Google redirected. AVE.exe infection and likely others


  • This topic is locked
20 replies to this topic

#1 cghand

  • Members
  • 11 posts

Posted 25 March 2010 - 05:34 PM

Orange Blossom sent me to AII because DDS wouldn't produce logs. Boopme suggested rkill, which ran, but DDS still runs without generating logs. I ran RSIT and will post log.txt below. GMER ran fine and Ark.txt is attached.


***********BELOW COPIED FROM YESTERDAY'S ORIGINAL POST***************
I'm stuck in misery and am so grateful for your help. My Google searches return results, but when I click on the results I get redirected to indyhub.com, asklots.com, informationgetter. I use this machine for personal finance, so obviously I'm concerned about how compromised I am so far.

My dear wife admits to clicking on some scareware screen a few days ago, which started the infection. I keep McAfee updated weekly, but it didn't help. I used to keep Spybot S&D running, but apparently it hadn't been updating.

I don't remember how but I found ave.exe running. I stopped it, deleted it, and followed some online instructions (perhaps from bleepingcomputer) to manually delete registry keys containing ave.exe.

Executables then wouldn't run. I ran xp_exe_fix.reg from the dougknox website, which fixed the exe problem.

I bought Stopzilla which found a slew of things but correcting them didn't help so I called for a refund. They politely obliged. The free version still pops up that Cognac is being blocked.
I downloaded and ran Malwarebytes anti-malware which found a few more things but didn't fix the problem either.
I updated and ran Spybot S&D but it didn't solve the problem either.

I have read the entire preparation guide and followed the directions carefully.

dds.scr launches and I get the black screen seen in Fig. 5, but it disappears in about 2 minutes and doesn't open Notepad to produce the logs. I can launch Notepad from the Start screen, but of course it's a blank new document.

gmer.exe is running now and seems to be working OK. I'll post that info ASAP.

I'm sure you need the logs from dds.scr and I'll do whatever you think will help produce that and save this computer.
Thanks in advance for any help.
************END COPY FROM ORIGINAL POST************************************

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2010-03-25 18:09:17
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 8 GB (5%) free of 148 GB
Total RAM: 1983 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:23 PM, on 3/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\Merge eFilm\eFilm\SCSIACC.EXE
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1;Rayhana
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.svremote.com
O15 - Trusted Zone: http://www.svremote.com
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://172.25.250.9/OfficePACSExpress/Controls/LTOCX14N.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
O16 - DPF: {305B6C9D-56BB-4A18-B6C5-1D270FFFCAA7} (StDICOMDownload.StDICOM) - http://172.25.250.9/OfficePACSExpress/Cont...COMDownload.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://secure.heekinortho.com/XTSAC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://secure.heekinortho.com/NELX.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://webmail.drheekin.com/Remote/msrdp.cab
O16 - DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} (WSpell Spelling Checker Control) - http://asweb/TouchWorks/DocWorks/CHWorks/Note/wspell.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: klpsrvc - Unknown owner - C:\Program Files\USB LOCK AP\klpsrvc.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: ScsiAcc - Unknown owner - C:\Program Files\Merge eFilm\eFilm\SCSIACC.EXE
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 11274 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{3824B018-81E1-4C80-911F-93BFF16DE257}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 434279]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E3215F20-3212-11D6-9F8B-00D0B743919D}]
STOPzilla Browser Helper Object - C:\Program Files\STOPzilla!\SZIEBHO.dll [2010-03-19 247232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"KBD"=C:\HP\KBD\KBD.EXE [2003-02-11 61440]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2004-04-14 233472]
"VTTimer"=C:\WINDOWS\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2005-03-04 88209]
"PS2"=C:\WINDOWS\system32\ps2.exe [2003-09-12 98304]
"AlcxMonitor"=C:\WINDOWS\ALCXMNTR.EXE [2004-09-07 57344]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-06-28 32768]
"WrtMon.exe"=C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe [2006-09-20 20480]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-09-30 155648]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"= []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"Simple Star PhotoShow Media Manager"=C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe [2005-11-18 233472]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe /L ElbyCDFL []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [2005-05-19 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2004-01-16 229376]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
C:\Program Files\lg_fwupdate\fwupdate.exe [2006-11-04 249856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe [2004-07-29 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfotoNow USB Detection]
C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL [2002-11-05 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2006-09-30 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe [2006-10-12 49263]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-04-13 180269]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-02-25 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~3.0\Reader\READER~1.EXE [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"eFilmProcessManagerNT"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-02-10 339968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Documents and Settings\Owner\My Documents\downloads\uTorrent\utorrent.exe"="C:\Documents and Settings\Owner\My Documents\downloads\uTorrent\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\Info.exe folder.htt 480 480


======List of files/folders created in the last 1 months======

2010-03-25 18:09:17 ----D---- C:\rsit
2010-03-25 18:09:17 ----D---- C:\Program Files\trend micro
2010-03-21 20:15:51 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2010-03-21 20:15:44 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-03-21 20:15:42 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-19 22:44:24 ----D---- C:\Documents and Settings\All Users\Application Data\SITEguard
2010-03-19 22:43:31 ----D---- C:\Program Files\STOPzilla!
2010-03-19 22:43:28 ----D---- C:\Program Files\Common Files\iS3
2010-03-19 22:43:26 ----D---- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2010-03-19 20:31:06 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2010-03-19 20:31:06 ----D---- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2010-03-19 20:31:06 ----D---- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
2010-03-19 20:31:05 ----D---- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
2010-03-11 04:03:52 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-03-05 18:16:42 ----RA---- C:\WINDOWS\system32\SZIO5.dll
2010-03-05 18:14:16 ----RA---- C:\WINDOWS\system32\SZBase5.dll
2010-03-05 18:13:44 ----RA---- C:\WINDOWS\system32\SZComp5.dll

======List of files/folders modified in the last 1 months======

2010-03-25 18:09:18 ----D---- C:\WINDOWS\Temp
2010-03-25 18:09:17 ----D---- C:\Program Files
2010-03-25 17:56:55 ----D---- C:\WINDOWS\system32\drivers
2010-03-25 17:56:44 ----D---- C:\WINDOWS\system32
2010-03-25 17:56:44 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-03-25 15:16:38 ----D---- C:\WINDOWS\Prefetch
2010-03-24 20:04:19 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-22 06:21:05 ----HDC---- C:\WINDOWS\$NtUninstallKB950974_0$
2010-03-21 20:36:36 ----D---- C:\WINDOWS\Internet Logs
2010-03-21 15:19:50 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-03-21 15:16:48 ----D---- C:\WINDOWS\system
2010-03-21 15:15:55 ----D---- C:\Program Files\SpamBlockerUtility_Icons
2010-03-21 15:15:50 ----D---- C:\WINDOWS\pss
2010-03-21 15:15:19 ----D---- C:\Program Files\WinRAR
2010-03-21 09:11:48 ----D---- C:\WINDOWS
2010-03-20 21:15:13 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-20 02:07:51 ----D---- C:\quarantine
2010-03-19 22:53:58 ----D---- C:\WINDOWS\Minidump
2010-03-19 22:43:38 ----SHD---- C:\WINDOWS\Installer
2010-03-19 22:43:38 ----HD---- C:\Config.Msi
2010-03-19 22:43:36 ----D---- C:\WINDOWS\WinSxS
2010-03-19 22:43:28 ----D---- C:\Program Files\Common Files
2010-03-19 21:59:56 ----A---- C:\WINDOWS\ODBC.INI
2010-03-19 21:03:56 ----A---- C:\WINDOWS\NeroDigital.ini
2010-03-11 04:03:58 ----HD---- C:\WINDOWS\inf
2010-03-11 04:03:54 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-11 04:03:54 ----D---- C:\Program Files\Movie Maker
2010-03-11 04:03:32 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-02 01:30:12 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 SiSkp;SiSkp; C:\WINDOWS\System32\DRIVERS\srvkp.sys [2004-01-03 11520]
R2 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2005-04-21 10624]
R2 ssoftnt4;ssoftnt4; \??\C:\WINDOWS\system32\Drivers\ssoftnt4.sys []
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2005-03-04 1066278]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 AnyDVD;AnyDVD; C:\WINDOWS\System32\Drivers\AnyDVD.sys [2005-07-11 19200]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
R3 ElbyCDFL;ElbyCDFL; C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2005-05-03 27392]
R3 ElbyDelay;ElbyDelay; C:\WINDOWS\System32\Drivers\ElbyDelay.sys [2005-04-12 4608]
R3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2003-11-12 41984]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2003-11-03 9760]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2003-09-11 21060]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2004-08-28 28352]
R3 NaiAvFilter1;NaiAvFilter1; C:\WINDOWS\system32\drivers\naiavf5x.sys [2003-09-29 83008]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 Pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2002-07-30 23808]
R3 SSLDrv;SSL-VPN NetExtender Adapter; C:\WINDOWS\system32\DRIVERS\SSLDrv.sys [2009-02-23 20504]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 viagfx;viagfx; C:\WINDOWS\System32\DRIVERS\vtmini.sys [2004-12-07 172672]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S2 mrtRate;mrtRate; C:\WINDOWS\system32\drivers\mrtRate.sys []
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-12-12 391424]
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\System32\DRIVERS\CVirtA.sys [2003-05-01 5220]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-04-12 49664]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-04-12 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-04-12 21568]
S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2004-02-10 681469]
S3 IPSECSHM;Nortel IPSECSHM Adapter; C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
S3 ndiscm;Motorola SURFboard USB Cable Modem Windows Driver; C:\WINDOWS\system32\DRIVERS\NetMotCM.sys [2004-02-09 15360]
S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys [2004-04-13 16509]
S3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2004-01-02 432000]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]
S4 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-13 73472]
S4 Vax347b;Vax347b; C:\WINDOWS\system32\DRIVERS\Vax347b.sys [2005-04-25 159616]
S4 Vax347s;Vax347s; C:\WINDOWS\System32\Drivers\Vax347s.sys [2004-04-30 5248]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 GEARSecurity;Gear Security Service; C:\WINDOWS\System32\gearsec.exe [2003-11-03 53248]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-02-17 73728]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\Network Associates\Common Framework\FrameworkService.exe [2003-09-10 106586]
R2 McShield;Network Associates McShield; C:\Program Files\Network Associates\VirusScan\Mcshield.exe [2003-09-29 237657]
R2 McTaskManager;Network Associates Task Manager; C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe [2003-09-29 69706]
R2 SansaService;Sansa Updater Service; C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe [2006-08-22 36864]
R2 ScsiAcc;ScsiAcc; C:\Program Files\Merge eFilm\eFilm\SCSIACC.EXE [2003-06-13 181312]
R2 SONICWALL_NetExtender;SonicWALL NetExtender Service; C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe [2009-08-05 305024]
R2 ssoftservice;Cryptainer service; C:\WINDOWS\system32\cryptainersrv.exe [2007-01-24 74240]
R2 StarWindService;StarWind iSCSI Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe [2005-04-02 217600]
R2 szserver;STOPzilla Service; C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe [2010-03-18 57344]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S2 klpsrvc;klpsrvc; C:\Program Files\USB LOCK AP\klpsrvc.exe []
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2005-02-22 69632]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 iPodService;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2004-01-16 417792]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 eFilmProcessManagerNT;eFilmProcessManagerNT; C:\Program Files\Merge eFilm\eFilm\efPMNT.exe [2004-03-05 15872]

-----------------EOF-----------------

Attached Files

  • Attached File  ark.txt   963bytes   6 downloads



#2 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:04:21 AM

Posted 29 March 2010 - 09:03 PM

Hey cghand,

Welcome to Bleepingcomputer! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning up process will be more smooth and efficient. Do not worry, the points below are not any form of rules; they are just a few pointers that can ensure that you will get the best help from me. :)
  • To ensure that you are informed of the latest replies to your thread, you may like to right click on Options at the top right hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply was posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to, this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance, any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message on here. ;)
  • Please do not start multiple topics (especially when you are already being assisted by an authorised staff). All staff are volunteers on here, starting multiple topics will waste the limited resource of manpower we have here at Bleepingcomputer and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.

I'm looking at your log now and will be back with a fix soon. Thanks for your patience and understanding. :)

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#3 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:04:21 AM

Posted 30 March 2010 - 10:06 AM

Hey cghand,

From your log, you seem to have multiple anti-spyware programs running on your computer. This is not recommended as multiple protection of the same kind can cause conflicts and reduce the efficiency of the software. Please remove/disable one of the following:

Spybot - Search & Destroy
is3 Anti-spyware


I do see something hiding in there, let's run some scans. :)

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Network Associates anti-virus and your anti-spyware program) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
Next reply (please include in your post):

OTS.txt (attached)
ComboFix.txt

Edited by Ltangelic, 30 March 2010 - 10:07 AM.

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.
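The OTS custom scan in the post above wraps a list of kernel drivers and system DLLs in a `/md5start` … `/md5stop` block so that OTS reports their hashes; the helper then compares those hashes against known-good copies, because rootkits of that era patched drivers such as atapi.sys in place rather than adding a new file. The script below is an added example, not part of the thread or of OTS, showing the same baseline-comparison idea in Python: it pulls the file names out of an OTS-style block, hashes each file found under a directory, and classifies every entry as ok, modified, missing or unknown against a trusted baseline. It uses SHA-256 rather than MD5, and the directory, the baseline and the "patched" driver are all constructed inside `demo()`; on a real machine the baseline would have to come from a clean install or vendor media, not from the suspect system itself.

```python
"""Baseline-hash check for the files named in an OTS-style /md5start block.

Added example (not OTS code). The scan block below is the relevant part of
the instructions in the post above; everything else is constructed here.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

# Trimmed copy of the OTS custom-scan text; only the names between
# /md5start and /md5stop are consumed by parse_md5_list().
OTS_CUSTOM_SCAN = """\
%systemroot%\\system32\\*.dll /lockedfiles
/md5start
eventlog.dll
scecli.dll
netlogon.dll
atapi.sys
iaStor.sys
/md5stop
%systemroot%\\*. /mp /s
"""


def parse_md5_list(text: str) -> List[str]:
    """Return the file names listed between /md5start and /md5stop."""
    names, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            names.append(line)
    return names


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 (drivers are small, but stay chunked anyway)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_files(root: str, names: List[str]) -> Dict[str, Optional[str]]:
    """Hash each listed name under root; None marks a file that is absent."""
    observed: Dict[str, Optional[str]] = {}
    for name in names:
        path = os.path.join(root, name)
        observed[name] = sha256_of(path) if os.path.isfile(path) else None
    return observed


def compare_to_baseline(baseline: Dict[str, str],
                        observed: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify each observed file against the trusted baseline hashes."""
    findings: Dict[str, str] = {}
    for name, digest in observed.items():
        expected = baseline.get(name)
        if digest is None:
            findings[name] = "missing"      # listed but not present on disk
        elif expected is None:
            findings[name] = "unknown"      # no trusted hash to compare against
        elif digest == expected:
            findings[name] = "ok"
        else:
            findings[name] = "modified"     # contents differ from the clean copy
    return findings


def demo() -> Dict[str, str]:
    """Constructed scenario: snapshot clean files, then patch one and delete one."""
    names = parse_md5_list(OTS_CUSTOM_SCAN)
    with tempfile.TemporaryDirectory() as root:
        for name in names:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"clean contents of " + name.encode())
        baseline = {n: h for n, h in hash_files(root, names).items() if h}
        # Simulate an in-place patch of atapi.sys and a driver absent from this box.
        with open(os.path.join(root, "atapi.sys"), "ab") as fh:
            fh.write(b"\x90" * 16)
        os.remove(os.path.join(root, "iaStor.sys"))
        return compare_to_baseline(baseline, hash_files(root, names))


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The "modified" verdict is the one that matters for a patched-driver infection like the atapi.sys finding later in this thread: the file keeps its name, size and location, so only a hash comparison against a known-clean copy reveals the change. "Unknown" entries are deliberately not treated as clean; they simply cannot be judged until a trusted hash is available.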


#4 cghand

cghand
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:21 PM

Posted 31 March 2010 - 07:45 AM

Thank you. I'll get to work on these things. Stuck with work last night and tonight but I'm on it.

#5 cghand

cghand
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:21 PM

Posted 01 April 2010 - 05:12 PM

Attached File  OTS.Txt   164.15KB   9 downloads

Ltangelic,
Thanks for your help thus far. I think I've got everything you asked for.
A few notes:
1. I uninstalled Stopzilla is3 Anti-spyware
2. I followed the instructions to stop Spybot Search and Destroy and I think it worked
3. I tried to disable Network Associates anti-virus. The icon hasn't been showing up in the system tray so I went into the Virus Scan Console and disabled On-Access scanning.
4. The first time I ran ComboFix it rebooted but didn't generate a log. When the reboot completed I got a notice to install "Cumulative Security Update for Internet Explorer 8 for Windows XP (KB980182)". I didn't do this.
5. The next time I ran ComboFix it also rebooted but did generate a log.txt. I had one of these already on the desktop so I saved it as Combofix.txt and have pasted it below.

Thanks Again.

ComboFix 10-03-29.04 - Owner 04/01/2010 8:27.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1478 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\My Documents\cg reg backup-1.reg
c:\recycler\S-1-5-21-1180975056-3221489076-3856198511-1003
c:\windows\system32\ntSVc.ocx
c:\windows\system32\ps2.bat
c:\windows\system32\VB6KO.DLL
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KLPSRVC
-------\Service_klpsrvc


((((((((((((((((((((((((( Files Created from 2010-03-01 to 2010-04-01 )))))))))))))))))))))))))))))))
.

2010-03-31 07:55 . 2010-03-31 07:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-03-27 22:02 . 2010-03-27 22:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-03-25 22:09 . 2010-03-25 22:09 -------- d-----w- C:\rsit
2010-03-25 22:09 . 2010-03-25 22:09 -------- d-----w- c:\program files\trend micro
2010-03-25 19:16 . 2010-03-25 19:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-22 00:15 . 2010-03-22 00:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-22 00:15 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-22 00:15 . 2010-03-22 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-22 00:15 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-22 00:15 . 2010-03-22 00:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-20 02:45 . 2010-03-20 02:45 3514368 ---ha-w- C:\SZKGFS.dat
2010-03-20 02:44 . 2010-03-20 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-03-20 02:43 . 2010-03-20 02:43 -------- d-----w- c:\program files\Common Files\iS3
2010-03-20 02:43 . 2010-03-30 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-03-20 00:31 . 2010-03-20 00:31 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-03-20 00:31 . 2010-03-20 00:31 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-03-20 00:31 . 2010-03-20 00:31 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-03-20 00:31 . 2010-03-20 00:31 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-03-18 20:58 . 2010-03-18 20:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-03-18 20:58 . 2010-03-18 20:58 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-03-18 17:59 . 2010-03-18 17:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-18 17:54 . 2010-03-18 18:25 201728 --sha-w- c:\documents and settings\Owner\Local Settings\Application Data\3159844522.dll
2010-03-10 23:50 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-01 11:27 . 2010-03-25 21:54 2080 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-27 22:03 . 2010-03-25 21:56 1336 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-03-21 19:19 . 2004-08-13 22:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-21 19:15 . 2006-04-05 01:06 -------- d-----w- c:\program files\SpamBlockerUtility_Icons
2010-03-21 01:15 . 2004-11-06 23:32 45432 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-21 01:15 . 2004-08-13 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-21 19:35 . 2006-10-06 02:24 1924744 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2004-10-01 21:00 . 2006-11-04 21:17 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2005-03-17 23:02 . 2005-04-03 20:03 41573 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-03-17 23:02 . 2005-04-03 20:03 48223 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-03-17 23:02 . 2005-04-03 20:03 158823 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-01-26 04:14 . 2005-01-26 04:14 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Simple Star PhotoShow Media Manager"="c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe" [2005-11-18 233472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-29 32768]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-30 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-5-13 113664]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 07:12 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2005-05-19 13:47 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 17:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2004-01-17 03:16 229376 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2006-11-04 21:21 249856 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-07-29 04:27 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfotoNow USB Detection]
2002-11-05 14:32 77824 ----a-w- c:\progra~1\Ofoto\OfotoNow\OFUSBS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-30 19:39 155648 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-10-12 08:10 49263 ----a-w- c:\program files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-04-13 14:10 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 05:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"eFilmProcessManagerNT"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\downloads\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ScsiAcc;ScsiAcc;c:\program files\Merge eFilm\eFilm\SCSIACC.EXE [6/13/2003 3:32 PM 181312]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [3/11/2007 6:09 PM 94080]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [1/16/2008 10:51 PM 20504]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys --> c:\windows\system32\DRIVERS\ElbyVCD.sys [?]
S2 mrtRate;mrtRate; [x]
S4 eFilmProcessManagerNT;eFilmProcessManagerNT;c:\program files\Merge eFilm\eFilm\efPMNT.exe [3/5/2004 2:03 PM 15872]
S4 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [1/7/2006 12:46 PM 159616]
S4 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [1/7/2006 12:46 PM 5248]
.
Contents of the 'Scheduled Tasks' folder

2010-04-01 c:\windows\Tasks\User_Feed_Synchronization-{3824B018-81E1-4C80-911F-93BFF16DE257}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = localhost;127.0.0.1;Rayhana
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
Trusted Zone: svremote.com\www
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://172.25.250.9/OfficePACSExpress/Controls/LTOCX14N.cab
DPF: {305B6C9D-56BB-4A18-B6C5-1D270FFFCAA7} - hxxp://172.25.250.9/OfficePACSExpress/Controls/StDICOMDownload.cab
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://secure.heekinortho.com/NELX.cab
DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} - hxxp://asweb/TouchWorks/DocWorks/CHWorks/Note/wspell.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nq8kajyf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "update.mozilla.org,addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RecordNow! - (no file)
MSConfigStartUp-CloneCDElbyCDFL - c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe
AddRemove-0254DF9A-618A-4A2C-A5ED-FA7115988B02 - c:\program files\WildTangent\Apps\GameChannel\Games\0254DF9A-618A-4A2C-A5ED-FA7115988B02\Uninstall.exe
AddRemove-05E21449-3BA3-42BF-BBDA-95205F4EA40A - c:\program files\WildTangent\Apps\GameChannel\Games\05E21449-3BA3-42BF-BBDA-95205F4EA40A\Uninstall.exe
AddRemove-26DC0ED6-93A7-43C1-8DC5-EC16079580F9 - c:\program files\WildTangent\Apps\GameChannel\Games\26DC0ED6-93A7-43C1-8DC5-EC16079580F9\Uninstall.exe
AddRemove-29FF6D07-4A15-41F1-9D5E-E0F3A58012C6 - c:\program files\WildTangent\Apps\GameChannel\Games\29FF6D07-4A15-41F1-9D5E-E0F3A58012C6\Uninstall.exe
AddRemove-2FDCC229-354D-4279-ABEF-CE17E355BFFA - c:\program files\WildTangent\Apps\GameChannel\Games\2FDCC229-354D-4279-ABEF-CE17E355BFFA\Uninstall.exe
AddRemove-66195170-D19D-46C5-8FB7-8A4630071ADC - c:\program files\WildTangent\Apps\GameChannel\Games\66195170-D19D-46C5-8FB7-8A4630071ADC\Uninstall.exe
AddRemove-75528D5F-DD82-402E-BA7C-045B7DC6A712 - c:\program files\WildTangent\Apps\GameChannel\Games\75528D5F-DD82-402E-BA7C-045B7DC6A712\Uninstall.exe
AddRemove-8A225900-C06D-41DD-B66C-43840D472758 - c:\program files\WildTangent\Apps\GameChannel\Games\8A225900-C06D-41DD-B66C-43840D472758\Uninstall.exe
AddRemove-8BA6F58B-7A91-461F-95F8-E34F8BD8AA4E - c:\program files\WildTangent\Apps\GameChannel\Games\8BA6F58B-7A91-461F-95F8-E34F8BD8AA4E\Uninstall.exe
AddRemove-C43D84CD-EBFC-48D3-A330-7868C8AD415A - c:\program files\WildTangent\Apps\GameChannel\Games\C43D84CD-EBFC-48D3-A330-7868C8AD415A\Uninstall.exe
AddRemove-F07504C6-20C5-4BFE-83A0-523FB2455E72 - c:\program files\WildTangent\Apps\GameChannel\Games\F07504C6-20C5-4BFE-83A0-523FB2455E72\Uninstall.exe
AddRemove-FA7F5211-C629-4711-BD82-7DFFB08CB518 - c:\program files\WildTangent\Apps\GameChannel\Games\FA7F5211-C629-4711-BD82-7DFFB08CB518\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-01 08:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fasttx2k]
"ImagePath"="System32\Drivers\Fasttx2k.svs"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3976)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\gearsec.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\SanDisk\Sansa Updater\SansaSvr.exe
c:\program files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
c:\windows\system32\cryptainersrv.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\VTTimer.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2010-04-01 08:49:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-01 12:49

Pre-Run: 10,385,035,264 bytes free
Post-Run: 10,670,968,832 bytes free

- - End Of File - - 9C1D63F2953A55BB88D47B520E384298

Edited by cghand, 01 April 2010 - 05:21 PM.


#6 cghand

cghand
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:21 PM

Posted 02 April 2010 - 08:09 PM

FYI: when I returned to the computer this evening I got a message: "Your computer was recently updated! Windows recently downloaded and installed an important security update...."

cghand

#7 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:04:21 AM

Posted 03 April 2010 - 01:04 AM

Hey cghand,

Thank you for the logs. You said your computer installed some new updates; can you go into Add or Remove Programs and see what updates you've installed?

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Network Associates anti-virus and Spybot Search and Destroy) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run CFScript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
Dirlook::
C:\quarantine

File::
c:\documents and settings\Owner\Local Settings\Application Data\3159844522.dll

Driver::
mrtRate

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"=-
"Search Bar"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt .

2) Run Malwarebytes scan
  • Open Malwarebytes by clicking on its shortcut on desktop. Please click on the "Update" tab and click "Check for Updates".
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next reply (please include in your post):

Tell me how your computer is doing
ComboFix.txt
MBAM scan log

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.
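As an added example (not the thread's own content, and not part of ComboFix or Malwarebytes), the checks below run over lines in ComboFix's "Files Created" layout and list why a file merits a closer look before a helper writes it into a File:: directive like the one above. The sample lines are constructed from paths in this thread (the timestamps on the .dll line are made up), and the meaning of the attribute letters and the list of code extensions are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in ComboFix's "Files Created" layout:
#   <modified> . <created> <size, or -------- for a directory> <attributes> <path>
# Paths come from this thread; the timestamps on the .dll line are made up.
SAMPLE_LOG = r"""
2010-03-22 00:15 . 2010-03-22 00:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-22 00:15 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-20 02:45 . 2010-03-20 02:45 3514368 ---ha-w- C:\SZKGFS.dat
2010-03-18 17:59 . 2010-03-18 17:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-19 21:10 . 2010-03-19 21:10 57344 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\3159844522.dll
"""

ENTRY_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+"
    r"(?P<attrs>[-a-z]{8})\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Assumption: extensions that load as code are the first thing a helper looks at.
CODE_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv"}


@dataclass
class Entry:
    modified: str
    created: str
    size: Optional[int]      # None for a directory
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        # Assumption about the attribute field: 'h' marks hidden, 's' marks system.
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one 'Files Created' line; headers, blanks and separators give None."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["modified"], m["created"], size, m["attrs"], m["path"])


def review_reasons(e: Entry) -> List[str]:
    """Properties that make a file worth review before it goes into a File:: block."""
    reasons: List[str] = []
    if e.is_dir:
        return reasons
    low = e.path.lower()
    stem, ext = ntpath.splitext(ntpath.basename(e.path))   # ntpath handles backslashes on any OS
    if e.hidden:
        reasons.append("hidden attribute set")
    if e.system:
        reasons.append("system attribute set")
    if (ext.lower() in CODE_EXT
            and "\\documents and settings\\" in low
            and "\\application data\\" in low):
        reasons.append("executable code inside a user profile data folder")
    if stem.isdigit():
        reasons.append("file name is a bare number")
    if re.fullmatch(r"[a-z]:\\[^\\]+", low):
        reasons.append("file placed directly in the drive root")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every file entry that has at least one reason."""
    out: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = review_reasons(e)
        if reasons:
            out.append((e.path, reasons))
    return out


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for r in reasons:
            print("   -", r)
```

A flag here only means "look at this file"; the decision to delete it still rests on the helper's own checks.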


#8 cghand

cghand
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:21 PM

Posted 03 April 2010 - 05:23 PM

Below are the ComboFix log and the MBAM log.

The google searches are not being redirected now.

When I dragged the .txt file to ComboFix it started and said there was a newer version. I chose yes to install it. It restarted after install but I don't know if it ran with the CFscript or not. Does this matter?

The attached file is a screen shot of the Windows update that happened last night.

Things are looking better.
What are your recs for future protection and for control of startup programs?

ComboFix 10-04-02.01 - Owner 04/03/2010 8:32.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1457 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\Owner\Local Settings\Application Data\3159844522.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Application Data\3159844522.dll
c:\windows\AppPatch\AcAdProc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MRTRATE
-------\Service_mrtRate


((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))
.

2010-03-31 07:55 . 2010-03-31 07:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-03-27 22:02 . 2010-03-27 22:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-03-25 22:09 . 2010-03-25 22:09 -------- d-----w- C:\rsit
2010-03-25 22:09 . 2010-03-25 22:09 -------- d-----w- c:\program files\trend micro
2010-03-25 19:16 . 2010-03-25 19:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-22 00:15 . 2010-03-22 00:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-22 00:15 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-22 00:15 . 2010-03-22 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-22 00:15 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-22 00:15 . 2010-03-22 00:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-20 02:45 . 2010-03-20 02:45 3514368 ---ha-w- C:\SZKGFS.dat
2010-03-20 02:44 . 2010-03-20 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-03-20 02:43 . 2010-03-20 02:43 -------- d-----w- c:\program files\Common Files\iS3
2010-03-20 02:43 . 2010-03-30 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-03-20 00:31 . 2010-03-20 00:31 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-03-20 00:31 . 2010-03-20 00:31 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-03-20 00:31 . 2010-03-20 00:31 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-03-20 00:31 . 2010-03-20 00:31 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-03-18 20:58 . 2010-03-18 20:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-03-18 20:58 . 2010-03-18 20:58 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-03-18 17:59 . 2010-03-18 17:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-10 23:50 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-01 11:27 . 2010-03-25 21:54 2080 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-27 22:03 . 2010-03-25 21:56 1336 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-03-21 19:19 . 2004-08-13 22:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-21 19:15 . 2006-04-05 01:06 -------- d-----w- c:\program files\SpamBlockerUtility_Icons
2010-03-21 01:15 . 2004-11-06 23:32 45432 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-21 01:15 . 2004-08-13 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-25 06:24 . 2004-08-24 00:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-21 19:35 . 2006-10-06 02:24 1924744 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2004-10-01 21:00 . 2006-11-04 21:17 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2005-03-17 23:02 . 2005-04-03 20:03 41573 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-03-17 23:02 . 2005-04-03 20:03 48223 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-03-17 23:02 . 2005-04-03 20:03 158823 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-01-26 04:14 . 2005-01-26 04:14 12208 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\quarantine ----

2010-03-26 02:45 . 2010-03-26 02:45 68129 ----a-w- c:\quarantine\SMI63.tmp.Vir
2010-03-26 02:45 . 2010-03-26 02:45 20415417 ----a-w- c:\quarantine\SMI62.tmp.Vir
2010-03-26 02:45 . 2010-03-26 02:45 155104 ----a-w- c:\quarantine\SMI61.tmp.Vir
2010-03-26 02:45 . 2010-03-26 02:45 1036 ----a-w- c:\quarantine\SMI60.tmp.Vir
2010-03-26 02:45 . 2010-03-26 02:45 46816513 ----a-w- c:\quarantine\SMI5F.tmp.Vir
2010-03-26 02:44 . 2010-03-26 02:44 341976 ----a-w- c:\quarantine\SMI5E.tmp.Vir
2010-03-26 02:44 . 2010-03-26 02:44 24035 ----a-w- c:\quarantine\SMI5D.tmp.Vir
2010-03-26 02:44 . 2010-03-26 02:44 68129 ----a-w- c:\quarantine\SMI5C.tmp.Vir
2010-03-26 02:44 . 2010-03-26 02:44 20415417 ----a-w- c:\quarantine\SMI5B.tmp.Vir
2010-03-26 02:44 . 2010-03-26 02:44 155104 ----a-w- c:\quarantine\SMI5A.tmp.Vir
2010-03-26 02:44 . 2010-03-26 02:44 1036 ----a-w- c:\quarantine\SMI59.tmp.Vir
2010-03-26 02:43 . 2010-03-26 02:43 46816513 ----a-w- c:\quarantine\SMI58.tmp.Vir
2010-03-26 02:43 . 2010-03-26 02:43 341976 ----a-w- c:\quarantine\SMI57.tmp.Vir
2010-03-26 02:43 . 2010-03-26 02:43 24035 ----a-w- c:\quarantine\SMI56.tmp.Vir
2010-03-20 06:07 . 2010-03-20 06:07 68129 ----a-w- c:\quarantine\SMID4.tmp.Vir
2010-03-20 06:07 . 2010-03-20 06:07 20415417 ----a-w- c:\quarantine\SMID3.tmp.Vir
2010-03-20 06:07 . 2010-03-20 06:07 155104 ----a-w- c:\quarantine\SMID2.tmp.Vir
2010-03-20 06:07 . 2010-03-20 06:07 1036 ----a-w- c:\quarantine\SMICC.tmp.Vir
2010-03-20 06:06 . 2010-03-20 06:06 46816513 ----a-w- c:\quarantine\SMICB.tmp.Vir
2010-03-20 06:06 . 2010-03-20 06:06 341976 ----a-w- c:\quarantine\SMICA.tmp.Vir
2010-03-20 06:06 . 2010-03-20 06:06 24035 ----a-w- c:\quarantine\SMIBC.tmp.Vir
2008-07-26 01:42 . 2007-12-04 20:28 341976 ----a-w- c:\quarantine\Fugawi_514_crack.rar
2008-07-26 01:38 . 2008-07-26 01:39 46816513 ----a-w- c:\quarantine\Fugawi_Global_and_Marine_Navigator_Pack_v4.5.14.1696.rar
2007-09-11 14:00 . 2010-03-20 06:07 28666 ----a-w- c:\quarantine\java-4939ee73-4eb0ba30.zip
2007-09-04 17:44 . 2010-03-20 06:07 28666 ----a-w- c:\quarantine\java-4939ee73-35b9336a.zip
2006-11-07 01:57 . 2010-03-20 06:07 22 ----a-w- c:\quarantine\T-408608-ClearVue Suite 2.12 Pocket PC by CoMaNdIuX.zip.Vir
2006-11-07 01:20 . 2004-01-31 04:50 68129 ----a-w- c:\quarantine\o-n6302a.zip
2006-11-07 01:20 . 2004-02-08 22:13 24082428 ----a-w- c:\quarantine\Nero.Burning.ROM.v6.3.0.3.Ultra Edition.by.MoM(keygen.Orion).rar
2006-04-03 23:51 . 2006-04-03 23:51 4827648 ----a-w- c:\quarantine\_CACHE_001_.Vir
2005-11-03 19:03 . 2010-03-20 06:07 308 ----a-w- c:\quarantine\java.jar-5d45dd39-42adc37d.zip
2005-11-03 19:03 . 2010-03-20 06:07 22 ----a-w- c:\quarantine\loaderadv441.jar-6cf96188-55e93082.zip
2005-11-03 19:03 . 2010-03-20 06:06 350 ----a-w- c:\quarantine\count.jar-5c9ed667-12aeb2f7.zip
2005-06-13 21:05 . 2010-03-20 06:06 350 ----a-w- c:\quarantine\classload.jar-2fa9f21f-42e29689.zip
2005-05-29 14:27 . 2010-03-20 06:07 350 ----a-w- c:\quarantine\msjld.jar-5fda7c69-1664c0bc.zip
2005-04-30 20:50 . 2010-03-20 06:06 350 ----a-w- c:\quarantine\count.jar-66caba6e-79382e70.zip
2005-04-28 00:18 . 2005-04-28 00:18 1036 ----a-w- c:\quarantine\input[1].php
2005-04-22 15:09 . 2010-03-20 06:06 350 ----a-w- c:\quarantine\classload.jar-2fdafaa7-7590f750.zip
2005-04-22 15:09 . 2010-03-20 06:06 353 ----a-w- c:\quarantine\archive.jar-66c38a79-19398702.zip
2005-04-20 20:08 . 2010-03-20 06:06 353 ----a-w- c:\quarantine\archive.jar-6c8af854-53649c10.zip
2005-04-14 19:07 . 2005-04-14 19:07 24035 ----a-w- c:\quarantine\archive.jar-1f77224a-708ebde6.zip
2005-04-14 14:25 . 2010-03-20 06:06 353 ----a-w- c:\quarantine\archive1213.jar-e42282d-2d71a125.zip
2005-04-11 18:31 . 2010-03-20 06:06 350 ----a-w- c:\quarantine\classload.jar-96d30d8-19f3b3c2.zip
2005-04-03 17:02 . 2010-03-26 02:45 6617 ----a-w- c:\quarantine\INFECTED.LOG
2005-03-28 14:00 . 2010-03-20 06:06 353 ----a-w- c:\quarantine\archive.jar-6fd2c65b-58b52364.zip
2005-03-28 13:47 . 2010-03-20 06:06 350 ----a-w- c:\quarantine\classload.jar-96d30d8-4f1f72ac.zip
2005-02-14 15:57 . 2010-03-20 06:06 353 ----a-w- c:\quarantine\archive.jar-6ab936b4-4c1edb1e.zip
2005-02-02 18:19 . 2010-03-20 06:06 350 ----a-w- c:\quarantine\classload.jar-1910af16-66d0c8fb.zip
2005-02-02 18:14 . 2010-03-20 06:06 353 ----a-w- c:\quarantine\archive.jar-11ef3c2a-514bc2f8.zip
2004-12-07 15:50 . 2010-03-20 06:06 350 ----a-w- c:\quarantine\classload.jar-19061f19-4fa5c9d8.zip
2004-08-28 16:16 . 2004-08-28 16:17 155104 ----a-w- c:\quarantine\Musicmatch Jukebox Plus v9.00.0122 Patch.And.Keymaker.rar
2004-08-28 16:07 . 2004-08-28 16:33 20415417 ----a-w- c:\quarantine\MUSICMATCH.Jukebox.Plus.v9.00.0128.Incl.Patch.And.Keymaker-AGAiN.rar
2004-08-10 01:29 . 2003-03-17 20:19 111104 ----a-w- c:\quarantine\support.QZ_.0
2004-08-10 01:27 . 2003-03-17 20:18 111104 ----a-w- c:\quarantine\support.QZ_
2004-03-14 23:29 . 2004-03-14 23:29 522310 ----a-w- c:\quarantine\DVD Shrink 3.1.exe
2004-01-09 16:24 . 2004-01-09 16:24 27136 ----a-w- c:\quarantine\AX_UA.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Simple Star PhotoShow Media Manager"="c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe" [2005-11-18 233472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-29 32768]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-30 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-5-13 113664]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 07:12 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2005-05-19 13:47 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 17:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2004-01-17 03:16 229376 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2006-11-04 21:21 249856 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-07-29 04:27 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfotoNow USB Detection]
2002-11-05 14:32 77824 ----a-w- c:\progra~1\Ofoto\OfotoNow\OFUSBS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-30 19:39 155648 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-10-12 08:10 49263 ----a-w- c:\program files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-04-13 14:10 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 05:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"eFilmProcessManagerNT"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\downloads\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ScsiAcc;ScsiAcc;c:\program files\Merge eFilm\eFilm\SCSIACC.EXE [6/13/2003 3:32 PM 181312]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [3/11/2007 6:09 PM 94080]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [1/16/2008 10:51 PM 20504]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys --> c:\windows\system32\DRIVERS\ElbyVCD.sys [?]
S4 eFilmProcessManagerNT;eFilmProcessManagerNT;c:\program files\Merge eFilm\eFilm\efPMNT.exe [3/5/2004 2:03 PM 15872]
S4 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [1/7/2006 12:46 PM 159616]
S4 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [1/7/2006 12:46 PM 5248]
.
Contents of the 'Scheduled Tasks' folder

2010-04-02 c:\windows\Tasks\User_Feed_Synchronization-{3824B018-81E1-4C80-911F-93BFF16DE257}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost;127.0.0.1;Rayhana
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
Trusted Zone: svremote.com\www
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://172.25.250.9/OfficePACSExpress/Controls/LTOCX14N.cab
DPF: {305B6C9D-56BB-4A18-B6C5-1D270FFFCAA7} - hxxp://172.25.250.9/OfficePACSExpress/Controls/StDICOMDownload.cab
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://secure.heekinortho.com/NELX.cab
DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} - hxxp://asweb/TouchWorks/DocWorks/CHWorks/Note/wspell.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nq8kajyf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "update.mozilla.org,addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-03 08:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fasttx2k]
"ImagePath"="System32\Drivers\Fasttx2k.svs"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2444)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\gearsec.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\SanDisk\Sansa Updater\SansaSvr.exe
c:\program files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
c:\windows\system32\cryptainersrv.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\VTTimer.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2010-04-03 08:53:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-03 12:53
ComboFix2.txt 2010-04-01 12:49

Pre-Run: 10,514,272,256 bytes free
Post-Run: 10,484,908,032 bytes free

- - End Of File - - 2414DC72531557BEE02E5FC07242BB44


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/3/2010 9:08:45 AM
mbam-log-2010-04-03 (09-08-45).txt

Scan type: Quick scan
Objects scanned: 110380
Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thank you again.

Edited by cghand, 03 April 2010 - 06:15 PM.


#9 Ltangelic

Posted 04 April 2010 - 03:03 AM

Hey cghand,

That's great to hear. I'll recommend protection software after we're done cleaning up this computer; we're finishing soon.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Network Associates anti-virus and Spybot Search and Destroy) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 19.
  • Click the "Download JRE" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6u19 with JavaFX 1 License Agreement".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u19-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Make sure the C:\Program Files\JAVA folder is removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u19-windows-i586.exe and select "Run as an Administrator.")

    THEN

    Please do an online scan with Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Next reply (please include in your post):

Kaspersky scan log

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#10 cghand

Posted 04 April 2010 - 07:27 AM

I downloaded the new Java without a problem.

I went to add/remove programs and removed about 6 Java related things.

After reboot, the C:\ProgramFiles\Java folder still exists. Attached is a screen shot of the tree. There are a few files in the folders.

Should I just delete C:\ProgramFiles\Java and its subcomponents or do I need to look somewhere else for things to uninstall?


#11 Ltangelic

Posted 04 April 2010 - 07:40 AM

Hi,

Yes, please remove older versions of Java and all its folders.


#12 cghand

Posted 05 April 2010 - 07:09 PM

The Kaspersky scan got stuck last night at about 4 hours. I restarted it this morning and after 13 hours it seems to have finished uneventfully and generated the following log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, April 5, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, April 05, 2010 07:06:15
Records in database: 3914122
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
G:\
H:\
I:\
J:\
M:\
O:\

Scan statistics:
Objects scanned: 288881
Threats found: 11
Infected objects found: 21
Suspicious objects found: 0
Scan duration: 12:57:24


File name / Threat / Threats count
C:\Compaq715\Documents and Settings\COMPAQ\My Documents\downloads\AGSetup0608.exe Infected: not-a-virus:AdWare.Win32.Gator.1050 1
C:\Compaq715\Documents and Settings\COMPAQ\My Documents\downloads\dap53.exe Infected: not-a-virus:AdWare.Win32.Dap.g 1
C:\Compaq715\Documents and Settings\COMPAQ\My Documents\downloads\LimeWireWin1.exe Infected: not-a-virus:AdWare.Win32.TopMoxie.c 1
C:\Documents and Settings\Owner\My Documents\downloads\Mozilla firefox cache viewer\mozillacacheview\MozillaCacheView.exe Infected: not-a-virus:PSWTool.Win32.NetPass.p 1
C:\Documents and Settings\Owner\My Documents\downloads\Mozilla firefox cache viewer\mozillacacheview.zip Infected: not-a-virus:PSWTool.Win32.NetPass.p 1
C:\Documents and Settings\Owner\My Documents\downloads\TightVNC\tightvnc-1.3.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\Documents and Settings\Owner\My Documents\downloads\Uninst.exe Infected: not-a-virus:AdWare.Win32.HotBar.bf 1
C:\Documents and Settings\Owner\My Documents\New Limewire\daughter in the water.zip Infected: not-a-virus:AdWare.Win32.Agent.zk 1
C:\hp\recovery\wizard\fscommand\AppRecoveryLink_ret.exe Infected: Trojan-Spy.Win32.Agent.bdrd 1
C:\hp\recovery\wizard\fscommand\CDLogic_ret.exe Infected: Trojan-Spy.Win32.Agent.bdrd 1
C:\hp\recovery\wizard\fscommand\CreatorLink_ret.exe Infected: Trojan-Spy.Win32.Agent.bdrd 1
C:\hp\recovery\wizard\fscommand\RestoreLink_ret.exe Infected: Trojan-Spy.Win32.Agent.bdrd 1
C:\hp\recovery\wizard\fscommand\RTCDLink_ret.exe Infected: Trojan-Spy.Win32.Agent.bdrd 1
C:\hp\recovery\wizard\fscommand\RunLink_ret.exe Infected: Trojan-Spy.Win32.Agent.bdrd 1
C:\hp\recovery\wizard\fscommand\SysRecoveryLink_ret.exe Infected: Trojan-Spy.Win32.Agent.bdrd 1
C:\hp\recovery\wizard\fscommand\WizardLink_ret.exe Infected: Trojan-Spy.Win32.Agent.bdrd 1
C:\Maine\Puller Tools\URL2FILE.EXE Infected: not-a-virus:Downloader.Win32.Url2File.a 1
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\3159844522.dll.vir Infected: Packed.Win32.Katusha.j 1
C:\quarantine\java-4939ee73-35b9336a.zip Infected: Trojan.Java.ClassLoader.ap 1
C:\quarantine\java-4939ee73-4eb0ba30.zip Infected: Trojan.Java.ClassLoader.ap 1
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP4\A0001354.dll Infected: Packed.Win32.Katusha.j 1

Selected area has been scanned.
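As an added worked example (not part of the original thread), a short Python triage of a Kaspersky Online Scanner report in the format posted above. It separates detections that are already contained (ComboFix's Qoobox quarantine, the quarantine folder the Java applets were moved to, System Restore snapshots) from Kaspersky's "not-a-virus" class of potentially unwanted programs and from detections at live paths that still need attention. The quarantine path prefixes and the sample lines are copied from the report above; the three categories and the function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: a subset of the detection lines from the Kaspersky report
# posted above, embedded here so the example runs offline.
SAMPLE_REPORT = """\
C:\\Documents and Settings\\Owner\\My Documents\\downloads\\TightVNC\\tightvnc-1.3.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\\hp\\recovery\\wizard\\fscommand\\RunLink_ret.exe Infected: Trojan-Spy.Win32.Agent.bdrd 1
C:\\Qoobox\\Quarantine\\C\\Documents and Settings\\Owner\\Local Settings\\Application Data\\3159844522.dll.vir Infected: Packed.Win32.Katusha.j 1
C:\\quarantine\\java-4939ee73-35b9336a.zip Infected: Trojan.Java.ClassLoader.ap 1
C:\\System Volume Information\\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\\RP4\\A0001354.dll Infected: Packed.Win32.Katusha.j 1
C:\\Maine\\Puller Tools\\URL2FILE.EXE Infected: not-a-virus:Downloader.Win32.Url2File.a 1
"""

# One detection line in the report reads "<path> Infected: <threat> <count>".
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Locations where a detection is already contained rather than live on the
# system: ComboFix's quarantine, the folder the Java applets were quarantined
# to, and System Restore snapshots (path prefixes as they appear above).
CONTAINED_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\quarantine\\",
    "c:\\system volume information\\_restore",
)


@dataclass
class Finding:
    path: str
    threat: str
    count: int


def parse_report(text):
    """Return a Finding for every detection line; header/footer lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["threat"], int(m["count"])))
    return findings


def classify(f):
    """contained -> already in a quarantine folder or a restore point
    pua         -> Kaspersky's 'not-a-virus:' class (adware, remote-admin tools)
    active      -> a malware detection at a live path; needs a decision"""
    p = f.path.lower()
    if any(p.startswith(prefix) for prefix in CONTAINED_PREFIXES):
        return "contained"
    if f.threat.startswith("not-a-virus:"):
        return "pua"
    return "active"


def triage(text):
    """Group the report's findings by category, preserving report order."""
    buckets = {"active": [], "pua": [], "contained": []}
    for f in parse_report(text):
        buckets[classify(f)].append(f)
    return buckets


def summary(text):
    """Totals comparable with the report header: distinct threat names, objects."""
    findings = parse_report(text)
    return {
        "threats": len(Counter(f.threat for f in findings)),
        "objects": sum(f.count for f in findings),
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_REPORT).items():
        print(f"[{category}] {len(items)}")
        for f in items:
            print(f"    {f.threat:45} {f.path}")
    print(summary(SAMPLE_REPORT))
```

Run over all 21 detection lines of the report above, summary() returns 11 threats and 21 objects, which matches the report's own "Threats found" and "Infected objects found" header, so the parser can be checked against the scanner's totals before its buckets are trusted. The "active" bucket is a starting point, not a verdict: a detection at a live path is the one to act on, but it is still one engine's classification, and a group of identically-named detections inside an OEM recovery folder deserves a second opinion from another engine before anything is deleted.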


#13 Ltangelic

Posted 06 April 2010 - 09:19 AM

Hi,

Sincere apologies for the late reply. I will be unavailable from today and a fellow colleague will take over and help you instead. Please be patient in waiting for a reply, thank you.


#14 schrauber

Posted 06 April 2010 - 11:11 AM

Hello, cghand
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

I will review the topic now, in the meantime, please tell me how the system is running and run this tool:

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
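The /md5start ... /md5stop section of the custom scan above makes OTL report the MD5 of each listed file, so the helper can compare those hashes with known-good copies of the storage drivers and logon DLLs that file-infecting rootkits patch in place. As an added example that is not part of the original thread or of OTL, here is that comparison written out in Python: it hashes a watched set of file names and reports each one as ok, modified, missing or unknown relative to a baseline of reference hashes. The file names are taken from the scan list above; the directory, the baseline and the file contents built in demo() are constructed for this example and stand in for a real system32 folder and a vendor baseline.

```python
import hashlib
import tempfile
from pathlib import Path

# A subset of the driver/DLL names from the OTL /md5start list above.
WATCHED = ["atapi.sys", "netlogon.dll", "scecli.dll", "eventlog.dll"]


def md5_file(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large drivers are not loaded at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_files(directory, baseline):
    """Compare each watched file's MD5 with baseline {name: md5_hex}.

    Returns {name: status} where status is one of:
      ok        hash matches the reference
      modified  file present but hash differs (patched, replaced, or a
                different build than the baseline was taken from)
      missing   file not present at that path
      unknown   file present but the baseline has no reference for it
    """
    results = {}
    for name in WATCHED:
        p = Path(directory) / name
        if not p.exists():
            results[name] = "missing"
            continue
        digest = md5_file(p)
        if name not in baseline:
            results[name] = "unknown"
        elif digest == baseline[name]:
            results[name] = "ok"
        else:
            results[name] = "modified"
    return results


def demo():
    """Constructed scenario (not real driver bytes): hash clean copies as the
    baseline, then patch one driver in place, delete another and leave one
    without a reference hash, and return what check_files reports."""
    with tempfile.TemporaryDirectory() as d:
        for name in WATCHED:
            # Placeholder contents; a real file would be the vendor's PE image.
            (Path(d) / name).write_bytes(b"MZ" + name.encode() * 64)
        baseline = {n: md5_file(Path(d) / n) for n in WATCHED if n != "eventlog.dll"}

        # Simulate an in-place patch: overwrite four bytes mid-file, as a
        # rootkit that hooks a storage driver would, keeping size and name.
        target = Path(d) / "atapi.sys"
        data = bytearray(target.read_bytes())
        data[100:104] = b"\x90\x90\x90\x90"
        target.write_bytes(bytes(data))

        (Path(d) / "scecli.dll").unlink()
        return check_files(d, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14} {status}")
```

Two caveats a practitioner would attach to this. A hash only reports a difference from a baseline you trust, so the reference hashes must come from the vendor's media or a clean install of the same Windows version and service pack; a mismatch alone says the file differs, not that it is malicious. And user-mode hashing trusts the kernel to return the real file contents: a kernel-mode rootkit that filters reads can hand the clean bytes back to the scanner, which is why the helper pairs this check with a rootkit scanner such as the GMER/catchme scan shown earlier in the thread.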

#15 cghand

Posted 06 April 2010 - 05:53 PM

Thanks for taking over.

Things have improved since beginning this process. My Google searches are no longer being redirected and I'm not getting pop-ups for scareware. I haven't been using the computer much while the repair process is underway because I don't want to log into anything that I use until I have 1) reliably cleansed the machine and 2) have reasonable malware and firewall protection.

OTL logfile created on: 4/6/2010 6:38:09 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.96 Gb Total Space | 9.62 Gb Free Space | 6.64% Space Free | Partition Type: NTFS
Drive D: | 4.07 Gb Total Space | 0.59 Gb Free Space | 14.59% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive M: | 111.81 Gb Total Space | 92.67 Gb Free Space | 82.88% Space Free | Partition Type: NTFS

Computer Name: RAYHANA
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/06 18:36:39 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/08/05 17:56:44 | 000,305,024 | ---- | M] (SonicWALL Inc.) -- C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/24 19:45:10 | 000,074,240 | ---- | M] (Cypherix Software (India) Pvt. Ltd.) -- C:\WINDOWS\system32\cryptainersrv.exe
PRC - [2006/11/13 13:39:52 | 001,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 13:39:34 | 000,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2006/10/30 16:59:34 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
PRC - [2006/09/20 08:35:26 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
PRC - [2006/08/22 18:18:10 | 000,036,864 | ---- | M] () -- C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
PRC - [2006/03/03 23:03:10 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2005/11/18 19:13:31 | 000,233,472 | ---- | M] (Simple Star, Inc.) -- C:\Program Files\Simple Star\PhotoShow 4\data\Xtras\mssysmgr.exe
PRC - [2005/04/02 02:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
PRC - [2004/10/22 12:53:06 | 000,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe
PRC - [2003/11/03 23:47:08 | 000,053,248 | ---- | M] (GEAR Software) -- C:\WINDOWS\system32\gearsec.exe
PRC - [2003/09/29 07:10:00 | 000,237,657 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\VirusScan\Mcshield.exe
PRC - [2003/09/29 07:10:00 | 000,069,706 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
PRC - [2003/09/10 03:11:00 | 000,127,058 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
PRC - [2003/09/10 03:11:00 | 000,106,586 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
PRC - [2003/06/13 15:32:26 | 000,181,312 | ---- | M] () -- C:\Program Files\Merge eFilm\eFilm\SCSIACC.EXE


========== Modules (SafeList) ==========

MOD - [2010/04/06 18:36:39 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/08/05 17:56:44 | 000,305,024 | ---- | M] (SonicWALL Inc.) [Auto | Running] -- C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe -- (SONICWALL_NetExtender)
SRV - [2007/01/24 19:45:10 | 000,074,240 | ---- | M] (Cypherix Software (India) Pvt. Ltd.) [Auto | Running] -- C:\WINDOWS\System32\cryptainersrv.exe -- (ssoftservice)
SRV - [2006/08/22 18:18:10 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe -- (SansaService)
SRV - [2006/03/03 23:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2005/04/02 02:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe -- (StarWindService)
SRV - [2004/03/05 14:03:44 | 000,015,872 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Merge eFilm\eFilm\efPMNT.exe -- (eFilmProcessManagerNT)
SRV - [2003/11/03 23:47:08 | 000,053,248 | ---- | M] (GEAR Software) [Auto | Running] -- C:\WINDOWS\system32\gearsec.exe -- (GEARSecurity)
SRV - [2003/09/29 07:10:00 | 000,237,657 | ---- | M] (Network Associates, Inc.) [Auto | Running] -- C:\Program Files\Network Associates\VirusScan\Mcshield.exe -- (McShield)
SRV - [2003/09/29 07:10:00 | 000,069,706 | ---- | M] (Network Associates, Inc.) [Auto | Running] -- C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe -- (McTaskManager)
SRV - [2003/09/10 03:11:00 | 000,106,586 | ---- | M] (Network Associates, Inc.) [Auto | Running] -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2003/06/13 15:32:26 | 000,181,312 | ---- | M] () [Auto | Running] -- C:\Program Files\Merge eFilm\eFilm\SCSIACC.EXE -- (ScsiAcc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Use Custom Search URL = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;127.0.0.1;Rayhana

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/ig"

FF - HKLM\software\mozilla\Mozilla Firefox 1.0.2\Extensions\\Components: C:\Program Files\Mozilla Firefox\Components [2009/12/25 15:45:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 1.0.2\Extensions\\Plugins: C:\Program Files\Mozilla Firefox\Plugins [2010/04/04 17:32:22 | 000,000,000 | ---D | M]

[2005/04/03 16:03:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nq8kajyf.default\extensions
[2005/04/03 16:03:56 | 000,000,000 | ---D | M] (Firefox (default)) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nq8kajyf.default\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2010/04/04 17:32:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2005/04/03 16:03:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\defaults\profile\extensions
[2005/04/03 16:03:39 | 000,000,000 | ---D | M] (Firefox (default)) -- C:\Program Files\Mozilla Firefox\defaults\profile\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2005/03/17 19:02:00 | 000,041,573 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2005/03/17 19:02:00 | 000,048,223 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2005/03/17 19:02:00 | 000,158,823 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2004/11/12 23:36:20 | 000,005,120 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
[2006/11/09 16:20:40 | 002,111,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
[2005/03/17 19:02:00 | 000,000,680 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.png
[2005/03/17 19:02:00 | 000,000,735 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.src
[2005/03/17 19:02:00 | 000,000,356 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.png
[2005/03/17 19:02:00 | 000,000,976 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.src
[2005/03/17 19:02:00 | 000,000,557 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\dictionary.png
[2005/03/17 19:02:00 | 000,000,692 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\dictionary.src
[2005/03/17 19:02:00 | 000,000,210 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.gif
[2005/03/17 19:02:00 | 000,001,064 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.src
[2005/03/17 19:02:00 | 000,001,076 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.gif
[2010/03/18 14:00:50 | 000,000,750 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.src
[2005/03/17 19:02:00 | 000,000,088 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.gif
[2005/03/17 19:02:00 | 000,001,098 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.src

O1 HOSTS File: ([2010/04/03 08:41:08 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.EXE (Hewlett-Packard Company)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe ()
O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Simple Star PhotoShow Media Manager] C:\Program Files\Simple Star\PhotoShow 4\data\Xtras\mssysmgr.exe (Simple Star, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (Intertrust Technologies, Inc.)
O15 - HKCU\..Trusted Domains: svremote.com ([www] * in Trusted sites)
O15 - HKCU\..Trusted Domains: svremote.com ([www] http in Trusted sites)
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} http://172.25.250.9/OfficePACSExpress/Controls/LTOCX14N.cab (LEAD Main Control (14.0))
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternatiff.com/install-ie/alttiff.cab (AlternaTIFF ActiveX)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} http://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab (Reg Error: Key error.)
O16 - DPF: {305B6C9D-56BB-4A18-B6C5-1D270FFFCAA7} http://172.25.250.9/OfficePACSExpress/Cont...COMDownload.cab (StDICOMDownload.StDICOM)
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} https://secure.heekinortho.com/XTSAC.cab (XTSAC Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} https://secure.heekinortho.com/NELX.cab (NELaunchCtrl Class)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://webmail.drheekin.com/Remote/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} http://asweb/TouchWorks/DocWorks/CHWorks/Note/wspell.cab (WSpell Spelling Checker Control)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 68.87.68.166
O18 - Protocol\Handler\mctp {d7b95390-b1c5-11d0-b111-0080c712fe82} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/04/02 04:03:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/04/29 19:16:40 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 14 Days ==========

[2010/04/06 18:36:30 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/04/04 17:37:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/04 17:31:21 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/04/04 17:30:00 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/03 08:39:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/01 17:47:41 | 000,637,440 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTS.exe
[2010/04/01 08:02:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/01 08:02:09 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/01 08:02:09 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/01 08:02:09 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/01 08:01:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/01 08:01:06 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/01 07:41:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\ResetTeaTimer
[2010/03/31 03:55:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AdobeUM
[2010/03/29 03:03:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Real
[2010/03/27 18:02:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/03/27 18:02:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/03/25 18:09:17 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010/03/25 18:09:17 | 000,000,000 | ---D | C] -- C:\rsit
[2010/03/25 15:16:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/03/25 15:16:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/03/22 23:47:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/03/18 16:58:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2010/03/18 16:58:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
[2010/03/18 14:05:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2007/12/02 04:00:43 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/01/07 12:46:52 | 000,159,616 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\Vax347b.sys
[2006/01/07 12:46:52 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\Vax347s.sys
[2004/11/06 19:33:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2004/04/02 04:06:09 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2004/04/02 04:06:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[8 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/06 18:36:39 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/04/06 12:47:17 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{3824B018-81E1-4C80-911F-93BFF16DE257}.job
[2010/04/05 02:21:39 | 000,000,512 | ---- | M] () -- C:\WINDOWS\randseed.rnd
[2010/04/04 17:43:06 | 000,441,626 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/04 17:43:06 | 000,381,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/04 17:43:06 | 000,053,436 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/04 17:40:45 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/04 17:38:37 | 000,000,187 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT
[2010/04/04 17:38:35 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/04 17:38:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/04 17:38:31 | 2079,903,744 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/04 17:37:15 | 009,175,040 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/04/04 17:37:15 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/04/04 08:26:56 | 000,032,299 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\jra tree.JPG
[2010/04/04 08:19:37 | 001,204,278 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\jra tree.bmp
[2010/04/03 08:41:58 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/03 08:41:08 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/03 08:29:50 | 003,907,066 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/04/03 08:24:08 | 001,151,022 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\updates.bmp
[2010/04/03 08:19:23 | 000,001,493 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Remote Desktop Connection.lnk
[2010/04/02 03:01:54 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/01 17:47:51 | 000,637,440 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTS.exe
[2010/04/01 07:41:01 | 000,000,668 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ResetTeaTimer.zip
[2010/04/01 07:27:18 | 000,002,080 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/27 18:03:08 | 000,001,336 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpfr2.cfg
[2010/03/25 18:08:28 | 000,781,909 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RSIT.exe
[2010/03/25 17:49:01 | 000,363,008 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\rkill.pif
[2010/03/23 20:42:26 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/03/23 20:33:59 | 000,000,052 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[8 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/04 08:26:56 | 000,032,299 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\jra tree.JPG
[2010/04/04 08:19:37 | 001,204,278 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\jra tree.bmp
[2010/04/03 08:24:07 | 001,151,022 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\updates.bmp
[2010/04/01 08:02:09 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/01 08:02:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/01 08:02:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/01 08:02:09 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/01 08:02:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/01 07:59:22 | 003,907,066 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/04/01 07:41:00 | 000,000,668 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ResetTeaTimer.zip
[2010/03/25 18:08:21 | 000,781,909 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RSIT.exe
[2010/03/25 17:56:55 | 000,001,336 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpfr2.cfg
[2010/03/25 17:54:14 | 000,002,080 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/03/25 17:48:37 | 000,363,008 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\rkill.pif
[2010/03/23 21:08:29 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/03/23 20:33:54 | 000,000,052 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/03/18 13:54:09 | 000,009,116 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\EHa7lW0
[2010/03/18 13:54:09 | 000,009,116 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\EHa7lW0
[2010/01/18 21:26:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\webica.ini
[2008/07/25 21:46:26 | 000,000,017 | -H-- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\19720201.dat
[2008/07/25 21:46:16 | 000,000,037 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2008/07/20 13:42:49 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2008/06/08 10:28:31 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2007/10/25 18:34:36 | 000,000,062 | ---- | C] () -- C:\WINDOWS\pcvcdbr.INI
[2007/10/25 18:34:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcvcdvw.INI
[2007/09/18 11:47:27 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/08/26 18:20:11 | 000,339,456 | ---- | C] () -- C:\WINDOWS\System32\tx32.dll
[2007/08/26 18:09:38 | 000,000,023 | ---- | C] () -- C:\WINDOWS\CDCOPS.INI
[2007/03/17 13:53:56 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll
[2007/03/17 13:53:55 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2007/03/08 17:00:49 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2007/03/08 16:53:48 | 000,005,050 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/11/07 19:10:20 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\$_hpcst$.hpc
[2006/11/07 18:41:26 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/11/04 17:20:35 | 000,000,361 | ---- | C] () -- C:\WINDOWS\lgfwup.ini
[2006/11/04 17:17:07 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2006/10/16 00:03:11 | 000,000,107 | ---- | C] () -- C:\WINDOWS\IfoEdit.INI
[2006/04/08 15:42:42 | 000,000,156 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2006/04/08 15:42:21 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2006/01/07 12:48:14 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2005/10/14 15:31:52 | 000,000,711 | ---- | C] () -- C:\Documents and Settings\Owner\.plugin141_04.trace
[2005/09/20 22:37:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2005/09/06 21:01:51 | 000,028,957 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Comma Separated Values (DOS).ADR
[2005/09/06 20:59:29 | 000,023,182 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Comma Separated Values (Windows).ADR
[2005/06/27 19:19:54 | 000,000,932 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
[2005/06/27 19:19:54 | 000,000,616 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\dm.ini
[2005/04/03 18:26:00 | 000,000,265 | ---- | C] () -- C:\WINDOWS\pixcache.ini
[2005/03/06 20:51:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QUICKI~1.INI
[2005/01/26 00:14:32 | 000,012,208 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2004/10/26 18:39:05 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/10/16 21:04:31 | 000,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll
[2004/10/16 21:04:31 | 000,023,552 | ---- | C] () -- C:\WINDOWS\xobglu32.dll
[2004/10/16 20:49:53 | 000,001,805 | ---- | C] () -- C:\WINDOWS\ACROREAD.INI
[2004/09/15 23:12:57 | 000,000,063 | ---- | C] () -- C:\WINDOWS\refpt.ini
[2004/08/28 13:02:15 | 000,005,201 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/08/26 23:02:31 | 000,000,239 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2004/08/24 20:46:13 | 000,192,512 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/08/07 16:30:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\search.INI
[2004/08/07 16:24:23 | 000,007,435 | ---- | C] () -- C:\WINDOWS\keyview.ini
[2004/08/04 20:54:44 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2004/08/02 21:37:58 | 000,000,120 | ---- | C] () -- C:\WINDOWS\System32\winsusrx.dll
[2004/08/02 21:37:39 | 000,000,264 | ---- | C] () -- C:\WINDOWS\System32\winsusrm.dll
[2004/08/02 15:16:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\HBOWEM32.ini
[2004/08/02 12:38:32 | 000,139,280 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2004/08/01 18:35:34 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2004/08/01 18:35:34 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2004/06/22 18:21:34 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2004/06/22 18:21:34 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2004/06/22 18:21:34 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2004/06/22 18:21:34 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2004/06/22 18:21:34 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2004/06/22 18:21:34 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2004/04/03 04:18:54 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/04/03 03:36:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2004/04/03 03:36:39 | 000,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2004/04/02 20:19:03 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2004/04/02 20:18:38 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2004/04/02 20:18:38 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2004/04/02 20:17:14 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/04/02 20:15:40 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2004/04/02 20:00:40 | 000,027,752 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2004/04/02 20:00:02 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2004/04/02 06:01:01 | 000,000,488 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/04/02 05:52:33 | 000,000,907 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/04/02 05:14:52 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/04/02 04:43:52 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/04/02 04:34:53 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2004/04/02 04:34:53 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2004/04/02 04:34:35 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/04/02 04:31:02 | 000,014,785 | ---- | C] () -- C:\Documents and Settings\Owner\ml2.srt
[2004/04/02 04:31:02 | 000,014,727 | ---- | C] () -- C:\Documents and Settings\Owner\ml1.srt
[2004/04/02 04:31:02 | 000,003,568 | ---- | C] () -- C:\Documents and Settings\Owner\tempdiff.txt
[2004/04/02 04:08:11 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/04/02 04:07:33 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Owner\ntuser.ini
[2004/04/02 04:07:32 | 009,175,040 | -H-- | C] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2004/04/02 04:07:32 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Owner\ntuser.dat.LOG
[2004/04/02 02:52:53 | 000,000,553 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/01/24 03:33:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/08 02:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/10/28 16:31:42 | 000,033,280 | ---- | C] () -- C:\WINDOWS\System32\cursor.dll
[2001/07/07 05:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2001/05/07 14:57:20 | 000,137,728 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2001/05/07 14:56:30 | 000,660,480 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll

========== LOP Check ==========

[2006/11/13 14:33:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acoustica
[2006/12/18 14:31:01 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2008/07/25 21:44:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fugawi
[2004/08/13 17:59:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Network Associates
[2007/03/17 13:53:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2010/03/19 22:44:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/03/30 01:04:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2007/02/19 16:08:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2005/02/22 11:36:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\.BitTornado
[2006/11/13 14:33:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Acoustica
[2008/06/06 21:30:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Azureus
[2009/10/15 21:33:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Canon
[2008/07/26 09:35:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Fugawi
[2008/11/30 12:02:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GARMIN
[2005/02/16 20:35:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ICAClient
[2005/01/29 22:17:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterTrust
[2005/03/26 20:08:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterVideo
[2004/08/02 22:02:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2006/03/16 22:13:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mobipocket Reader
[2008/07/20 14:40:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\NewSoft
[2004/08/01 19:01:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Ofoto
[2004/08/09 21:58:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Primal Pictures
[2004/04/02 21:28:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2006/10/20 17:17:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Simple Star
[2009/10/04 19:30:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\uTorrent
[2007/02/19 16:08:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Viewpoint
[2008/07/20 14:28:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Vso
[2010/04/06 12:47:17 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{3824B018-81E1-4C80-911F-93BFF16DE257}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005/10/31 11:56:00 | 000,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe


< MD5 for: AGP440.SYS >
[2004/09/13 17:12:42 | 022,245,337 | ---- | M] () .cab file -- C:\Compaq715\WINDOWS\Driver Cache\I386\sp2.cab:AGP440.sys
[2004/09/13 17:12:42 | 022,245,337 | ---- | M] () .cab file -- C:\Compaq715\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2004/10/20 20:11:13 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/06/03 20:02:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/10/20 20:11:13 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2009/06/03 20:02:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\Compaq715\WINDOWS\ServicePackFiles\i386\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\Compaq715\WINDOWS\SYSTEM32\DRIVERS\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2001/08/17 16:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\Compaq715\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2001/08/17 16:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\Compaq715\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2003/08/13 16:37:29 | 012,091,533 | ---- | M] () .cab file -- C:\Compaq715\WINDOWS\Driver Cache\I386\sp1.cab:atapi.sys
[2004/09/13 17:12:42 | 022,245,337 | ---- | M] () .cab file -- C:\Compaq715\WINDOWS\Driver Cache\I386\sp2.cab:atapi.sys
[2003/08/13 16:37:29 | 012,091,533 | ---- | M] () .cab file -- C:\Compaq715\WINDOWS\ServicePackFiles\i386\sp1.cab:atapi.sys
[2004/09/13 17:12:42 | 022,245,337 | ---- | M] () .cab file -- C:\Compaq715\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2004/02/12 07:07:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2004/10/20 20:11:13 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/06/03 20:02:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/02/12 00:07:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp1.cab:atapi.sys
[2004/10/20 20:11:13 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2009/06/03 20:02:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2002/08/29 04:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\Compaq715\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2002/08/29 04:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtUninstallQ331958$\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\Compaq715\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\Compaq715\WINDOWS\SYSTEM32\DRIVERS\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\Compaq715\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\Compaq715\WINDOWS\SYSTEM32\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2002/08/29 06:40:52 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\Compaq715\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2002/08/29 06:41:08 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\Compaq715\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\Compaq715\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\Compaq715\WINDOWS\SYSTEM32\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\Compaq715\WINDOWS\ServicePackFiles\i386\scecli.dll
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\Compaq715\WINDOWS\SYSTEM32\scecli.dll
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2002/08/29 06:41:12 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\Compaq715\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[5 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/04/01 19:55:44 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/04/01 19:55:44 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/04/01 19:55:44 | 000,393,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >


OTL Extras logfile created on: 4/6/2010 6:38:09 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.96 Gb Total Space | 9.62 Gb Free Space | 6.64% Space Free | Partition Type: NTFS
Drive D: | 4.07 Gb Total Space | 0.59 Gb Free Space | 14.59% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive M: | 111.81 Gb Total Space | 92.67 Gb Free Space | 82.88% Space Free | Partition Type: NTFS

Computer Name: RAYHANA
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe" = C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary -- File not found
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Documents and Settings\Owner\My Documents\downloads\uTorrent\utorrent.exe" = C:\Documents and Settings\Owner\My Documents\downloads\uTorrent\utorrent.exe:*:Enabled:µTorrent -- ()
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0128A79D-D481-448E-89E1-F697B70DEC44}" = Thomson Clinical Xpert
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX310_series" = Canon MX310 series
"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition
"{12F7033F-3B47-4C9E-AB20-2EC556C40287}" = Microsoft .NET Compact Framework 1.0 SP3
"{14589F05-C658-4594-9429-D437BA688686}" = IntelliMover Data Transfer Demo
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Multimedia Launcher
"{21CF9B27-4E86-41E8-B831-1F75157C7266}" = eFilm Workstation
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 19
"{2875A5F5-E613-4F99-9B47-8882C9DD24A5}" = OfotoNow
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator 2
"{33CCBBB3-B9E6-41A9-A70D-14C929DE0B85}" = Amazing Mail Outlook Plugin
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083}" = QuickTime
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"{55251924-B51C-4E66-8199-5258672518C5}" = Epocrates Essentials for Pocket PC
"{55937F00-A69B-4049-8D3A-1C7729742B6F}" = BUM
"{59224777-298D-4E9C-9AEB-4A91BDA01B27}" = McAfee VirusScan Enterprise
"{6179550A-3E7C-499E-BCC9-9E8113E0A285}" = LG ODD Auto Firmware Update
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7C5307B7-779F-4D77-8380-4F0B38C2E8E9}" = Code X 2008
"{8704D51E-25B7-4F23-81E7-AA4F54790230}" = Microsoft MapPoint North America 2004
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" =
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{8E7D3F6B-E9AB-4CD1-AFC3-49CCC9EA95CA}" = First Steps
"{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}" = Musicmatch® Jukebox
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = RecordNow!
"{9705A7E1-3DD1-4BAC-8CA9-FE7B1473BEC9}" = iTunes
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD Player
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{9DA735C0-3C3E-4CB3-BC26-BE95E768115F}" = Garmin City Navigator North America NT 2009 Update
"{A0D47410-9AF8-11D4-AD14-0000B49DF1AC}" = MobiPocket Reader
"{A5B5F3FE-8FBE-4767-8145-F98D02C8872F}" = CatSA
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B729E033-6FB3-445B-89ED-2E24EAC72582}" = Let's Imagine
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B97CF5C3-0487-11D8-A36E-0050BAE317E1}" = DVD Solution
"{B9B37361-214D-4D7B-B616-159C390FE1ED}" = Microsoft Voice Command US PPC 1.60 for M2M
"{BAF8D498-5957-4D7F-8788-CF07B836EFDE}" = My Home
"{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}" = Microsoft Plus! Digital Media Edition
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D2A0F8F4-CE50-4857-A21C-3061682B2E87}" = Sansa Media Converter
"{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}" = Presto! PageManager 7.15.16
"{D65CAF34-C0C6-4AE6-92BB-5A6153200865}" = Mobile MerckMedicus
"{D755C7A3-C03E-4460-8C00-AC6E55505FB5}" = LightScribe 1.4.74.1
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{E2D7E05E-C8C7-45F4-8D89-D6696075E0B7}" = Sansa Updater
"{E89D78B8-28F7-412F-8B26-C684739CBBDC}" = Palm Desktop
"{E9F81423-211E-46B6-9AE0-38568BC5CF6F}" = Alcohol 120%
"{EDE721EC-870A-11D8-9D75-000129760D75}" = PowerDirector Express
"{EF964A78-078C-11D1-B7A7-0000C0134CE6}" = Mayo VPN
"{F445476A-42DE-11D4-80D0-00C04F2750A6}" = Epocrates Essentials
"{F6970FBD-809A-4C51-BAB3-D94A04C6C8E7}" = Garmin Communicator Plugin
"2001 OSIE" = 2001 OSIE
"2002 OSIE" = 2002 OSIE
"2003 OSIE" = 2003 OSIE
"2004 OSIE" = 2004 OSIE
"2005 OSIE" = 2005 OSIE
"2006 OBS" = 2006 OBS
"2006 OSIE" = 2006 OSIE
"Acoustica CD Label Maker" = Acoustica CD Label Maker
"Acoustica CD/DVD Label Maker" = Acoustica CD/DVD Label Maker
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.0 Professional
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe PageMaker 7.0" = Adobe PageMaker 7.0
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"AdobeESD" = Adobe Download Manager 2.0 (Remove Only)
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"AnyDVD" = AnyDVD
"Azureus" = Azureus
"BackWeb-1940576 Uninstaller" = Compaq Connections
"BitTornado" = BitTornado 0.3.7
"Canon MX310 series User Registration" = Canon MX310 series User Registration
"CanonMyPrinter" = Canon My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CloneCD" = CloneCD
"CloneDVD2" = CloneDVD2
"Compaq Instant Support" = Compaq Instant Support
"Cryptainer PPC LE" = Cryptainer PPC LE
"cTide" = cTide (remove only)
"cTide_data" = cTide Data Florida (remove only)
"DeductionPro 2006" = DeductionPro 2006
"DVD Decrypter 3.2.1.0 Fr" = DVD Decrypter 3.2.1.0 Fr
"DVD Shrink_is1" = DVD Shrink 3.1.7
"DVDx 2.3_is1" = DVDx 2.3
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"EmergiMed" = EmergiMed Uninstall
"Fugawi45_is1" = Fugawi 4.5
"Handbook of Fractures 2/E_5.0.112CE" = HBFrac v 5.0.112 by Skyscape
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{21CF9B27-4E86-41E8-B831-1F75157C7266}" = eFilm Workstation
"InstallShield_{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083}" = QuickTime
"InstallShield_{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"InstallShield_{9705A7E1-3DD1-4BAC-8CA9-FE7B1473BEC9}" = iTunes
"InstallShield_{EAC1077D-EB12-4515-B8B1-2E55AA026D3E}" = LimeWire
"LimeWire" = LimeWire 4.10.9
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Magic ISO Maker v5.5 (build 0272)" = Magic ISO Maker v5.5 (build 0272)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mosby's Guide to Physical Examination" = Mosby's Guide to Physical Examination
"Mozilla Firefox (1.0.2)" = Mozilla Firefox (1.0.2)
"MP Navigator EX 1.0" = Canon MP Navigator EX 1.0
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" =
"OfotoEZUpload" = KODAK EASYSHARE Gallery Upload ActiveX Control
"OfotoPrint@Home" = Ofoto Print@Home ActiveX Control
"Pdf995" = Pdf995
"Photo DVD Maker Professional" = Photo DVD Maker Professional 7.33
"PhotoShow Express 4" = PhotoShow Express 4
"Picasa2" = Picasa 2
"Pocket Informant" = Pocket Informant Pro 2005
"Primal Pictures Interactive Hand - DVD" = Primal Pictures Interactive Hand - DVD
"PS2" = PS2
"Python 2.2 combined Win32 extensions" = Python 2.2 combined Win32 extensions
"Python 2.2.1" = Python 2.2.1
"RealPlayer 6.0" = RealPlayer
"Reference Point Word 2000 or XP APA Template" = Reference Point Word 2000 or XP APA Template
"S3" = VIA/S3G Display Driver
"SonicWALL SSL-VPN NetExtender" = SonicWALL SSL-VPN NetExtender
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.3
"sscrle_is1" = Cryptainer LE
"TaxCut Premium 2006" = TaxCut Premium 2006
"TightVNC_is1" = TightVNC 1.3.9
"Uninstall Log" = Uninstall OSIE
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"VLC media player" = VideoLAN VLC media player 0.8.4a
"VSO Image Resizer_is1" = VSO Image Resizer 1.1.14
"VTDisplay" = S3 S3Display
"VTGamma2" = S3 S3Gamma2
"VTInfo2" = S3 S3Info2
"VTOverlay" = S3 S3Overlay
"WebZIP" = WebZIP
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"Yahoo! Companion" = Yahoo! Companion

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/17/2010 1:44:57 PM | Computer Name = RAYHANA | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.0.2.0, faulting module
unknown, version 0.0.0.0, fault address 0x3c797373.

Error - 1/17/2010 8:49:37 PM | Computer Name = RAYHANA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module xtsac.ocx, version 3.5.0.76, fault address 0x0001dd2f.

Error - 3/9/2010 2:33:12 PM | Computer Name = RAYHANA | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.0.2.0, faulting module
npswf32.dll, version 9.0.28.0, fault address 0x00060e9b.

Error - 3/9/2010 2:33:54 PM | Computer Name = RAYHANA | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.0.2.0, faulting module
npswf32.dll, version 9.0.28.0, fault address 0x00060e9b.

Error - 3/9/2010 2:34:18 PM | Computer Name = RAYHANA | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.0.2.0, faulting module
npswf32.dll, version 9.0.28.0, fault address 0x00060e9b.

Error - 3/13/2010 4:32:51 PM | Computer Name = RAYHANA | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.0.2.0, faulting module
npswf32.dll, version 9.0.28.0, fault address 0x00060e9b.

Error - 3/17/2010 2:03:12 PM | Computer Name = RAYHANA | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.0.2.0, faulting module
npswf32.dll, version 9.0.28.0, fault address 0x00060e9b.

Error - 3/22/2010 10:55:49 PM | Computer Name = RAYHANA | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x0063006f.

Error - 3/24/2010 7:31:27 AM | Computer Name = RAYHANA | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15281, faulting module
gmer.exe, version 1.0.15.15281, fault address 0x0005c887.

Error - 3/26/2010 8:47:46 PM | Computer Name = RAYHANA | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module urlmon.dll, version 8.0.6001.18876, fault address 0x0002df6e.

[ System Events ]
Error - 4/5/2010 1:26:17 PM | Computer Name = RAYHANA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 4/5/2010 1:26:18 PM | Computer Name = RAYHANA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 4/5/2010 1:26:19 PM | Computer Name = RAYHANA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 4/5/2010 1:26:20 PM | Computer Name = RAYHANA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 4/5/2010 1:26:21 PM | Computer Name = RAYHANA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 4/5/2010 1:26:22 PM | Computer Name = RAYHANA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 4/5/2010 8:24:48 PM | Computer Name = RAYHANA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 4/5/2010 8:40:42 PM | Computer Name = RAYHANA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 4/5/2010 11:48:19 PM | Computer Name = RAYHANA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 4/6/2010 12:50:57 PM | Computer Name = RAYHANA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.


< End of report >
