Virus on XP - options from ubuntu CD BEFORE booting Win?


This topic is locked
71 replies to this topic

#1 kghastie

Posted 10 March 2010 - 11:00 PM

I have a pretty nasty virus on my XP machine. It is from a torrented .exe that I ran. Thought I was safe after scanning the .exe and its extracted .jars with MalwareBytes, MSE, AVG and Spybot. I guess not X(

I have been trying to remove files using updated clamav off an Ubuntu LiveCD. That found nothing. fpscan has found a bunch of stuff, but keeps failing when it scans.

Before I reboot into Windows to do the whole HijackThis (or I guess it's DDS/GMER now?) thing, I want to do as much as I can from Linux so I don't do more damage from Win.

Here are my questions. This is my work machine and I will probably be up all night trying to fix this before getting fired sometime tomorrow when I have to tell my boss what I've done .... I realize you guys go in order of appearance, so that probably doesn't make a difference to anyone here :)

1) I know procedure around here dictates that I run those and post the logs first. Is there a way for me to do this from an Ubuntu CD (I have internet access when in it)?

2) If not, do you have any other suggestions as to what I might try in Linux first (I'm going to try AVG if I can get it installed), or what might prevent fpscan from stopping its scan?

2-a) What about Ultimate Boot CD 4.11? Any suggestions on whether that's worth a shot or which built-in apps I could use for that?

3) Otherwise, is there any other forum you could direct me to where I could get some help in that area before I come back here?

4-a,b,c) Is it worth trying to do a System Restore in Windows before trying the log dumps (since I'm in a time-sensitive situation here)? Should I try that from an XP recovery disk or after booting Win? (I don't have an XP disk, since this is my work machine. Is there a place I could d/l a recovery disk image?)

5) What happened to HijackThis? Do you not use that here anymore? Or am I in the wrong place?

6) Is it worth running an AVG virus and/or rootkit scan? What other virus-removal procedures could I take while waiting for a log analysis?

7) Any other pieces of software I might download and try? (I have Spybot, MSE and Malware Bytes on a different machine, but I could install them on the broken one).

A few more pieces of info that might help:

- I still have access to the files that installed the virus if that helps.
- Booting into safe mode, it seems to hang on an avg-related .sys file (I could try removing these and booting again)
- Have not yet discovered
- I am a web developer, so am pretty comfortable talking tech. Been using XP for a long time, and I have some basic linux skills
- Any tips will help, and I guess I am looking for a quicker solution (I really might get canned over this, and there are about 40GB of files on the disk, so a scan isn't ridiculous but it is time-consuming)

Apologies if I have been out of order, and a huge THANKS in advance!

Sorry for all the questions but I'm trying to get help in any of those areas.

Here are some of the files I've removed manually after finding them with fpscan:

(The .exe files in the Downloads dir are legit, but I kept them in there since that's where fpscan died):

[Found trojan] <W32/FakeSec.B.gen!Eldorado (generic, not disinfectable)> /media/windows/Documents and Settings/khastie/Local Settings/Application Data/av.exe
[Failed to disinfect] /media/windows/Documents and Settings/khastie/Local Settings/Application Data/av.exe
[Found possible virus] <W32/Sinowal-based!Maximus> /media/windows/Documents and Settings/khastie/Local Settings/Application Data/cryptp2pdev/cryptp2pdev.dll
[Failed to disinfect] /media/windows/Documents and Settings/khastie/Local Settings/Application Data/cryptp2pdev/cryptp2pdev.dll
[Found virus] <W32/Alureon.G!Generic> /media/windows/Documents and Settings/khastie/Local Settings/Temp/nfylrs.exe
[Failed to disinfect] /media/windows/Documents and Settings/khastie/Local Settings/Temp/nfylrs.exe
[Found possible virus] <W32/Dropper.gen8!Maximus (not disinfectable)> /media/windows/Documents and Settings/khastie/Local Settings/Temp/vqovnpnr.exe->(CAB)->winhelp.exe->(PecBundle)->(PECompact)
[Can not disinfect] /media/windows/Documents and Settings/khastie/Local Settings/Temp/vqovnpnr.exe
[Found virus] <W32/Alureon.G!Generic> /media/windows/Documents and Settings/khastie/Local Settings/Temporary Internet Files/Content.IE5/GHX9NDW3/admwk[1].htm
[Failed to disinfect] /media/windows/Documents and Settings/khastie/Local Settings/Temporary Internet Files/Content.IE5/GHX9NDW3/admwk[1].htm
[Found trojan] <W32/FakeSec.B.gen!Eldorado (generic, not disinfectable)> /media/windows/Documents and Settings/khastie/Local Settings/Temporary Internet Files/Content.IE5/RIU4IXKG/ekhrrfst[1].htm
[Failed to disinfect] /media/windows/Documents and Settings/khastie/Local Settings/Temporary Internet Files/Content.IE5/RIU4IXKG/ekhrrfst[1].htm
[Found possible virus] <W32/Dropper.gen8!Maximus (not disinfectable)> /media/windows/Documents and Settings/khastie/Local Settings/Temporary Internet Files/Content.IE5/TWLP1LLP/gmvsjkh[1].htm->(CAB)->winhelp.exe->(PecBundle)->(PECompact)
[Can not disinfect] /media/windows/Documents and Settings/khastie/Local Settings/Temporary Internet Files/Content.IE5/TWLP1LLP/gmvsjkh[1].htm
[Unscannable] <File is damaged> /media/windows/Documents and Settings/khastie/My Documents/Downloads/setup.exe->(CAB)
[Error] <Scanning error> /media/windows/Documents and Settings/khastie/My Documents/Downloads/Silverlight.exe->(CAB)->silverlight.7z
[Error] <Scanning error> /media/windows/Documents and Settings/khastie/My Documents/Downloads/Silverlight.exe->(CAB)
[Error] <Scanning error> /media/windows/Documents and Settings/khastie/My Documents/Downloads/Silverlight.exe
[Error] <Internal engine error> /media/windows/Documents and Settings/khastie/My Documents/Downloads/Silverlight.exe
[Error] <Scanning error> /media/windows/Documents and Settings/khastie/My Documents/Downloads/Thunderbird Setup 3.0.1.exe->(7Z)
[Error] <Scanning error> /media/windows/Documents and Settings/khastie/My Documents/Downloads/Thunderbird Setup 3.0.1.exe
[Error] <Internal engine error> /media/windows/Documents and Settings/khastie/My Documents/Downloads/Thunderbird Setup 3.0.1.exe
Killedng: -

Second try got me this:

[Found trojan] <W32/FakeSec.B.gen!Eldorado (generic, not disinfectable)> /media/windows/Documents and Settings/khastie/Local Settings/Application Data/av.exe

[Found virus] <W32/Alureon.G!Generic> /media/windows/Documents and Settings/khastie/Local Settings/Temp/nfylrs.exe

[Found possible virus] <W32/Sinowal-based!Maximus> /media/windows/Documents and Settings/khastie/Local Settings/Application Data/cryptp2pdev/cryptp2pdev.dll

[Found possible virus] <W32/Dropper.gen8!Maximus (not disinfectable)> /media/windows/Documents and Settings/khastie/Local Settings/Temp/vqovnpnr.exe->(CAB)->winhelp.exe->(PecBundle)->(PECompact)

[Found possible virus] <W32/Sinowal-based!Maximus> ./khastie/Local Settings/Application Data/cryptp2pdev/cryptp2pdev.dll


[Unscannable] <File is damaged> /media/windows/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/C1QF8X2B/PrintScanSetup[1].exe->(RAR)
[Unscannable] <File is damaged> /media/windows/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/OPIJ0LMJ/ScanSetup[1].exe->(RAR)


[Failed to disinfect] ./khastie/Local Settings/Application Data/cryptp2pdev/cryptp2pdev.dll

[Found virus] <W32/Alureon.G!Generic> ./khastie/Local Settings/Temporary Internet Files/Content.IE5/GHX9NDW3/admwk[1].htm
[Failed to disinfect] ./khastie/Local Settings/Temporary Internet Files/Content.IE5/GHX9NDW3/admwk[1].htm

[Found trojan] <W32/FakeSec.B.gen!Eldorado (generic, not disinfectable)> ./khastie/Local Settings/Temporary Internet Files/Content.IE5/RIU4IXKG/ekhrrfst[1].htm
[Failed to disinfect] ./khastie/Local Settings/Temporary Internet Files/Content.IE5/RIU4IXKG/ekhrrfst[1].htm

[Found possible virus] <W32/Dropper.gen8!Maximus (not disinfectable)> ./khastie/Local Settings/Temporary Internet Files/Content.IE5/TWLP1LLP/gmvsjkh[1].htm->(CAB)->winhelp.exe->(PecBundle)->(PECompact)

#2 kghastie (Topic Starter)

Posted 11 March 2010 - 10:39 AM

Unfortunately I have an update. I'm not sure if it was the original issue or something I removed during the virus scans, but I can't boot XP at all. I get a BSOD whether I boot normally, with last known good settings, in safe mode, or in safe mode with networking or command prompt.

I am afraid I might have removed a critical file, since it was not BSOD'ing before I did the virus scans from clam and fpscan (although it wouldn't boot into safe mode - it would just hang). So I am posting a couple more result logs. Basically anything marked as a potential virus or a virus I removed.

The only two that seem like they could be potentially in system-critical locations are av.exe and cryptp2pdev, but av.exe comes up as a potential virus on google, and cryptp2pdev has no results (except for another forum post I made), so I doubt that it is legit.

So I guess I am pretty hosed. I'd like to try a System Restore, but since this is a work machine I don't have an XP boot disk with a recovery console (except for my old personal Toshiba laptop, which is an OEM that I don't trust). Is there a way to get one? Like from allbootdisks.com or something?

Do I have any other options other than a reinstall?

Thanks :(

Here are the other logs:


FRISK Software International © Copyright 1989-2009
Engine version: 4.5.1.85
Arguments: -y --adware --applications /media/windows/WINDOWS/
Virus signatures: 201003101051e8a4fe77bcd0dd1b84a1dafda2d128f9
(/tmp/f/f-prot/antivir.def)

[Found backdoor] <W32/Backdoor2.GXGE (exact)> /media/windows/WINDOWS/system32/6to4v32.dll
[Warning] <Error closing file: Success> /media/windows/WINDOWS/system32/6to4v32.dll
[Deleted] /media/windows/WINDOWS/system32/6to4v32.dll
[Found virus] <W32/Alureon.G!Generic> /media/windows/WINDOWS/system32/vokuharo.dll
[Failed to disinfect] /media/windows/WINDOWS/system32/vokuharo.dll
[Found virus] <W32/Alureon.G!Generic> /media/windows/WINDOWS/system32/javojosu.dll
[Failed to disinfect] /media/windows/WINDOWS/system32/javojosu.dll
[Found virus] <W32/Alureon.G!Generic> /media/windows/WINDOWS/system32/yevilido.dll
[Failed to disinfect] /media/windows/WINDOWS/system32/yevilido.dll
[Unscannable] <File is damaged> /media/windows/WINDOWS/Microsoft.NET/Framework/v3.5/Microsoft .NET Framework 3.5 SP1/vs_setup.cab (did not remove this)

=== AVG deleted these ===

/media/sda1/WINDOWS/system32/drivers/iaStor.sys Trojan horse Rootkit-Pakes.U
/media/sda1/WINDOWS/system32/drivers/ncikqjui.sys Trojan horse Rootkit-Agent.EG
/media/sda1/WINDOWS/system32/seagate.sys Trojan horse Small.BUL

#3 Elise (Malware Study Hall Admin)

Posted 13 March 2010 - 04:10 AM

QUOTE
/media/sda1/WINDOWS/system32/drivers/iaStor.sys Trojan horse Rootkit-Pakes.U
That's your hard disk controller you deleted there. Without it, no booting...

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn it to a CD using ISOBurner. NOTE: This file is 292 MB in size so it may take some time to download.
  • When downloaded, double-click it and this will open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft

 



#4 Elise

Posted 21 March 2010 - 09:15 AM

Due to lack of feedback, this topic will now be closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise




#5 Elise

Posted 22 March 2010 - 12:48 PM

Hello, I reopened this and, for good order, am posting your OTLPE log here:

OTL logfile created on: 3/22/2010 1:27:51 PM - Run
OTLPE by OldTimer - Version 3.1.37.1 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 90.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 2046 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.00 Gb Total Space | 15.30 Gb Free Space | 30.60% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2010/01/19 09:42:20 | 000,057,344 | ---- | M] (Apache Software Foundation) [Disabled] -- c:\Development\apache-tomcat-6.0.24\bin\tomcat6.exe -- (Tomcat6)
SRV - [2010/01/15 14:46:52 | 005,820,416 | ---- | M] () [Auto] -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe -- (MySQL)
SRV - [2010/01/15 11:50:17 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2010/01/15 11:50:16 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/12/16 03:12:00 | 000,132,456 | ---- | M] (Lenovo.) [Auto] -- C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE -- (DozeSvc)
SRV - [2009/12/16 03:12:00 | 000,053,248 | ---- | M] () [Auto] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe -- (Power Manager DBC Service)
SRV - [2009/11/18 16:04:18 | 000,038,248 | ---- | M] (Lenovo.) [Auto] -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2009/10/29 14:27:54 | 001,074,568 | ---- | M] (LogMeIn Inc.) [Auto] -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2009/10/09 14:12:30 | 000,039,976 | ---- | M] (Lenovo.) [On_Demand] -- C:\WINDOWS\system32\TPHDEXLG.exe -- (TPHDEXLGSVC)
SRV - [2009/09/21 16:55:12 | 000,858,384 | ---- | M] (Intel® Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2009/09/21 16:44:48 | 000,954,368 | ---- | M] (Intel® Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2009/09/21 16:31:36 | 000,473,360 | ---- | M] (Intel® Corporation) [Auto] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2009/08/14 13:48:52 | 000,349,528 | ---- | M] (Broadcom Corporation.) [Auto] -- C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2009/07/15 12:18:00 | 000,062,320 | ---- | M] (Lenovo Group Limited) [Auto] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
SRV - [2009/07/03 20:47:08 | 000,045,424 | ---- | M] (Lenovo Group Limited) [Auto] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE)
SRV - [2009/06/12 12:55:48 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2009/03/19 06:55:36 | 000,118,784 | ---- | M] (AuthenTec,Inc) [Auto] -- C:\WINDOWS\system32\FpLogonServ.exe -- (FingerprintServer)
SRV - [2009/03/19 06:53:02 | 000,098,304 | ---- | M] () [Auto] -- C:\WINDOWS\system32\DTS.exe -- (dtsvc)
SRV - [2009/03/19 06:52:56 | 000,106,496 | ---- | M] () [On_Demand] -- C:\WINDOWS\system32\ADMonitor.exe -- (ADMonitor)
SRV - [2009/03/19 06:48:34 | 001,680,632 | ---- | M] (AuthenTec, Inc.) [Auto] -- C:\WINDOWS\system32\AtService.exe -- (ATService)
SRV - [2009/02/12 14:47:06 | 002,058,776 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS) Intel®
SRV - [2009/02/12 14:46:58 | 000,174,616 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel®
SRV - [2009/02/05 16:36:48 | 000,348,160 | ---- | M] (Red Bend Ltd.) [Disabled] -- C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe -- (DMAgent) Intel®
SRV - [2009/02/05 16:36:10 | 002,379,776 | ---- | M] (Intel® Corporation) [Disabled] -- C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe -- (WiMAXAppSrv) Intel®
SRV - [2008/07/16 14:43:00 | 000,107,800 | ---- | M] (EMC Corporation) [Auto] -- C:\Program Files\Retrospect\Retrospect Express HD 2.5\retrorun.exe -- (RetroExpLauncher)
SRV - [2008/03/04 12:34:12 | 001,122,304 | ---- | M] (Lenovo Group Limited) [Auto] -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2007/09/26 19:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2004/08/17 22:00:00 | 000,073,748 | -H-- | M] () [Auto] -- C:\WINDOWS\system32\Iasex.dll -- (Ias)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | Boot] -- -- (ncikqjui)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | Boot] -- -- (iaStor)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2010/03/11 04:39:01 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/03/11 04:39:01 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/03/11 04:39:01 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/11 04:39:01 | 000,012,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot] -- C:\WINDOWS\system32\drivers\avgrkx86.sys -- (AvgRkx86)
DRV - [2010/02/24 05:00:29 | 000,229,208 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\VMM.sys -- (vmm)
DRV - [2009/12/16 03:12:00 | 000,024,304 | ---- | M] (Lenovo.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\DOZEHDD.SYS -- (DozeHDD)
DRV - [2009/12/16 03:12:00 | 000,004,442 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2009/11/18 16:03:36 | 000,026,608 | ---- | M] (Lenovo.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys -- (IBMPMDRV)
DRV - [2009/10/09 14:12:02 | 000,120,360 | ---- | M] (Lenovo.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\ApsX86.sys -- (Shockprf)
DRV - [2009/10/09 14:10:24 | 000,020,520 | ---- | M] (Lenovo.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\ApsHM86.sys -- (TPDIGIMN)
DRV - [2009/10/06 10:54:20 | 000,814,592 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CHDAU32.sys -- (CnxtHdAudService)
DRV - [2009/09/23 11:41:58 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2009/09/15 13:34:10 | 005,977,216 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2009/08/17 16:00:26 | 000,533,152 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2009/08/10 02:46:38 | 000,013,952 | ---- | M] (Intel Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2009/08/04 06:32:00 | 000,004,608 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2009/07/10 14:38:48 | 004,125,696 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/07/09 14:45:00 | 000,991,264 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2009/06/21 11:56:14 | 000,045,984 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2009/03/27 06:33:56 | 000,239,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel®
DRV - [2009/03/20 21:03:36 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
DRV - [2009/03/19 23:09:40 | 000,482,176 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys -- (ATSwpWDF)
DRV - [2009/02/01 20:39:14 | 000,018,560 | ---- | M] (Intel Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\bpprot.sys -- (BPPROT) Intel®
DRV - [2009/02/01 20:39:02 | 000,163,840 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\bpenum.sys -- (bpenum) Intel®
DRV - [2008/10/06 12:47:36 | 000,225,696 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/09/25 02:49:52 | 000,031,680 | R--- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2008/07/24 19:37:10 | 000,156,816 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2008/05/13 00:14:14 | 000,017,844 | ---- | M] (Lenovo Group Limited) [Kernel | System] -- C:\WINDOWS\system32\drivers\TPHKDRV.sys -- (TPHKDRV)
DRV - [2008/04/13 23:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/09 21:16:48 | 000,985,472 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2008/04/09 21:16:48 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2008/04/09 21:16:48 | 000,210,560 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2008/03/26 15:21:06 | 000,013,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm)
DRV - [2008/03/26 15:12:56 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2008/02/15 20:01:18 | 000,046,592 | ---- | M] (REDC) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2008/02/04 19:57:44 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2008/02/04 19:57:30 | 000,037,032 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btwmodem.sys -- (btwmodem)
DRV - [2007/07/30 13:54:02 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/07/30 12:42:58 | 000,043,008 | ---- | M] (REDC) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007/01/29 08:20:34 | 000,059,280 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\VMNetSrv.sys -- (VPCNetS2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www-307.ibm.com/pc/support/site.wss...ocid=MIGR-70443
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\khastie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKU\khastie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\khastie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\khastie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B6 99 F2 18 7C B1 CA 01 [binary data]
IE - HKU\khastie_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/03 19:28:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/19 11:36:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/01/23 15:39:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/03/08 16:40:53 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/01/29 10:55:01 | 000,379,314 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 192.168.111.5 cappex-1
O1 - Hosts: 192.168.111.5 io-nas.cappex.local
O1 - Hosts: 192.168.111.201 one.cappex.local
O1 - Hosts: 192.168.111.202 two.cappex.local
O1 - Hosts: 192.168.111.202 two
O1 - Hosts: 192.168.111.205 five.cappex.local
O1 - Hosts: 127.0.0.1 meritaid.localhost
O1 - Hosts: 127.0.0.1 wolverine.cappex.local
O1 - Hosts: 127.0.0.1 facebook.cappex.local
O1 - Hosts: 127.0.0.1 college.cappex.localhost
O1 - Hosts: 127.0.0.1 university.cappex.localhost
O1 - Hosts: 127.0.0.1 admissions.cappex.localhost
O1 - Hosts: 127.0.0.1 collegedegree.cappex.localhost
O1 - Hosts: 127.0.0.1 collegecourses.cappex.localhost
O1 - Hosts: 127.0.0.1 collegesearch.cappex.localhost
O1 - Hosts: 127.0.0.1 collegeapplication.cappex.localhost
O1 - Hosts: 127.0.0.1 collegetuition.cappex.localhost
O1 - Hosts: 127.0.0.1 universityadmission.cappex.localhost
O1 - Hosts: 127.0.0.1 scholarships.meritaid.localhost
O1 - Hosts: 127.0.0.1 financialaid.meritaid.localhost
O1 - Hosts: 127.0.0.1 collegescholarships.meritaid.localhost
O1 - Hosts: 127.0.0.1 studentaid.meritaid.localhost
O1 - Hosts: 127.0.0.1 collegefinancialaid.meritaid.localhost
O1 - Hosts: 127.0.0.1 scholarshipsforcollege.meritaid.localhost
O1 - Hosts: 127.0.0.1 scholarshipapplication.meritaid.localhost
O1 - Hosts: 13059 more lines...
O2 - BHO: (C:\WINDOWS\system32\dat0rkki.dll) - {A3BA40A2-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\dat0rkki.dll ()
O2 - BHO: (no name) - {a6cd52dd-4639-43de-a771-95fff25a88e9} - File not found
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKU\khastie_ON_C\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe ()
O4 - HKLM..\Run: [EZEJMNAP] C:\Program Files\ThinkPad\Utilities\ezejmnap.exe ()
O4 - HKLM..\Run: [FingerPrintSoftware] C:\Program Files\Lenovo Fingerprint Software\fpapp.exe ()
O4 - HKLM..\Run: [jerajeyabo] File not found
O4 - HKLM..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe ()
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe ()
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe ()
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\tposdsvc.exe ()
O4 - HKLM..\Run: [TpShocks] C:\WINDOWS\System32\TpShocks.exe (Lenovo.)
O4 - HKLM..\Run: [Xerox_WorkCenter_C2424] C:\Program Files\Xerox\WorkCentre C2424\xc24bgts.exe ()
O4 - HKU\khastie_ON_C..\Run: [cryptp2pdev] File not found
O4 - HKU\khastie_ON_C..\Run: [gdf498gtudsigjnsod8guifjgfhfhf] C:\DOCUME~1\khastie\LOCALS~1\Temp\ny9sv9l.exe File not found
O4 - HKU\khastie_ON_C..\Run: [NPDTRAY] C:\Program Files\Lenovo\NPDIRECT\npdtray.exe ()
O4 - HKU\khastie_ON_C..\Run: [Remote System Protection] C:\WINDOWS\System32\dat0rkki.DLL ()
O4 - HKU\khastie_ON_C..\Run: [TOY5KNQ8OC] C:\DOCUME~1\khastie\LOCALS~1\Temp\Usr.exe File not found
O4 - HKU\NetworkService_ON_C..\Run: [jerajeyabo] File not found
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2010/02/24 17:21:41 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\khastie\Start Menu\Programs\Startup\AutorunsDisabled [2010/02/24 17:21:43 | 000,000,000 | -H-D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\khastie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\user1_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 93.188.164.222,93.188.166.43
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (javojosu.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ATFUS: DllName - C:\WINDOWS\system32\FpWinLogonNp.dll - C:\WINDOWS\system32\FpWinlogonNp.dll (AuthenTec,Inc)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\tpfnf2: DllName - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll ()
O22 - SharedTaskScheduler: {A3BA40A2-74F1-52BD-F434-00B15A2C8953} - hs3t873tisghs837tgysu7 - C:\WINDOWS\system32\dat0rkki.dll ()
O27 - HKLM IFEO\MpCmdRun.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\MSASCui.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\MsMpEng.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\msseces.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\Notepad.exe: Debugger - "C:\Program Files\TextPad 5\TextPad.exe" -n (Helios Software Solutions)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/15 11:19:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: AppSecDll - (C:\Documents and Settings\khastie\Local Settings\Application Data\Windows Server\fxlevx.dll) - C:\Documents and Settings\khastie\Local Settings\Application Data\Windows Server\fxlevx.dll ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/11 04:39:01 | 000,335,240 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/03/11 04:39:01 | 000,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/03/11 04:39:01 | 000,027,784 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/03/11 04:39:01 | 000,012,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2010/03/10 17:05:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\khastie\Local Settings\Application Data\Windows Server
[2010/03/10 16:42:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/03/10 16:26:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\khastie\.dbvis
[2010/03/10 16:25:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\khastie\invtmp
[2010/03/10 16:20:02 | 000,000,000 | ---D | C] -- C:\Program Files\DbVisualizer-7.0.4
[2010/03/09 17:14:17 | 000,000,000 | ---D | C] -- C:\Program Files\CollabNet
[2010/03/08 13:42:07 | 000,000,000 | ---D | C] -- C:\tmp
[2010/03/05 12:10:44 | 000,000,000 | ---D | C] -- C:\Program Files\LogMeIn Hamachi
[2010/02/26 10:27:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\khastie\Local Settings\Application Data\TechSmith
[2010/02/25 19:15:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\khastie\My Documents\PPTS
[2010/02/24 17:21:43 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\khastie\Start Menu\Programs\Startup\AutorunsDisabled
[2010/02/24 16:59:52 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/02/24 05:00:29 | 000,229,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\VMM.sys
[2010/02/23 13:01:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\khastie\My Documents\My Virtual Machines
[2010/02/23 12:56:08 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Virtual PC
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/11 04:39:01 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/03/11 04:39:01 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/03/11 04:39:01 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/03/11 04:39:01 | 000,012,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2010/03/10 17:09:30 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/10 17:09:29 | 000,001,024 | ---- | M] () -- C:\.rnd
[2010/03/10 17:09:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/10 17:09:19 | 3214,958,592 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/10 17:06:26 | 000,003,704 | -HS- | M] () -- C:\Documents and Settings\khastie\Local Settings\Application Data\VaA8uLj
[2010/03/10 17:06:13 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/03/10 17:06:13 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/03/10 17:06:11 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\khastie\rundll32.exe
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/03/10 17:06:06 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\khastie\tpshocks.exe
[2010/03/10 17:05:52 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\khastie\rundll32 .exe
[2010/03/10 17:05:42 | 000,020,000 | ---- | M] () -- C:\WINDOWS\System32\dat0rkki.dll
[2010/03/10 17:05:38 | 000,001,744 | -H-- | M] () -- C:\WINDOWS\System32\jemukozu
[2010/03/10 17:05:20 | 000,000,290 | -H-- | M] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/03/10 17:04:40 | 000,000,290 | -H-- | M] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2010/03/10 17:04:32 | 000,149,504 | ---- | M] () -- C:\WINDOWS\Ulozya.exe
[2010/03/10 16:48:26 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/10 16:48:26 | 000,437,504 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/10 16:48:26 | 000,069,274 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/10 16:44:07 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2010/03/10 16:44:01 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/10 07:35:35 | 056,963,630 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/03/09 18:02:33 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/03/09 18:02:33 | 000,237,568 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/03/09 18:02:13 | 001,909,712 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/03/09 18:02:10 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\khastie\ntuser.ini
[2010/03/09 18:02:09 | 005,767,168 | -H-- | M] () -- C:\Documents and Settings\khastie\NTUSER.DAT
[2010/03/09 18:01:58 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\khastie\Local Settings\Application Data\PUTTY.RND
[2010/03/09 17:57:13 | 003,778,476 | -H-- | M] () -- C:\Documents and Settings\khastie\Local Settings\Application Data\IconCache.db
[2010/03/07 05:42:29 | 005,258,649 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\1606_1.pdf
[2010/03/05 11:59:44 | 000,000,703 | ---- | M] () -- C:\Documents and Settings\khastie\Desktop\Laptop.lnk
[2010/03/05 11:13:51 | 008,607,213 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\1687_1.pdf
[2010/03/04 17:08:59 | 000,027,908 | ---- | M] () -- C:\Documents and Settings\khastie\Desktop\jobs_graph_large_feb10.gif
[2010/03/04 17:06:00 | 000,028,445 | ---- | M] () -- C:\Documents and Settings\khastie\Desktop\778931266_512.jpeg
[2010/03/03 17:38:10 | 000,018,375 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\Next Connect Requirements.docx
[2010/03/01 18:48:04 | 000,010,085 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\box.docx
[2010/02/26 16:53:17 | 000,856,576 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\Multivariate Testing.ppt
[2010/02/26 16:31:31 | 000,012,020 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\Multivariate Testing.xlsx
[2010/02/26 14:05:30 | 000,000,699 | ---- | M] () -- C:\Documents and Settings\khastie\Desktop\Work.lnk
[2010/02/26 11:44:39 | 000,010,385 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\Multivariate Testing.docx
[2010/02/26 10:32:53 | 000,095,526 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\OptInVariations.png
[2010/02/26 10:26:13 | 000,075,275 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\QuickApplyVariations.png
[2010/02/25 16:13:44 | 000,000,699 | ---- | M] () -- C:\Documents and Settings\khastie\Desktop\Home.lnk
[2010/02/25 11:19:40 | 006,009,452 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\AutoRunsCurrent.arn
[2010/02/24 21:12:56 | 003,445,868 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\AutoRunsSomeDisabled.arn
[2010/02/24 19:55:15 | 006,003,486 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\AutoRunsPreWipe2.arn
[2010/02/24 19:10:48 | 000,132,163 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\Multivariate Test Results.docx
[2010/02/24 17:28:02 | 006,003,486 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\AutoRunsMassDisable.arn
[2010/02/24 17:18:24 | 006,003,486 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\AutoRunsPreWipe.arn
[2010/02/24 16:59:53 | 000,001,786 | ---- | M] () -- C:\Documents and Settings\khastie\Desktop\HijackThis.lnk
[2010/02/24 15:30:35 | 000,020,439 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\LOGFILE1.csv
[2010/02/24 13:23:52 | 000,001,750 | ---- | M] () -- C:\Documents and Settings\khastie\Desktop\Hosts.lnk
[2010/02/24 05:00:42 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/24 05:00:29 | 000,229,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\VMM.sys
[2010/02/22 18:16:01 | 000,010,610 | ---- | M] () -- C:\Documents and Settings\khastie\My Documents\bubble-map.xlsx
[2010/02/22 17:53:45 | 000,010,757 | ---- | M] () -- C:\Documents and Settings\khastie\Desktop\e.tsv
[2010/02/22 17:53:34 | 000,010,757 | ---- | M] () -- C:\Documents and Settings\khastie\Desktop\b.tsv
[2010/02/22 17:40:52 | 000,005,158 | ---- | M] () -- C:\Documents and Settings\khastie\Desktop\b.csv
[2010/02/22 17:39:44 | 000,005,144 | ---- | M] () -- C:\Documents and Settings\khastie\Desktop\e.csv
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,001,744 | -H-- | C] () -- C:\WINDOWS\System32\jemukozu
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/03/10 17:06:06 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\khastie\tpshocks.exe
[2010/03/10 17:05:52 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\khastie\rundll32.exe
[2010/03/10 17:05:52 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\khastie\rundll32 .exe
[2010/03/10 17:05:42 | 000,020,000 | ---- | C] () -- C:\WINDOWS\System32\dat0rkki.dll
[2010/03/10 17:05:39 | 000,003,704 | -HS- | C] () -- C:\Documents and Settings\khastie\Local Settings\Application Data\VaA8uLj
[2010/03/10 17:04:36 | 000,149,504 | ---- | C] () -- C:\WINDOWS\Ulozya.exe
[2010/03/10 17:04:36 | 000,000,290 | -H-- | C] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2010/03/10 16:41:38 | 000,000,290 | -H-- | C] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/03/09 18:03:25 | 000,001,024 | ---- | C] () -- C:\.rnd
[2010/03/07 05:42:25 | 005,258,649 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\1606_1.pdf
[2010/03/05 11:12:59 | 008,607,213 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\1687_1.pdf
[2010/03/04 17:08:59 | 000,027,908 | ---- | C] () -- C:\Documents and Settings\khastie\Desktop\jobs_graph_large_feb10.gif
[2010/03/04 17:06:00 | 000,028,445 | ---- | C] () -- C:\Documents and Settings\khastie\Desktop\778931266_512.jpeg
[2010/03/01 18:48:04 | 000,010,085 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\box.docx
[2010/02/26 10:36:51 | 000,856,576 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\Multivariate Testing.ppt
[2010/02/26 10:11:36 | 000,095,526 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\OptInVariations.png
[2010/02/25 21:07:18 | 000,075,275 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\QuickApplyVariations.png
[2010/02/25 18:55:55 | 000,010,385 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\Multivariate Testing.docx
[2010/02/25 13:10:34 | 000,018,375 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\Next Connect Requirements.docx
[2010/02/25 11:19:39 | 006,009,452 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\AutoRunsCurrent.arn
[2010/02/24 21:12:55 | 003,445,868 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\AutoRunsSomeDisabled.arn
[2010/02/24 20:08:10 | 000,000,699 | ---- | C] () -- C:\Documents and Settings\khastie\Desktop\Home.lnk
[2010/02/24 20:07:57 | 000,000,699 | ---- | C] () -- C:\Documents and Settings\khastie\Desktop\Work.lnk
[2010/02/24 20:07:36 | 000,000,703 | ---- | C] () -- C:\Documents and Settings\khastie\Desktop\Laptop.lnk
[2010/02/24 19:55:14 | 006,003,486 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\AutoRunsPreWipe2.arn
[2010/02/24 18:33:36 | 000,132,163 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\Multivariate Test Results.docx
[2010/02/24 17:28:02 | 006,003,486 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\AutoRunsMassDisable.arn
[2010/02/24 17:18:24 | 006,003,486 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\AutoRunsPreWipe.arn
[2010/02/24 17:10:58 | 3214,958,592 | -HS- | C] () -- C:\hiberfil.sys
[2010/02/24 16:59:53 | 000,001,786 | ---- | C] () -- C:\Documents and Settings\khastie\Desktop\HijackThis.lnk
[2010/02/24 14:13:08 | 000,020,439 | ---- | C] () -- C:\Documents and Settings\khastie\My Documents\LOGFILE1.csv
[2010/02/24 13:22:15 | 000,001,750 | ---- | C] () -- C:\Documents and Settings\khastie\Desktop\Hosts.lnk
[2010/02/23 13:38:14 | 2500,448,768 | ---- | C] () -- C:\Documents and Settings\khastie\IE7 on XP SP3.vhd
[2010/02/22 17:53:34 | 000,010,757 | ---- | C] () -- C:\Documents and Settings\khastie\Desktop\b.tsv
[2010/02/22 17:52:54 | 000,010,757 | ---- | C] () -- C:\Documents and Settings\khastie\Desktop\e.tsv
[2010/02/22 17:38:36 | 000,005,158 | ---- | C] () -- C:\Documents and Settings\khastie\Desktop\b.csv
[2010/02/22 17:38:24 | 000,005,144 | ---- | C] () -- C:\Documents and Settings\khastie\Desktop\e.csv
[2010/02/14 19:08:08 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\khastie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/12 09:43:08 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\khastie\Local Settings\Application Data\PUTTY.RND
[2010/02/05 18:02:03 | 000,000,083 | ---- | C] () -- C:\Documents and Settings\khastie\Local Settings\Application Data\FASTWiz.log
[2010/01/25 13:58:06 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2010/01/21 19:59:10 | 000,000,016 | -H-- | C] () -- C:\Program Files\SyncToy_ff15294d-c32f-4ae5-8780-de7da8f90cfb.dat
[2010/01/15 16:37:05 | 000,031,232 | ---- | C] () -- C:\WINDOWS\System32\xnetsrvc.dll
[2010/01/15 16:36:57 | 000,022,528 | ---- | C] () -- C:\WINDOWS\System32\xrxactvt.dll
[2010/01/15 15:01:59 | 000,004,608 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSMAPIP.SYS
[2010/01/15 14:45:23 | 001,909,712 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/01/15 14:35:00 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2009/08/14 13:47:34 | 002,854,976 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2009/08/03 17:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/02/05 16:35:34 | 000,002,048 | ---- | C] () -- C:\WINDOWS\System32\EventLogMessages.dll
[2006/11/22 22:02:19 | 000,000,244 | ---- | C] () -- C:\Program Files\INSTALL.LOG
[2006/10/27 10:32:00 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\softcoin.dll
[2006/10/27 10:32:00 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\gencoin.dll
[2005/02/17 14:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 14:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2004/08/17 22:00:00 | 000,073,748 | -H-- | C] () -- C:\WINDOWS\System32\Iasex.dll
[2001/11/14 15:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2010/01/15 14:43:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\CachedFiles
[2010/02/19 16:52:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khastie\Application Data\Console
[2010/01/16 12:49:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khastie\Application Data\Helios
[2010/01/25 19:52:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khastie\Application Data\Leadertech
[2010/02/04 13:08:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khastie\Application Data\Scooter Software
[2010/02/11 22:51:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khastie\Application Data\Smith Micro
[2010/02/04 13:42:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khastie\Application Data\Subversion
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2010/03/10 17:06:13 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2010/03/10 17:06:13 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job
[2010/03/10 16:44:07 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job
[2010/03/10 17:05:20 | 000,000,290 | -H-- | M] () -- C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/03/10 17:04:40 | 000,000,290 | -H-- | M] () -- C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

========== Purity Check ==========


< End of report >

To avoid confusion, I will post a fix in the next post in a short while.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif
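The log above is what the helper triages by eye before writing the fix. What follows is an added example, not OTL's code and not the helper's, that parses the two line shapes OTL emits (the "Oxx - ..." autorun entries and the "[date | size | attrs | C/M] (company) -- path" file lines) and applies defender-side rules matching the kind of entries later removed: Run or AppInit values pointing at a file that no longer exists, system-wide DLL loader entries (AppInit_DLLs, SharedTaskScheduler, AppCertDlls) with no version info, a Run value that loads a DLL, an IFEO "Debugger" value that hands a security product's process to svchost.exe so it exits instead of starting, a creation timestamp in the future, a file name with whitespace before its extension, and a burst of At*.job tasks created in the same second. The sample lines are constructed in the shape of the posted log; the severity labels, the ABUSED_DEBUGGERS set and SCAN_YEAR are assumptions of ours.

```python
"""Triage of OTL/OTLPE log lines: an added example, not OTL's or the helper's code."""
import re
from collections import Counter

# Constructed sample in the shape of the posted log (paths and names are the
# log's own, the selection is ours); a real run would read the saved OTL.txt.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe ()
O4 - HKLM..\Run: [jerajeyabo] File not found
O4 - HKU\khastie_ON_C..\Run: [Remote System Protection] C:\WINDOWS\System32\dat0rkki.DLL ()
O20 - AppInit_DLLs: (javojosu.dll) - File not found
O27 - HKLM IFEO\MsMpEng.exe: Debugger - C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\Notepad.exe: Debugger - "C:\Program Files\TextPad 5\TextPad.exe" -n (Helios Software Solutions)
O36 - AppCertDlls: AppSecDll - (C:\Documents and Settings\khastie\Local Settings\Application Data\Windows Server\fxlevx.dll) - C:\Documents and Settings\khastie\Local Settings\Application Data\Windows Server\fxlevx.dll ()
[2099/01/01 12:00:00 | 000,001,744 | -H-- | C] () -- C:\WINDOWS\System32\jemukozu
[2010/03/10 17:05:52 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\khastie\rundll32 .exe
[2010/03/10 17:06:06 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\khastie\tpshocks.exe
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010/03/11 04:39:01 | 000,335,240 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/03/10 16:42:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
"""

# "[date time | size | attrs | C|M] (company) -- path"; directory lines carry no "(company)".
FILE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^()]*)\) )?-- (?P<path>.+)$")
ENTRY_RE = re.compile(r"^(?P<code>O\d+) - (?P<body>.+)$")
COMPANY_RE = re.compile(r"\((?P<company>[^()]*)\)\s*$")   # trailing "(vendor)" or "()"
IFEO_RE = re.compile(r"HKLM IFEO\\(?P<target>[^:]+): Debugger - (?P<dbg>.+?) \(")

SCAN_YEAR = 2010                      # year of the log (from the OTL header in the thread)
LOADER_CODES = {"O20", "O22", "O36"}  # AppInit_DLLs, SharedTaskScheduler, AppCertDlls
# Assumption (ours): system binaries that, set as an IFEO "Debugger", just make
# the target process exit instead of starting; a real debugger would differ.
ABUSED_DEBUGGERS = {"svchost.exe", "rundll32.exe", "cmd.exe"}


def debugger_basename(dbg):
    """Lower-case file name of the debugger command ('"quoted path" args' or 'path args')."""
    exe = dbg[1:].split('"', 1)[0] if dbg.startswith('"') else dbg.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def check_entry(code, body):
    """Rules for the 'Oxx - ...' autorun lines; returns (severity, subject, reason) tuples."""
    cm = COMPANY_RE.search(body)
    company = cm["company"] if cm else None
    subject = f"{code} {body}"
    if "File not found" in body and code in {"O4", "O20"}:
        return [("medium", subject, "autorun points at a file that no longer exists (orphaned loader)")]
    if code in LOADER_CODES and company == "":
        return [("high", subject, "system-wide DLL loader entry with no version info")]
    if code == "O4" and company == "" and re.search(r"\.dll \(\)$", body, re.I):
        return [("high", subject, "Run value loads a DLL with no version info")]
    if code == "O27":
        m = IFEO_RE.match(body)
        if m and debugger_basename(m["dbg"]) in ABUSED_DEBUGGERS:
            return [("high", subject, f"IFEO debugger keeps {m['target']} from ever starting")]
    return []


def check_file(m):
    """Rules for one parsed file line (a FILE_RE match)."""
    path, year = m["path"], int(m["date"][:4])
    name = path.rsplit("\\", 1)[-1]
    out = []
    if year > SCAN_YEAR:
        out.append(("high", path, f"creation timestamp in the future ({m['date']})"))
    if re.search(r"\s\.(exe|dll)$", name, re.I):
        out.append(("high", path, "whitespace before the extension mimics a system binary"))
    elif re.match(r"^C:\\Documents and Settings\\[^\\]+\\[^\\]+\.exe$", path, re.I):
        out.append(("medium", path, "executable placed directly in a profile root"))
    return out


def triage(text):
    """Parse an OTL log and return all findings, including the cross-line ones."""
    findings, job_bursts = [], Counter()
    for line in text.splitlines():
        line = line.strip()
        if (m := ENTRY_RE.match(line)):
            findings.extend(check_entry(m["code"], m["body"]))
        elif (m := FILE_RE.match(line)):
            findings.extend(check_file(m))
            if re.search(r"\\tasks\\At\d+\.job$", m["path"], re.I):
                job_bursts[f"{m['date']} {m['time']}"] += 1
    # Several At*.job tasks sharing one creation second were scheduled by a program, not by hand.
    for stamp, n in job_bursts.items():
        if n >= 3:
            findings.append(("high", f"{n} At*.job tasks created at {stamp}", "burst of scheduled tasks"))
    return findings


if __name__ == "__main__":
    for severity, subject, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {subject}")
```

The rules deliberately lean on what OTL already prints: the trailing "()" means the file carries no version information, which legitimate vendor components in the same key almost always have (compare the Lenovo PWRMGRTR.DLL Run value with the dat0rkki.DLL one), and the IFEO rule fires only when the "Debugger" is a system binary, so the TextPad entry that replaces Notepad is left alone.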


#6 kghastie (Topic Starter, Members, 61 posts)

Posted 22 March 2010 - 12:58 PM

OK, thanks. Let me know if you need anything else.

#7 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,591 posts, Location: Romania)

Posted 22 March 2010 - 01:28 PM

Okay, here I am again :)

A lot to fix there, but let's start with finding a replacement copy for that iastor.sys that got deleted.

Re-run OTLPE, and copy/paste the text in the codebox below into the "custom scan/fix" field. Click "None" and then "run scan".
CODE
/md5start
iastor.sys
/md5stop

Afterwards post me the log please.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#8 kghastie (Topic Starter, Members, 61 posts)

Posted 22 March 2010 - 01:39 PM

OK!

OTL logfile created on: 3/22/2010 2:29:24 PM - Run
OTLPE by OldTimer - Version 3.1.37.1 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 2046 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.00 Gb Total Space | 15.30 Gb Free Space | 30.60% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Custom Scans ==========



< MD5 for: IASTOR.SYS >
[2009/08/07 07:17:26 | 000,330,264 | ---- | M] (Intel Corporation) MD5=01446278D4563B3013C92830AE6CBB26 -- C:\DRIVERS\WIN\IMSM\IaStor.sys
[2009/06/03 12:11:18 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\WINDOWS\NLDRV\001\iastor.sys
< End of report >


#9 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,591 posts, Location: Romania)

Posted 22 March 2010 - 02:57 PM

Okay, now let's start fixing things :)

Re-run OTLPE and copy/paste the text in the codebox below in the "custom scan/fix" field and click "run fix".

CODE
:files
c:\windows\system32\drivers\iastor.sys|C:\DRIVERS\WIN\IMSM\IaStor.sys /replace

:otl
O2 - BHO: (C:\WINDOWS\system32\dat0rkki.dll) - {A3BA40A2-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\dat0rkki.dll ()
O4 - HKLM..\Run: [jerajeyabo] File not found
O4 - HKU\khastie_ON_C..\Run: [gdf498gtudsigjnsod8guifjgfhfhf] C:\DOCUME~1\khastie\LOCALS~1\Temp\ny9sv9l.exe File not found
O4 - HKU\khastie_ON_C..\Run: [Remote System Protection] C:\WINDOWS\System32\dat0rkki.DLL ()
O4 - HKU\khastie_ON_C..\Run: [TOY5KNQ8OC] C:\DOCUME~1\khastie\LOCALS~1\Temp\Usr.exe File not found
O4 - HKU\NetworkService_ON_C..\Run: [jerajeyabo] File not found
O20 - AppInit_DLLs: (javojosu.dll) - File not found
O22 - SharedTaskScheduler: {A3BA40A2-74F1-52BD-F434-00B15A2C8953} - hs3t873tisghs837tgysu7 - C:\WINDOWS\system32\dat0rkki.dll ()
O36 - AppCertDlls: AppSecDll - (C:\Documents and Settings\khastie\Local Settings\Application Data\Windows Server\fxlevx.dll) - C:\Documents and Settings\khastie\Local Settings\Application Data\Windows Server\fxlevx.dll ()
[2099/01/01 12:00:00 | 000,001,744 | -H-- | C] () -- C:\WINDOWS\System32\jemukozu
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/03/10 17:06:06 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\khastie\tpshocks.exe
[2010/03/10 17:05:52 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\khastie\rundll32.exe
[2010/03/10 17:05:52 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\khastie\rundll32 .exe
[2010/03/10 17:05:42 | 000,020,000 | ---- | C] () -- C:\WINDOWS\System32\dat0rkki.dll
[2010/03/10 17:05:39 | 000,003,704 | -HS- | C] () -- C:\Documents and Settings\khastie\Local Settings\Application Data\VaA8uLj
[2010/03/10 17:04:36 | 000,149,504 | ---- | C] () -- C:\WINDOWS\Ulozya.exe
[2010/03/10 17:04:36 | 000,000,290 | -H-- | C] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2010/03/10 16:41:38 | 000,000,290 | -H-- | C] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

:commands
[emptytemp]
[resethosts]

Afterwards boot normally and let me know how everything is running.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft

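The fix above removes several kinds of persistence at once: Run entries whose target is already gone ("File not found"), a loader that pushed the real rundll32.exe aside by renaming it with a space before the extension, a file stamped 2099, and a set of At*.job tasks created in the same second. The script below is an added example for this thread, not OTL's or BleepingComputer's code: it parses OTL-style lines (constructed here, modelled on the ones the fix targets, with a placeholder user name) and flags each of those indicators so a reader can see why the entries were chosen. The year passed as newest_plausible_year is an assumption for the sample.

```python
"""Triage OTL-style log lines for the persistence indicators that the fix
above removes: dangling autorun entries, "companion" renames such as
"rundll32 .exe" beside "rundll32.exe", time-stomped creation dates, and
clusters of files that share one size (a copied loader, or a burst of
At*.job tasks). Added example for this thread, not OTL's own code."""
import re
from collections import defaultdict

# Constructed sample in OTL's line format (an autorun section and a file
# listing); the names echo the thread's fix, the user name is a placeholder.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [jerajeyabo] File not found
O4 - HKU\user_ON_C..\Run: [Remote System Protection] C:\WINDOWS\System32\dat0rkki.DLL ()
O4 - HKU\user_ON_C..\Run: [TOY5KNQ8OC] C:\DOCUME~1\user\LOCALS~1\Temp\Usr.exe File not found
O4 - HKLM..\Run: [AVG8_TRAY] c:\progra~1\AVG\AVG8\avgtray.exe ()
O20 - AppInit_DLLs: (javojosu.dll) - File not found
[2099/01/01 12:00:00 | 000,001,744 | -H-- | C] () -- C:\WINDOWS\System32\jemukozu
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/03/10 17:06:11 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/03/10 17:06:06 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\user\tpshocks.exe
[2010/03/10 17:05:52 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\user\rundll32.exe
[2010/03/10 17:05:52 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\user\rundll32 .exe
[2010/03/10 17:05:42 | 000,020,000 | ---- | C] () -- C:\WINDOWS\System32\dat0rkki.dll
[2010/01/15 10:17:00 | 000,021,640 | ---- | C] () -- C:\WINDOWS\system32\emptyregdb.dat
"""

AUTORUN_RE = re.compile(r"^O\d+ - ")
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| [CM]\] \(\) -- (?P<path>.+)$")


def parse_otl(text):
    """Return (autorun_lines, file_entries); file_entries are dicts."""
    autoruns, files = [], []
    for line in text.splitlines():
        line = line.strip()
        if AUTORUN_RE.match(line):
            autoruns.append(line)
            continue
        m = FILE_RE.match(line)
        if m:
            files.append({"ts": m["ts"], "size": int(m["size"].replace(",", "")),
                          "attr": m["attr"], "path": m["path"]})
    return autoruns, files


def dangling_autoruns(autoruns):
    """Autorun entries whose target no longer exists: the loader was removed
    but its registry hook was left behind (or will be re-created)."""
    return [line for line in autoruns if line.endswith("File not found")]


def companion_renames(files):
    """Pairs (renamed_original, replacement) where 'name .exe' sits beside
    'name.exe': the original was pushed aside and its name reused."""
    by_path = {f["path"].lower(): f["path"] for f in files}
    pairs = []
    for f in files:
        m = re.match(r"^(?P<dir>.*\\)(?P<stem>[^\\]+?) \.(?P<ext>\w+)$", f["path"])
        if m:
            twin = (m["dir"] + m["stem"] + "." + m["ext"]).lower()
            if twin in by_path:
                pairs.append((f["path"], by_path[twin]))
    return pairs


def timestomped(files, newest_plausible_year):
    """Creation dates later than the scan itself cannot be genuine."""
    return [f["path"] for f in files if int(f["ts"][:4]) > newest_plausible_year]


def size_clusters(files, min_count=3):
    """Sizes shared by min_count or more files: one loader copied over many
    startup binaries, or a burst of identical task files."""
    groups = defaultdict(list)
    for f in files:
        groups[f["size"]].append(f["path"])
    return {size: paths for size, paths in groups.items() if len(paths) >= min_count}


def triage(text, newest_plausible_year=2010):
    """Run every check over one log and collect the hits by indicator."""
    autoruns, files = parse_otl(text)
    return {"dangling": dangling_autoruns(autoruns),
            "companions": companion_renames(files),
            "timestomped": timestomped(files, newest_plausible_year),
            "size_clusters": size_clusters(files)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Running it prints the three dangling autoruns, the rundll32 pair, the 2099 file and the two size clusters (380 bytes for the task files, 40448 for the copied loader). On a real log the size-cluster check is the one to read most carefully: legitimate installers also drop several files of one size, so treat it as a pointer to compare hashes rather than as proof.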

#10 kghastie (Topic Starter)

Posted 22 March 2010 - 03:44 PM

It worked! You're bleeping awesome, Elise!

Here's what happened. On reboot it did a disk check on C. It did a bunch of repairs and I think said it was removing sectors or something (a lot), something about 0 and sector 25. Said it completed successfully. I didn't think to grab the log.

Then I got a couple of screens. The window was really low res, probably due to an ATI driver I hosed. Then AVG started talking about several viruses. I tried to heal them, and restarted. Here are two screenshots:

Attached Files



#11 Elise (Malware Study Hall Admin)

Posted 22 March 2010 - 03:49 PM

Hi again,

Yes, you do indeed need to reinstall those ATI drivers. Usually you get a drivers CD when you buy a new computer.

Indeed, there is some malware that still needs to go.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


#12 kghastie (Topic Starter)

Posted 22 March 2010 - 05:17 PM

Also, it keeps looking for that missing crypt-something file on startup. Is that a startup entry I need to remove or a valid file I need to reinstall?

ComboFix 10-03-22.02 - khastie 03/22/2010 16:59:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2520.1684 [GMT -5:00]
Running from: c:\temp\ComboFix.exe
AV: AVG Anti-Virus Network Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\khastie\Local Settings\Application Data\Windows Server
c:\documents and settings\khastie\rundll32.exe
C:\LOG.TXT
c:\program files\INSTALL.LOG
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\app_dll.dll
c:\windows\system32\ctfmon .exe
c:\windows\system32\Iasex.dll
c:\windows\system32\spool\prtprocs\w32x86\00000dfe.tmp
c:\windows\system32\spool\prtprocs\w32x86\00001718.tmp
c:\windows\system32\spool\prtprocs\w32x86\00006a6a.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Service_6to4
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
.

2010-03-22 22:01 . 2010-03-22 22:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-03-22 21:57 . 2010-03-22 21:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-22 21:42 . 2010-03-22 21:41 3898018 ------r- c:\temp\ComboFix.exe
2010-03-22 20:24 . 2010-03-22 20:24 40448 ----a-w- c:\documents and settings\khastie\tpshocks.exe
2010-03-22 20:10 . 2010-03-22 20:10 -------- d-----w- C:\_OTL
2010-03-22 20:10 . 2009-08-07 11:17 330264 ----a-w- c:\windows\system32\drivers\iastor.sys
2010-03-11 08:39 . 2010-03-11 08:39 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 08:39 . 2010-03-11 08:39 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-11 08:39 . 2010-03-11 08:39 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-03-11 08:39 . 2010-03-11 08:39 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-10 20:26 . 2010-03-10 20:27 -------- d-----w- c:\documents and settings\khastie\.dbvis
2010-03-10 20:25 . 2010-03-10 20:27 -------- d-----w- c:\documents and settings\khastie\invtmp
2010-03-10 20:20 . 2010-03-10 20:20 -------- d-----w- c:\program files\DbVisualizer-7.0.4
2010-03-09 21:14 . 2010-03-09 21:14 -------- d-----w- c:\program files\CollabNet
2010-03-08 20:46 . 2010-03-08 20:46 -------- d-----w- c:\temp\http%3a%2f%2fcygwin.lowprofilelinks.com%2f
2010-03-08 20:45 . 2010-03-08 20:45 -------- d-----w- c:\temp\http%3a%2f%2fcygwin.lilengine.com%2f
2010-03-08 20:44 . 2010-03-08 21:42 -------- d-----w- c:\temp\http%3a%2f%2fcygwin.mirrors.hoobly.com%2f
2010-03-08 17:42 . 2010-03-08 17:42 -------- d-----w- C:\tmp
2010-03-08 17:06 . 2010-03-08 17:15 -------- d-----w- c:\temp\ftp%3a%2f%2fbo.mirror.garr.it%2fmirrors%2fsourceware.org%2fcygwin
2010-03-05 16:10 . 2010-03-05 16:10 -------- d-----w- c:\program files\LogMeIn Hamachi
2010-02-26 14:27 . 2010-02-26 14:27 -------- d-----w- c:\documents and settings\khastie\Local Settings\Application Data\TechSmith
2010-02-24 20:59 . 2010-02-24 20:59 -------- d-----w- c:\program files\Trend Micro
2010-02-24 09:00 . 2010-02-24 09:00 229208 ----a-w- c:\windows\system32\drivers\VMM.sys
2010-02-23 16:56 . 2010-02-23 16:56 -------- d-----w- c:\program files\Microsoft Virtual PC
1601-01-01 00:00 . 1601-01-01 00:00 0 ----a-w- c:\program files\87234.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-22 22:07 . 2010-01-15 18:44 -------- d-----w- c:\program files\Lenovo Fingerprint Software
2010-03-22 22:07 . 2010-03-22 22:07 40448 ----a-w- c:\documents and settings\khastie\rundll32.exe
2010-03-22 22:03 . 2010-01-15 18:45 1909712 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-22 22:01 . 2009-12-11 18:19 40448 ----a-w- c:\windows\system32\tpshocks.exe
2010-03-22 21:45 . 2010-01-30 17:49 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-22 20:24 . 2010-03-22 20:24 40448 ----a-w- c:\documents and settings\khastie\tpshocks .exe
2010-03-09 22:22 . 2010-02-23 17:01 165232 ---ha-w- c:\documents and settings\khastie\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2010-02-19 20:52 . 2010-02-19 20:52 -------- d-----w- c:\documents and settings\khastie\Application Data\Console
2010-02-19 20:38 . 2010-01-15 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-18 19:41 . 2010-02-18 19:41 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-17 21:15 . 2010-02-17 20:08 -------- d-----w- c:\documents and settings\khastie\Application Data\Skype
2010-02-17 20:10 . 2010-02-17 20:10 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-17 20:10 . 2010-02-17 20:10 -------- d-----w- c:\documents and settings\khastie\Application Data\skypePM
2010-02-17 20:08 . 2010-02-17 20:08 -------- d-----r- c:\program files\Skype
2010-02-17 20:08 . 2010-02-17 20:08 -------- d-----w- c:\program files\Common Files\Skype
2010-02-17 20:08 . 2010-02-17 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-16 15:21 . 2010-01-20 22:08 -------- d-----w- c:\program files\Digsby
2010-02-12 02:51 . 2010-02-12 02:51 -------- d-----w- c:\documents and settings\khastie\Application Data\Smith Micro
2010-02-11 21:56 . 2010-02-11 21:56 28020 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-11 19:20 . 2010-02-11 19:20 -------- d-----w- c:\program files\TechSmith
2010-02-11 19:19 . 2010-02-11 19:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-11 04:02 . 2010-01-15 20:47 26440 ----a-w- c:\documents and settings\khastie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-09 03:54 . 2010-02-03 17:38 -------- d-----w- c:\program files\MyDefrag v4.2.7
2010-02-05 23:05 . 2010-02-05 23:05 -------- d-----w- c:\program files\Support Tools
2010-02-05 16:23 . 2010-02-05 16:23 -------- d-----w- c:\documents and settings\khastie\Application Data\AVG8
2010-02-05 07:06 . 2010-02-05 07:06 -------- d-----w- c:\program files\Veign
2010-02-05 04:51 . 2010-02-05 04:51 -------- d-----w- c:\documents and settings\khastie\Application Data\Verizon Wireless
2010-02-05 04:50 . 2010-02-05 04:50 -------- d-----w- c:\program files\Verizon Wireless
2010-02-05 04:50 . 2010-02-05 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon Wireless
2010-02-05 04:49 . 2010-02-05 04:49 10134 ----a-r- c:\documents and settings\khastie\Application Data\Microsoft\Installer\{A1BC9F13-59FE-43E4-8498-DF5A721196C5}\ARPPRODUCTICON.exe
2010-02-05 04:49 . 2010-02-05 04:49 -------- d-----w- c:\program files\Common Files\Research in Motion
2010-02-05 04:49 . 2010-02-05 04:49 -------- d-----w- c:\documents and settings\khastie\Application Data\InstallShield
2010-02-05 03:48 . 2010-01-23 19:40 -------- d-----w- c:\documents and settings\khastie\Application Data\Apple Computer
2010-02-04 18:23 . 2010-02-04 17:42 -------- d-----w- c:\documents and settings\khastie\Application Data\TortoiseSVN
2010-02-04 17:42 . 2010-02-04 17:25 -------- d-----w- c:\documents and settings\khastie\Application Data\Subversion
2010-02-04 17:34 . 2010-02-04 17:34 -------- d-----w- c:\program files\TortoiseSVN
2010-02-04 17:34 . 2010-02-04 17:34 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2010-02-04 17:08 . 2010-02-04 17:08 -------- d-----w- c:\documents and settings\khastie\Application Data\Scooter Software
2010-02-04 17:08 . 2006-11-30 16:13 -------- d-----w- c:\program files\Beyond Compare 2
2010-02-04 00:47 . 2010-01-22 16:59 -------- d-----w- c:\program files\CCleaner
2010-02-03 23:01 . 2010-02-03 23:01 -------- d-----w- c:\program files\Syncplicity
2010-02-03 22:12 . 2010-01-22 16:48 -------- d-----w- c:\program files\PuTTY
2010-02-03 22:10 . 2010-02-03 22:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-03 22:10 . 2010-02-03 22:09 -------- d-----w- c:\program files\Java
2010-02-03 21:39 . 2010-02-03 21:39 -------- d-----w- c:\program files\MySQL
2010-02-03 19:19 . 2010-01-22 16:48 -------- d-----w- c:\program files\JetBrains
2010-02-03 16:51 . 2010-02-03 16:51 -------- d-----w- c:\program files\Windows Live
2010-01-29 20:31 . 2010-01-29 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Conexant
2010-01-29 20:14 . 2010-01-23 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\RetroExp
2010-01-27 08:41 . 2010-01-15 18:56 -------- d-----w- c:\program files\Lenovo
2010-01-27 08:40 . 2010-01-27 08:40 -------- d-----w- c:\program files\Common Files\Lenovo
2010-01-27 08:15 . 2010-01-27 08:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-25 23:52 . 2010-01-25 23:52 -------- d-----w- c:\documents and settings\khastie\Application Data\Leadertech
2010-01-25 17:58 . 2010-01-25 17:58 462848 ----a-w- c:\windows\system32\ractrlkeyhook.dll
2010-01-23 20:04 . 2010-01-23 19:57 -------- d-----w- c:\program files\Iomega
2010-01-23 20:03 . 2010-01-23 20:03 -------- d-----w- c:\program files\MozyHome
2010-01-23 20:03 . 2010-01-23 20:03 61440 ----a-r- c:\documents and settings\khastie\Application Data\Microsoft\Installer\{BCC57687-98A2-4C4C-B0F8-BC6B6F52D4E3}\NewShortcut1_5D652EC38AC041E7B337162BC7B01148.exe
2010-01-23 20:03 . 2010-01-23 20:03 5222 ----a-r- c:\documents and settings\khastie\Application Data\Microsoft\Installer\{BCC57687-98A2-4C4C-B0F8-BC6B6F52D4E3}\ARPPRODUCTICON.exe
2010-01-23 20:03 . 2010-01-23 20:03 -------- d-----w- c:\program files\Retrospect
2010-01-23 19:57 . 2010-01-23 19:57 40960 ----a-r- c:\documents and settings\khastie\Application Data\Microsoft\Installer\{90FF23FE-0E1B-40DF-A22E-B4C0372E5936}\ARPPRODUCTICON.exe
2010-01-23 19:40 . 2010-01-23 19:39 -------- d-----w- c:\program files\iTunes
2010-01-23 19:40 . 2010-01-23 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-23 19:39 . 2010-01-23 19:39 -------- d-----w- c:\program files\iPod
2010-01-23 19:39 . 2010-01-23 19:38 -------- d-----w- c:\program files\Common Files\Apple
2010-01-23 19:39 . 2010-01-23 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-23 19:39 . 2010-01-23 19:39 -------- d-----w- c:\program files\Bonjour
2010-01-23 19:39 . 2010-01-23 19:39 -------- d-----w- c:\program files\QuickTime
2010-01-23 19:39 . 2010-01-23 19:39 -------- d-----w- c:\program files\Apple Software Update
2010-01-23 19:38 . 2010-01-23 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-22 18:13 . 2010-02-05 16:13 3858432 ----a-w- c:\documents and settings\khastie\Application Data\Mozilla\Firefox\Profiles\y78dpd77.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
2010-01-22 17:49 . 2010-02-05 16:13 8520 ----a-w- c:\documents and settings\khastie\Application Data\Mozilla\Firefox\Profiles\y78dpd77.default\extensions\LogMeInClient@logmein.com\plugins\ractrlkeyhook.dll
2010-01-22 17:49 . 2010-02-05 16:13 70984 ----a-w- c:\documents and settings\khastie\Application Data\Mozilla\Firefox\Profiles\y78dpd77.default\extensions\LogMeInClient@logmein.com\plugins\LMIProxyHelper.exe
2010-01-22 17:46 . 2010-02-05 16:13 574768 ----a-w- c:\documents and settings\khastie\Application Data\Mozilla\Firefox\Profiles\y78dpd77.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianDll.dll
2010-01-22 17:46 . 2010-02-05 16:13 15664 ----a-w- c:\documents and settings\khastie\Application Data\Mozilla\Firefox\Profiles\y78dpd77.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianEvt.dll
2010-01-22 17:46 . 2010-02-05 16:13 83256 ----a-w- c:\documents and settings\khastie\Application Data\Mozilla\Firefox\Profiles\y78dpd77.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardian.exe
2010-01-22 16:58 . 2010-01-22 16:58 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-22 01:10 . 2007-06-14 17:10 -------- d-----w- c:\program files\SysInternals
2010-01-21 23:59 . 2010-01-21 23:59 16 ---h--w- c:\program files\SyncToy_ff15294d-c32f-4ae5-8780-de7da8f90cfb.dat
2010-01-20 22:23 . 2010-01-20 22:23 16 ---h--w- C:\SyncToy_023bb1f4-c903-481a-ab23-115df337683d.dat
2010-01-17 20:52 . 2010-01-17 20:52 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-17 17:58 . 2010-01-15 15:18 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-16 17:44 . 2010-01-16 17:44 0 ----a-w- c:\windows\nsreg.dat
2010-01-15 18:07 . 2010-01-15 18:07 23968 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-15 18:06 . 2010-01-15 18:06 0 ----a-w- c:\windows\ativpsrm.bin
2010-01-15 15:50 . 2010-01-15 15:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-15 15:17 . 2010-01-15 15:17 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-31 16:50 . 2008-04-14 05:45 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart .exe
c:\program files\AVG\AVG8\avgtray .exe
c:\program files\CONEXANT\SAII\saiicpl .exe
c:\program files\Lenovo\HOTKEY\tpfnf6r .exe
c:\program files\Lenovo\HOTKEY\tposdsvc .exe
c:\program files\Lenovo\NPDIRECT\npdtray .exe
c:\program files\Lenovo\NPDIRECT\tpfnf7sp .exe
c:\program files\Lenovo Fingerprint Software\fpapp .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\ThinkPad\Utilities\ezejmnap .exe
c:\program files\xerox\WorkCentre C2424\xc24bgts .exe
c:\windows\system32\tpshocks .exe


------- Sigcheck -------

[-] 2009-06-03 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 01:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 01:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 01:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 01:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 01:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 01:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 01:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 01:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-01-19 01:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4A9D-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
2008-06-25 21:38 2401584 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
2008-06-25 21:38 2401584 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Folder)]
@="{02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1}"
[HKEY_CLASSES_ROOT\CLSID\{02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1}]
2009-12-11 22:39 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Fully Synced)]
@="{CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1}"
[HKEY_CLASSES_ROOT\CLSID\{CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1}]
2009-12-11 22:39 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Not Latest Version)]
@="{284C090F-EB1D-4A6E-872E-6DB72E417E24}"
[HKEY_CLASSES_ROOT\CLSID\{284C090F-EB1D-4A6E-872E-6DB72E417E24}]
2009-12-11 22:39 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Shared Folder)]
@="{3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC}"
[HKEY_CLASSES_ROOT\CLSID\{3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC}]
2009-12-11 22:39 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NPDTRAY"="c:\progra~1\Lenovo\NPDIRECT\NPDTray.exe" [2010-03-22 40448]
"cryptp2pdev"="c:\documents and settings\khastie\Local Settings\Application Data\cryptp2pdev\cryptp2pdev.dll" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-22 40448]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2010-03-22 40448]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2010-03-22 40448]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-12-16 513384]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-03-22 40448]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-22 40448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-22 40448]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2010-03-22 40448]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2010-03-22 40448]
"TpShocks"="TpShocks.exe" [2010-03-22 40448]
"Xerox_WorkCenter_C2424"="c:\program files\Xerox\WorkCentre C2424\xc24bgts.exe" [2010-03-22 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-22 40448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\khastie\Start Menu\Programs\Startup\AutorunsDisabled
Iomega Product Registration.lnk - c:\program files\Iomega\Registration\Register.exe [2004-2-4 16175104]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2009-8-14 607584]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-1-15 50688]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-1-23 2311472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2009-03-19 10:55 180224 ----a-w- c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-15 15:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 22:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Intel\\WiMAX\\Bin\\AppSrv.exe"=
"c:\\Program Files\\Intel\\WiMAX\\Bin\\DMAgent.exe"=
"c:\\WINDOWS\\system32\\xnetsrvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Iomega\\Home Storage Manager\\Iomega Discovery.exe"=
"c:\\Program Files\\Iomega\\Home Storage Manager\\Iomega Storage Manager.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\JetBrains\\IntelliJ IDEA 9.0.1\\bin\\idea.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_18\\bin\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Development\\apache-tomcat-6.0.24\\bin\\tomcat6.exe"=
"c:\\Program Files\\Syncplicity\\Syncplicity.exe"=
"c:\\cygwin\\bin\\XWin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3306:TCP"= 3306:TCP:MySQL Server

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [3/11/2010 3:39 AM 12552]
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [1/15/2010 1:35 PM 24304]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/9/2009 1:10 PM 20520]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/11/2010 3:39 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/11/2010 3:39 AM 108552]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [3/19/2009 5:48 AM 1680632]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/15/2010 10:50 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/15/2010 10:50 AM 297752]
R2 BPPROT;Intel® WiMAX Link Protocol Driver;c:\windows\system32\drivers\bpprot.sys [2/1/2009 7:39 PM 18560]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [1/15/2010 1:35 PM 132456]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [3/19/2009 5:53 AM 98304]
R2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [3/19/2009 5:55 AM 118784]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [10/29/2009 1:27 PM 1074568]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [1/15/2010 1:35 PM 53248]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [1/15/2010 1:56 PM 62320]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [1/15/2010 1:58 PM 2058776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [1/15/2010 1:44 PM 482176]
R3 bpenum;Intel® WiMAX Link Enumerator;c:\windows\system32\drivers\bpenum.sys [2/1/2009 7:39 PM 163840]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [9/19/2008 5:29 PM 239760]
S0 ncikqjui;ncikqjui; [x]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [1/15/2010 1:56 PM 45424]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [3/19/2009 5:52 AM 106496]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 8:03 PM 32408]
S4 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\Intel\WiMAX\Bin\DMAgent.exe [2/5/2009 3:36 PM 348160]
S4 Tomcat6;Apache Tomcat 6;c:\development\apache-tomcat-6.0.24\bin\tomcat6.exe [1/19/2010 8:42 AM 57344]
S4 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\Intel\WiMAX\Bin\AppSrv.exe [2/5/2009 3:36 PM 2379776]
.
Contents of the 'Scheduled Tasks' folder

2010-03-22 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-22 22:07]

2010-03-22 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-01-15 07:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\khastie\Application Data\Mozilla\Firefox\Profiles\y78dpd77.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\documents and settings\khastie\Application Data\Mozilla\Firefox\Profiles\y78dpd77.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\khastie\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{a6cd52dd-4639-43de-a771-95fff25a88e9} - vokuharo.dll
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-22 17:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Xerox_WorkCenter_C2424 = c:\program files\Xerox\WorkCentre C2424\xc24bgts.exe 1?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,75,99,fb,46,b3,ac,40,bd,01,42,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,75,99,fb,46,b3,ac,40,bd,01,42,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1748)
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5364)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\MozyHome\mozyshell.dll
c:\program files\Syncplicity\SyncplicityShellExt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Retrospect\Retrospect Express HD 2.5\retrorun.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\progra~1\avg\avg8\avgtray .exe
c:\progra~1\thinkpad\utilit~1\ezejmnap .exe
c:\program files\lenovo\hotkey\tpfnf6r .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\synaptics\syntp\syntpenh .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\lenovo\npdirect\tpfnf7sp .exe
c:\windows\system32\tpshocks .exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\xerox\workcentre c2424\xc24bgts .exe
c:\program files\adobe\reader 9.0\reader\reader_sl .exe
c:\progra~1\lenovo\npdirect\npdtray .exe
c:\windows\system32\xnetsrvc.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-03-22 17:10:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-22 22:10

Pre-Run: 22,201,012,224 bytes free
Post-Run: 19,470,819,328 bytes free

- - End Of File - - 409814428CA4541890F52A853F6E8317


#13 kghastie

kghastie
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Local time:05:38 PM

Posted 22 March 2010 - 06:03 PM

By the way, AVG still finds multiple versions of this very often, despite Healing or Moving To Vault each time:

C:\program files\internet explorer\wmpscfgs.exe

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,591 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:38 AM

Posted 23 March 2010 - 04:44 AM

Still quite some stuff to take care of. We also need to replace a file. Please let me know if you have an XP CD at hand (if you don't have one, maybe you can borrow one from a friend or family member).

In the fix below I'm including the script for that "crypt-something" file.

Your AVG8 is outdated. I recommend you download and install the latest version (AVG9).

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart .exe
c:\program files\AVG\AVG8\avgtray .exe
c:\program files\CONEXANT\SAII\saiicpl .exe
c:\program files\Lenovo\HOTKEY\tpfnf6r .exe
c:\program files\Lenovo\HOTKEY\tposdsvc .exe
c:\program files\Lenovo\NPDIRECT\npdtray .exe
c:\program files\Lenovo\NPDIRECT\tpfnf7sp .exe
c:\program files\Lenovo Fingerprint Software\fpapp .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\ThinkPad\Utilities\ezejmnap .exe
c:\program files\xerox\WorkCentre C2424\xc24bgts .exe
c:\windows\system32\tpshocks .exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cryptp2pdev"=-

AtJob::

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft

 


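For anyone triaging a ComboFix log for the kinds of indicators Elise's script addresses, an added example (written for this page, not part of the thread or of ComboFix): it flags program paths with a space before .exe (the files listed under RenV::), service entries with no backing file, and clusters of At*.job tasks pointing at one binary. The sample lines are a constructed excerpt modelled on the log posted above.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted earlier in this thread.
SAMPLE_LOG = """\
S0 ncikqjui;ncikqjui; [x]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\\program files\\Lenovo\\HOTKEY\\micmute.exe [1/15/2010 1:56 PM 45424]
2010-03-22 c:\\windows\\Tasks\\At1.job
- c:\\program files\\internet explorer\\wmpscfgs.exe [2010-03-22 22:07]
2010-03-22 c:\\windows\\Tasks\\At2.job
- c:\\program files\\internet explorer\\wmpscfgs.exe [2010-03-22 22:07]
2010-03-22 c:\\windows\\Tasks\\PMTask.job
- c:\\progra~1\\ThinkPad\\UTILIT~1\\PWMIDTSK.EXE [2010-01-15 07:12]
c:\\progra~1\\avg\\avg8\\avgtray .exe
c:\\program files\\Synaptics\\SynTP\\SynTPLpr.exe
c:\\windows\\system32\\tpshocks .exe
"""

# A path whose name carries a space before ".exe": the pattern the RenV:: entries address.
SPACED_EXE = re.compile(r"^(?P<path>[a-z]:\\.*\S) \.exe$", re.IGNORECASE)
# A service/driver entry with no file on disk ("[x]"), like the S0 ncikqjui line.
SERVICE_NO_FILE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);[^;]*; \[x\]$")
# Scheduled AtN.job header and the "- <target> [timestamp]" line that follows it.
AT_JOB = re.compile(r"^\d{4}-\d{2}-\d{2} c:\\windows\\Tasks\\(At\d+\.job)$", re.IGNORECASE)
JOB_TARGET = re.compile(r"^- (?P<target>.+?) \[")

def triage(log_text):
    """Collect the three indicators from ComboFix-style log text."""
    findings = {"spaced_exe": [], "no_file_services": [], "at_jobs": {}}
    lines = [l.rstrip() for l in log_text.splitlines()]
    for i, line in enumerate(lines):
        m = SPACED_EXE.match(line)
        if m:
            findings["spaced_exe"].append(m.group("path") + " .exe")
            continue
        m = SERVICE_NO_FILE.match(line)
        if m:
            findings["no_file_services"].append(m.group("name"))
            continue
        m = AT_JOB.match(line)
        if m and i + 1 < len(lines):
            t = JOB_TARGET.match(lines[i + 1])
            if t:
                findings["at_jobs"].setdefault(t.group("target").lower(), []).append(m.group(1))
    return findings

def at_job_targets(findings, min_jobs=2):
    """Binaries that several AtN.job tasks point at (the pattern AtJob:: clears)."""
    return sorted(t for t, jobs in findings["at_jobs"].items() if len(jobs) >= min_jobs)
```

Run `triage()` over the full text of a saved ComboFix.txt; legitimate entries such as PMTask.job or SynTPLpr.exe are not reported, so anything returned is worth a second look.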

#15 kghastie

kghastie
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Local time:05:38 PM

Posted 23 March 2010 - 12:24 PM

I might have an ISO from work I could try for WinXP. If so, is there another step I can do with that?

Might not be able to try these quite yet as I am using that machine for work with the Linux partition...



