | M] () -- C:\WINDOWS\Tasks\Paragon File Archive name arc_150110203044359.job
[2010/02/13 19:13:02 | 000,000,460 | ---- | M] () -- C:\WINDOWS\Tasks\SDMsgUpdate (TE).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/05/09 06:37:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/05/09 06:37:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/05/09 06:37:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/05/09 06:37:45 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >



OTL Extras logfile created on: 2/14/2010 2:55:23 AM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\0-User\0-Common\z-Install\BleepingComputer debugging programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.10 Gb Total Space | 17.09 Gb Free Space | 18.35% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 149.05 Gb Total Space | 42.34 Gb Free Space | 28.41% Space Free | Partition Type: NTFS
Drive G: | 7.53 Gb Total Space | 7.49 Gb Free Space | 99.45% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Y: | 74.53 Gb Total Space | 20.47 Gb Free Space | 27.47% Space Free | Partition Type: NTFS

Computer Name: DELL-LAT01
Current User Name: Deb
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.ini [@ = UltraEdit.ini] -- C:\Program Files\UltraEdit\UEDIT32.EXE (IDM Computer Solutions, Inc.)
.txt [@ = UltraEdit.txt] -- C:\Program Files\UltraEdit\UEDIT32.EXE (IDM Computer Solutions, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with ACDSee] -- C:\Program Files\ACDSee32\ACDSee32.exe "%1" (ACD Systems, Ltd.)
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [File Finder...] -- C:\Program Files\VCOM\PowerDesk\pdfind.exe /PATH:%1 (Avanquest Publishing USA, Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" = C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Basic 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Basic 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Basic 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Basic 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE" = C:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE:*:Enabled:SMLMProxy Module - HP1006MC.EXE -- (Software 2000 Limited)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\deepinvent\MailStore Home\MailStoreLocal.exe" = C:\Program Files\deepinvent\MailStore Home\MailStoreLocal.exe:*:Enabled:MailStore Home -- (deepinvent Software GmbH)
"C:\IBackup for Windows\ibackup_ssl_sch_955.exe" = C:\IBackup for Windows\ibackup_ssl_sch_955.exe:*:Enabled:ibackup_ssl_sch_955 -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{02C85EC5-E864-4847-AF55-42730861004C}" = MrvlUsgTracking
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{0E31CA83-8E2B-4B0D-A84D-F561B6CD482D}" = QBFC 5.0
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{15C77FC3-8137-4A5E-8F81-F559045DD6B0}" = Shipping Assistant 3.6
"{1FCC806A-5920-44B2-AA6A-81A67A31DDF3}" = Diskeeper 2010 Professional
"{25B384BF-C6ED-496C-BD97-FB2FE16F6208}" = MAPILab Toolbox
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 18
"{26E1BFB0-E87E-4696-9F89-B467F01F81E5}" = Broadcom Advanced Control Suite
"{27525601-6772-407E-89C5-B58F492A5166}" = Send Personally
"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006
"{2BDFCEE7-68EC-4288-AEA3-4DB96841141B}" = j2 Messenger
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = erLT
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{4220E523-EDE1-449F-83F5-8267D20E1ED0}" = Maxtor Manager
"{44574EF1-F57D-4FE3-B577-B90B18892457}" = TaxScripts®
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B370CBC-CAEE-41F5-AA54-993D039FDC68}" = TaxTools 2009
"{5658CE44-2822-45C9-A5C0-F93AB4682BBF}" = Document eSort Components
"{58D37D67-36BA-4484-8E60-160BAE821F85}" = BillingTracker Pro 4
"{5999E160-C1BC-4C32-B2A0-4CB22E71594D}" = Lacerte DMS
"{5C92F2C1-3DF9-4BC7-962E-1844326E1789}" = Network Recording Player
"{5E11064C-41D6-4451-B45A-E36DFBCB84AC}" = Download Guard for Internet Explorer
"{64658686-0CD4-4CF6-983D-0A6BE32007DB}" = Business Complete Care Services Agreement
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.7
"{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}" = CmdHere Powertoy For Windows XP
"{689404D2-1C94-44B3-9203-BEC5594FDA7A}" = Microsoft SQL Server Desktop Engine (DELORMEMAPPING)
"{69B02159-7623-4DBB-B9EE-F933039830AD}" = QuickBooks Premier: Accountant Edition 2006
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6A3CAA8E-6DDB-4AA7-A411-9982FF9180FE}" = Intuit Runtime Components 6.0.16
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7902E313-FF0F-4493-ACB1-A8147B78DCD0}" = HPSSupply
"{7B02BF60-796D-4616-908B-B31A63CFDEFB}" = HPCarePackCore
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{7FEE267E-003F-43B0-95D2-534D4213D4BA}" = Lacerte Runtime Components
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9074AFC0-CFDA-11DE-B484-005056806466}" = Google Earth
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9E9CAC61-DB2E-11DE-BE15-005056C00008}" = Paragon Backup and Recovery™ 10 Compact Edition
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9DDF86A-913A-45B0-AEE0-9786282F7A54}" = MaGlobe Prepaid Internet Access
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-0000-7EC8-7489-000000000603}" = Adobe Acrobat and Reader 6.0.3 Update
"{AC76BA86-0000-7EC8-7489-000000000604}" = Adobe Acrobat and Reader 6.0.4 Update
"{AC76BA86-0000-7EC8-7489-000000000605}" = Adobe Acrobat and Reader 6.0.5 Update
"{AC76BA86-0000-7EC8-7489-000000000606}" = Adobe Acrobat and Reader 6.0.6 Update
"{AC76BA86-1033-0000-7760-000000000001}" = Adobe Acrobat 6.0.1 Professional
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{B11D1777-DC68-496D-BA0B-4E3DD4B5979F}" = DeLorme World Vector 2004
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B3076A28-345A-4d89-90A3-B68866C0DFB8}" = eFax Messenger 4.3
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B93251B5-9209-4DAB-867C-AA98D91584CD}" = PowerDesk 6
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C423AABE-A319-46C3-9F83-7319B84D6BDF}" = DeLorme USA Topographic 2005 DVD
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC391AF8-8D72-428D-89AD-FDF0EBA8BCD6}" = PGO Lite
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{CEE2252C-4035-4B27-8EC6-0B085DD3A413}" = Dell Support 3.2.1
"{D3E103DF-E70A-4374-B46D-7286E7BF7907}" = DeLorme USA Street Network 2005
"{DA80700F-068D-11DF-9686-005056806466}" = Google Earth Plug-in
"{DD2DA30A-8174-46DE-B677-6323FBF00175}" = AllNetic Working Time Tracker
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (LACERTEDB)
"{E3D46A82-F476-43DE-ABF0-C2718D3868DC}" = XMap 4.5
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{ECA31632-C2AD-4774-A3CA-2813D47E4DD0}" = HPCarePackProducts
"{EDCB2A45-0DDC-11D7-8379-0080C86745AF}" = TaskTracker
"{EFB70B01-B1F3-4960-AB69-4A280084A60C}" = Microsoft SQL Server Desktop Engine
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}" = Microsoft WSE 2.0 SP3 Runtime
"{F7B0E599-C114-4493-BC4D-D8FC7CBBABBB}" = 32 Bit HP CIO Components Installer
"2001 Lacerte Tax" = 2001 Lacerte Tax
"2002 Lacerte Tax" = 2002 Lacerte Tax
"2003 Lacerte Tax" = 2003 Lacerte Tax
"2004 Lacerte Tax" = 2004 Lacerte Tax
"2005 Lacerte Tax" = 2005 Lacerte Tax
"2006 Lacerte Tax" = 2006 Lacerte Tax
"2006 Lacerte Tax Planner" = 2006 Lacerte Tax Planner
"2007 Lacerte Tax" = 2007 Lacerte Tax
"2008 Lacerte Tax" = 2008 Lacerte Tax
"2009 Lacerte Tax" = 2009 Lacerte Tax
"7-Zip" = 7-Zip 4.65
"Able2Extract Professional v6.0" = Able2Extract Professional v6.0
"ACDSee 32" = ACDSee 32
"ActiveTouchMeetingClient" = WebEx
"Ad-Aware" = Ad-Aware
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe PDF IFilter 6.0" = Adobe PDF IFilter 6.0
"Apago PDF Shrink" = Apago PDF Shrink 4.5
"Askarya Taskbar Manager 3.5.1_is1" = Askarya Taskbar Manager 3.5.1
"avast!" = avast! Antivirus
"AYMail2" = AY Mail 2
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"Carbonite Backup" = Carbonite
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Download Guard for Internet Explorer" = Download Guard for Internet Explorer
"Duplicate Cleaner_is1" = Duplicate Cleaner 1.4.3
"ERUNT_is1" = ERUNT 1.1j
"ExamDiff Pro_is1" = ExamDiff Pro 3.5
"EZDetach" = EZDetach (remove only)
"FileZilla Client" = FileZilla Client 3.3.1
"Forte Agent" = Forté Agent
"FreeCommander_is1" = FreeCommander 2007.10a
"Google Updater" = Google Updater
"GoToAssist Express Customer" = GoToAssist Express Customer 1.0.0.148
"GPL Ghostscript 8.64" = GPL Ghostscript 8.64
"HP LaserJet P1500 series" = HP LaserJet P1500 series
"IBackup for Windows_is1" = IBackup for Windows Version - 9.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{4220E523-EDE1-449F-83F5-8267D20E1ED0}" = Maxtor Manager
"JDiskReport 1.3.1" = JGoodies JDiskReport 1.3.1
"jv16 PowerTools 2008_is1" = jv16 PowerTools 2008
"jv16 PowerTools 2009_is1" = jv16 PowerTools 2009
"MailStore Home_is1" = MailStore Home 4.0.0.3493
"MailWasher Pro_is1" = MailWasher Pro
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Medlin Accounting Shareware_is1" = Medlin Accounting
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)
"MSCSR" = Microsoft Speech Recognition Engine 4.0 (English)
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Password Safe" = Password Safe
"PicPick" = PicPick
"PPC Library" = PPC Library
"PSPad editor_is1" = PSPad editor
"QVP" = Quick View Plus
"RealPlayer 6.0" = RealPlayer
"Registry Workshop" = Registry Workshop
"SearchAssist" = SearchAssist
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.0
"TheTaxBook 2009 WebCD_is1" = TheTaxBook 2009 WebCD 3.3
"TradeLog_is1" = Tradelog
"TreePadXEnterprise_384Gb" = TreePad X Enterprise 384 Gb (single-user) 7.10.4
"TurboTax Basic 2004" = TurboTax Basic 2004
"TurboTax Basic 2006" = TurboTax Basic 2006
"Tweak UI 2.10" = Tweak UI
"UltraEdit-32" = UltraEdit-32 Uninstall
"Uninstaller_60003CCB_Quick View Plus" = Quick View Plus (Shared Components)
"Universal Extractor_is1" = Universal Extractor 1.6
"VirtualCloneDrive" = VirtualCloneDrive
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"42458e4d25a5e3b6" = Roth IRA Conversion Evaluator™
"GoToMeeting" = GoToMeeting 4.0.0.320
"Image Web Server IE Plugin" = Image Web Server 8.1 IE Plugins (Build:3,4,0,242)
"SmartDraw 2010" = SmartDraw 2010

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/9/2010 6:07:34 AM | Computer Name = DELL-LAT01 | Source = VSS | ID = 12289
Description = Volume Shadow Copy Service error: Unexpected error DeviceIoControl(00000230,0x0053c008,00039CD8,0,00038CD0,4096,[0]).
hr = 0x800705aa.

Error - 2/9/2010 6:41:04 AM | Computer Name = DELL-LAT01 | Source = VSS | ID = 12289
Description = Volume Shadow Copy Service error: Unexpected error DeviceIoControl(000001CC,0x0053c008,00039CD8,0,00038CD0,4096,[0]).
hr = 0x800705aa.

Error - 2/9/2010 7:08:21 PM | Computer Name = DELL-LAT01 | Source = VSS | ID = 12289
Description = Volume Shadow Copy Service error: Unexpected error CreateFileW(\\?\Volume{3652a3bf-d1d9-11de-b72b-0019b968b12d},0xc0000000,0x00000003,...).
hr = 0x8007045d.

Error - 2/10/2010 6:32:23 AM | Computer Name = DELL-LAT01 | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft SQL Server Desktop Engine -- Error 1706. An installation
package for the product Microsoft SQL Server Desktop Engine cannot be found. Try
the installation again using a valid copy of the installation package 'SqlRun03.msi'.

Error - 2/11/2010 12:36:39 PM | Computer Name = DELL-LAT01 | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft SQL Server Desktop Engine -- Error 1706. An installation
package for the product Microsoft SQL Server Desktop Engine cannot be found. Try
the installation again using a valid copy of the installation package 'SqlRun03.msi'.

Error - 2/11/2010 12:45:30 PM | Computer Name = DELL-LAT01 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 2/11/2010 1:16:06 PM | Computer Name = DELL-LAT01 | Source = Application Error | ID = 1000
Description = Faulting application w09tax.exe, version 30.0.0.0, faulting module
xmlrtl60.bpl, version 6.0.6.240, fault address 0x0007c01a.

Error - 2/11/2010 6:50:36 PM | Computer Name = DELL-LAT01 | Source = Application Error | ID = 1000
Description = Faulting application mailwasher.exe, version 5.3.0.1, faulting module
mailwasher.exe, version 5.3.0.1, fault address 0x00003fce.

Error - 2/13/2010 11:06:54 AM | Computer Name = DELL-LAT01 | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x8007041d.

Error - 2/13/2010 11:46:39 AM | Computer Name = DELL-LAT01 | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft SQL Server Desktop Engine -- Error 1706. An installation
package for the product Microsoft SQL Server Desktop Engine cannot be found. Try
the installation again using a valid copy of the installation package 'SqlRun03.msi'.

[ System Events ]
Error - 2/11/2010 6:55:30 PM | Computer Name = DELL-LAT01 | Source = Service Control Manager | ID = 7000
Description = The DataSvr2 service failed to start due to the following error: %%3

Error - 2/11/2010 6:57:11 PM | Computer Name = DELL-LAT01 | Source = Service Control Manager | ID = 7022
Description = The StarWind iSCSI Service service hung on starting.

Error - 2/11/2010 7:18:30 PM | Computer Name = DELL-LAT01 | Source = Service Control Manager | ID = 7034
Description = The Dell Wireless WLAN Tray Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 2/13/2010 11:04:43 AM | Computer Name = DELL-LAT01 | Source = Service Control Manager | ID = 7000
Description = The DataSvr2 service failed to start due to the following error: %%3

Error - 2/13/2010 11:06:20 AM | Computer Name = DELL-LAT01 | Source = Service Control Manager | ID = 7022
Description = The StarWind iSCSI Service service hung on starting.

Error - 2/13/2010 11:06:54 AM | Computer Name = DELL-LAT01 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service VSS with arguments
"" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}

Error - 2/13/2010 11:06:54 AM | Computer Name = DELL-LAT01 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Volume Shadow Copy service
to connect.

Error - 2/13/2010 11:06:54 AM | Computer Name = DELL-LAT01 | Source = Service Control Manager | ID = 7000
Description = The Volume Shadow Copy service failed to start due to the following
error: %%1053

Error - 2/13/2010 8:11:04 PM | Computer Name = DELL-LAT01 | Source = Service Control Manager | ID = 7000
Description = The DataSvr2 service failed to start due to the following error: %%3

Error - 2/13/2010 8:12:42 PM | Computer Name = DELL-LAT01 | Source = Service Control Manager | ID = 7022
Description = The StarWind iSCSI Service service hung on starting.


< End of report >

#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany

Posted 14 February 2010 - 08:37 AM

Hi,

Combofix took care of some trojan leftovers; now we will run an online scan to check for some remnants.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
Regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#13 dking88

dking88
  • Topic Starter

  • Members
  • 13 posts

Posted 14 February 2010 - 10:47 AM

I started this, but if it is going to scan every kind of archive it will find 5 million files in chm files and will take a few days to complete the scan. I'm sure it's not ideal, but can I use my computer and keep Avast running while it is scanning? Otherwise I will have to find a way to move the chm files because I can't put my computer out of commission for longer than overnight.

#14 dking88

dking88
  • Topic Starter

  • Members
  • 13 posts

Posted 14 February 2010 - 01:10 PM

Never mind, it is not splitting up the chm files, so it might be able to run overnight.

#15 dking88

dking88
  • Topic Starter

  • Members
  • 13 posts

Posted 15 February 2010 - 04:31 AM

Here is the ESET log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=aa80f7cc346f764f96d38199adf0f935
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-15 03:02:15
# local_time=2010-02-14 10:02:15 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=769 16775141 100 93 0 201525273 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=283689
# found=0
# cleaned=0
# scan_time=44410




