IP Conflict - Limited or No Connectivity - svchost.exe - ComRes.dll - Baidu.com


This topic is locked
21 replies to this topic

#1 Prologic08


Posted 14 May 2010 - 04:04 PM

Dell Latitude D630 in a corporate environment

About 8 computers were infected on Wednesday, which caused the following:

- Limited or No Connectivity (though we seem to have full connectivity)
- IP address conflict
- 2 popups for Baidu.com

I have tried the following to fix it, but none have fixed it fully.

Malwarebytes
Webroot Client
VundoFix
SuperAntispyware
SpyBot S&D
Dr.Web Cureit
ComboFix

I had found that it placed a file named svchost.exe in the C:\Windows\System32\Coms folder, which I deleted (svchost should be in the system32 folder, not Coms).
Also, the malware may have done something to the ComRes.dll file, because Combofix and Dr.Web Cureit wanted to delete it. Once deleted, it asked me to put the XPSP3 CD in. I just copied over a good file from another XP machine that was not infected, and that popup went away.

Currently, I still have the IP address conflict and Limited or No Connectivity. I do have full internet access though. I know this may sound like a network issue, but I assure you that it is not. This is definitely some type of malware.





DDS (Ver_10-03-17.01) - NTFSx86
Run by nmichalos at 15:39:28.20 on Fri 05/14/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1450 [GMT -4:00]

AV: Webroot Client Security *On-access scanning enabled* (Updated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\Pfx Engagement\Common\PFXEngDesktopService.exe
C:\Pfx Engagement\Common\PFXSYNPFTService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\Program Files\Webroot\Client\commagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Client\spysweeper.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Client\SpySweeperUI.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Endpoint Encryption for PC v6\EpePcMonitor.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Pfx Engagement\WM\PfxPDFConvertService.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nmichalos.MKLLP\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [PPort10reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\10\config\ereg\ereg.ini"
mRun: [WebrootClientUI] "c:\program files\webroot\client\SpySweeperUI.EXE" /StartInTray
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SigmatelSysTrayApp] "stsystra.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [MfeEpePcMonitor] "c:\program files\mcafee\endpoint encryption for pc v6\EpePcMonitor.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"
mRun: [Apoint] "c:\program files\delltpad\Apoint.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pfxpdf~1.lnk - c:\pfx engagement\wm\PfxPDFConvertService.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\sftus.one
Trusted Zone: remote
DPF: {32564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8dmo.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.mkllp.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237829479367
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://192.168.7.2/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F589CCFE-5DCE-4009-844F-61433375F69B} - hxxps://transfer.marcumllp.com/COM/MOVEitUploadWizard6.5.0.ocx
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 MfeEpePc;MfeEpePc;c:\windows\system32\drivers\MfeEpePc.sys [2010-1-21 113864]
R0 ssfs0bbc;Spy Sweeper File System Filter Driver: 0BBC;c:\windows\system32\drivers\ssfs0bbc.sys [2009-8-25 30136]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R2 es19drv;Application Layer Gateway Servicesa;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\mcafee\endpoint encryption agent\MfeEpeHost.exe [2010-1-21 819200]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-25 120128]
R2 MSSQL$PROFXENGAGEMENT;SQL Server (PROFXENGAGEMENT);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 MSSQL$TOCTTARGPPC05;SQL Server (TOCTTARGPPC05);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 PFXEngDesktopService;PFXEngDesktopService;c:\pfx engagement\common\PFXEngDesktopService.exe [2008-11-14 428032]
R2 PFXSYNPFTService;PFXSYNPFTService;c:\pfx engagement\common\PFXSYNPFTService.exe [2008-11-14 436736]
R2 TIRmtCtl;Track-It! Remote Control;c:\windows\tiremote\wuser32.exe [2007-9-12 311374]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\tiremote\TIRemoteService.exe [2007-9-12 212480]
R2 WebrootCommAgentService;Webroot CommAgent Service;c:\program files\webroot\client\CommAgent.exe [2009-8-25 715176]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\client\SPYSWEEPER.EXE [2009-8-25 4110352]
S2 es15drv;Application Layer Gateway Servicess;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]
S3 WIMASvc;OnDemand WinINSTALL Master Agent;c:\program files\ondemand\wininstall\bin\WIMASvc.exe [2007-2-7 90112]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"

=============== Created Last 30 ================

2010-05-14 19:38:03 25 ----a-w- c:\windows\mssoft.bat
2010-05-14 19:37:41 169 ----a-w- c:\windows\hpig_WS2.dat
2010-05-14 19:37:41 140288 ----a-w- c:\windows\my_sfc_os.dll
2010-05-14 19:37:17 0 ----a-w- c:\windows\mfxixue.ini
2010-05-14 18:54:44 77312 ----a-w- c:\windows\MBR.exe
2010-05-14 18:54:44 256512 ----a-w- c:\windows\PEV.exe
2010-05-14 18:54:43 98816 ----a-w- c:\windows\sed.exe
2010-05-14 18:54:43 161792 ----a-w- c:\windows\SWREG.exe
2010-05-14 18:48:56 19968 ----a-w- c:\windows\hackshen.exe
2010-05-14 14:06:54 0 d-----w- c:\documents and settings\nmichalos.mkllp\DoctorWeb
2010-05-14 13:30:01 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-14 13:30:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-13 21:27:24 4772 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-13 21:27:24 35104 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-13 21:27:24 276000 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-13 21:27:24 15824 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-13 21:27:16 3738 ----a-w- C:\rollback.ini
2010-05-13 21:23:40 0 d-----w- c:\program files\common files\ParetoLogic
2010-05-13 21:23:40 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic Anti-Virus PLUS
2010-05-13 21:23:40 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-05-13 19:49:32 0 d-----w- c:\program files\Unlocker
2010-05-13 19:33:48 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-13 19:33:38 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-13 18:42:45 0 d-----w- C:\VundoFix Backups
2010-05-12 17:38:13 0 d-----w- c:\program files\Broadcom
2010-05-12 16:26:45 792064 ----a-w- c:\windows\system32\comres.dll
2010-05-12 16:08:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2010-05-12 16:07:52 0 d-----w- c:\program files\Webroot
2010-05-12 15:39:42 0 d-----w- c:\docume~1\nmicha~1.mkl\applic~1\Malwarebytes
2010-05-12 15:39:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-05-11 20:09:39 19968 ------w- c:\windows\system32\ctfmon.exe
2010-03-03 20:32:39 5269841 ----a-w- c:\windows\FramePkg.exe
2007-08-20 18:51:20 32768 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat

============= FINISH: 15:40:36.08 ===============


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:03:30 PM

Posted 15 May 2010 - 10:29 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 Prologic08

  • Topic Starter

Posted 17 May 2010 - 10:04 AM

CODE
OTL logfile created on: 5/17/2010 9:23:34 AM - Run 1
OTL by OldTimer - Version 3.2.4.1     Folder = C:\Documents and Settings\nmichalos.MKLLP\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 4591 4591 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 44.13 Gb Free Space | 59.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NICHOLEM
Current User Name: nmichalos
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

[color=#E56717]========== Processes (SafeList) ==========[/color]

PRC - [2010/05/17 09:22:42 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\OTL.exe
PRC - [2010/05/11 16:09:39 | 000,019,968 | ---- | M] () -- C:\WINDOWS\system32\ctfmon.exe
PRC - [2010/03/08 22:52:49 | 000,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2010/01/21 13:12:40 | 000,139,264 | ---- | M] () -- C:\Program Files\McAfee\Endpoint Encryption for PC v6\EpePcMonitor.exe
PRC - [2010/01/21 12:53:06 | 000,819,200 | ---- | M] () -- C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe
PRC - [2009/09/25 05:50:00 | 000,185,664 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/09/25 05:50:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/09/25 05:50:00 | 000,120,128 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/09/25 05:50:00 | 000,075,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2009/08/25 09:52:54 | 000,435,624 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Client\SpySweeperUI.exe
PRC - [2009/08/25 09:52:52 | 000,715,176 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Client\CommAgent.exe
PRC - [2009/08/25 09:51:08 | 000,166,224 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Client\SSU.EXE
PRC - [2009/08/25 09:51:06 | 004,110,352 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Client\SPYSWEEPER.EXE
PRC - [2009/03/23 14:59:51 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2009/02/04 15:35:00 | 000,078,848 | ---- | M] (DameWare Development) -- C:\WINDOWS\system32\DWRCST.EXE
PRC - [2009/02/04 15:34:46 | 000,234,496 | ---- | M] (DameWare Development LLC) -- C:\WINDOWS\system32\DWRCS.EXE
PRC - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 23:31:10 | 029,263,712 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
PRC - [2008/11/24 23:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/11/14 15:51:06 | 000,173,568 | ---- | M] (CCH Tax and Accounting) -- C:\Pfx Engagement\WM\PfxPDFConvertService.exe
PRC - [2008/11/14 15:34:10 | 000,428,032 | ---- | M] (CCH Tax and Accounting) -- C:\Pfx Engagement\Common\PFXEngDesktopService.exe
PRC - [2008/11/14 15:32:54 | 000,436,736 | ---- | M] (CCH Tax and Accounting) -- C:\Pfx Engagement\Common\PFXSYNPFTService.exe
PRC - [2008/10/14 21:38:56 | 000,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2008/07/17 16:37:44 | 002,549,248 | ---- | M] (Aladdin Knowledge Systems Ltd.) -- C:\WINDOWS\system32\hasplms.exe
PRC - [2007/11/15 16:49:30 | 000,212,480 | ---- | M] (Numara Software, Inc.) -- C:\WINDOWS\TIREMOTE\TIRemoteService.exe
PRC - [2007/07/02 14:29:22 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/06 17:44:44 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2007/05/22 15:18:56 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2007/02/19 14:27:16 | 000,090,112 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\stacsv.exe
PRC - [2007/02/19 14:26:32 | 000,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2007/02/10 05:29:54 | 029,178,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2006/10/20 17:23:38 | 000,118,784 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2006/09/08 16:10:22 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2006/08/18 14:08:44 | 000,311,374 | ---- | M] (Intuit Track-It!) -- C:\WINDOWS\TIREMOTE\wuser32.exe
PRC - [2006/06/12 18:04:14 | 000,126,976 | ---- | M] (Visioneer Inc.) -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
PRC - [2006/03/02 14:11:52 | 000,036,864 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe


[color=#E56717]========== Modules (SafeList) ==========[/color]

MOD - [2010/05/17 09:22:42 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\OTL.exe
MOD - [2010/03/08 22:55:54 | 000,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2006/02/28 08:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


[color=#E56717]========== Win32 Services (SafeList) ==========[/color]

SRV - File not found [On_Demand | Stopped] --  -- (Smcinst)
SRV - [2010/01/21 12:53:06 | 000,819,200 | ---- | M] () [Auto | Running] -- C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe -- (McAfee Endpoint Encryption Agent)
SRV - [2009/09/25 05:50:00 | 000,120,128 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2009/08/25 09:52:52 | 000,715,176 | ---- | M] (Webroot Software, Inc.) [Auto | Running] -- C:\Program Files\Webroot\Client\CommAgent.exe -- (WebrootCommAgentService)
SRV - [2009/08/25 09:51:06 | 004,110,352 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [On_Demand | Running] -- C:\Program Files\Webroot\Client\spysweeper.exe -- (WebrootSpySweeperService)
SRV - [2009/08/04 09:33:18 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe -- (GoToAssist)
SRV - [2009/07/13 12:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2009/03/23 14:59:51 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/02/04 15:34:46 | 000,234,496 | ---- | M] (DameWare Development LLC) [Auto | Running] -- C:\WINDOWS\System32\DWRCS.EXE -- (DWMRCS)
SRV - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 23:31:10 | 029,263,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe -- (MSSQL$TOCTTARGPPC05) SQL Server (TOCTTARGPPC05)
SRV - [2008/11/24 23:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 23:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/11/14 15:34:10 | 000,428,032 | ---- | M] (CCH Tax and Accounting) [Auto | Running] -- C:\Pfx Engagement\Common\PFXEngDesktopService.exe -- (PFXEngDesktopService)
SRV - [2008/11/14 15:32:54 | 000,436,736 | ---- | M] (CCH Tax and Accounting) [Auto | Running] -- C:\Pfx Engagement\Common\PFXSYNPFTService.exe -- (PFXSYNPFTService)
SRV - [2008/07/17 16:37:44 | 002,549,248 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Auto | Running] -- C:\WINDOWS\System32\hasplms.exe -- (hasplms)
SRV - [2007/11/15 16:49:30 | 000,212,480 | ---- | M] (Numara Software, Inc.) [Auto | Running] -- C:\WINDOWS\TIREMOTE\TIRemoteService.exe -- (TIRmtSvc)
SRV - [2007/02/19 14:27:16 | 000,090,112 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV)
SRV - [2007/02/10 05:29:54 | 029,178,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$PROFXENGAGEMENT) SQL Server (PROFXENGAGEMENT)
SRV - [2007/02/07 01:59:38 | 000,090,112 | ---- | M] (Attachmate Corporation) [On_Demand | Stopped] -- C:\Program Files\OnDemand\WinINSTALL\Bin\WIMASvc.exe -- (WIMASvc)
SRV - [2006/08/18 14:08:44 | 000,311,374 | ---- | M] (Intuit Track-It!) [Auto | Running] -- C:\WINDOWS\TIREMOTE\wuser32.exe -- (TIRmtCtl)
SRV - [2006/06/12 18:04:14 | 000,126,976 | ---- | M] (Visioneer Inc.) [Auto | Running] -- C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe -- (OneTouch 4.0 Monitor)
SRV - [2001/05/20 18:12:00 | 000,097,345 | ---- | M] () [Auto | Running] -- C:\Program Files\Windows NT\{055EE59D-217B-43A7-ABFF-507B966405D8}\\Maina.dll -- (es19drv)
SRV - [2001/05/20 18:12:00 | 000,097,345 | ---- | M] () [Auto | Running] -- C:\Program Files\Windows NT\{055EE59D-217B-43A7-ABFF-507B966405D8}\\Main2.dll -- (es15drv)


[color=#E56717]========== Driver Services (SafeList) ==========[/color]

DRV - [2010/01/21 13:13:16 | 000,113,864 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\MfeEpePc.sys -- (MfeEpePc)
DRV - [2009/08/25 09:51:06 | 000,023,424 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\Drivers\SSHRMD.SYS -- (sshrmd)
DRV - [2009/08/25 09:50:46 | 000,177,896 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\Drivers\SSIDRV.SYS -- (ssidrv)
DRV - [2009/08/25 09:50:42 | 000,030,136 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\Drivers\SSFS0BBC.SYS -- (ssfs0bbc)
DRV - [2008/03/27 18:50:00 | 000,350,720 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\aksfridge.sys -- (aksfridge)
DRV - [2008/02/11 16:55:04 | 000,586,240 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2007/08/23 11:59:09 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)
DRV - [2007/07/23 15:12:44 | 000,046,336 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\akshhl.sys -- (akshhl)
DRV - [2007/07/05 15:16:56 | 000,238,976 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\akshasp.sys -- (akshasp)
DRV - [2007/07/05 15:16:56 | 000,014,976 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aksusb.sys -- (aksusb)
DRV - [2007/06/25 19:53:10 | 000,155,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/05/16 18:14:58 | 005,707,744 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/03/16 19:10:56 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2007/02/25 06:05:24 | 002,203,520 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel(R)
DRV - [2007/02/19 14:27:34 | 001,228,296 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/02/16 15:46:00 | 000,160,256 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2007/02/15 07:00:00 | 000,026,624 | ---- | M] (DameWare) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dwvkbd.sys -- (dwvkbd)
DRV - [2007/02/12 15:36:54 | 000,277,784 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iastor)
DRV - [2007/02/07 07:00:00 | 000,003,712 | ---- | M] (DameWare Development, LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DamewareMini.sys -- (DwMirror)
DRV - [2006/11/02 18:47:36 | 000,989,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/11/02 18:47:00 | 000,209,152 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/11/02 18:46:56 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/05/13 17:27:56 | 000,028,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbccid.sys -- (USBCCID)
DRV - [2004/08/12 17:45:54 | 000,137,728 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-462496249-1566251647-1846952604-6796\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-462496249-1566251647-1846952604-6796\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKU\S-1-5-21-462496249-1566251647-1846952604-6796\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [DameWare MRC Agent] C:\WINDOWS\system32\DWRCST.EXE (DameWare Development)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MfeEpePcMonitor] C:\Program Files\McAfee\Endpoint Encryption for PC v6\EpePcMonitor.exe ()
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [PPort10reminder] C:\Program Files\ScanSoft\PaperPort\Ereg\ereg.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKLM..\Run: [WebrootClientUI] C:\Program Files\Webroot\Client\SpySweeperUI.EXE (Webroot Software, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PfxPDFConvertService.exe.lnk = C:\Pfx Engagement\WM\PfxPDFConvertService.exe (CCH Tax and Accounting)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-462496249-1566251647-1846952604-6796\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-462496249-1566251647-1846952604-6796\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-462496249-1566251647-1846952604-6796\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\Excel.exe (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKU\.DEFAULT\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: microsoft.com ([sftus.one] https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: remote ([]http in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: microsoft.com ([sftus.one] https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: remote ([]http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Trusted sites)
O15 - HKU\S-1-5-21-462496249-1566251647-1846952604-6796\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-462496249-1566251647-1846952604-6796\..Trusted Domains: microsoft.com ([sftus.one] https in Trusted sites)
O15 - HKU\S-1-5-21-462496249-1566251647-1846952604-6796\..Trusted Domains: remote ([]http in Trusted sites)
O15 - HKU\S-1-5-21-462496249-1566251647-1846952604-6796\..Trusted Ranges: Range1 ([http] in Trusted sites)
O16 - DPF: {32564D57-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv8dmo.cab (Reg Error: Key error.)
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB (Reg Error: Key error.)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} https://vpn.mkllp.com/CACHE/stc/1/binaries/vpnweb.cab (Cisco AnyConnect VPN Client Web Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237829479367 (WUWebControl Class)
O16 - DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} https://192.168.7.2/CACHE/sdesktop/install/binaries/instweb.cab (CSD ActiveX Installer)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F589CCFE-5DCE-4009-844F-61433375F69B} https://transfer.marcumllp.com/COM/MOVEitUploadWizard6.5.0.ocx (MOVEitUpDownWiz Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.3.1.10 10.3.1.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mkllp.com
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (C:\Program Files\McAfee\Endpoint Encryption for PC v6\EpePcGina.Dll) - C:\Program Files\McAfee\Endpoint Encryption for PC v6\EpePcGina.dll ()
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/17 14:27:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {831D8ACA-CAFE-8140-5430-D22A39824417} - Browser Customizations
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax ()
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll ()

NetSvcs: 6to4 -  File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/03/23 08:43:40 | 000,000,000 | ---D | M]
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: WmdmPmSp -  File not found
NetSvcs: es0drv -  File not found
NetSvcs: es1drv -  File not found
NetSvcs: es2drv -  File not found
NetSvcs: es3drv -  File not found
NetSvcs: es4drv -  File not found
NetSvcs: es5drv -  File not found
NetSvcs: es6drv -  File not found
NetSvcs: es7drv -  File not found
NetSvcs: es8drv -  File not found
NetSvcs: es9drv -  File not found
NetSvcs: esadrv -  File not found
NetSvcs: esbdrv -  File not found
NetSvcs: escdrv -  File not found
NetSvcs: esddrv -  File not found
NetSvcs: esedrv -  File not found
NetSvcs: esfdrv -  File not found
NetSvcs: es10drv -  File not found
NetSvcs: es11drv -  File not found
NetSvcs: es12drv -  File not found
NetSvcs: es13drv -  File not found
NetSvcs: es14drv -  File not found
NetSvcs: es15drv - C:\Program Files\Windows NT\{055EE59D-217B-43A7-ABFF-507B966405D8}\\Main2.dll ()
NetSvcs: es16drv -  File not found
NetSvcs: es17drv -  File not found
NetSvcs: es18drv -  File not found
NetSvcs: es19drv - C:\Program Files\Windows NT\{055EE59D-217B-43A7-ABFF-507B966405D8}\\Maina.dll ()
NetSvcs: es1adrv -  File not found
NetSvcs: es1bdrv -  File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/05/17 09:22:28 | 000,571,392 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\OTL.exe
[2010/05/14 15:53:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\gmer
[2010/05/14 15:37:41 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\my_sfc_os.dll
[2010/05/14 14:54:44 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/14 14:54:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/14 14:54:43 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/14 14:54:43 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/14 14:53:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/14 14:52:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/14 10:06:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nmichalos.MKLLP\DoctorWeb
[2010/05/14 09:30:01 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/14 09:30:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/05/14 09:28:53 | 016,409,960 | ---- | C] (Safer Networking Limited                                    ) -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\spybotsd162.exe
[2010/05/14 09:23:31 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/05/13 17:23:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
[2010/05/13 17:23:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ParetoLogic
[2010/05/13 17:23:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2010/05/13 15:49:32 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
[2010/05/13 15:33:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/05/13 15:33:38 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/05/13 15:18:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nmichalos.MKLLP\Local Settings\Application Data\Downloaded Installations
[2010/05/13 14:42:45 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/05/13 14:42:34 | 000,119,808 | ---- | C] (Atribune.org) -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\VundoFix.exe
[2010/05/12 16:52:21 | 000,670,072 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\autoruns.exe
[2010/05/12 13:38:13 | 000,000,000 | ---D | C] -- C:\Program Files\Broadcom
[2010/05/12 12:08:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Webroot
[2010/05/12 12:07:52 | 000,000,000 | ---D | C] -- C:\Program Files\Webroot
[2010/05/12 11:39:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nmichalos.MKLLP\Application Data\Malwarebytes
[2010/05/12 11:39:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/12 11:38:55 | 004,045,528 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\mbam-setup.exe
[2010/05/12 04:37:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/12 04:37:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/12 04:36:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PowerDVD DX
[2010/04/19 10:09:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nmichalos.MKLLP\Local Settings\Application Data\Citrix
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/17 09:22:57 | 000,000,025 | ---- | M] () -- C:\WINDOWS\mssoft.bat
[2010/05/17 09:22:42 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\OTL.exe
[2010/05/17 09:16:19 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/17 09:11:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/14 15:52:15 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\gmer.zip
[2010/05/14 15:37:41 | 000,000,169 | ---- | M] () -- C:\WINDOWS\hpig_WS2.dat
[2010/05/14 15:37:17 | 000,000,000 | ---- | M] () -- C:\WINDOWS\mfxixue.ini
[2010/05/14 15:32:23 | 005,767,168 | ---- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\NTUSER.DAT
[2010/05/14 15:32:00 | 000,000,310 | -HS- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\ntuser.ini
[2010/05/14 15:20:55 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/14 15:20:37 | 000,557,210 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/14 15:20:37 | 000,116,978 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/14 15:20:31 | 000,686,740 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/14 15:19:17 | 000,008,410 | RHS- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\ntuser.pol
[2010/05/14 14:53:38 | 003,689,128 | R--- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\ComboFix.exe
[2010/05/14 09:58:27 | 000,035,104 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/05/14 09:58:27 | 000,015,824 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/05/14 09:58:26 | 000,276,000 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/05/14 09:58:26 | 000,004,772 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/05/13 17:27:16 | 000,003,738 | ---- | M] () -- C:\rollback.ini
[2010/05/13 16:28:26 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\dds.scr
[2010/05/13 15:54:48 | 000,000,624 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/13 15:54:48 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/05/12 16:52:19 | 000,595,499 | ---- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\Autoruns.zip
[2010/05/12 13:57:34 | 040,009,848 | ---- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\ge8v6q4m.exe
[2010/05/12 13:55:28 | 008,206,880 | ---- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\SUPERAntiSpyware.exe
[2010/05/12 13:54:52 | 016,409,960 | ---- | M] (Safer Networking Limited                                    ) -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\spybotsd162.exe
[2010/05/12 13:52:24 | 000,119,808 | ---- | M] (Atribune.org) -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\VundoFix.exe
[2010/05/12 12:11:59 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/12 11:57:34 | 000,005,396 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2010/05/12 04:36:47 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/11 16:09:39 | 000,019,968 | ---- | M] () -- C:\WINDOWS\hackshen.exe
[2010/05/11 16:09:39 | 000,019,968 | ---- | M] () -- C:\WINDOWS\System32\ctfmon.exe
[2010/05/11 16:09:39 | 000,019,968 | ---- | M] () -- C:\WINDOWS\tasks\ע.bat
[2010/05/11 15:09:48 | 000,012,564 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/05/11 10:34:47 | 000,000,133 | ---- | M] () -- C:\WINDOWS\PFXEngagement.INI
[2010/05/11 10:14:28 | 001,287,168 | ---- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\callpilot.cst
[2010/05/06 15:53:13 | 021,037,056 | RHS- | M] () -- C:\SafeBoot.fs
[2010/05/06 15:53:11 | 000,393,216 | RHS- | M] () -- C:\SafeBoot.rsv
[2010/04/30 12:01:15 | 000,000,266 | ---- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\Marcum LLP Not Signed On.url
[2010/04/30 09:10:45 | 000,000,249 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Marcum ProStaff.url
[2010/04/28 15:19:26 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office Word 2007.lnk
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/25 21:32:09 | 000,000,213 | ---- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\Renaissance Login.url
[2010/04/23 15:30:43 | 000,259,116 | ---- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\callpilot.cpa
[2010/04/22 06:21:38 | 004,601,729 | ---- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\My Documents\{BF214396-6D76-413C-834E-7B17AB6DDD66}.xlsx
[2010/04/22 05:24:17 | 000,049,052 | ---- | M] () -- C:\Documents and Settings\nmichalos.MKLLP\My Documents\Fax Message big g.pdf
[2010/04/21 09:23:27 | 000,000,626 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Marcum Citrix.url
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/14 15:43:53 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\gmer.zip
[2010/05/14 15:38:03 | 000,000,025 | ---- | C] () -- C:\WINDOWS\mssoft.bat
[2010/05/14 15:37:41 | 000,000,169 | ---- | C] () -- C:\WINDOWS\hpig_WS2.dat
[2010/05/14 15:37:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mfxixue.ini
[2010/05/14 15:36:55 | 000,019,968 | ---- | C] () -- C:\WINDOWS\tasks\ע.bat
[2010/05/14 14:54:44 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/14 14:54:44 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/14 14:54:43 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/14 14:54:43 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/14 14:54:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/14 14:51:32 | 003,689,128 | R--- | C] () -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\ComboFix.exe
[2010/05/14 14:48:56 | 000,019,968 | ---- | C] () -- C:\WINDOWS\hackshen.exe
[2010/05/14 10:04:40 | 040,009,848 | ---- | C] () -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\ge8v6q4m.exe
[2010/05/13 17:27:24 | 000,276,000 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/05/13 17:27:24 | 000,035,104 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/05/13 17:27:24 | 000,015,824 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/05/13 17:27:24 | 000,004,772 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/05/13 17:27:16 | 000,003,738 | ---- | C] () -- C:\rollback.ini
[2010/05/13 16:28:22 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\dds.scr
[2010/05/13 15:54:34 | 000,000,655 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PfxPDFConvertService.exe.lnk
[2010/05/13 15:17:59 | 008,206,880 | ---- | C] () -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\SUPERAntiSpyware.exe
[2010/05/12 16:52:16 | 000,595,499 | ---- | C] () -- C:\Documents and Settings\nmichalos.MKLLP\Desktop\Autoruns.zip
[2010/04/22 06:21:36 | 004,601,729 | ---- | C] () -- C:\Documents and Settings\nmichalos.MKLLP\My Documents\{BF214396-6D76-413C-834E-7B17AB6DDD66}.xlsx
[2010/04/22 05:24:17 | 000,049,052 | ---- | C] () -- C:\Documents and Settings\nmichalos.MKLLP\My Documents\Fax Message big g.pdf
[2010/03/01 11:54:31 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2010/03/01 11:54:27 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/12/07 16:08:29 | 000,000,704 | ---- | C] () -- C:\WINDOWS\DX.INI
[2009/11/02 16:46:37 | 000,000,728 | ---- | C] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2008/03/31 15:35:35 | 000,003,399 | R--- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2008/03/31 15:35:35 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2008/03/31 15:33:41 | 000,000,103 | ---- | C] () -- C:\WINDOWS\System32\hptrace.ini
[2008/03/31 15:32:55 | 000,022,436 | ---- | C] () -- C:\WINDOWS\hplj42504350.ini
[2008/02/15 09:44:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/01/15 10:30:55 | 000,192,512 | R--- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL
[2007/10/12 14:31:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nmquick.INI
[2007/08/31 17:02:08 | 000,000,133 | ---- | C] () -- C:\WINDOWS\PFXEngagement.INI
[2007/08/23 14:52:52 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/08/23 11:59:09 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
[2007/08/23 08:03:34 | 000,028,787 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2007/08/21 15:59:15 | 000,000,443 | R--- | C] () -- C:\WINDOWS\hpw0460k.ini
[2007/08/21 15:58:15 | 000,000,092 | ---- | C] () -- C:\WINDOWS\hpdj460.ini
[2007/08/21 15:56:51 | 000,005,303 | ---- | C] () -- C:\WINDOWS\mariner.ini
[2007/08/21 14:44:09 | 000,000,276 | ---- | C] () -- C:\WINDOWS\PPCArc32.ini
[2007/08/21 14:25:11 | 000,072,192 | ---- | C] () -- C:\WINDOWS\System32\IMG32MMB.DLL
[2007/08/21 14:25:11 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\IMG32MM.DLL
[2007/08/21 14:25:11 | 000,006,144 | ---- | C] () -- C:\WINDOWS\System32\IMGFB6MU.DLL
[2007/08/21 14:25:09 | 000,006,144 | ---- | C] () -- C:\WINDOWS\System32\IMGFX6MU.DLL
[2007/08/21 10:48:48 | 000,145,408 | ---- | C] () -- C:\WINDOWS\System32\OMS2ASC.dll
[2007/08/20 17:00:36 | 000,000,146 | ---- | C] () -- C:\WINDOWS\GTW.ini
[2007/08/20 15:13:09 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\CSICABTL.DLL
[2007/08/20 14:49:50 | 000,000,636 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/08/17 14:51:15 | 000,910,304 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2007/08/17 14:51:15 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4831.dll
[2007/05/16 15:12:48 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\GFRPResNT.dll
[2007/05/16 15:12:48 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\BuPResNT.dll
[2006/02/28 08:00:00 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2006/02/28 08:00:00 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2006/02/28 08:00:00 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2006/02/28 08:00:00 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2006/02/28 08:00:00 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
[2005/06/14 17:32:22 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\BiPResNT.dll
[2002/12/09 14:42:32 | 000,000,036 | ---- | C] () -- C:\WINDOWS\webica.ini
[2002/05/10 22:30:08 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\JPEG32.DLL
[2001/09/28 12:44:58 | 000,257,536 | ---- | C] () -- C:\WINDOWS\System32\BiImg.dll
[2001/07/31 06:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[1999/01/22 12:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS  >
[2006/02/28 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2006/02/28 08:00:00 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2006/02/28 08:00:00 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS  >
[2006/02/28 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2006/02/28 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2006/02/28 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL  >
[2006/02/28 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2006/02/28 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2006/02/28 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS  >
[2007/02/12 15:36:54 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\WINDOWS\dell\iastor\iastor.sys
[2007/02/12 15:36:54 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL  >
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2006/02/28 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2006/02/28 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2006/02/28 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATABUS.SYS  >
[2006/03/16 20:51:32 | 000,099,840 | ---- | M] (NVIDIA Corporation) MD5=B7FB72492B753930EC70A0F49D04F12F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys

< MD5 for: NVRAID.SYS  >
[2006/03/16 20:51:38 | 000,081,536 | ---- | M] (NVIDIA Corporation) MD5=4BC863E8FB65EBCFDDE04822CF875E76 -- C:\WINDOWS\dell\nvraid\nvraid.sys

< MD5 for: SCECLI.DLL  >
[2006/02/28 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2006/02/28 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2006/02/28 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SYMMPI.SYS  >
[2005/11/17 14:58:16 | 000,092,672 | ---- | M] (LSI Logic) MD5=1FD5249D5103125D2DA63F68D7BE1D35 -- C:\WINDOWS\dell\symmpi\symmpi.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/03/23 08:51:23 | 000,442,368 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/03/23 12:38:43 | 000,061,440 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2009/03/23 08:51:23 | 033,341,440 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/03/23 08:51:23 | 005,505,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
< End of report >

OTL Extras logfile created on: 5/17/2010 9:23:34 AM - Run 1
OTL by OldTimer - Version 3.2.4.1     Folder = C:\Documents and Settings\nmichalos.MKLLP\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 4591 4591 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 44.13 Gb Free Space | 59.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NICHOLEM
Current User Name: nmichalos
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AllAlertsDisabled" = 1
"TermService" = 1
"DisableMonitoring" = 1
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"6735:TCP" = 6735:TCP:*:Enabled:Desktopsyncservice
"2029:TCP" = 2029:TCP:*:Enabled:MSSQLPROFXENGAGEMENT
"6736:TCP" = 6736:TCP:*:Enabled:Pfxsynpfxservice
"1434:UDP" = 1434:UDP:*:Enabled:SQL UDP
"6737:UDP" = 6737:UDP:*:Enabled:PfxConfigUtility
"1947:TCP" = 1947:TCP:*:Enabled:HASP SRM
"1947:UDP" = 1947:UDP:*:Enabled:HASP SRM
"6129:TCP" = 6129:TCP:*:Enabled:DameWare Mini Remote Control Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\WINDOWS\TIREMOTE\wuser32.exe" = C:\WINDOWS\TIREMOTE\wuser32.exe:*:Enabled:Track-It! Remote Control -- (Intuit Track-It!)
"C:\WINDOWS\TIREMOTE\TIRemoteService.exe" = C:\WINDOWS\TIREMOTE\TIRemoteService.exe:*:Enabled:Track-It! Workstation Manager -- (Numara Software, Inc.)
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- File not found
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- File not found
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- File not found
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{004F0409-78E1-11D2-B60F-006097C998E7}" = Microsoft Access 2000 SR-1 Runtime
"{00C30DB1-D1C5-40C4-9B87-351C75B2F24C}" = OneTouch 4.0
"{042D7DB9-4AC7-42A5-AFF4-2C6D0EDF1FBD}" = PPC Practice Aids Audits of Local Governments (2-09)
"{0AA9A2A7-D1B7-49BB-9133-C092523981E2}" = PPC Practice Aids PCAOB Audits (5-09)
"{0B392DFA-18CB-4A3E-B0B6-3C82359B86C8}" = McAfee Endpoint Encryption Agent
"{12AEEE4B-19D6-4543-94F6-57142B1436F4}" = Tax Grouping Update & TB Repair Utilities
"{1314DE79-EFB6-4906-926F-F78B8717B7DE}" = Engagement573_0521
"{19ABFD8F-CB86-4965-9282-047FC27084F1}" = SQLXML 3.0 SP3
"{1B33DA23-34F8-4396-AC85-28B69DD6CB89}" = Checkpoint Tools for PPC
"{1BB28A77-64CD-4123-8F7F-AAFAE434D686}" = PPC Practice Aids Homeowners' Associations (7-09)
"{1EB719BF-360C-464B-8E49-4641ECF9CFD9}" = Nortel CallPilot Desktop Messaging
"{23E8D2D6-F7C8-4A35-816C-6C914EE0A601}" = Citrix Presentation Server Client - Web Only
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 11
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (PROFXENGAGEMENT)
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{356407C3-DFE0-404B-BF30-20941B7D5265}" = IDEA 8.2
"{3686A51B-CF12-4927-8340-898A40AE52E9}" = Attachmate WinINSTALL Agents
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{456BFD3C-5F77-4443-B489-13CC5053B0EC}" = PPC Practice Aids Audits of Employee Benefit Plans (2-09)
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5412BB35-2A01-4E7B-A344-7A86A215A33F}" = PPC Practice Aids Audits of Nonprofit Organizations (2-09)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{5848CDBC-CD08-4DBE-B1CE-BD3F38D7BF8F}" = Becker CPA Review CD-ROM Course and PassMaster - 2007 Edition
"{5C7CF88E-AD37-4093-9606-483D6F3DAC29}" = Tax Grouping Update Wizard
"{63563325-B7B2-4A9A-A7C3-B79CBC624F2A}" = Becker CPA Review CD-ROM Course and PassMaster - 2009 Edition
"{644E6B78-DD11-4DFC-A66F-CCEEDA5098EE}" = Engagement573
"{657D16DF-BAE3-4481-8BFE-D3E6A85434A0}" = ScanSoft PaperPort 10
"{6D04CDF8-75C2-44D8-BFFD-347F67EAB4DD}" = ProSystem fx Engagement
"{6D7A475D-4592-4360-B99C-2940373D89DD}" = PPC Practice Aids Cash, Tax, and Other Bases of Accounting (8-09)
"{6DC9F24F-0460-47DF-94C8-99090F9883B0}" = PPC Practice Aids HUD Audits (7-09)
"{6DEF11C0-35FF-4160-A543-FDD336C4DAE5}" = Microsoft SQL Server 2005 Express Edition (TOCTTARGPPC05)
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75BD16A1-3016-4AF4-8F67-C5B0B55558C8}" = PPC Practice Aids Audits of Nonprofit Organizations (2-10)
"{89329EF7-24F6-42BA-800C-F06C3F48E20D}" = PFXEngagement_UpdateFeb2009
"{89C1C750-3291-482C-8F28-D2B28BB33C4D}" = PPC Practice Aids Audits of Employee Benefit Plans (2-10)
"{8AD82171-8919-4302-8F19-BB78DE925D49}" = PPC SMART Practice Aids - Risk Assessment
"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders  (English) 12
"{90120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{6C870EC1-B845-49C4-93ED-868ECCEDD851}" =
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00D1-0409-0000-0000000FF1CE}" = Microsoft Office Access database engine 2007 (English)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{91490409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Primary Interop Assemblies
"{929408E6-D265-4174-805F-81D1D914E2A4}" = QuickTime
"{94F62345-0E7D-4CD2-B1CC-4F851016B239}" = PPC Practice Aids Audits of Nonpublic Companies (2-10)
"{9875BF9C-8565-4085-B6A4-5D8D838FB5C3}" = HP Deskjet 460
"{98FE3788-D2CD-4C7F-ACCF-E714BF13477C}" = PPC Practice Aids Single Audits (6-09)
"{9DE3F260-B88E-42CE-90E7-73C78C37D95E}" = 32 Bit HP BiDi Channel Components Installer
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A603C7FE-8546-4304-9658-E840EE7270D8}" = PPC Practice Aids PCAOB Audits (10-09)
"{A816264A-698B-49A3-BE87-E13886DD6C61}" = Webroot Client
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-1033-0000-BA7E-000000000003}" = Adobe Acrobat  8 Standard
"{ADF503FE-587E-4578-B2CE-0E00DF251F6E}" = PPC Practice Aids Nontraditional Engagements (10-09)
"{B639A4DE-A375-47D3-89C3-DDCF98D992F7}" = McAfee Agent
"{B8116E2A-541B-4CC0-9C31-B2A024420390}" = McAfee Endpoint Encryption for PC v6
"{BCB4C18A-ACA6-4383-8688-E19933A705DD}" = Microsoft SOAP Toolkit 3.0
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3AC6EC6-2A34-472B-AF3B-4D968AA798FA}" = PPC Practice Aids Audits of Nonpublic Companies (1-09)
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}" = Broadcom Gigabit Integrated Controller
"{D8AC5F33-34F9-4218-967A-50722FC171D5}" = PPC Practice Aids Audits of Local Governments (2-10)
"{DB9EC33B-1E8E-47FF-A87A-0927F8F1C4FC}" = PPC e-Practice Aids Audits of Nonpublic Companies (1-08)
"{E063B3E2-6641-4375-9F09-ADA9E589EB90}" = hp LaserJet 4250/4350/4240
"{E5787E55-FD1E-415A-AD83-72556ADFECA1}" = PPC Practice Aids Limited-Scope Audits of Standard 401(k) Plans (2-09)
"{E92A7FA0-E883-4EC2-9561-83CF57F9E769}" = PPC Practice Aids Compilation and Review Engagements (7-09)
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"{FE5875F0-F3C4-4E71-94F0-1A2E5BEA0DE9}" = PPC Practice Aids Audits of Nonpublic Companies (11-09)
"Adobe Acrobat  8 Standard" = Adobe Acrobat 8.1.6 Standard
"Adobe Acrobat  8 Standard_816" = Adobe Acrobat 8.1.6 - CPSID_49167
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Ask Toolbar_is1" = Ask Toolbar
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"Creative Solutions Practice" = Creative Solutions Practice
"GoToAssist" = GoToAssist Corporate
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"hp deskjet 460 series" = HP Deskjet 460 Series
"hp LaserJet 4250 4350 4240" = hp LaserJet 4250/4350/4240
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{929408E6-D265-4174-805F-81D1D914E2A4}" = QuickTime
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"MoffFreeCalc_is1" = Moffsoft FreeCalc
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PPC Library" = PPC Library
"RegCure" = RegCure 1.5.1.3
"STANDARD" = Microsoft Office Standard 2007
"Unlocker" = Unlocker 1.8.9
"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/17/2010 9:13:04 AM | Computer Name = NICHOLEM | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b).  The specified domain either does not exist
or could not be contacted.    Enrollment will not be performed.

Error - 5/17/2010 9:15:40 AM | Computer Name = NICHOLEM | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

[ Cisco AnyConnect VPN Client Events ]
Error - 4/29/2010 9:44:11 AM | Computer Name = NICHOLEM | Source = vpnagent | ID = 50331649
Description =   Function: CSocketTransport::readSocket  Return code: 0xFE1F000F  File:
.\IPC\IPCTransport.cpp  Line: 805  Description: SOCKETTRANSPORT_ERROR_TRANSPORT_FAILURE


Error - 4/29/2010 9:44:11 AM | Computer Name = NICHOLEM | Source = vpnagent | ID = 50331649
Description =   Function: CIpcTransport::OnSocketReadComplete  Return code: 0xFE1F000F
File:
.\IPC\IPCDepot.cpp  Line: 788  Description: SOCKETTRANSPORT_ERROR_TRANSPORT_FAILURE


Error - 4/29/2010 9:44:11 AM | Computer Name = NICHOLEM | Source = vpnagent | ID = 50331649
Description =   Function: WSASend  Return code: 10054  File: .\IPC\SocketTransport.cpp
Line:
1612  Description: An existing connection was forcibly closed by the remote host.



Error - 4/29/2010 9:44:11 AM | Computer Name = NICHOLEM | Source = vpnagent | ID = 50331649
Description =   Function: CSocketTransport::writeSocketBlocking  Return code: 0xFE1F000B
File:
.\IPC\IPCTransport.cpp  Line: 385  Description: SOCKETTRANSPORT_ERROR_WRITE  

Error - 4/29/2010 9:44:13 AM | Computer Name = NICHOLEM | Source = vpnagent | ID = 50331650
Description = Termination reason code 5:  The user is logging off the system.

Error - 4/29/2010 2:26:56 PM | Computer Name = NICHOLEM | Source = vpnagent | ID = 50331650
Description = Termination reason code 23:  Client PC is going into suspend mode (Sleep,
Hibernate, etc).

Error - 5/4/2010 10:18:55 PM | Computer Name = NICHOLEM | Source = vpnagent | ID = 50331650
Description = Termination reason code 23:  Client PC is going into suspend mode (Sleep,
Hibernate, etc).

Error - 5/5/2010 12:08:42 AM | Computer Name = NICHOLEM | Source = vpnagent | ID = 50331650
Description = Termination reason code 23:  Client PC is going into suspend mode (Sleep,
Hibernate, etc).

Error - 5/12/2010 12:11:08 PM | Computer Name = NICHOLEM | Source = vpnagent | ID = 50331650
Description = Termination reason code 7:  The agent has been stopped.

Error - 5/12/2010 12:11:08 PM | Computer Name = NICHOLEM | Source = vpnagent | ID = 50331649
Description =   Function: CVpnMgr::processEvents  Return code: 0  File: .\MainThread.cpp
Line:
997  Description:   fatal error, stopping service

[ OSession Events ]
Error - 11/20/2009 12:51:11 PM | Computer Name = NICHOLEM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 601
seconds with 300 seconds of active time.  This session ended with a crash.

Error - 11/30/2009 4:14:34 PM | Computer Name = NICHOLEM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 603
seconds with 360 seconds of active time.  This session ended with a crash.

Error - 11/30/2009 6:30:16 PM | Computer Name = NICHOLEM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1813
seconds with 120 seconds of active time.  This session ended with a crash.

Error - 12/1/2009 10:35:13 AM | Computer Name = NICHOLEM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 609
seconds with 180 seconds of active time.  This session ended with a crash.

Error - 12/3/2009 12:54:12 PM | Computer Name = NICHOLEM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 4762
seconds with 2280 seconds of active time.  This session ended with a crash.

Error - 12/9/2009 11:10:52 AM | Computer Name = NICHOLEM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1807
seconds with 1080 seconds of active time.  This session ended with a crash.

Error - 12/9/2009 5:13:19 PM | Computer Name = NICHOLEM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1280
seconds with 240 seconds of active time.  This session ended with a crash.

Error - 1/10/2010 12:48:43 PM | Computer Name = NICHOLEM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 179123
seconds with 1980 seconds of active time.  This session ended with a crash.

Error - 2/16/2010 1:07:45 PM | Computer Name = NICHOLEM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6341.5001, Microsoft Office Version: 12.0.4518.1014. This session lasted 20
seconds with 0 seconds of active time.  This session ended with a crash.

Error - 2/24/2010 9:30:58 AM | Computer Name = NICHOLEM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 3481
seconds with 360 seconds of active time.  This session ended with a crash.

[ System Events ]
Error - 5/14/2010 4:48:37 PM | Computer Name = NICHOLEM | Source = Service Control Manager | ID = 7023
Description = The Application Layer Gateway Servicess service terminated with the
following error:   %%126

Error - 5/14/2010 4:48:37 PM | Computer Name = NICHOLEM | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error:   %%2147500053

Error - 5/14/2010 4:50:11 PM | Computer Name = NICHOLEM | Source = Dhcp | ID = 1002
Description = The IP address lease 10.1.2.64 for the Network Card with network address
002170A3FBCB has been  denied by the DHCP server 192.168.1.1 (The DHCP Server sent
a DHCPNACK message).

Error - 5/14/2010 4:50:14 PM | Computer Name = NICHOLEM | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more  time sources, however none of the sources are currently accessible.   No attempt
to contact a source will be made for 15 minutes.  NtpClient has no source of accurate
time.

Error - 5/14/2010 4:51:50 PM | Computer Name = NICHOLEM | Source = Tcpip | ID = 4198
Description = The system detected an address conflict for IP address 208.67.222.222
with the system  having network hardware address 00:12:3F:4D:32:C7. The local interface
has been disabled.

Error - 5/17/2010 9:12:03 AM | Computer Name = NICHOLEM | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain MKLLP due to the following:
   %%1311.    Make sure that the computer is connected to the network and try  again. If
the problem persists, please contact your domain administrator.

Error - 5/17/2010 9:13:26 AM | Computer Name = NICHOLEM | Source = Service Control Manager | ID = 7023
Description = The Task Scheduler service terminated with the following error:   %%126

Error - 5/17/2010 9:13:28 AM | Computer Name = NICHOLEM | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error:   %%2147500053

Error - 5/17/2010 9:16:52 AM | Computer Name = NICHOLEM | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more  time sources, however none of the sources are currently accessible.   No attempt
to contact a source will be made for 14 minutes.  NtpClient has no source of accurate
time.

Error - 5/17/2010 9:23:23 AM | Computer Name = NICHOLEM | Source = Tcpip | ID = 4198
Description = The system detected an address conflict for IP address 208.67.222.222
with the system  having network hardware address 00:1C:23:03:9E:21. The local interface
has been disabled.


< End of report >
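The System Events section above records two things a responder would want to pull out of a log like this automatically: a DHCP NACK (Dhcp 1002, the server at 192.168.1.1 refusing lease 10.1.2.64) and two Tcpip 4198 address conflicts, on different days, for the same non-private address 208.67.222.222 (a public OpenDNS resolver address) against two different peer hardware addresses. The following is an added example, not part of the thread or of any tool used in it: a small parser for this "Error - date | Computer Name | Source | ID" layout with a triage step that flags conflicts on addresses a DHCP client on a LAN should never hold and groups the peer MACs seen per contested address. The three records in SAMPLE_EVENTS are constructed from the events above; nothing else is assumed.

```python
"""Correlate DHCP and TCP/IP address-conflict events from an event-log excerpt.

Added example (not from the thread). SAMPLE_EVENTS is a constructed copy of
three records from the System Events section above, in the same text layout.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_EVENTS = """\
Error - 5/14/2010 4:50:11 PM | Computer Name = NICHOLEM | Source = Dhcp | ID = 1002
Description = The IP address lease 10.1.2.64 for the Network Card with network address
002170A3FBCB has been  denied by the DHCP server 192.168.1.1 (The DHCP Server sent
a DHCPNACK message).

Error - 5/14/2010 4:51:50 PM | Computer Name = NICHOLEM | Source = Tcpip | ID = 4198
Description = The system detected an address conflict for IP address 208.67.222.222
with the system  having network hardware address 00:12:3F:4D:32:C7. The local interface
has been disabled.

Error - 5/17/2010 9:23:23 AM | Computer Name = NICHOLEM | Source = Tcpip | ID = 4198
Description = The system detected an address conflict for IP address 208.67.222.222
with the system  having network hardware address 00:1C:23:03:9E:21. The local interface
has been disabled.
"""

HEADER = re.compile(
    r"^(?P<level>\w+) - (?P<when>.+?) \| Computer Name = (?P<host>\S+)"
    r" \| Source = (?P<source>[^|]+?) \| ID = (?P<id>\d+)$"
)
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"


def parse_events(text):
    """One dict per record; the wrapped Description lines are joined into one string."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m:
            continue  # not an event header: skip the block
        rec = m.groupdict()
        rec["id"] = int(rec["id"])
        rec["source"] = rec["source"].strip()
        desc = " ".join(line.strip() for line in lines[1:])
        desc = desc.split("Description = ", 1)[-1]
        rec["description"] = re.sub(r"\s+", " ", desc)
        events.append(rec)
    return events


def address_conflicts(events):
    """(ip, peer_mac) for every Tcpip 4198 event: the address this host tried to
    hold and the hardware address of the other system that already holds it."""
    out = []
    for e in events:
        if e["source"] == "Tcpip" and e["id"] == 4198:
            ip = re.search(r"IP address " + IP, e["description"]).group(1)
            mac = re.search(r"hardware address " + MAC, e["description"]).group(1)
            out.append((ip, mac))
    return out


def dhcp_nacks(events):
    """(leased_ip, client_mac, server_ip) for every Dhcp 1002 DHCPNACK event."""
    pat = re.compile(r"lease " + IP + r" for the Network Card with network address "
                     r"([0-9A-Fa-f]{12}).*?DHCP server " + IP)
    out = []
    for e in events:
        if e["source"] == "Dhcp" and e["id"] == 1002:
            m = pat.search(e["description"])
            if m:
                out.append(m.groups())
    return out


def triage(text):
    """Group peer MACs per contested address and flag conflicts on non-private
    addresses, which no DHCP client on a LAN should be claiming."""
    events = parse_events(text)
    peers = defaultdict(set)
    for ip, mac in address_conflicts(events):
        peers[ip].add(mac)
    public = sorted(ip for ip in peers if not ipaddress.ip_address(ip).is_private)
    return {
        "conflicts": {ip: sorted(macs) for ip, macs in peers.items()},
        "public_conflicts": public,
        "dhcp_nacks": dhcp_nacks(events),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for ip in report["public_conflicts"]:
        print("conflict on non-private address", ip, "against", report["conflicts"][ip])
```

Run over the sample, the triage reports one contested address, 208.67.222.222, seen against two different peer MACs. A workstation claiming a public resolver address is not a network misconfiguration; it is the kind of finding that tells you to look at what on the host is manipulating interface addresses, and which other hosts on the segment log the same event.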


#4 Prologic08
  • Topic Starter
  • Members
  • 12 posts

Posted 17 May 2010 - 12:40 PM

I have also noticed that when I restart the computer, the network connects fine and there is no IP conflict. I can use Firefox to surf the internet without any problems. As soon as I click on Internet Explorer, it immediately disconnects from the network and then reconnects, and that is when I get the IP conflict. Internet Explorer is running something when you open it. Then the only way to get rid of the IP conflict is to close IE and disable and then re-enable the NIC card.

#5 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 17 May 2010 - 05:18 PM

Hi,

please run ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 Prologic08
  • Topic Starter
  • Members
  • 12 posts

Posted 18 May 2010 - 11:28 AM

ComboFix 10-05-16.05 - nmichalos 05/18/2010 10:18:59.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.529 [GMT -4:00]
Running from: c:\documents and settings\nmichalos.MKLLP\Desktop\ComboFix.exe
AV: Webroot Client Security *On-access scanning enabled* (Updated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Windows NT\{055EE59D-217B-43A7-ABFF-507B966405D8}\\Main2.dll
c:\program files\Windows NT\{055EE59D-217B-43A7-ABFF-507B966405D8}\\Maina.dll
c:\windows\hpig_WS2.dat
c:\windows\mfxixue.ini
c:\windows\mssoft.bat
c:\windows\my_sfc_os.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ES15DRV
-------\Legacy_ES19DRV
-------\Service_es15drv
-------\Service_es19drv


((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
.

2010-05-14 18:48 . 2010-05-11 20:09 19968 ----a-w- c:\windows\hackshen.exe
2010-05-14 14:06 . 2010-05-14 14:23 -------- d-----w- c:\documents and settings\nmichalos.MKLLP\DoctorWeb
2010-05-14 13:30 . 2010-05-14 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-14 13:30 . 2010-05-14 14:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-13 21:27 . 2010-05-13 21:27 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-05-13 21:27 . 2010-05-14 13:58 35104 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-13 21:27 . 2010-05-14 13:58 276000 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-13 21:23 . 2010-05-14 13:25 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-05-13 21:23 . 2010-05-14 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-05-13 21:23 . 2010-05-13 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2010-05-13 19:49 . 2010-05-13 19:49 -------- d-----w- c:\program files\Unlocker
2010-05-13 19:33 . 2010-05-13 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-13 19:33 . 2010-05-14 13:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-13 19:18 . 2010-05-13 19:18 -------- d-----w- c:\documents and settings\nmichalos.MKLLP\Local Settings\Application Data\Downloaded Installations
2010-05-13 18:42 . 2010-05-13 18:42 -------- d-----w- C:\VundoFix Backups
2010-05-12 17:38 . 2010-05-12 17:38 -------- d-----w- c:\program files\Broadcom
2010-05-12 16:26 . 2008-04-14 00:11 792064 ----a-w- c:\windows\system32\comres.dll
2010-05-12 16:08 . 2010-05-12 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-05-12 16:07 . 2010-05-12 16:07 -------- d-----w- c:\program files\Webroot
2010-05-12 15:39 . 2010-05-12 15:39 -------- d-----w- c:\documents and settings\nmichalos.MKLLP\Application Data\Malwarebytes
2010-05-12 15:39 . 2010-05-12 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-12 08:37 . 2010-05-12 08:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-12 08:36 . 2010-05-12 08:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PowerDVD DX
2010-04-19 14:09 . 2010-04-19 14:09 -------- d-----w- c:\documents and settings\nmichalos.MKLLP\Local Settings\Application Data\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-14 13:58 . 2010-05-13 21:27 15824 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-14 13:58 . 2010-05-13 21:27 4772 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-12 15:57 . 2007-08-21 13:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-12 15:57 . 2007-08-21 13:57 -------- d-----w- c:\program files\Symantec
2010-05-12 15:56 . 2007-08-21 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-12 08:36 . 2007-08-17 18:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-11 20:09 . 2006-02-28 12:00 19968 ------w- c:\windows\system32\ctfmon.exe
2010-05-06 09:32 . 2009-03-23 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-04-14 14:09 . 2010-03-15 13:41 79488 ----a-w- c:\documents and settings\nmichalos.MKLLP\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-31 13:15 . 2010-03-15 13:26 28856 ----a-w- c:\documents and settings\nmichalos.MKLLP\Application Data\Cisco\Cisco AnyConnect VPN Client\Cache\inst.exe
2010-03-23 15:50 . 2007-08-21 14:50 -------- d-----w- c:\program files\Snapshot Viewer
2010-03-15 13:41 . 2010-03-15 13:41 40720 ----a-w- c:\documents and settings\nmichalos.MKLLP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 13:21 . 2010-03-15 13:21 14008 ----a-w- c:\documents and settings\nmichalos.MKLLP\Application Data\Cisco\Cisco HostScan\bin\libdesktop.dll
2010-03-15 13:21 . 2010-03-15 13:21 45240 ----a-w- c:\documents and settings\nmichalos.MKLLP\Application Data\Cisco\Cisco HostScan\bin\hostscan.exe
2010-03-15 13:21 . 2010-03-15 13:21 28856 ----a-w- c:\documents and settings\nmichalos.MKLLP\Application Data\Cisco\Cisco Secure Desktop\Cache\Temp8-P00h\CSDWebLaunch.exe
2010-03-03 20:32 . 2010-03-02 19:55 5269841 ----a-w- c:\windows\FramePkg.exe
.

------- Sigcheck -------

[-] 2010-05-11 20:09 . 5C5B747BFC9AF2EC4DC0BF8458EF4977 . 19968 . . [------] . . c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 21:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPort10reminder"="c:\program files\ScanSoft\PaperPort\Ereg\ereg.exe" [2005-06-03 729088]
"WebrootClientUI"="c:\program files\Webroot\Client\SpySweeperUI.EXE" [2009-08-25 435624]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 136600]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-25 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2006-03-02 36864]
"MfeEpePcMonitor"="c:\program files\McAfee\Endpoint Encryption for PC v6\EpePcMonitor.exe" [2010-01-21 139264]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2006-03-02 40960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2009-02-04 78848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PfxPDFConvertService.exe.lnk - c:\pfx engagement\WM\PfxPDFConvertService.exe [2008-11-14 173568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-09 18:57 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 MfeEpePc;MfeEpePc;c:\windows\system32\drivers\MfeEpePc.sys [1/21/2010 1:13 PM 113864]
R0 ssfs0bbc;Spy Sweeper File System Filter Driver: 0BBC;c:\windows\system32\drivers\ssfs0bbc.sys [8/25/2009 9:50 AM 30136]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 7:00 AM 26624]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe [1/21/2010 12:53 PM 819200]
R2 MSSQL$PROFXENGAGEMENT;SQL Server (PROFXENGAGEMENT);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 5:29 AM 29178224]
R2 MSSQL$TOCTTARGPPC05;SQL Server (TOCTTARGPPC05);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [11/24/2008 11:31 PM 29263712]
R2 PFXEngDesktopService;PFXEngDesktopService;c:\pfx engagement\Common\PFXEngDesktopService.exe [11/14/2008 3:34 PM 428032]
R2 PFXSYNPFTService;PFXSYNPFTService;c:\pfx engagement\Common\PFXSYNPFTService.exe [11/14/2008 3:32 PM 436736]
R2 TIRmtCtl;Track-It! Remote Control;c:\windows\TIREMOTE\wuser32.exe [9/12/2007 1:31 PM 311374]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [9/12/2007 1:31 PM 212480]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 7:00 AM 3712]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S3 WIMASvc;OnDemand WinINSTALL Master Agent;c:\program files\OnDemand\WinINSTALL\Bin\WIMASvc.exe [2/7/2007 1:59 AM 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
es0drv
es1drv
es2drv
es3drv
es4drv
es5drv
es6drv
es7drv
es8drv
es9drv
esadrv
esbdrv
escdrv
esddrv
esedrv
esfdrv
es10drv
es11drv
es12drv
es13drv
es14drv
es16drv
es17drv
es18drv
es1adrv
es1bdrv
.
.
------- Supplementary Scan -------
.
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\sftus.one
Trusted Zone: remote
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.mkllp.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://192.168.7.2/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {F589CCFE-5DCE-4009-844F-61433375F69B} - hxxps://transfer.marcumllp.com/COM/MOVEitUploadWizard6.5.0.ocx
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-18 10:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDLL"="%SystemRoot%\System32\dmadman.dll\00|\04\15\00`@\00\00\00\00%'s?
[\00D\00\00\00g\1e@\00\12\00c\"sxs\00\00\00\04\15\00`@\00N'sl?[\00\1f@\00@\12\00,@@\00N|\00\00\00\00\12\00\"@\00"

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\program files\McAfee\Endpoint Encryption for PC v6\EpePcGina.Dll
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(1436)
c:\windows\system32\WININET.dll
c:\program files\Unlocker\UnlockerHook.dll
c:\windows\system32\ieframe.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\DWRCS.EXE
c:\windows\system32\hasplms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Visioneer\OneTouch 4.0\OtService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\StacSV.exe
c:\program files\Webroot\Client\commagent.exe
c:\program files\Webroot\Client\spysweeper.exe
c:\program files\Webroot\Client\SSU.EXE
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-05-18 10:48:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-18 14:48
ComboFix2.txt 2010-05-14 19:28

Pre-Run: 47,290,773,504 bytes free
Post-Run: 47,279,202,304 bytes free

- - End Of File - - AC4F661B7C3D5815785AF48CCEBCFF58

Attached Files

  • Attached File  log.txt   15.93KB   5 downloads


#7 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 18 May 2010 - 11:43 AM

Hi,

please upload the following file to virustotal:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the file listed below in bold, then click Submit.

c:\windows\system32\ctfmon.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

When we next run ComboFix, please make sure to install the recovery console.

regards myrti



#8 Prologic08
  • Topic Starter
  • Members
  • 12 posts

Posted 18 May 2010 - 02:13 PM

http://virusscan.jotti.org/en/scanresult/2...9972d39a4e7f0c2

#9 Prologic08
  • Topic Starter
  • Members
  • 12 posts

Posted 18 May 2010 - 02:16 PM

File ctfmon.exe received on 2010.05.18 19:14:25 (UTC)

Result: 12/41 (29.27%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 -
AhnLab-V3 2010.05.18.01 2010.05.18 -
AntiVir 8.2.1.242 2010.05.18 TR/Vundo.Gen
Antiy-AVL 2.0.3.7 2010.05.18 -
Authentium 5.2.0.5 2010.05.18 -
Avast 4.8.1351.0 2010.05.18 Win32:Bifrose-CBR
Avast5 5.0.332.0 2010.05.18 Win32:Bifrose-CBR
AVG 9.0.0.787 2010.05.18 -
BitDefender 7.2 2010.05.18 -
CAT-QuickHeal 10.00 2010.05.18 -
ClamAV 0.96.0.3-git 2010.05.18 -
Comodo 4875 2010.05.18 -
DrWeb 5.0.2.03300 2010.05.18 WIN.WORM.Virus
eSafe 7.0.17.0 2010.05.17 -
eTrust-Vet 35.2.7497 2010.05.18 -
F-Prot 4.5.1.85 2010.05.18 -
F-Secure 9.0.15370.0 2010.05.18 -
Fortinet 4.1.133.0 2010.05.18 -
GData 21 2010.05.18 Win32:Bifrose-CBR
Ikarus T3.1.1.84.0 2010.05.18 -
Jiangmin 13.0.900 2010.05.18 -
Kaspersky 7.0.0.125 2010.05.18 -
McAfee 5.400.0.1158 2010.05.18 -
McAfee-GW-Edition 2010.1 2010.05.18 Heuristic.LooksLike.Win32.SuspiciousPE.J
Microsoft 1.5802 2010.05.18 Worm:Win32/Chiviper.A
NOD32 5125 2010.05.18 probably a variant of Win32/Genetik
Norman 6.04.12 2010.05.18 -
nProtect 2010-05-18.01 2010.05.18 -
Panda 10.0.2.7 2010.05.18 Trj/CI.A
PCTools 7.0.3.5 2010.05.18 -
Prevx 3.0 2010.05.18 -
Rising 22.48.01.02 2010.05.18 Trojan.Win32.Generic.5202A559
Sophos 4.53.0 2010.05.18 Sus/UnkPacker
Sunbelt 6318 2010.05.18 Trojan.Win32.Generic!BT
Symantec 20101.1.0.89 2010.05.18 -
TheHacker 6.5.2.0.281 2010.05.17 -
TrendMicro 9.120.0.1004 2010.05.18 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.18 -
VBA32 3.12.12.5 2010.05.18 -
ViRobot 2010.5.18.2322 2010.05.18 -
VirusBuster 5.0.27.0 2010.05.18 -
Additional information
File size: 19968 bytes
MD5...: 5c5b747bfc9af2ec4dc0bf8458ef4977
SHA1..: 5ed9b54bd9f1d94e863a06ac75275632568521b3
SHA256: 747581bef217d382597f28de37f8343f7be2ef893ac90f276a2caac90713eb84
ssdeep: 384:COggKGHQNdMnnFsqYDbr2peEzDnBD384vOVtm7CDOqvW7y3Rac6:COgswOut
P2ptzzBY4vOqwOqu7yk

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x746a
timedatestamp.....: 0x4be252b2 (Thu May 06 05:25:06 2010)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
aaaa 0x1000 0x1317 0x1400 5.97 b6671cd7ba7d14971a63c02200924f9b
cccc 0x3000 0x392 0x400 5.61 18034fb90be54fdb39c939e815dfe9c4
dddd 0x4000 0x605 0x800 5.00 eb359ff98fd9dd83776a034e101c36b5
bbbb 0x5000 0x406 0x600 4.61 0a431c400f1588053991d33e503a869d
rdata 0x6000 0x2524 0x1a00 4.37 75545174a4ea08d55304827299a9018d
.rdata 0x9000 0x884 0xa00 4.62 e4cb12aff454249078147d51a843004b

( 3 imports )
> KERNEL32.dll: HeapFree, HeapAlloc, GetProcessHeap, Sleep, CreateThread, GetCurrentThreadId, CloseHandle, GetLastError, CreateMutexA, WinExec, TerminateProcess, OpenProcess, Process32Next, Process32First, CreateToolhelp32Snapshot, DeleteFileA, CopyFileA, GetCurrentDirectoryA, GetSystemDirectoryA, GetModuleFileNameA, FindClose, lstrcmpA, FindNextFileA, FindFirstFileA, lstrcatA, lstrcpyA, GetLogicalDriveStringsA, GetProcAddress, LoadLibraryA, GetLocalTime, GetTempPathA, GetWindowsDirectoryA, ExpandEnvironmentStringsA, RaiseException, InterlockedExchange, LocalAlloc, FreeLibrary
> MSVCRT.dll: fopen, printf, fwrite, fread, fseek, rand, srand, time, fgets, _exit, _XcptFilter, __p___initenv, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, __2@YAPAXI@Z, exit, fclose, fputs, sprintf
> iphlpapi.dll: AddIPAddress, GetInterfaceInfo

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/...-021223-0550-99
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
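Three pieces of the report above are worth checking mechanically rather than by eye: the detection ratio (12 of 41 engines on the full table), whether the MD5 and size VirusTotal reports match what ComboFix's sigcheck line recorded for the on-disk c:\windows\system32\ctfmon.exe (5C5B747BFC9AF2EC4DC0BF8458EF4977, 19968 bytes, flagged "[-]" and reported here as unsigned), and what the import table says the file can do. The following is an added example, not from the thread or from VirusTotal: a parser for the pasted text layout plus a coarse import-to-capability tagger. VT_REPORT is a constructed, abbreviated copy of the report above (same layout, fewer engine rows); SIGCHECK_LINE is the ctfmon.exe line from the earlier ComboFix log; the capability tags are my own heuristic labels, not a vendor classification.

```python
"""Triage a pasted VirusTotal text report against a ComboFix sigcheck line.

Added example (not from the thread). VT_REPORT is a constructed, abbreviated
copy of the pasted report; SIGCHECK_LINE is the ctfmon.exe line from the
ComboFix log above. CAPABILITY_TAGS is a heuristic of my own.
"""
import re

VT_REPORT = """\
Antivirus Version Last Update Result
AntiVir 8.2.1.242 2010.05.18 TR/Vundo.Gen
Avast 4.8.1351.0 2010.05.18 Win32:Bifrose-CBR
AVG 9.0.0.787 2010.05.18 -
Microsoft 1.5802 2010.05.18 Worm:Win32/Chiviper.A
NOD32 5125 2010.05.18 probably a variant of Win32/Genetik
Symantec 20101.1.0.89 2010.05.18 -
Additional information
File size: 19968 bytes
MD5...: 5c5b747bfc9af2ec4dc0bf8458ef4977
SHA1..: 5ed9b54bd9f1d94e863a06ac75275632568521b3

( 3 imports )
> KERNEL32.dll: CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, TerminateProcess, WinExec, GetLogicalDriveStringsA, FindFirstFileA, FindNextFileA, CopyFileA, DeleteFileA
> MSVCRT.dll: fopen, fwrite, sprintf
> iphlpapi.dll: AddIPAddress, GetInterfaceInfo
"""

SIGCHECK_LINE = (r"[-] 2010-05-11 20:09 . 5C5B747BFC9AF2EC4DC0BF8458EF4977 . 19968 . . "
                 r"[------] . . c:\windows\system32\ctfmon.exe")

# engine, version, update date (yyyy.mm.dd), result (may contain spaces)
AV_ROW = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")

# Heuristic: a tag applies only when every API in its set is imported.
CAPABILITY_TAGS = {
    "process-enumeration-and-kill": {"CreateToolhelp32Snapshot", "Process32First",
                                     "Process32Next", "OpenProcess", "TerminateProcess"},
    "drive-walk-and-copy": {"GetLogicalDriveStringsA", "FindFirstFileA",
                            "FindNextFileA", "CopyFileA"},
    "adds-local-ip-address": {"AddIPAddress", "GetInterfaceInfo"},
    "launches-program": {"WinExec"},
}


def parse_av_table(text):
    """[(engine, result)] from the rows between the table header and 'Additional information'."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Antivirus Version"):
            in_table = True
            continue
        if line.startswith("Additional information"):
            break
        m = AV_ROW.match(line) if in_table else None
        if m:
            rows.append((m.group(1), m.group(4)))
    return rows


def detection_ratio(text):
    """(engines that returned a verdict, engines listed); '-' means no detection."""
    rows = parse_av_table(text)
    return sum(1 for _, result in rows if result != "-"), len(rows)


def parse_hashes(text):
    """MD5, SHA1 (lower-cased) and size from the 'Additional information' block."""
    md5 = re.search(r"MD5\.*: ([0-9a-fA-F]{32})", text)
    sha1 = re.search(r"SHA1\.*: ([0-9a-fA-F]{40})", text)
    size = re.search(r"File size: (\d+) bytes", text)
    return {
        "md5": md5.group(1).lower() if md5 else None,
        "sha1": sha1.group(1).lower() if sha1 else None,
        "size": int(size.group(1)) if size else None,
    }


def parse_imports(text):
    """{dll: [api, ...]} from the '> DLL: a, b, c' lines."""
    imports = {}
    for line in text.splitlines():
        m = re.match(r"^> (\S+): (.+)$", line)
        if m:
            imports[m.group(1)] = [name.strip() for name in m.group(2).split(",")]
    return imports


def capability_tags(imports):
    """Sorted heuristic tags whose whole API set appears in the import table."""
    names = {name for api_list in imports.values() for name in api_list}
    return sorted(tag for tag, apis in CAPABILITY_TAGS.items() if apis <= names)


def matches_sigcheck(vt_text, sigcheck_line):
    """True when the MD5 and size ComboFix recorded for the on-disk file equal VT's."""
    m = re.search(r"([0-9A-Fa-f]{32}) \. (\d+)", sigcheck_line)
    if not m:
        return False
    h = parse_hashes(vt_text)
    return m.group(1).lower() == h["md5"] and int(m.group(2)) == h["size"]


if __name__ == "__main__":
    hits, total = detection_ratio(VT_REPORT)
    print("detections: %d/%d" % (hits, total))
    print("same file ComboFix saw:", matches_sigcheck(VT_REPORT, SIGCHECK_LINE))
    print("capabilities:", capability_tags(parse_imports(VT_REPORT)))
```

The hash cross-check matters because it confirms that the file the scanners judged is the same one ComboFix flagged on disk, not a copy that changed in between. The iphlpapi AddIPAddress/GetInterfaceInfo pair is consistent with the address-conflict symptom in the earlier System Events, and the drive-walk plus copy set is consistent with several engines calling the sample a worm; the tags are a prompt for analysis, not proof of behaviour.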


#10 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 18 May 2010 - 05:23 PM

Hi,

Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/316843/ip-conflict-limited-or-no-connectivity-svchostexe-comresdll-baiducom/
Collect::
c:\windows\system32\ctfmon.exe
suspect::
c:\windows\hackshen.exe
netsvc::
es0drv
es1drv
es2drv
es3drv
es4drv
es5drv
es6drv
es7drv
es8drv
es9drv
esadrv
esbdrv
escdrv
esddrv
esedrv
esfdrv
es10drv
es11drv
es12drv
es13drv
es14drv
es16drv
es17drv
es18drv
es1adrv
es1bdrv


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

regards myrti



#11 Prologic08
  • Topic Starter
  • Members
  • 12 posts

Posted 19 May 2010 - 08:49 AM

ComboFix 10-05-17.05 - nmichalos 05/19/2010 9:04.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1191 [GMT -4:00]
Running from: c:\documents and settings\nmichalos.MKLLP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\nmichalos.MKLLP\Desktop\CFScript.txt
AV: Webroot Client Security *On-access scanning enabled* (Updated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}
* Resident AV is active


file zipped: c:\windows\system32\ctfmon.exe
file zipped: c:\windows\hackshen.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\hpig_WS2.dat
c:\windows\mfxixue.ini
c:\windows\mssoft.bat
c:\windows\my_sfc_os.dll
c:\windows\system32\ctfmon.exe
c:\windows\Tasks\ע.bat

.
((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))
.

2010-05-14 18:48 . 2010-05-11 20:09 19968 ----a-w- c:\windows\hackshen.exe
2010-05-14 14:06 . 2010-05-14 14:23 -------- d-----w- c:\documents and settings\nmichalos.MKLLP\DoctorWeb
2010-05-14 13:30 . 2010-05-14 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-14 13:30 . 2010-05-14 14:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-13 21:27 . 2010-05-13 21:27 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-05-13 21:27 . 2010-05-14 13:58 35104 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-13 21:27 . 2010-05-14 13:58 276000 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-13 21:23 . 2010-05-14 13:25 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-05-13 21:23 . 2010-05-14 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-05-13 21:23 . 2010-05-13 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2010-05-13 19:49 . 2010-05-13 19:49 -------- d-----w- c:\program files\Unlocker
2010-05-13 19:33 . 2010-05-13 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-13 19:33 . 2010-05-14 13:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-13 19:18 . 2010-05-13 19:18 -------- d-----w- c:\documents and settings\nmichalos.MKLLP\Local Settings\Application Data\Downloaded Installations
2010-05-13 18:42 . 2010-05-13 18:42 -------- d-----w- C:\VundoFix Backups
2010-05-12 17:38 . 2010-05-12 17:38 -------- d-----w- c:\program files\Broadcom
2010-05-12 16:26 . 2008-04-14 00:11 792064 ----a-w- c:\windows\system32\comres.dll
2010-05-12 16:08 . 2010-05-12 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-05-12 16:07 . 2010-05-12 16:07 -------- d-----w- c:\program files\Webroot
2010-05-12 15:39 . 2010-05-12 15:39 -------- d-----w- c:\documents and settings\nmichalos.MKLLP\Application Data\Malwarebytes
2010-05-12 15:39 . 2010-05-12 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-12 08:37 . 2010-05-12 08:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-12 08:36 . 2010-05-12 08:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PowerDVD DX
2010-04-19 14:09 . 2010-04-19 14:09 -------- d-----w- c:\documents and settings\nmichalos.MKLLP\Local Settings\Application Data\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-14 13:58 . 2010-05-13 21:27 15824 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-14 13:58 . 2010-05-13 21:27 4772 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-12 15:57 . 2007-08-21 13:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-12 15:57 . 2007-08-21 13:57 -------- d-----w- c:\program files\Symantec
2010-05-12 15:56 . 2007-08-21 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-12 08:36 . 2007-08-17 18:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-06 09:32 . 2009-03-23 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-04-14 14:09 . 2010-03-15 13:41 79488 ----a-w- c:\documents and settings\nmichalos.MKLLP\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-31 13:15 . 2010-03-15 13:26 28856 ----a-w- c:\documents and settings\nmichalos.MKLLP\Application Data\Cisco\Cisco AnyConnect VPN Client\Cache\inst.exe
2010-03-23 15:50 . 2007-08-21 14:50 -------- d-----w- c:\program files\Snapshot Viewer
2010-03-15 13:41 . 2010-03-15 13:41 40720 ----a-w- c:\documents and settings\nmichalos.MKLLP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 13:21 . 2010-03-15 13:21 14008 ----a-w- c:\documents and settings\nmichalos.MKLLP\Application Data\Cisco\Cisco HostScan\bin\libdesktop.dll
2010-03-15 13:21 . 2010-03-15 13:21 45240 ----a-w- c:\documents and settings\nmichalos.MKLLP\Application Data\Cisco\Cisco HostScan\bin\hostscan.exe
2010-03-15 13:21 . 2010-03-15 13:21 28856 ----a-w- c:\documents and settings\nmichalos.MKLLP\Application Data\Cisco\Cisco Secure Desktop\Cache\Temp8-P00h\CSDWebLaunch.exe
2010-03-03 20:32 . 2010-03-02 19:55 5269841 ----a-w- c:\windows\FramePkg.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 21:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPort10reminder"="c:\program files\ScanSoft\PaperPort\Ereg\ereg.exe" [2005-06-03 729088]
"WebrootClientUI"="c:\program files\Webroot\Client\SpySweeperUI.EXE" [2009-08-25 435624]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 136600]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-25 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2006-03-02 36864]
"MfeEpePcMonitor"="c:\program files\McAfee\Endpoint Encryption for PC v6\EpePcMonitor.exe" [2010-01-21 139264]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2006-03-02 40960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2009-02-04 78848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PfxPDFConvertService.exe.lnk - c:\pfx engagement\WM\PfxPDFConvertService.exe [2008-11-14 173568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-09 18:57 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 MfeEpePc;MfeEpePc;c:\windows\system32\drivers\MfeEpePc.sys [1/21/2010 1:13 PM 113864]
R0 ssfs0bbc;Spy Sweeper File System Filter Driver: 0BBC;c:\windows\system32\drivers\ssfs0bbc.sys [8/25/2009 9:50 AM 30136]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 7:00 AM 26624]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe [1/21/2010 12:53 PM 819200]
R2 MSSQL$PROFXENGAGEMENT;SQL Server (PROFXENGAGEMENT);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 5:29 AM 29178224]
R2 MSSQL$TOCTTARGPPC05;SQL Server (TOCTTARGPPC05);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [11/24/2008 11:31 PM 29263712]
R2 PFXEngDesktopService;PFXEngDesktopService;c:\pfx engagement\Common\PFXEngDesktopService.exe [11/14/2008 3:34 PM 428032]
R2 PFXSYNPFTService;PFXSYNPFTService;c:\pfx engagement\Common\PFXSYNPFTService.exe [11/14/2008 3:32 PM 436736]
R2 TIRmtCtl;Track-It! Remote Control;c:\windows\TIREMOTE\wuser32.exe [9/12/2007 1:31 PM 311374]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [9/12/2007 1:31 PM 212480]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 7:00 AM 3712]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S3 WIMASvc;OnDemand WinINSTALL Master Agent;c:\program files\OnDemand\WinINSTALL\Bin\WIMASvc.exe [2/7/2007 1:59 AM 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\sftus.one
Trusted Zone: remote
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.mkllp.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://192.168.7.2/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {F589CCFE-5DCE-4009-844F-61433375F69B} - hxxps://transfer.marcumllp.com/COM/MOVEitUploadWizard6.5.0.ocx
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-19 09:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDLL"="%SystemRoot%\System32\dmadman.dll\00|\04\15\00`@\00\00\00\00%'s?
[\00D\00\00\00g\1e@\00\12\00c\"sxs\00\00\00\04\15\00`@\00N'sl?[\00\1f@\00@\12\00,@@\00N|\00\00\00\00\12\00\"@\00"

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\program files\McAfee\Endpoint Encryption for PC v6\EpePcGina.Dll
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-05-19 09:16:38
ComboFix-quarantined-files.txt 2010-05-19 13:16
ComboFix2.txt 2010-05-18 14:48
ComboFix3.txt 2010-05-14 19:28

Pre-Run: 47,252,865,024 bytes free
Post-Run: 47,243,751,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 99BE9D5D0DE65B7325C248EB3FE4D296


#12 Prologic08

Prologic08
  • Topic Starter

  • Members
  • 12 posts

Posted 19 May 2010 - 08:54 AM

After Combofix finished I got a popup saying Windows File Protection and to insert the XP CD.


#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 19 May 2010 - 10:41 AM

Hi,

Do you have your Windows CD handy?

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook and copy/paste the following into the box:
    CODE
    :filefind
    dmadman.dll
  • Hit the Look button. Let it finish the scan.
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
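The check myrti is doing by hand with "filefind dmadman.dll", generalised to the whole box: an added PowerShell audit (my own code, not the thread's, ComboFix's or SystemLook's) that lists every svchost-hosted ServiceDll whose file is missing or sits outside System32, plus any svchost.exe outside the folders Windows keeps it in. It assumes PowerShell is installed on the machine being examined and that it is run from an elevated prompt; the exclusion list is my own.

```powershell
# Added example (not code from the thread, ComboFix or SystemLook).
# Run in an elevated PowerShell prompt on the machine being examined.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = Join-Path $env:SystemRoot 'System32'

function Get-SuspiciousServiceDll {
    # For every service with a Parameters\ServiceDll value (the DLL that
    # svchost.exe loads on its behalf), report DLLs that are missing from
    # disk or that live outside System32. A ServiceDll whose file is gone,
    # like dmadman.dll in the ComboFix log above, leaves an orphaned
    # service entry that most scanners do not flag.
    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $params = "$($svc.PSPath)\Parameters"
        $value  = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $value) { continue }
        # Cut at the first NUL in case the value is corrupt (the log shows
        # binary junk after the .dll), then expand %SystemRoot% and friends.
        $path   = [Environment]::ExpandEnvironmentVariables($value.Split([char]0)[0]).Trim()
        $reason = $null
        if (-not (Test-Path -LiteralPath $path)) {
            $reason = 'ServiceDll file not found'
        } elseif ((Split-Path $path -Parent) -ne $system32) {
            # Third-party services legitimately load from Program Files;
            # this is a review list, not a verdict.
            $reason = 'ServiceDll outside System32'
        }
        if ($reason) {
            New-Object PSObject -Property @{
                Service = $svc.PSChildName; ServiceDll = $path; Reason = $reason }
        }
    }
}

function Get-StraySvchost {
    # Copies of svchost.exe outside the locations Windows keeps them in
    # (the poster found one in System32\Coms). Service-pack, dllcache and
    # WinSxS copies are expected and excluded here.
    $expected = '\\(System32|SysWOW64|System32\\dllcache|ServicePackFiles\\i386|WinSxS\\[^\\]+)$'
    Get-ChildItem -Path $env:SystemRoot -Filter svchost.exe -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectoryName -notmatch $expected } |
        Select-Object FullName, Length, LastWriteTime
}

Get-SuspiciousServiceDll | Format-Table -AutoSize
Get-StraySvchost         | Format-Table -AutoSize
```

Anything reported as "file not found" is the registry half of what SystemLook's "No files found" confirms on disk; the service entry itself still needs removing or the system file restored.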


#14 Prologic08

Prologic08
  • Topic Starter

  • Members
  • 12 posts

Posted 19 May 2010 - 02:05 PM

I have my XP CD.




SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:56 on 19/05/2010 by nmichalos (Limited User)

========== filefind ==========

Searching for "dmadman.dll"
No files found.

-=End Of File=-

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 19 May 2010 - 02:16 PM

Hi,

Then please run a file integrity check:
Go to the Run box on the Start Menu and type in:

sfc /scannow

Make sure to include the space between the first "c" and the "/".

This will run the System File checker and it will scan for corrupt or missing files. It may prompt you to insert the CD if it needs to obtain files.

Please post back when it has finished letting me know what it has reported.

More info on this process can be found here.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 
