
Down Almost 2 weeks--still not sure what I have


  • This topic is locked
39 replies to this topic

#1 sneal

sneal

  • Members
  • 26 posts
  • OFFLINE
  • Local time:02:02 AM

Posted 24 May 2010 - 12:00 AM

Was asked to repost due to issue not resolved.

From original posting of May 15:

I changed ISPs last week due to a move. Left my current antivirus protection running while I waited for a security code to be snail-mailed to me. Needed security code to be able to download the ISP's "Security Suite." (Using Charter internet, and was trying to download and use their "security suite.")

Entered security code, and download started. During download, several popups that looked like part of the "security suite" announced that sections of my previous antivirus software were being removed. (Popups looked legit--same color shading, same size, etc.) I was concerned, but let the program run on. After restart, I received the "NT/Authority System" and "Remote Procedure Call (RPC)" error/shutdown message. So, down we went.

I've been able to restart in SafeMode (top of screen shows "Microsoft Windows XP (Build 2600.xpsp_sp3_gdr.100216: Service Pack 3)"--if that's to be trusted), and I've been able to do the "shutdown -a" command through DOS, but everything else I've attempted has not worked. All of my antivirus software seems to be gone. The "task bar" (?) at the bottom of the screen is visible, but I can't pull it up to be able to use it. I cannot get to the "Start" button, and the Windows key does nothing. Any attempt to run antivirus software from a CD leads to a shutdown. I do not have access to an internet connection on the infected computer because it looks like Firefox and MS Explorer were both wiped off the computer.

Many attempts to run DDS, Gmer, etc. were unsuccessful. Was advised to boot with Hiren's Boot CD 10.4, and was able to boot loading "Mini Windows." Posted DDS on 5/20.

Here is today's DDS:


DDS_BootCD_Version (Ver_09-10-04.01) - NTFSx86
Run at 11:21:10.39 on Sat 05/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

============== Pseudo HJT Report ===============

S-1-5-21-776561741-1580818891-839522115-501_Search Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
S-1-5-21-776561741-1580818891-839522115-501_Search Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearch Page =
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
S-1-5-21-776561741-1580818891-839522115-1005_URLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
S-1-5-21-776561741-1580818891-839522115-1005_URLSearchHooks: : {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
S-1-5-21-776561741-1580818891-839522115-1005_URLSearchHooks: H - No File
S-1-5-21-776561741-1580818891-839522115-1005_URLSearchHooks: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\momma\local settings\application data\cyberdefender\cdmyidd.dll
S-1-5-21-776561741-1580818891-839522115-1005_URLSearchHooks: Total Gym Toolbar: {a2a2d97b-96d0-4a2f-a7d1-eed992f1696b} - c:\program files\total_gym\tbTot0.dll
S-1-5-21-776561741-1580818891-839522115-1005_URLSearchHooks: H - No File
S-1-5-21-776561741-1580818891-839522115-1007_URLSearchHooks: H - No File
S-1-5-21-776561741-1580818891-839522115-1007_URLSearchHooks: H - No File
S-1-5-21-776561741-1580818891-839522115-1007_URLSearchHooks: H - No File
S-1-5-21-776561741-1580818891-839522115-1007_URLSearchHooks: H - No File
S-1-5-21-776561741-1580818891-839522115-1007_URLSearchHooks: : {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\momma\local settings\application data\cyberdefender\cdmyidd.dll
BHO: Total Gym Toolbar: {a2a2d97b-96d0-4a2f-a7d1-eed992f1696b} - c:\program files\total_gym\tbTot0.dll
BHO: Browsing Protection Class: {c6867eb7-8350-4856-877f-93cf8ae3dc9c} - c:\program files\charter security suite\nrs\iescript\baselitmus.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\momma\local settings\application data\cyberdefender\cdmyidd.dll
BHO: Total Gym Toolbar: {a2a2d97b-96d0-4a2f-a7d1-eed992f1696b} - c:\program files\total_gym\tbTot0.dll
BHO: Browsing Protection Class: {c6867eb7-8350-4856-877f-93cf8ae3dc9c} - c:\program files\charter security suite\nrs\iescript\baselitmus.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\momma\local settings\application data\cyberdefender\cdmyidd.dll
TB: Total Gym Toolbar: {a2a2d97b-96d0-4a2f-a7d1-eed992f1696b} - c:\program files\total_gym\tbTot0.dll
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
S-1-5-21-776561741-1580818891-839522115-1005_Run: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
S-1-5-21-776561741-1580818891-839522115-1005_Run: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
S-1-5-21-776561741-1580818891-839522115-1005_Run: [ctfmon.exe] c:\windows\system32\ctfmon.exe
S-1-5-21-776561741-1580818891-839522115-1005_Run: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
S-1-5-21-776561741-1580818891-839522115-1007_Run: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
S-1-5-21-776561741-1580818891-839522115-1007_Run: [ctfmon.exe] c:\windows\system32\ctfmon.exe
S-1-5-21-776561741-1580818891-839522115-1007_Run: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
S-1-5-21-776561741-1580818891-839522115-1007_RunOnce: [AVG Security Toolbar_updatecleanup] "c:\program files\avg\avg8\toolbar\ToolbarBroker.exe" /CLEANUP
S-1-5-21-776561741-1580818891-839522115-1008_Run: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SnoopFreeUI] SnoopFreeUI.exe
mRun: [NPSStartup]
mRun: [SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}] c:\program files\sound volume hotkeys\SoundVolumeHotkeys.exe -a
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [F-Secure Manager] "c:\program files\charter security suite\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\charter security suite\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,_RunDLLEntry@16
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sbcsel~1.lnk - b:\program files\sbc self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\momma\startm~1\programs\startup\dropbox.lnk - b:\documents and settings\default user\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\momma\startm~1\programs\startup\mailwa~1.lnk - b:\program files\firetrust\mailwasher free\MailWasher.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZKfox000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {8D8BC573-B272-41A9-95D1-4661BD4AFF44} - c:\program files\freshdevices\freshdownload\fd.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\momma\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: plaxo.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstopAntiVirus.dll
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5570/mcfscan.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstop2.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\documents and settings\momma\application data\mozilla\firefox\profiles\c13wf1jy.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

acfva; system32\DRIVERS\acfva.sys
F-Secure Filter; \??\c:\program files\charter security suite\anti-virus\win2k\FSfilter.sys
F-Secure Gatekeeper; \??\c:\program files\charter security suite\anti-virus\minifilter\fsgk.sys
F-Secure HIPS; \??\c:\program files\charter security suite\hips\drivers\fshs.sys
F-Secure Recognizer; \??\c:\program files\charter security suite\anti-virus\win2k\FSrec.sys
fsbts; system32\Drivers\fsbts.sys
FSFW; System32\drivers\fsdfw.sys
FSIHS; "c:\docume~1\momma\locals~1\temp\installer\00000002\bootstrap\fsihs.exe"
FSORSPClient; "c:\program files\charter security suite\orsp client\fsorsp.exe"
FsUsbExDisk; \??\c:\windows\system32\FsUsbExDisk.SYS
FsUsbExService; c:\windows\system32\FsUsbExService.Exe
getPlusHelper; %SystemRoot%\System32\svchost.exe -k getPlusHelper; c:\program files\nos\bin\getPlus_Helper.dll
motccgp; system32\DRIVERS\motccgp.sys
motccgpfl; system32\DRIVERS\motccgpfl.sys
motport; system32\DRIVERS\motport.sys
MyWebSearchService; c:\progra~1\mywebs~1\bar\2.bin\mwssvc.exe
PCPitstop Scheduling; c:\program files\pcpitstop\PCPitstopScheduleService.exe
YahooAUService; "c:\program files\yahoo!\softwareupdate\YahooAUService.exe"
{3F35FFA7-2B74-4B1B-8C1F-B11BBE4239C9}; [x]

=============== Created Last 30 ================

2010-05-15 02:41 711,168 a------- c:\windows\is-DGTJN.exe
2010-05-15 02:41 10,562 a------- c:\windows\is-DGTJN.msg
2010-05-15 02:41 311 a------- c:\windows\is-DGTJN.lst
2010-05-15 02:39 <DIR> --d----- c:\program files\YourWare Solutions
2010-05-14 14:23 <DIR> --d----- c:\documents and settings\all users\application data\SpeedyPC
2010-05-14 14:23 <DIR> --d----- c:\program files\SpeedyPC
2010-05-14 14:21 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 14:21 <DIR> --d----- c:\documents and settings\all users\application data\Malwarebytes
2010-05-14 14:21 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-05-14 14:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-05-13 02:26 <DIR> --d----- c:\windows\pss
2010-05-11 05:17 33,408 a------- c:\windows\system32\drivers\fsbts.sys
2010-05-11 05:16 80,000 a------- c:\windows\system32\drivers\fsdfw.sys
2010-05-11 05:15 <DIR> --d----- c:\program files\Charter Security Suite
2010-05-07 03:56 <DIR> --d----- c:\program files\Free Disk Analyzer
2010-05-06 09:48 3,558,912 -c------ c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-03-10 06:15 420,352 a------- c:\windows\system32\vbscript.dll
2010-02-25 06:24 916,480 a------- c:\windows\system32\wininet.dll
2010-01-22 03:05 139,152 ac------ c:\documents and settings\momma\application data\PnkBstrK.sys
2009-09-19 16:20 262,144 a------- c:\documents and settings\all users\ntuser.dat
2008-08-07 01:21 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080620080807\index.dat

==== Installed Programs ======================

Sansa Media Converter
56USBP
Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11
Ahead InCD EasyWrite Reader
All To MP3 Converter 2.15
Amazon MP3 Downloader 1.0.5
America Online (Choose which version to remove)
Any Video Converter 3.0.3
Apple Application Support
Apple Software Update
Audacity 1.3.9 (Unicode)
AviSynth 2.5
Bejeweled Twist 1.0
Belltech Business Card Designer Pro 5.2.1
Carrie the Caregiver™
CCleaner
ChordWizard Silver 2.0
Chuzzle Deluxe
Cool Timer 3.6
Critical Update for Windows Media Player 11 (KB959772)
CutePDF Writer 2.7
Defraggler (remove only)
DriverAgent Installer by eSupport.com
Dropbox
Dup Detector
EA Mobile Games
Eraser 5.8.7
Eudora (8.0.0b3)
Exif Launcher Ver.1.1
eXplorist Wizard
Exterminate3
EZ Recipes
F-Secure Internet Security Technology Preview
F-Secure PSC Prerequisites
FinePixViewer Ver.1.1
Flash Slideshow Maker Pro 4.88
FormatFactory 1.70
FoxyTunes for Firefox
Free Disk Analyzer
Free FLV Converter V 5.9.2
Free Video Converter V 2.0
Guitar Pro Lite
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
iMage 1.0 by Vanga Sasidhar
IMVU Avatar Chat Software
Instant Play Electric Guitar 6 CD-ROM
Java™ 6 Update 13
Java™ 6 Update 4
Java™ 6 Update 7
Joost ™ Beta 1.1.4
KNVB Version 4.5.1
LADSPA_plugins-win-0.4.15
LAME v3.98.2 for Audacity
Learn2 Player (Uninstall Only)
Lexmark 2400 Series
Lexmark Fax Solutions
Lexmark Toolbar
MailWasher Free 6.5.2
Malwarebytes' Anti-Malware
MapSend Lite
MFC RunTime files
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Expression Encoder 3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Office Live Small Business Image Uploader
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Motorola Driver Installation
Mozilla Firefox (3.5.9)
Mozilla Sunbird (0.8)
Mozilla Thunderbird (3.0.4)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Coach Player
My Fantasy Wedding
My Web Search (Webfetti)
MyIdentityDefender Toolbar (CyberDefender Corporation)
Nero Media Player
Nero OEM
NeroVision Express 2
Norton Security Scan
NVIDIA Drivers
OpenAL
OpenOffice.org 3.1
Orbit Downloader
PC Connectivity Solution
PC Matic 1.0.0.0
Peggle Deluxe 1.0
Photo Story 3 for Windows
PHP Generator for MySQL 7.10
Picasa 3
PixiePack Codec Pack
Pixillion Image Converter
Power Tab Editor 1.7
PunkBuster Services
Pure Networks Port Magic
QuickTime
Radiotracker
RealPlayer
Recuva (remove only)
Riva FLV Encoder 2.0
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
SamsungConnectivityCableDriver
Sansa Updater
Search Settings 1.2
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Slideroll Video Creator 0.84b
SnoopFree Privacy Shield
Song Builder
Sound Volume Hotkeys 1.2
SpeedyPC
Spybot - Search & Destroy
Steam
Stickies 6.7a
STOIK Video Converter 2
Switch Sound File Converter
Total_Gym Toolbar
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC 9.0 Runtime
VDownloader 0.81
VIA Audio Driver Setup Program
VIA Rhine-Family Fast Ethernet Adapter
Viewpoint Media Player
VS2005 Redistributable Package
WavePad Sound Editor
WebFldrs XP
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
XNeat Windows Manager
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Software Update
Yahoo! Toolbar
YouTube Downloader App 1.02

============= FINISH: 11:21:55.40 ===============

Here is today's Gmer file (I believe it was finished--screen showed no other activity.):

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-22 23:36:46
Windows 5.1.2600
Running: gmer.exe; Driver: B:\Temp\kwtdypog.sys


---- System - GMER 1.0.15 ----

INT 0x1F \i386\System32\halaacpi.dll 80A18FD0
INT 0x37 \i386\System32\halaacpi.dll 80A18728
INT 0x3D \i386\System32\halaacpi.dll 80A19B70
INT 0x41 \i386\System32\halaacpi.dll 80A199CC
INT 0x50 \i386\System32\halaacpi.dll 80A18800
INT 0xC1 \i386\System32\halaacpi.dll 80A18984
INT 0xD1 \i386\System32\halaacpi.dll 80A17D34
INT 0xE1 \i386\System32\halaacpi.dll 80A18F0C
INT 0xE3 \i386\System32\halaacpi.dll 80A18C70
INT 0xFD \i386\System32\halaacpi.dll 80A19464
INT 0xFE \i386\System32\halaacpi.dll 80A19604

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs dc_fsf.sys
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume1 dcrypt.sys

Device \Driver\ACPI_HAL \Device\00000006 halaacpi.dll

AttachedDevice \FileSystem\Fastfat \Fat dc_fsf.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{D6FEDB1D-CF21-4BD9-AF3B-C5468E9C6684}\InprocServer32@ ??????????????????????????????????

---- EOF - GMER 1.0.15 ----

I am able to boot with an Ubuntu CD, but I do not have internet access, as this worm/virus/whatever it is has wiped out the connection. It appears that it also wiped out my IP address. I have not tried to reconfigure it yet.

Also, just noticed this: the time and date shown for these scans shows a Saturday time. These scans were run on Sunday. I had reset the system calendar before the system crashed last week.

Any help you could provide is definitely appreciated.

Edited by sneal, 24 May 2010 - 12:04 AM.
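As an added triage example (not code from this thread, from DDS or from GMER), the parser below reads lines in the "Pseudo HJT Report" format shown in the log above and flags the kinds of entries a helper looks at first: registry entries whose file is gone ("No File"), programs loading from user-profile folders, autoruns given only as a bare executable name, and the items the helper's fix in the next reply removes. It handles several entry kinds (URLSearchHooks, BHO, TB, EB, DPF, Run, RunOnce, StartupFolder) rather than only the ones discussed; the rule lists and the sample lines are constructed for this example, and a flag is a prompt to verify, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the DDS "Pseudo HJT Report" line format. The entries mirror
# lines from the log posted above (same SID and GUIDs), trimmed to a handful.
SAMPLE_DDS = r"""
S-1-5-21-776561741-1580818891-839522115-1005_URLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
S-1-5-21-776561741-1580818891-839522115-1005_URLSearchHooks: : {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
S-1-5-21-776561741-1580818891-839522115-1005_URLSearchHooks: H - No File
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No File
BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\momma\local settings\application data\cyberdefender\cdmyidd.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
S-1-5-21-776561741-1580818891-839522115-1005_Run: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SnoopFreeUI] SnoopFreeUI.exe
StartupFolder: c:\docume~1\momma\startm~1\programs\startup\dropbox.lnk - b:\documents and settings\default user\application data\dropbox\bin\Dropbox.exe
"""

# Line shape: optional scope (a user SID followed by "_", or "m" for machine-wide),
# the entry kind, ": ", then the kind-specific remainder.
ENTRY_RE = re.compile(
    r"^(?:(?P<sid>S-1-5-[\d-]+)_|(?P<machine>m))?"
    r"(?P<kind>URLSearchHooks|BHO|TB|EB|RunOnce|Run|StartupFolder|DPF): (?P<rest>.*)$"
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Entry:
    kind: str
    scope: str             # "machine", a user SID, or "" when DDS gives none
    name: str
    clsid: Optional[str]
    target: str            # file path, command line, URL, or "No File"


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one Pseudo HJT Report line; return None for lines of other shapes."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    scope = "machine" if m.group("machine") else (m.group("sid") or "")
    if kind in ("Run", "RunOnce"):
        r = RUN_RE.match(rest)
        return Entry(kind, scope, r.group("name"), None, r.group("cmd")) if r else None
    if kind == "StartupFolder":
        lnk, _, target = rest.partition(" - ")
        return Entry(kind, scope, lnk.strip(), None, target.strip())
    # COM-style entries: "[Name: ]{CLSID} - target", or "Name - No File" with no CLSID
    c = CLSID_RE.search(rest)
    if c:
        name = rest[: c.start()].strip().rstrip(":").strip()
        target = rest[c.end():].strip().lstrip("-").strip()
        return Entry(kind, scope, name, c.group(0).lower(), target)
    name, _, target = rest.partition(" - ")
    return Entry(kind, scope, name.strip(), None, target.strip())


# Tokens for the items the helper removes in the look.bat reply (MyWebSearch, the
# AVG toolbar, cdmyidd.dll, tbTot0.dll); a constructed list for this example only.
REMOVED_BY_HELPER = ("mywebsearch", r"avg\avg8\toolbar", "cdmyidd.dll", "tbtot0.dll")
# Folders a limited user can write to; code loading from them deserves a second look.
USER_PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")
# A Run command that is a bare file name (no drive, no quote, no %var%) is resolved
# through the PATH search, so which binary actually runs is ambiguous.
ANCHORED_CMD_RE = re.compile(r'^(?:"|[a-z]:\\|%)')


def triage(text: str) -> List[Dict[str, str]]:
    """Apply the heuristics above to every parseable line; one finding per rule hit."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        t, n = e.target.lower(), e.name.lower()
        ident = e.clsid or e.name or e.target
        if t == "no file":
            findings.append({"rule": "orphan", "kind": e.kind, "id": ident})
            continue
        if any(tok in t or tok in n for tok in REMOVED_BY_HELPER):
            findings.append({"rule": "removed_by_helper", "kind": e.kind, "id": ident})
        if any(d in t for d in USER_PROFILE_DIRS):
            findings.append({"rule": "user_profile_path", "kind": e.kind, "id": ident})
        if e.kind in ("Run", "RunOnce") and not ANCHORED_CMD_RE.match(t):
            findings.append({"rule": "bare_executable", "kind": e.kind, "id": ident})
    return findings


def count_by_rule(findings: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f['rule']:18} {f['kind']:15} {f['id']}")
```

Run it against a full DDS log by passing the file's text to triage(); the Installed Programs and Created Last 30 sections are ignored because their lines do not match the entry shape.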




#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:02 AM

Posted 24 May 2010 - 08:17 AM

Hi sneal,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know on your next reply if you agree with this.

We are going to remove some baddies and get a log to determine the next steps.
  1. On the working computer:
     Please download MBR.EXE by GMER. Save the file in your flash drive.
  2. On the working computer:
     Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @echo off
    echo %date% %time% %cd% >log.txt
    regedit /e look1.txt HKEY_CLASSES_ROOT\.exe
    regedit /e look2.txt HKEY_CLASSES_ROOT\exefile
    regedit /e look3.txt HKEY_CURRENT_USER\Software\Classes\.exe
    regedit /e look4.txt HKEY_CURRENT_USER\Software\Classes\exefile
    regedit /e look5.txt HKEY_LOCAL_MACHINE\Software\Classes\.exe
    regedit /e look6.txt HKEY_LOCAL_MACHINE\Software\Classes\exefile
    regedit /e look7.txt HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
    regedit /e look8.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies
    regedit /e look9.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
    regedit /e look10.txt HKEY_CURRENT_USER\SOFTWARE\Policies
    regedit /e look11.txt HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
    regedit /e look12.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search"
    reg query HKCU\Software\Classes >>log.txt
    type look*.txt >>log.txt
    for %%g in (
    acfva
    "F-Secure Filter"
    "F-Secure Gatekeeper"
    "F-Secure HIPS"
    "F-Secure Recognizer"
    fsbts
    FSFW
    FSIHS
    FSORSPClient
    FsUsbExDisk
    FsUsbExService
    getPlusHelper
    ) do (
    reg query "hklm\system\currentcontrolset\services\%%~g" /v start >>log.txt)
    cacls c:\windows\system32\svchost.exe >>log.txt
    cacls c:\windows\explorer.exe >>log.txt
    dir /a/s c:\svchost.exe >>log.txt
    del look*.txt
    sc config MyWebSearchService start= disabled
    tskill mwssvc >nul 2>&1
    sc delete MyWebSearchService
    rd /s/q "c:\program files\mywebsearch"
    rd /s/q "c:\program files\avg"
    del /a/f/q "c:\program files\mozilla firefox\plugins\NPMyWebS.dll"
    del /a/f/q "c:\documents and settings\momma\local settings\application data\cyberdefender\cdmyidd.dll"
    del /a/f/q "c:\program files\total_gym\tbTot0.dll"
    if not exist "c:\program files\mywebsearch" echo.mywebsearch deleted.>>log.txt
    if not exist "c:\program files\mozilla firefox\plugins\NPMyWebS.dll" echo.NPMyWebS.dll deleted.>>log.txt
    mbr.exe -t
    exit
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
  4. On the infected computer go to Safe Mode by using F8 key.

  5. If you can't get to your flash drive use Windows key+R to bring up the Run box, or bring up Task Manager => under the File menu select New Task and fill in e:\look.bat. I have assumed your flash drive letter is E. If your flash drive letter is different you should change e.

  6. Remove the flash drive and use the working computer to post two logs on the flash drive: log.txt and mbr.log

  7. We have not removed all the infections yet, but tell me if you see any difference in performance.

Edited by farbar, 24 May 2010 - 08:28 AM.


#3 sneal

sneal
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:02 AM

Posted 24 May 2010 - 10:31 PM

I'll refrain from making changes, etc. until advised.

Notes re: tasks (don't know if this helps or not) . . . still receiving message about computer shutting down--about every 2 minutes. Stopped shutdown with "shutdown -a" at command prompt. Infected computer had to run "Found New Hardware" wizard before recognizing flash drive. As wizard ran, received an error message about "Windows Logo Testing" and the need to stop the wizard. Ignored the message and ran wizard anyway.

Here's the log.txt file from look.bat:

Sun 05/23/2010 22:11:16.54 E:\

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Classes

HKEY_CURRENT_USER\Software\Classes\*

HKEY_CURRENT_USER\Software\Classes\.3fr

HKEY_CURRENT_USER\Software\Classes\.act

HKEY_CURRENT_USER\Software\Classes\.amr

HKEY_CURRENT_USER\Software\Classes\.ape

HKEY_CURRENT_USER\Software\Classes\.arw

HKEY_CURRENT_USER\Software\Classes\.awb

HKEY_CURRENT_USER\Software\Classes\.bmp

HKEY_CURRENT_USER\Software\Classes\.cr2

HKEY_CURRENT_USER\Software\Classes\.crw

HKEY_CURRENT_USER\Software\Classes\.dart

HKEY_CURRENT_USER\Software\Classes\.dcr

HKEY_CURRENT_USER\Software\Classes\.dct

HKEY_CURRENT_USER\Software\Classes\.divx

HKEY_CURRENT_USER\Software\Classes\.dng

HKEY_CURRENT_USER\Software\Classes\.dss

HKEY_CURRENT_USER\Software\Classes\.dvf

HKEY_CURRENT_USER\Software\Classes\.dvs

HKEY_CURRENT_USER\Software\Classes\.eml

HKEY_CURRENT_USER\Software\Classes\.erf

HKEY_CURRENT_USER\Software\Classes\.flac

HKEY_CURRENT_USER\Software\Classes\.gif

HKEY_CURRENT_USER\Software\Classes\.htm

HKEY_CURRENT_USER\Software\Classes\.html

HKEY_CURRENT_USER\Software\Classes\.ivr

HKEY_CURRENT_USER\Software\Classes\.jp2

HKEY_CURRENT_USER\Software\Classes\.jpe

HKEY_CURRENT_USER\Software\Classes\.jpeg

HKEY_CURRENT_USER\Software\Classes\.jpg

HKEY_CURRENT_USER\Software\Classes\.kdc

HKEY_CURRENT_USER\Software\Classes\.magnet

HKEY_CURRENT_USER\Software\Classes\.mef

HKEY_CURRENT_USER\Software\Classes\.moh

HKEY_CURRENT_USER\Software\Classes\.mos

HKEY_CURRENT_USER\Software\Classes\.mpc

HKEY_CURRENT_USER\Software\Classes\.mpga

HKEY_CURRENT_USER\Software\Classes\.mrw

HKEY_CURRENT_USER\Software\Classes\.msv

HKEY_CURRENT_USER\Software\Classes\.nef

HKEY_CURRENT_USER\Software\Classes\.nrw

HKEY_CURRENT_USER\Software\Classes\.orf

HKEY_CURRENT_USER\Software\Classes\.pcx

HKEY_CURRENT_USER\Software\Classes\.pef

HKEY_CURRENT_USER\Software\Classes\.pgf

HKEY_CURRENT_USER\Software\Classes\.png

HKEY_CURRENT_USER\Software\Classes\.ppm

HKEY_CURRENT_USER\Software\Classes\.psd

HKEY_CURRENT_USER\Software\Classes\.ptx

HKEY_CURRENT_USER\Software\Classes\.r3d

HKEY_CURRENT_USER\Software\Classes\.ra

HKEY_CURRENT_USER\Software\Classes\.raf

HKEY_CURRENT_USER\Software\Classes\.ram

HKEY_CURRENT_USER\Software\Classes\.ras

HKEY_CURRENT_USER\Software\Classes\.raw

HKEY_CURRENT_USER\Software\Classes\.rax

HKEY_CURRENT_USER\Software\Classes\.rcd

HKEY_CURRENT_USER\Software\Classes\.rec

HKEY_CURRENT_USER\Software\Classes\.rjs

HKEY_CURRENT_USER\Software\Classes\.rjt

HKEY_CURRENT_USER\Software\Classes\.rm

HKEY_CURRENT_USER\Software\Classes\.rmj

HKEY_CURRENT_USER\Software\Classes\.rmm

HKEY_CURRENT_USER\Software\Classes\.rmp

HKEY_CURRENT_USER\Software\Classes\.rms

HKEY_CURRENT_USER\Software\Classes\.rmvb

HKEY_CURRENT_USER\Software\Classes\.rmx

HKEY_CURRENT_USER\Software\Classes\.rnx

HKEY_CURRENT_USER\Software\Classes\.rp

HKEY_CURRENT_USER\Software\Classes\.rsml

HKEY_CURRENT_USER\Software\Classes\.rt

HKEY_CURRENT_USER\Software\Classes\.rv

HKEY_CURRENT_USER\Software\Classes\.rvx

HKEY_CURRENT_USER\Software\Classes\.rw2

HKEY_CURRENT_USER\Software\Classes\.sdp

HKEY_CURRENT_USER\Software\Classes\.shn

HKEY_CURRENT_USER\Software\Classes\.shtml

HKEY_CURRENT_USER\Software\Classes\.smi

HKEY_CURRENT_USER\Software\Classes\.smil

HKEY_CURRENT_USER\Software\Classes\.spx

HKEY_CURRENT_USER\Software\Classes\.sr2

HKEY_CURRENT_USER\Software\Classes\.srf

HKEY_CURRENT_USER\Software\Classes\.sri

HKEY_CURRENT_USER\Software\Classes\.ssk

HKEY_CURRENT_USER\Software\Classes\.sti

HKEY_CURRENT_USER\Software\Classes\.tga

HKEY_CURRENT_USER\Software\Classes\.tif

HKEY_CURRENT_USER\Software\Classes\.tiff

HKEY_CURRENT_USER\Software\Classes\.vox

HKEY_CURRENT_USER\Software\Classes\.vuze

HKEY_CURRENT_USER\Software\Classes\.wbmp

HKEY_CURRENT_USER\Software\Classes\.wpp

HKEY_CURRENT_USER\Software\Classes\.x3f

HKEY_CURRENT_USER\Software\Classes\.xht

HKEY_CURRENT_USER\Software\Classes\.xhtml

HKEY_CURRENT_USER\Software\Classes\Applications

HKEY_CURRENT_USER\Software\Classes\CLSID

HKEY_CURRENT_USER\Software\Classes\Directory

HKEY_CURRENT_USER\Software\Classes\FirefoxHTML

HKEY_CURRENT_USER\Software\Classes\FirefoxURL

HKEY_CURRENT_USER\Software\Classes\ftp

HKEY_CURRENT_USER\Software\Classes\http

HKEY_CURRENT_USER\Software\Classes\https

HKEY_CURRENT_USER\Software\Classes\imvu

HKEY_CURRENT_USER\Software\Classes\JavaPlugin.160_04

HKEY_CURRENT_USER\Software\Classes\JavaPlugin.160_07

HKEY_CURRENT_USER\Software\Classes\JavaPlugin.160_13

HKEY_CURRENT_USER\Software\Classes\M2.Filter

HKEY_CURRENT_USER\Software\Classes\M2.Language

HKEY_CURRENT_USER\Software\Classes\M2.Layout

HKEY_CURRENT_USER\Software\Classes\M2.Plugin

HKEY_CURRENT_USER\Software\Classes\M2.Skin

HKEY_CURRENT_USER\Software\Classes\mailto

HKEY_CURRENT_USER\Software\Classes\MIME

HKEY_CURRENT_USER\Software\Classes\pnm

HKEY_CURRENT_USER\Software\Classes\RealJukebox.RJS.1

HKEY_CURRENT_USER\Software\Classes\RealJukebox.RJT.1

HKEY_CURRENT_USER\Software\Classes\RealJukebox.RMJ.1

HKEY_CURRENT_USER\Software\Classes\RealJukebox.RMP.1

HKEY_CURRENT_USER\Software\Classes\RealJukebox.RMX.1

HKEY_CURRENT_USER\Software\Classes\RealPlayer.AMR.10

HKEY_CURRENT_USER\Software\Classes\RealPlayer.AMR_WB.10

HKEY_CURRENT_USER\Software\Classes\RealPlayer.AudioCD.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.AutoPlay.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.CDBurn.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.DIVX.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.DVD.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.IVR.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.PIX.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.RA.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.RAM.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.RAX.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.RM.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.RMS.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.RMVB.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.RP.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.RSML.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.RT.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.RV.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.RVX.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.SDP.6

HKEY_CURRENT_USER\Software\Classes\RealPlayer.SMIL.6

HKEY_CURRENT_USER\Software\Classes\rtsp

HKEY_CURRENT_USER\Software\Classes\Software

HKEY_CURRENT_USER\Software\Classes\Stickyfile

HKEY_CURRENT_USER\Software\Classes\StickySkin

HKEY_CURRENT_USER\Software\Classes\Thunderbird.Url.mailto

HKEY_CURRENT_USER\Software\Classes\ThunderbirdEML

HKEY_CURRENT_USER\Software\Classes\Vuze
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\Software\Classes\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\DefaultIcon]
@="%1"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell]

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\runas]

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shellex]

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shellex\PropertySheetHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Policies]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\internet explorer]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\internet explorer\control panel]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\internet explorer\restrictions]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\ca]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\Certificates]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\CRLs]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\CTLs]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\trust]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs]

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"CustomSearch"="http://red.clientapps.yahoo.com/customize/ie/defaults/cs/ymsgr6/*http://www.yahoo.com/ext/search/search.html"


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\acfva
start REG_DWORD 0x3


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\F-Secure Filter
start REG_DWORD 0x4


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\F-Secure Gatekeeper
start REG_DWORD 0x3


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\F-Secure HIPS
start REG_DWORD 0x1


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\F-Secure Recognizer
start REG_DWORD 0x4


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\fsbts
start REG_DWORD 0x0


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\FSFW
start REG_DWORD 0x0


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\FSIHS
start REG_DWORD 0x2


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\FSORSPClient
start REG_DWORD 0x3


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\FsUsbExDisk
start REG_DWORD 0x3


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\FsUsbExService
start REG_DWORD 0x2


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\getPlusHelper
start REG_DWORD 0x3

c:\windows\system32\svchost.exe BUILTIN\Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

c:\windows\explorer.exe BUILTIN\Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

Volume in drive C has no label.
Volume Serial Number is A0D1-0FF1

--------------

Here's the mbr file:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Note: after running look.bat and mbr, infected computer was restarted. Continues to run very slowly, and same shutdown message (RPC error) appears every 2 minutes.

I appreciate your taking your time to look into this.
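The registry exports in this log are what a helper reads to rule out a hijacked .exe association (on a clean XP install .exe maps to exefile, the open command is "%1" %*, and there is no per-user copy of those keys under HKCU\Software\Classes) and to see which services are set to start. As an added example that is not part of this thread, a small Python checker over the log.txt format shown above; SAMPLE_LOG is a constructed excerpt, not sneal's log.

```python
"""Checks over the log.txt that look.bat assembles: the regedit /e exports of the
.exe and exefile keys and the 'reg query ... /v start' blocks. Added example for
this thread, not code from the posts; SAMPLE_LOG is constructed, not the poster's log."""
import re

EXPECTED_EXE_DEFAULT = "exefile"  # clean XP: .exe -> exefile
EXPECTED_COMMAND = '"%1" %*'      # clean XP: exefile\shell\open\command
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_SVC = re.compile(r"^HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\(.+)$", re.I)
_START = re.compile(r"^start\s+REG_DWORD\s+0x([0-9a-f]+)$", re.I)

def _unquote(s):
    """Decode a .reg string literal; hex:/dword: data and '@' pass through."""
    if len(s) >= 2 and s[0] == s[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", s[1:-1])
    return s

def parse_reg_export(text):
    """Parse concatenated regedit /e exports into {key: {value_name: data}}, '@' being
    (Default). Expects plain text, as look.bat's 'type' writes it (raw exports are UTF-16)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][_unquote(m.group(1))] = _unquote(m.group(2))
    return keys

def check_exe_association(keys, hive="HKEY_CLASSES_ROOT"):
    """(key, value, data) for anything differing from a clean XP .exe association under hive."""
    findings = []
    ext = keys.get(hive + "\\.exe", {})
    if ext.get("@") != EXPECTED_EXE_DEFAULT:
        findings.append((hive + "\\.exe", "@", ext.get("@")))
    path = hive + "\\exefile\\shell\\open\\command"
    cmd = keys.get(path, {}).get("@")
    if cmd != EXPECTED_COMMAND:
        findings.append((path, "@", cmd))
    return findings

def parse_service_starts(text):
    """Map each 'reg query ...\\services\\<svc> /v start' block to a start type name."""
    result, svc = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SVC.match(line)
        if m:
            svc = m.group(1)
            continue
        m = _START.match(line)
        if m and svc:
            result[svc] = START_TYPES.get(int(m.group(1), 16), "unknown")
            svc = None
    return result

def audit(text):
    """HKCR findings, per-user .exe/exefile keys (a clean XP box has none; look3/look4
    export them to catch a user-level hijack) and service start types from one log.txt."""
    keys = parse_reg_export(text)
    user = "hkey_current_user\\software\\classes\\"
    overrides = sorted(k for k in keys if k.lower().startswith(user + ".exe")
                       or k.lower().startswith(user + "exefile"))
    return {"exe": check_exe_association(keys), "user_overrides": overrides,
            "services": parse_service_starts(text)}

# Constructed excerpt in the shape look.bat produces: HKCR carries a hijacked
# open command, HKLM\Software\Classes is clean, two service start values follow.
SAMPLE_LOG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Constructed\\sample.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Classes\.exe]
@="exefile"
[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"%1\" %*"
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\F-Secure HIPS
    start       REG_DWORD       0x1
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\fsbts
    start       REG_DWORD       0x0
'''

if __name__ == "__main__":
    for name, value in audit(SAMPLE_LOG).items():
        print(name, value)
```

On sneal's actual log the HKCR and HKLM exports both come back clean and no HKCU .exe/exefile keys are present, which is why the helper moves on to services and scheduled tasks rather than the file association.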

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:02 AM

Posted 25 May 2010 - 07:05 AM

Well done.

The batch file was not run fully and the mbr log is not what we need. It looks like it was run separately, while I had included the command in the batch file.
Please don't run mbr just let it be on the flash drive.

We are going to do some more preparation, remove some files and disable some security programs that don't do anything. The next round we are going to update Malwarebytes via the working computer and transfer it to the infected computer and run it.

Please make a new look.bat with the following syntax:

QUOTE
@echo off
shutdown -a >nul 2>&1
echo. %date% %time% >log.txt
dir /a/b c:\windows\tasks >>log.txt
net stop schedule
del /a/f/q c:\windows\tasks\*.job
dir /a/b c:\windows\tasks >>log.txt 2>&1
for %%g in (
MyWebSearchService
acfva
"F-Secure Gatekeeper"
"F-Secure HIPS"
fsbts
FSFW
FSIHS
FSORSPClient
FsUsbExDisk
FsUsbExService
getPlusHelper
) do (
sc config %%g start= disabled >>log.txt 2>&1)
shutdown -a >nul 2>&1
tskill mwssvc >>log.txt 2>&1
sc delete MyWebSearchService >>log.txt 2>&1
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SnoopFreeUI /f >>log.txt 2>&1
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "SpybotSD TeaTimer" /f >>log.txt 2>&1
rd /s/q "c:\program files\mywebsearch"
rd /s/q "c:\program files\avg"
del /a/f/s/q c:\autorun.inf
del /a/f/q "c:\program files\mozilla firefox\plugins\NPMyWebS.dll"
del /a/f/q "c:\documents and settings\momma\local settings\application data\cyberdefender\cdmyidd.dll"
del /a/f/q "c:\program files\total_gym\tbTot0.dll"
if not exist "c:\program files\mywebsearch" echo.mywebsearch deleted.>>log.txt
if not exist "c:\program files\mozilla firefox\plugins\NPMyWebS.dll" echo.NPMyWebS.dll deleted.>>log.txt
dir /a/b/s "C:\documents and settings\all users\application data\Malwarebytes" >>log.txt
dir /a/b/s "c:\program files\Malwarebytes' Anti-Malware" >>log.txt
shutdown -a >nul 2>&1
if exist mbr.log del mbr.log
mbr.exe -t
type mbr.log >>log.txt
exit


Please post the content of log.txt to your reply. Also tell me which Windows version is installed on the working computer and what is the drive letter of the flash drive on the working computer.

Edited by farbar, 25 May 2010 - 07:55 AM.


#5 sneal

sneal
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:02 AM

Posted 25 May 2010 - 09:22 PM

Thanks, farbar!

Here's the log:

Mon 05/24/2010 21:14:08.29
AppleSoftwareUpdate.job
desktop.ini
Norton Security Scan for Momma.job
SA.DAT
SpeedyPC Program Check.job
SpeedyPC.job
desktop.ini
SA.DAT
[SC] ChangeServiceConfig SUCCESS
^C

(Should there be more?)

Don't know if it means much or not, but the date's still wrong on the infected computer. And, it's still trying to shutdown about every 2 minutes.

On the working computer, I'm running Windows XP, and the flash drive is e:

Thanks, again!

Edited by sneal, 25 May 2010 - 09:37 PM.


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:02 AM

Posted 26 May 2010 - 04:53 PM

The log is not complete.

We want to try the following. If it doesn't work, we will both have to work much harder, make another BootCD (not the one you have made) and do it from there.
    On the working computer:
  1. Please set your system to show all files:
    • Click Start, open My Computer, select the Tools menu and click Folder Options.
    • Select the View Tab. Under the Hidden files and folders heading, check Show hidden files and folders.
    • Uncheck: Hide file extensions for known file types
    • Uncheck: Hide protected operating system files (recommended) option.
    • Click Yes to confirm.

  2. On the working computer make a batch file, as you made other batch files with the following syntax:

    QUOTE
    @echo off
    :start
    shutdown -a
    goto start


    Name it run.bat and save it on the flash drive.

  3. We need to run this tool first:
    • Click RKill.pif to download and save it to your flash drive.
      RKill.pif
      RKill.scr
      RKill.com
      RKill.exe
    • In Windows XP double click the RKill, in Windows Vista right click and select "Run as Administrator".
    • A black screen will briefly flash indicating a successful run.
    • If this does not occur please delete that application and download RKill.scr.
    • Continue process until the tool runs.

  4. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! rename ComboFix.exe to moon.exe and save it to your Desktop


    Now you have run.bat, Rkill.pif and moon.exe on your flash drive.

  5. Boot to Safe Mode on the infected computer and type the following one by one in the New Task box and click OK after each command:

    e:\run.bat
    (a black command window will open, don't close it and let it be there until the computer needs a reboot. It prevents the computer from shutting down.)

    e:\rkill
    (Rkill should start to run, give it a couple of minutes, and then proceed to the next command. This tool is going to disable the rogue malware that prevents other tools from running)

    e:\moon

    (ComboFix should start to run. Click Yes and OK to any prompts. It warns you about the wrong download sites (other than Bleeping computer), asks you to disable antivirus, or lets ComboFix download the Recovery Console. Click Yes and OK and proceed anyway. It is not able to download the Recovery Console as you have no internet connection, but it doesn't matter. Whatever you do don't interrupt it and run it to the end.
    When it wants to reboot, let it reboot to normal mode.)

    After it completes the run it makes a log. We need that log.





#7 sneal

sneal
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:02 AM

Posted 27 May 2010 - 06:46 AM

Had a few problems . . . .

Could not download the rkill file. Tried saving it to several different flash drives--"Cannot copy . . . access denied . . . full or write protected." Tried saving to desktop and got same error. Tried saving to CD, got same error. Finally ran it from a copy on CD that I'd downloaded before I started working with bleepingcomputer.com. (Got it from a link that was directed to this site.) When I ran it, received an error message: "Data error . . . check your settings." Clicked "OK," and went on.

Also, in all of this, the drive letter on flash drive got changed from e: to f: (possibly because I had several drives loaded at the same time, trying to get file to download to one of the drives.) When loaded on infected computer, drive letter on that computer was e:. Ran files from that drive.

Here's the log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Momma on 05/25/2010 at 23:50:34.


Processes terminated by Rkill or while it was running:




Rkill completed on 05/25/2010 at 23:50:37.

Ran moon.exe next. Let it run all night. Never got a log file. Don't know what to do. Had followed directions exactly.

Any clues?

Thanks!

Edited by sneal, 27 May 2010 - 06:49 AM.


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:02 AM

Posted 27 May 2010 - 06:54 AM

First the Rkill, did you try all the options or just the first one? I tried the first one and the link was dead, but the other 3 worked.

About ComboFix, how was it running? What did it do? Did it reboot?

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:02 AM

Posted 27 May 2010 - 08:36 AM

Please don't take this as any negative comment about the way you do it. I'm sure you are doing your best, so am I. But this does not look sufficient.

I'm thinking this type of communication between us can go on very long. We have posts with 70 plus replies, sometimes in heavily infected and complicated cases like this it might be more. We exchange posts once in 24 hours. I feel hampered because I need more feedback and asking every question can take another day to get a reply. It means we can be a couple of months busy with this. Is this OK with you?

Otherwise we have to find a way to be both on line and get the job done in quick exchanges.
I need you to give me proper and detailed feedback, like the one you have given about Rkill. The same type of feedback I need in case of ComboFix, as ComboFix was our main object. Rkill does nothing but terminate the running processes which can interfere with running the tools. It doesn't change in any way the condition of the computer. ComboFix scans, deletes, modifies and is the one that can provide us with a major breakthrough. I could not see if Malwarebytes was still on the computer as the previous log was not complete. We could run it via New Task and it could remove the infection too.

I need full feedback about Combofix and the current condition of the computer after running it.

Also do the following:

Make a batch file with the following syntax:

QUOTE
@echo off
echo %date% %time% >log.txt
if exist c:\combofix.txt type c:\combofix.txt >>log.txt
if exist C:\QooBox\ComboFix-quarantined-files.txt type C:\QooBox\ComboFix-quarantined-files.txt >>log.txt
dir /a/s C:\QooBox >>log.txt
dir /a/b/s "C:\documents and settings\all users\application data\Malwarebytes" >>log.txt
dir /a/b/s "c:\program files\Malwarebytes' Anti-Malware" >>log.txt


Name it search.bat then run the batch file on the infected computer. A log.txt will be made in the same place the batch file is located. Please post the log.

Edited by farbar, 27 May 2010 - 08:54 AM.


#10 sneal

sneal
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:02 AM

Posted 27 May 2010 - 11:50 PM

It appears that we are both frustrated. But, we'll get through it. (Please understand that I am not frustrated with you at all. I'm frustrated with my goofy computer.)

I noticed that you were online just after I left for work this morning. If you'll tell me what time to "meet" you, I'll take some time off of work. You're in the Netherlands, I'm in the US, in Texas . . . so, if you'd like to arrange a time, be sure to tell me whether it's your time or my time. Tomorrow is Friday. I'll be off work Saturday and Sunday. If setting a time works for you, I'll set my alarm and be here when it's best for you.

For this evening's entertainment . . . .

1. Made the search.bat file as directed and saved it to the flash drive.
2. Downloaded ComboFix from Link 2 and saved to flash drive as moon.exe, deleting old moon.exe.
3a. Saved search.bat file to flash drive.
3b. Booted infected computer in SafeMode.
4. Removed CD that had rkill on it. (Don't know if that was appropriate or not. Thought I'd try without it.)
5. Ran e:\run.bat from flash drive, as before. (Computer still tries to shut down.) Wasn't sure if I needed to try moon.exe again. Finally went forward with it.
6. Ran e:\moon.exe from flash drive. Nothing seemed to happen at first. Finally received error regarding computer date. Clicked "OK" and went on.
7. 20 minutes later . . . received message: "The software you are trying to install has not passed the Windows logo test . . ." Clicked to continue, and went on. An hour later, received message that Windows had finished installing hardware (icon showed flash drive). Let it continue to run. Half hour later, no change. Finally restarted computer.


RESTART

1. Restarted again in Safe Mode.
2. Inserted flash drive and ran e:\run.bat to stop shutdowns.
3. Again, did not run rkill from CD.
4. Ran e:\search.bat. Got a quick black screen/DOS-type window that immediately went away. Couldn't tell that anything else happened. Could not find any type of log on flash drive.
5. Restarted again. Got same results.

INSERTED CD with rKill on it.
1. With e:\run.bat working, ran rkill.exe from CD. rkill log was produced, but it did not indicate that any processes were terminated.
2. Ran e:\search.bat again. No log was produced on desktop, on flash drive, or on d: drive.
3. In attempt to get any type of result, ran moon.exe from flash drive, and ComboFix progress bar started!!!!!
4. Got c:\ "blue screen" AND another "Date Error" info box. Clicked OK on info box. Let it run for 20 minutes, with no other results.
5. Ran e:\search.bat again. Got another quick black DOS-type window, then nothing. No log file produced.

LOOKED AT your note on Malwarebytes, again. Found Malwarebytes in Program Files on infected computer, dated 4/29/10. Tried to run mbam.exe. Got Run-time error '372': "Failed to load control 'vbalgrid' from vlasgrid6.06x. Versions may be outdated."

QUESTION re: mBam . . . should I download it to flash drive again, and run it from there?

Other note: Tried to drag/copy/paste e:\moon.exe from flash drive to desktop. Wasn't able to do it.

QUESTIONS:
1. Am I missing anything?
2. Am I doing the steps in the correct order? From the correct drive?
3. Have any steps been left out?
4. Should I try to run the processes in regular mode? I'd be able to copy the files to the desktop and run from there.

Please let me know what to do next. I'll check back in the morning, and I'll plan to take some time off work, if needed.

Thanks!







#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:02 AM

Posted 28 May 2010 - 08:56 AM

Thank you for the detailed feedback.

The best time for us is when you get back from work or Sunday morning. But this part you can do on your own.

You have done a lot with no result other than the system being in such bad shape that it is not giving us any log any more. I have divided the post into two parts. Just try part 1 once more after running the batch file I've made. Don't spend much time on it if you didn't get any result and proceed with the second part. If you get a good result in part one there is no need to move to the second part.

  1. Make a batch file with the following syntax and name it svc.bat

    CODE
    reg add hklm\system\currentcontrolset\services\RpcSs /v start /t REG_DWORD /d 0x2 /f
    sc config RpcSs start= auto
    sc config Alerter start= auto
    sc config ALG start= demand
    sc config AppMgmt start= demand
    sc config AudioSrv start= auto
    sc config BITS start= auto
    sc config Browser start= auto
    sc config CiSvc start= demand
    sc config ClipSrv start= demand
    sc config COMSysApp start= demand
    sc config CryptSvc start= auto
    sc config DcomLaunch start= auto
    sc config Dhcp start= auto
    sc config dmadmin start= demand
    sc config dmserver start= demand
    sc config Dnscache start= auto
    sc config Dot3svc start= demand
    sc config EapHost start= auto
    sc config ERSvc start= auto
    sc config Eventlog start= auto
    sc config EventSystem start= demand
    sc config FastUserSwitchingCompatibility start= demand
    sc config helpsvc start= auto
    sc config HidServ start= auto
    sc config hkmsvc start= demand
    sc config HTTPFilter start= demand
    sc config ImapiService start= demand
    sc config Irmon start= demand
    sc config lanmanserver start= auto
    sc config lanmanworkstation start= auto
    sc config LmHosts start= auto
    sc config MSDTC start= demand
    sc config mnmsrvc start= demand
    sc config MSIServer start= demand
    sc config napagent start= demand
    sc config Netlogon start= demand
    sc config Netman start= demand
    sc config Nla start= demand
    sc config NtLmSsp start= demand
    sc config NtmsSvc start= demand
    sc config PolicyAgent start= auto
    sc config plugplay start= auto
    sc config ProtectedStorage start= auto
    sc config RasAuto start= demand
    sc config RasMan start= demand
    sc config SamSs start= auto
    sc config SCardSvr start= demand
    sc config RDSessMgr start= demand
    sc config RpcLocator start= demand
    sc config RSVP start= demand
    sc config Schedule start= auto
    sc config seclogon start= auto
    sc config SENS start= auto
    sc config SharedAccess start= auto
    sc config ShellHWDetection start= auto
    sc config Spooler start= auto
    sc config SSDPSRV start= demand
    sc config srservice start= auto
    sc config stisvc start= auto
    sc config SwPrv start= demand
    sc config SysmonLog start= demand
    sc config TapiSrv start= demand
    sc config TermService start= demand
    sc config Themes start= auto
    sc config TrkWks start= auto
    sc config upnphost start= demand
    sc config UPS start= demand
    sc config VSS start= demand
    sc config W32Time start= auto
    sc config WebClient start= auto
    sc config winmgmt start= auto
    sc config WmdmPmSN start= demand
    sc config Wmi start= demand
    sc config WmiApSrv start= demand
    sc config WMPNetworkSvc start= demand
    sc config wscsvc start= auto
    sc config wuauserv start= auto
    sc config WudfSvc start= demand
    sc config WZCSVC start= auto
    sc config xmlprov start= demand
    ren "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" clear.exe
    sc config RpcSs start= auto
    pause


  2. The batch file will attempt to set the right start type for services and also rename mbam.exe to clear.exe. Both of these might help run MBAM.
    First run run.bat and then svc.bat. After running svc.bat you will see all the results of svc.bat in the black command window. The command window remains open as long as you don't press a key. Check to see if the following lines are listed after each other:

    QUOTE
    E:\>sc config RpcSs start= auto
    [SC] ChangeServiceConfig SUCCESS


    I have put the command at the start and the end of the syntax. The other lines are not as important as this one (the line that contains RpcSs).
    You may press a key to close the window.

  3. Restart the computer, run run.bat and let it be open. Then type "c:\program files\Malwarebytes' Anti-Malware\clear.exe" (make sure the quotes are included) into New Task box.

  4. Also try to run run.bat and moon.exe again. If you don't get any result move on to the next section.


***********
***********

Step 2

We need to make a Boot CD. This one is able to do more than the one you have made. This is very handy to have also in the future if anything goes wrong.
  1. We need to make a Boot CD to create an OTL Report
  2. If you have Nero:
    • Open Nero SmartStart.
    • Under Applications tab Select Nero Burning Rom
    • In the left pane CD-ROM (ISO) should be highlighted.
    • At the bottom of the open window click Open.
    • In the open window select desktop, highlight the rc.iso file on the desktop and click Open.
    • Put a blank CD in your computer burner and press Burn.
    • When the disk finishes, eject the CD.

  3. If you don't have Nero:
  4. Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
    • Please be patient as "Windows" loads
    • Your system should now display a REATOGO-X-PE desktop.
      Note: In case you did not get this screen, your computer is not set to boot from CD-ROM and you should change the BIOS setup as described in How to Set BIOS to Boot from CDROM
    • Double click on the OTLPE icon on your desktop.
    • When asked "Do you wish to load the remote registry", select Yes
    • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    • Then make sure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • For each section there are three options (None, SafeList and All). Change the following settings:
      • Set "Files Created Within" and "Files Modified Within" to "By Date" while the scroll down at the top is set to the default, which is 30 days.
      • Set all the other sections to "All".
    • Copy and Paste the following code into the Custom Scan section. Do not include the word "Code"

      Please note: You can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

      CODE
      netsvcs
      msconfig
      drivers32
      %systemroot%\tasks\*.job
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      disk.sys
      classpnp.sys
      kbdclass.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      rpcss.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      svchost.exe
      services.exe
      winlogon.exe
      wscntfy.exe
      /md5stop
      %systemroot%\*. /mp /s
    • Push the Run Scan button
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the C:\OTL.txt file in your reply.
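As an added example (not Farbar's, OTL's or any project's own code), here is a small Python triage script that reads the start types a svc.bat-style script sets and checks the "Win32 Services" section of an OTL log against them, also flagging registered services whose binary is gone. The svc.bat subset and the log excerpt below are constructed to mirror the formats used in this thread; VSS and CiSvc were deliberately altered in the excerpt so a mismatch shows up.

```python
"""Triage an OTL 'Win32 Services' section against the start types set by svc.bat.

Added illustration for this thread, not OTL's or Farbar's own code. The sample
data below is constructed to mirror the formats shown in the thread.
"""
import re

# Map the values accepted by `sc config <svc> start=` to the labels OTL prints.
SC_TO_OTL = {"auto": "Auto", "demand": "On_Demand", "disabled": "Disabled",
             "boot": "Boot", "system": "System"}

SC_LINE = re.compile(r"^\s*sc\s+config\s+(\S+)\s+start=\s*(\w+)", re.IGNORECASE)
# e.g. SRV - [date | size | attrs | M] (Company) [Auto] -- path -- (Name) Description
SRV_LINE = re.compile(
    r"^SRV - \[(?P<stamp>[^\]]*)\] \((?P<company>[^)]*)\) \[(?P<start>[^\]]+)\]"
    r" -- (?P<path>.*?) -- \((?P<name>[^)]+)\)(?P<desc>.*)$")
# e.g. SRV - File not found [Auto] -- -- (Name)
SRV_MISSING = re.compile(
    r"^SRV - File not found \[(?P<start>[^\]]+)\] -- -- \((?P<name>[^)]+)\)")


def baseline_from_bat(bat_text):
    """Return {service_name_lower: OTL start label} from a svc.bat-style script."""
    baseline = {}
    for line in bat_text.splitlines():
        m = SC_LINE.match(line)
        if m:
            baseline[m.group(1).lower()] = SC_TO_OTL.get(m.group(2).lower(), m.group(2))
    return baseline


def parse_services(otl_text):
    """Parse only the 'Win32 Services' section of an OTL log into dicts."""
    services, in_section = [], False
    for line in otl_text.splitlines():
        if line.startswith("=========="):
            in_section = "Win32 Services" in line
            continue
        if not in_section:
            continue
        m = SRV_MISSING.match(line)
        if m:
            services.append({"name": m["name"], "start": m["start"],
                             "path": None, "company": None})
            continue
        m = SRV_LINE.match(line)
        if m:
            services.append({"name": m["name"], "start": m["start"],
                             "path": m["path"], "company": m["company"].strip()})
    return services


def triage(services, baseline):
    """Return (service, issue, detail) tuples that deserve a human look."""
    findings = []
    for svc in services:
        expected = baseline.get(svc["name"].lower())
        if svc["path"] is None:
            # A registered service whose binary is gone: a leftover of a removal,
            # or a file that something deleted out from under the system.
            findings.append((svc["name"], "binary missing", svc["start"]))
        elif expected and expected != svc["start"]:
            findings.append((svc["name"], "start type differs",
                             f"is {svc['start']}, svc.bat sets {expected}"))
    return findings


# Constructed subset of the thread's svc.bat.
SVC_BAT_SUBSET = r"""
sc config RpcSs start= auto
sc config ALG start= demand
sc config CiSvc start= demand
sc config DcomLaunch start= auto
sc config Eventlog start= auto
sc config VSS start= demand
sc config wscsvc start= auto
ren "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" clear.exe
pause
"""

# Constructed log excerpt in OTL's format; the VSS and CiSvc start types were
# altered here on purpose to show how a mismatch is reported.
SAMPLE_OTL = r"""
========== Win32 Services (All) ==========

SRV - File not found [Auto] -- -- (FSIHS)
SRV - [2009/02/09 08:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs) Remote Procedure Call (RPC)
SRV - [2008/04/13 20:12:38 | 000,289,792 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)
SRV - [2010/01/21 23:04:54 | 000,075,064 | ---- | M] () [Auto] -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA)
SRV - [2008/04/13 20:12:14 | 000,005,632 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\cisvc.exe -- (CiSvc)

========== Driver Services (All) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
"""


def run_sample():
    """Run the triage over the constructed data and return the findings."""
    return triage(parse_services(SAMPLE_OTL), baseline_from_bat(SVC_BAT_SUBSET))


if __name__ == "__main__":
    for name, issue, detail in run_sample():
        print(f"{name:12} {issue:20} {detail}")
```

Services not named in the baseline (PnkBstrA in the sample) are left alone, so the output is a list of things to look at, not a verdict.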


#12 sneal

sneal
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:02:02 AM

Posted 29 May 2010 - 03:07 AM

I apologize for not getting to the computer after work on Friday. My daughter had a program at her school, then because
it's my weekend with my kids, we were playing games until about midnight. Sunday? I can be free anytime after about 1:00 my time. Please let me know if you're available. Next week, I should be home from work every evening by 6:00 my time at the latest.

Here's what I did this evening/morning . . .

PART 1:
1. Made svc.bat file.
2. Assumed I need to continue to boot into Safe Mode, so I did.
3. Ran run.bat, then svc.bat. The "E:\>sc config RpcSs start= auto . . . SUCCESS" lines appeared as expected.
4. Restarted computer in Safe Mode, and ran run.bat.
5. Performed "new task": "c:\program files\Malwarebytes' Anti-Malware\clear.exe". Task Manager/Applications showed
that Malwarebytes was running, but received this error: "Run-time error '372': Failed to load control 'vbalGrid'
from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may by outdated. Make sure you are using the version of the
control that was provided with your application." Clicked "OK," and application terminated.

PART 2:
1. Downloaded OTLPE-ISO from geekstogo.com and saved to desktop.
2. Downloaded BurnCDCC and created boot CD as instructed.
3. Inserted Boot CD into CD drive on infected computer, then restarted. "Starting Reatogo-X-PE" appeared. (NOTE: did
not use run.bat from flash drive this time.)
4. Double-clicked on OTLPE desktop icon.
a. "Do you wish to load the remote registry?"--question did not appear.
b. "Load remote user profiles for scanning?"--selected "Yes"
c. "Automatically Load All Remaining Users"--checked and clicked OK.
5. OTL front end appeared. Set sections as directed. (NOTE: "Files Created/Modified Within" sections did not have
"By Date" choice. Middle choice was "File Age." Left "File Age" selected.)
6. Pasted code into Custom Scan as directed, then clicked "Run Scan." OTL log was created.

NOTE: Very concerned that the "Do you wish to load the remote registry?" question did not appear. Could it have happened
so fast that I didn't see it? If I did not see the question, would the OTL log produced still be valid?

Here's the OTL log that was produced:

OTL logfile created on: 5/28/2010 3:19:41 AM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 293.00 Mb Available Physical Memory | 57.00% Memory free
459.00 Mb Paging File | 334.00 Mb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.30 Gb Total Space | 148.96 Gb Free Space | 79.96% Space Free | Partition Type: NTFS
Drive D: | 7.47 Gb Total Space | 5.03 Gb Free Space | 67.30% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 280.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (All) ==========

SRV - File not found [Auto] -- -- (FSIHS)
SRV - [2010/01/25 12:02:20 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2010/01/21 23:04:54 | 000,075,064 | ---- | M] () [Auto] -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA)
SRV - [2009/10/26 00:07:03 | 000,028,762 | ---- | M] (MyWebSearch.com) [Disabled] -- C:\Program Files\MyWebSearch\bar\2.bin\MWSSVC.EXE -- (MyWebSearchService)
SRV - [2009/08/05 11:59:26 | 000,055,904 | ---- | M] (F-Secure Corporation) [On_Demand] -- C:\Program Files\Charter Security Suite\ORSP Client\fsorsp.exe -- (FSORSPClient)
SRV - [2009/08/05 11:58:52 | 000,186,976 | ---- | M] (F-Secure Corporation) [Auto] -- C:\Program Files\Charter Security Suite\Common\FSMA32.EXE -- (FSMA)
SRV - [2009/08/05 11:57:20 | 000,522,848 | ---- | M] (F-Secure Corporation) [On_Demand] -- C:\Program Files\Charter Security Suite\FWES\Program\fsdfwd.exe -- (FSDFWD)
SRV - [2009/08/05 11:56:10 | 000,215,648 | ---- | M] (F-Secure Corporation) [Auto] -- C:\Program Files\Charter Security Suite\Anti-Virus\fsgk32st.exe -- (F-Secure Gatekeeper Handler Starter)
SRV - [2009/06/26 10:26:20 | 000,085,504 | ---- | M] (PC Pitstop LLC) [Disabled] -- C:\Program Files\PCPitstop\PCPitstopScheduleService.exe -- (PCPitstop Scheduling)
SRV - [2009/06/10 02:14:49 | 000,132,096 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation)
SRV - [2009/04/16 19:24:07 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/03/23 21:43:14 | 000,090,112 | ---- | M] () [Auto] -- C:\WINDOWS\system32\SnoopFreeSvc.exe -- (SnoopFreeSvc)
SRV - [2009/02/12 11:10:56 | 000,233,472 | ---- | M] (Teruten) [Auto] -- C:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2009/02/09 08:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs) Remote Procedure Call (RPC)
SRV - [2009/02/09 08:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\rpcss.dll -- (DcomLaunch)
SRV - [2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\services.exe -- (PlugPlay)
SRV - [2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\services.exe -- (Eventlog)
SRV - [2008/11/20 15:18:52 | 000,136,120 | ---- | M] (Google) [On_Demand] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/07/29 22:10:04 | 000,046,104 | ---- | M] (Microsoft Corporation) [On_Demand] -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 20:24:50 | 000,881,664 | ---- | M] (Microsoft Corporation) [On_Demand] -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 20:16:38 | 000,132,096 | ---- | M] (Microsoft Corporation) [Disabled] -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 12:17:02 | 000,069,632 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 12:16:40 | 000,034,312 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/07/07 16:26:58 | 000,253,952 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\es.dll -- (EventSystem)
SRV - [2008/06/20 13:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\mswsock.dll -- (Nla) Network Location Awareness (NLA)
SRV - [2008/04/13 20:12:40 | 000,126,464 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\wbem\wmiapsrv.exe -- (WmiApSrv)
SRV - [2008/04/13 20:12:38 | 000,289,792 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)
SRV - [2008/04/13 20:12:38 | 000,018,432 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\ups.exe -- (UPS)
SRV - [2008/04/13 20:12:36 | 000,057,856 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - [2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\svchost.exe -- (AppMgmt)
SRV - [2008/04/13 20:12:35 | 000,089,600 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\smlogsvc.exe -- (SysmonLog)
SRV - [2008/04/13 20:12:34 | 000,141,312 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\sessmgr.exe -- (RDSessMgr)
SRV - [2008/04/13 20:12:33 | 000,095,744 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\scardsvr.exe -- (SCardSvr)
SRV - [2008/04/13 20:12:29 | 000,111,104 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\netdde.exe -- (NetDDEdsdm)
SRV - [2008/04/13 20:12:29 | 000,111,104 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\netdde.exe -- (NetDDE)
SRV - [2008/04/13 20:12:28 | 000,078,848 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)
SRV - [2008/04/13 20:12:27 | 000,006,144 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\msdtc.exe -- (MSDTC)
SRV - [2008/04/13 20:12:25 | 000,032,768 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\mnmsrvc.exe -- (mnmsrvc)
SRV - [2008/04/13 20:12:24 | 000,075,264 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\locator.exe -- (RpcLocator) Remote Procedure Call (RPC)
SRV - [2008/04/13 20:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)
SRV - [2008/04/13 20:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)
SRV - [2008/04/13 20:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)
SRV - [2008/04/13 20:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\lsass.exe -- (NtLmSsp)
SRV - [2008/04/13 20:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)
SRV - [2008/04/13 20:12:22 | 000,150,528 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2008/04/13 20:12:17 | 000,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin)
SRV - [2008/04/13 20:12:17 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)
SRV - [2008/04/13 20:12:17 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\System32\dllhost.exe -- (COMSysApp)
SRV - [2008/04/13 20:12:14 | 000,033,280 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\clipsrv.exe -- (ClipSrv)
SRV - [2008/04/13 20:12:14 | 000,005,632 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\cisvc.exe -- (CiSvc)
SRV - [2008/04/13 20:12:12 | 000,044,544 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\alg.exe -- (ALG)
SRV - [2008/04/13 20:12:11 | 000,483,840 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC)
SRV - [2008/04/13 20:12:11 | 000,129,024 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\xmlprov.dll -- (xmlprov)
SRV - [2008/04/13 20:12:11 | 000,006,656 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2008/04/13 20:12:10 | 000,080,896 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wscsvc.dll -- (wscsvc)
SRV - [2008/04/13 20:12:09 | 000,144,896 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
SRV - [2008/04/13 20:12:08 | 000,333,824 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc) Windows Image Acquisition (WIA)
SRV - [2008/04/13 20:12:08 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\upnphost.dll -- (upnphost)
SRV - [2008/04/13 20:12:08 | 000,175,104 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\w32time.dll -- (W32Time)
SRV - [2008/04/13 20:12:08 | 000,068,096 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\webclnt.dll -- (WebClient)
SRV - [2008/04/13 20:12:08 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter)
SRV - [2008/04/13 20:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\termsrv.dll -- (TermService)
SRV - [2008/04/13 20:12:07 | 000,249,856 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv)
SRV - [2008/04/13 20:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2008/04/13 20:12:07 | 000,096,768 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\srvsvc.dll -- (lanmanserver)
SRV - [2008/04/13 20:12:07 | 000,090,112 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\trkwks.dll -- (TrkWks)
SRV - [2008/04/13 20:12:07 | 000,071,680 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\ssdpsrv.dll -- (SSDPSRV)
SRV - [2008/04/13 20:12:05 | 000,192,512 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule)
SRV - [2008/04/13 20:12:05 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2008/04/13 20:12:05 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection)
SRV - [2008/04/13 20:12:05 | 000,135,168 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility)
SRV - [2008/04/13 20:12:05 | 000,039,424 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\sens.dll -- (SENS)
SRV - [2008/04/13 20:12:05 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)
SRV - [2008/04/13 20:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2008/04/13 20:12:03 | 000,291,328 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\qagentrt.dll -- (napagent)
SRV - [2008/04/13 20:12:03 | 000,186,368 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan)
SRV - [2008/04/13 20:12:03 | 000,088,576 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto)
SRV - [2008/04/13 20:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc)
SRV - [2008/04/13 20:12:02 | 000,038,400 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2008/04/13 20:12:01 | 000,198,144 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\netman.dll -- (Netman)
SRV - [2008/04/13 20:11:59 | 000,033,792 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\msgsvc.dll -- (Messenger)
SRV - [2008/04/13 20:11:57 | 000,053,248 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\mprdim.dll -- (RemoteAccess)
SRV - [2008/04/13 20:11:56 | 000,061,440 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\kmsvc.dll -- (hkmsvc)
SRV - [2008/04/13 20:11:56 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts)
SRV - [2008/04/13 20:11:55 | 000,331,264 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\ipnathlp.dll -- (SharedAccess) Windows Firewall/Internet Connection Sharing (ICS)
SRV - [2008/04/13 20:11:54 | 000,021,504 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\hidserv.dll -- (HidServ)
SRV - [2008/04/13 20:11:53 | 000,023,040 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\ersvc.dll -- (ERSvc)
SRV - [2008/04/13 20:11:52 | 000,132,096 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\dot3svc.dll -- (Dot3svc)
SRV - [2008/04/13 20:11:52 | 000,045,568 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache)
SRV - [2008/04/13 20:11:52 | 000,033,792 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\eapsvc.dll -- (EapHost)
SRV - [2008/04/13 20:11:52 | 000,023,552 | ---- | M] (Microsoft Corp.) [On_Demand] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver)
SRV - [2008/04/13 20:11:51 | 000,126,976 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
SRV - [2008/04/13 20:11:51 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)
SRV - [2008/04/13 20:11:50 | 000,077,824 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\browser.dll -- (Browser)
SRV - [2008/04/13 20:11:50 | 000,042,496 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv)
SRV - [2008/04/13 20:11:49 | 000,017,408 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\alrsvc.dll -- (Alerter)
SRV - [2008/04/07 10:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2006/10/22 14:22:00 | 000,159,810 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2006/10/18 22:47:16 | 000,027,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\mspmsnsv.dll -- (WmdmPmSN)
SRV - [2006/10/18 21:05:24 | 000,913,408 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/09/28 19:56:14 | 000,055,808 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\WudfSvc.dll -- (WudfSvc)
SRV - [2006/02/20 15:23:08 | 000,495,616 | ---- | M] ( ) [On_Demand] -- C:\WINDOWS\System32\lxcrcoms.exe -- (lxcr_device)
SRV - [2003/03/31 08:00:00 | 000,132,608 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\rsvp.exe -- (RSVP)


========== Driver Services (All) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (wanatw) WAN Miniport (ATW)
DRV - File not found [Kernel | Disabled] -- -- (ultra)
DRV - File not found [Kernel | Disabled] -- -- (TosIde)
DRV - File not found [Kernel | Disabled] -- -- (symc8xx)
DRV - File not found [Kernel | Disabled] -- -- (symc810)
DRV - File not found [Kernel | Disabled] -- -- (sym_u3)
DRV - File not found [Kernel | Disabled] -- -- (sym_hi)
DRV - File not found [Kernel | Disabled] -- -- (Sparrow)
DRV - File not found [Kernel | Disabled] -- -- (Simbad)
DRV - File not found [Kernel | Disabled] -- -- (ql1280)
DRV - File not found [Kernel | Disabled] -- -- (ql1240)
DRV - File not found [Kernel | Disabled] -- -- (ql12160)
DRV - File not found [Kernel | Disabled] -- -- (Ql10wnt)
DRV - File not found [Kernel | Disabled] -- -- (ql1080)
DRV - File not found [Kernel | Disabled] -- -- (perc2hib)
DRV - File not found [Kernel | Disabled] -- -- (perc2)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | Disabled] -- -- (PCIIde)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | Disabled] -- -- (mraid35x)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | Disabled] -- -- (IntelIde)
DRV - File not found [Kernel | Disabled] -- -- (ini910u)
DRV - File not found [Kernel | Disabled] -- -- (i2omp)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | Disabled] -- -- (hpn)
DRV - File not found [Kernel | On_Demand] -- -- (FreshIO)
DRV - File not found [Kernel | Disabled] -- -- (dpti2o)
DRV - File not found [Kernel | Disabled] -- -- (dac960nt)
DRV - File not found [Kernel | Disabled] -- -- (dac2w2k)
DRV - File not found [Kernel | Disabled] -- -- (Cpqarray)
DRV - File not found [Kernel | Disabled] -- -- (CmdIde)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | Disabled] -- -- (cd20xrnt)
DRV - File not found [Kernel | Disabled] -- -- (Atdisk)
DRV - File not found [Kernel | System] -- -- (ASPI32)
DRV - File not found [Kernel | Disabled] -- -- (asc3550)
DRV - File not found [Kernel | Disabled] -- -- (asc3350p)
DRV - File not found [Kernel | Disabled] -- -- (asc)
DRV - File not found [Kernel | Disabled] -- -- (amsint)
DRV - File not found [Kernel | Disabled] -- -- (AliIde)
DRV - File not found [Kernel | Disabled] -- -- (aic78xx)
DRV - File not found [Kernel | Disabled] -- -- (aic78u2)
DRV - File not found [Kernel | Disabled] -- -- (Aha154x)
DRV - File not found [Kernel | Disabled] -- -- (adpu160m)
DRV - File not found [Kernel | Disabled] -- -- (abp480n5)
DRV - File not found [Kernel | Disabled] -- -- (Abiosdsk)
DRV - [2010/05/11 01:17:32 | 000,033,408 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\fsbts.sys -- (fsbts)
DRV - [2010/02/24 09:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) [File_System | System] -- C:\WINDOWS\system32\drivers\mrxsmb.sys -- (MRxSmb)
DRV - [2009/12/31 12:50:03 | 000,353,792 | ---- | M] (Microsoft Corporation) [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\srv.sys -- (Srv)
DRV - [2009/10/20 12:20:16 | 000,265,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\http.sys -- (HTTP)
DRV - [2009/08/05 11:58:30 | 000,068,064 | ---- | M] (F-Secure Corporation) [Kernel | System] -- C:\Program Files\Charter Security Suite\HIPS\drivers\fshs.sys -- (F-Secure HIPS)
DRV - [2009/08/05 11:57:20 | 000,080,000 | ---- | M] (F-Secure Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\fsdfw.sys -- (FSFW)
DRV - [2009/08/05 11:56:14 | 000,039,776 | ---- | M] () [Kernel | Disabled] -- C:\Program Files\Charter Security Suite\Anti-Virus\win2k\fsfilter.sys -- (F-Secure Filter)
DRV - [2009/08/05 11:56:14 | 000,025,184 | ---- | M] () [Kernel | Disabled] -- C:\Program Files\Charter Security Suite\Anti-Virus\win2k\fsrec.sys -- (F-Secure Recognizer)
DRV - [2009/08/05 11:56:12 | 000,099,936 | ---- | M] () [Kernel | On_Demand] -- C:\Program Files\Charter Security Suite\Anti-Virus\minifilter\fsgk.sys -- (F-Secure Gatekeeper)
DRV - [2009/06/24 07:18:41 | 000,092,928 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\ksecdd.sys -- (KSecDD)
DRV - [2009/03/23 21:43:14 | 000,009,472 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SnopFree.sys -- (SnoopFree)
DRV - [2009/02/12 11:10:56 | 000,036,608 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2009/02/10 00:43:43 | 000,023,600 | ---- | M] (EnTech Taiwan) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\TVICHW32.SYS -- (TVICHW32)
DRV - [2008/11/21 14:28:42 | 000,115,968 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2008/11/21 14:28:42 | 000,087,296 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2008/11/21 14:28:42 | 000,014,976 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2008/11/20 15:19:06 | 000,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20)
DRV - [2008/08/14 06:04:36 | 000,138,496 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\System32\drivers\afd.sys -- (AFD)
DRV - [2008/06/20 07:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\tcpip.sys -- (Tcpip)
DRV - [2008/04/13 20:13:22 | 000,139,656 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rdpwd.sys -- (RDPWD)
DRV - [2008/04/13 20:13:21 | 000,021,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tdtcp.sys -- (TDTCP)
DRV - [2008/04/13 20:13:20 | 000,040,840 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\termdd.sys -- (TermDD)
DRV - [2008/04/13 20:13:20 | 000,012,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tdpipe.sys -- (TDPIPE)
DRV - [2008/04/13 15:28:39 | 000,175,744 | ---- | M] (Microsoft Corporation) [File_System | System] -- C:\WINDOWS\system32\drivers\rdbss.sys -- (Rdbss)
DRV - [2008/04/13 15:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\netbt.sys -- (NetBT)
DRV - [2008/04/13 15:20:42 | 000,091,520 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ndiswan.sys -- (NdisWan)
DRV - [2008/04/13 15:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\ndis.sys -- (NDIS)
DRV - [2008/04/13 15:19:48 | 000,048,384 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\raspptp.sys -- (PptpMiniport) WAN Miniport (PPTP)
DRV - [2008/04/13 15:19:43 | 000,051,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rasl2tp.sys -- (Rasl2tp) WAN Miniport (L2TP)
DRV - [2008/04/13 15:19:42 | 000,075,264 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\ipsec.sys -- (IPSec)
DRV - [2008/04/13 15:18:00 | 000,052,480 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\i8042prt.sys -- (i8042prt)
DRV - [2008/04/13 15:17:18 | 000,083,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wdmaud.sys -- (wdmaud)
DRV - [2008/04/13 15:17:05 | 000,105,344 | ---- | M] (Microsoft Corporation) [File_System | Boot] -- C:\WINDOWS\system32\drivers\mup.sys -- (Mup)
DRV - [2008/04/13 15:15:55 | 000,060,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sysaudio.sys -- (sysaudio)
DRV - [2008/04/13 15:15:53 | 000,574,976 | ---- | M] (Microsoft Corporation) [File_System | Disabled] -- C:\WINDOWS\system32\drivers\ntfs.sys -- (Ntfs)
DRV - [2008/04/13 15:15:45 | 000,064,512 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\serial.sys -- (Serial)
DRV - [2008/04/13 15:14:29 | 000,143,744 | ---- | M] (Microsoft Corporation) [File_System | Disabled] -- C:\WINDOWS\system32\drivers\fastfat.sys -- (Fastfat)
DRV - [2008/04/13 15:14:21 | 000,063,744 | ---- | M] (Microsoft Corporation) [File_System | Disabled] -- C:\WINDOWS\system32\drivers\cdfs.sys -- (Cdfs)
DRV - [2008/04/13 15:00:19 | 000,030,080 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\modem.sys -- (Modem)
DRV - [2008/04/13 14:57:32 | 000,041,472 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\raspppoe.sys -- (RasPppoe)
DRV - [2008/04/13 14:57:29 | 000,040,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ndproxy.sys -- (NDProxy)
DRV - [2008/04/13 14:57:27 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\asyncmac.sys -- (AsyncMac)
DRV - [2008/04/13 14:57:27 | 000,010,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ndistapi.sys -- (NdisTapi)
DRV - [2008/04/13 14:57:21 | 000,034,560 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wanarp.sys -- (Wanarp)
DRV - [2008/04/13 14:57:15 | 000,152,832 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ipnat.sys -- (IpNat)
DRV - [2008/04/13 14:57:07 | 000,020,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ipinip.sys -- (IpInIp)
DRV - [2008/04/13 14:56:38 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\psched.sys -- (PSched)
DRV - [2008/04/13 14:56:32 | 000,035,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\msgpc.sys -- (Gpc)
DRV - [2008/04/13 14:56:02 | 000,034,688 | ---- | M] (Microsoft Corporation) [File_System | System] -- C:\WINDOWS\system32\drivers\netbios.sys -- (NetBIOS)
DRV - [2008/04/13 14:55:58 | 000,014,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ndisuio.sys -- (Ndisuio)
DRV - [2008/04/13 14:54:28 | 000,011,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\irenum.sys -- (IRENUM)
DRV - [2008/04/13 14:53:34 | 000,036,608 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ip6fw.sys -- (ip6fw)
DRV - [2008/04/13 14:51:25 | 000,059,904 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\atmarpc.sys -- (Atmarpc)
DRV - [2008/04/13 14:47:37 | 000,025,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbprint.sys -- (usbprint)
DRV - [2008/04/13 14:45:39 | 000,032,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbccgp.sys -- (usbccgp)
DRV - [2008/04/13 14:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\USBSTOR.SYS -- (USBSTOR)
DRV - [2008/04/13 14:45:37 | 000,059,520 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbhub.sys -- (usbhub)
DRV - [2008/04/13 14:45:36 | 000,026,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbser.sys -- (usbser)
DRV - [2008/04/13 14:45:35 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbehci.sys -- (usbehci)
DRV - [2008/04/13 14:45:35 | 000,020,608 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbuhci.sys -- (usbuhci)
DRV - [2008/04/13 14:45:34 | 000,015,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbscan.sys -- (usbscan)
DRV - [2008/04/13 14:45:27 | 000,010,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hidusb.sys -- (HidUsb)
DRV - [2008/04/13 14:45:13 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\drmkaud.sys -- (drmkaud)
DRV - [2008/04/13 14:45:09 | 000,172,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\kmixer.sys -- (kmixer)
DRV - [2008/04/13 14:45:09 | 000,056,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\swmidi.sys -- (swmidi)
DRV - [2008/04/13 14:45:07 | 000,006,272 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\splitter.sys -- (splitter)
DRV - [2008/04/13 14:45:01 | 000,052,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\dmusic.sys -- (DMusic)
DRV - [2008/04/13 14:44:48 | 000,799,744 | ---- | M] (Microsoft Corp., Veritas Software) [Kernel | Disabled] -- C:\WINDOWS\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2008/04/13 14:44:46 | 000,153,344 | ---- | M] (Microsoft Corp., Veritas Software) [Kernel | Disabled] -- C:\WINDOWS\system32\drivers\dmio.sys -- (dmio)
DRV - [2008/04/13 14:44:40 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\System32\drivers\vga.sys -- (VgaSave)
DRV - [2008/04/13 14:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\volsnap.sys -- (VolSnap)
DRV - [2008/04/13 14:40:58 | 000,042,112 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\imapi.sys -- (Imapi)
DRV - [2008/04/13 14:40:49 | 000,019,712 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\partmgr.sys -- (PartMgr)
DRV - [2008/04/13 14:40:48 | 000,036,352 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\disk.sys -- (Disk)
DRV - [2008/04/13 14:40:48 | 000,011,392 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\sfloppy.sys -- (Sfloppy)
DRV - [2008/04/13 14:40:46 | 000,062,976 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\cdrom.sys -- (Cdrom)
DRV - [2008/04/13 14:40:31 | 000,005,376 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\viaide.sys -- (ViaIde)
DRV - [2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\atapi.sys -- (atapi)
DRV - [2008/04/13 14:40:27 | 000,057,600 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\redbook.sys -- (redbook)
DRV - [2008/04/13 14:40:25 | 000,027,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\fdc.sys -- (Fdc)
DRV - [2008/04/13 14:40:25 | 000,020,480 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\flpydisk.sys -- (Flpydisk)
DRV - [2008/04/13 14:40:12 | 000,015,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\serenum.sys -- (serenum)
DRV - [2008/04/13 14:40:10 | 000,080,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\parport.sys -- (Parport)
DRV - [2008/04/13 14:39:53 | 000,004,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\swenum.sys -- (swenum)
DRV - [2008/04/13 14:39:52 | 000,007,552 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mskssrv.sys -- (MSKSSRV)
DRV - [2008/04/13 14:39:51 | 000,004,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mspqm.sys -- (MSPQM)
DRV - [2008/04/13 14:39:50 | 000,005,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mspclock.sys -- (MSPCLOCK)
DRV - [2008/04/13 14:39:48 | 000,014,592 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid)
DRV - [2008/04/13 14:39:47 | 000,024,576 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\kbdclass.sys -- (Kbdclass)
DRV - [2008/04/13 14:39:47 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\mouclass.sys -- (Mouclass)
DRV - [2008/04/13 14:39:46 | 000,384,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\update.sys -- (Update)
DRV - [2008/04/13 14:39:46 | 000,042,368 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\mountmgr.sys -- (MountMgr)
DRV - [2008/04/13 14:36:52 | 000,073,472 | ---- | M] (Microsoft Corporation) [File_System | Boot] -- C:\WINDOWS\system32\drivers\sr.sys -- (sr)
DRV - [2008/04/13 14:36:46 | 000,015,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mssmbios.sys -- (mssmbios)
DRV - [2008/04/13 14:36:44 | 000,068,224 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\pci.sys -- (PCI)
DRV - [2008/04/13 14:36:43 | 000,120,192 | ---- | M] (Microsoft Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\drivers\pcmcia.sys -- (Pcmcia)
DRV - [2008/04/13 14:36:41 | 000,037,248 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\isapnp.sys -- (isapnp)
DRV - [2008/04/13 14:36:35 | 000,187,776 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\acpi.sys -- (ACPI)
DRV - [2008/04/13 14:33:28 | 000,044,544 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\fips.sys -- (Fips)
DRV - [2008/04/13 14:32:59 | 000,129,792 | ---- | M] (Microsoft Corporation) [File_System | Boot] -- C:\WINDOWS\system32\drivers\fltmgr.sys -- (FltMgr)
DRV - [2008/04/13 14:32:44 | 000,180,608 | ---- | M] (Microsoft Corporation) [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\mrxdav.sys -- (MRxDAV)
DRV - [2008/04/13 14:32:39 | 000,030,848 | ---- | M] (Microsoft Corporation) [File_System | System] -- C:\WINDOWS\system32\drivers\npfs.sys -- (Npfs)
DRV - [2008/04/13 14:32:39 | 000,019,072 | ---- | M] (Microsoft Corporation) [File_System | System] -- C:\WINDOWS\system32\drivers\msfs.sys -- (Msfs)
DRV - [2008/04/13 14:32:36 | 000,066,048 | ---- | M] (Microsoft Corporation) [File_System | Disabled] -- C:\WINDOWS\system32\drivers\udfs.sys -- (Udfs)
DRV - [2008/04/13 14:31:32 | 000,036,352 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\intelppm.sys -- (intelppm)
DRV - [2008/04/13 14:31:30 | 000,035,840 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\processr.sys -- (Processor)
DRV - [2008/04/13 12:39:23 | 000,142,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\aec.sys -- (aec)
DRV - [2008/04/13 12:39:15 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/09/17 16:53:26 | 000,021,632 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/05/04 17:54:08 | 000,022,528 | ---- | M] (Motorola) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\motport.sys -- (motport)
DRV - [2007/05/04 17:54:08 | 000,022,528 | ---- | M] (Motorola) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/04/05 16:04:16 | 000,017,920 | ---- | M] (Motorola) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2007/01/23 20:03:44 | 000,007,680 | ---- | M] (Motorola) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2006/11/02 08:22:54 | 000,492,000 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000)
DRV - [2006/10/22 14:22:00 | 003,994,624 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/10/18 21:00:00 | 000,038,528 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wpdusb.sys -- (WpdUsb)
DRV - [2006/09/28 20:00:34 | 000,082,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\WudfRd.sys -- (WudfRd)
DRV - [2006/09/28 19:55:50 | 000,077,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\WudfPf.sys -- (WudfPf)
DRV - [2004/12/16 14:36:30 | 000,042,496 | ---- | M] (VIA Technologies, Inc. ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\fetnd5bv.sys -- (FETND5BV)
DRV - [2003/08/21 19:56:36 | 000,025,520 | ---- | M] (Ahead Software AG) [Kernel | System] -- C:\WINDOWS\system32\drivers\incdrm.sys -- (incdrm)
DRV - [2003/07/02 06:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\VIAAGP1.SYS -- (viaagp1)
DRV - [2003/03/31 08:00:00 | 000,125,056 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\ftdisk.sys -- (Ftdisk)
DRV - [2003/03/31 08:00:00 | 000,032,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ipfltdrv.sys -- (IpFilterDriver)
DRV - [2003/03/31 08:00:00 | 000,032,512 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nwlnkfwd.sys -- (NwlnkFwd)
DRV - [2003/03/31 08:00:00 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\cdaudio.sys -- (Cdaudio)
DRV - [2003/03/31 08:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2003/03/31 08:00:00 | 000,016,512 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\raspti.sys -- (Raspti)
DRV - [2003/03/31 08:00:00 | 000,013,952 | ---- | M] (Microsoft Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\drivers\cbidf2k.sys -- (cbidf2k)
DRV - [2003/03/31 08:00:00 | 000,012,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nwlnkflt.sys -- (NwlnkFlt)
DRV - [2003/03/31 08:00:00 | 000,012,032 | ---- | M] (Microsoft Corporation) [Kernel | Disabled] -- C:\WINDOWS\System32\drivers\ws2ifsl.sys -- (WS2IFSL)
DRV - [2003/03/31 08:00:00 | 000,011,648 | ---- | M] (Microsoft Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\drivers\acpiec.sys -- (ACPIEC)
DRV - [2003/03/31 08:00:00 | 000,008,832 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\rasacd.sys -- (RasAcd)
DRV - [2003/03/31 08:00:00 | 000,007,936 | ---- | M] (Microsoft Corporation) [Recognizer | System] -- C:\WINDOWS\system32\drivers\fs_rec.sys -- (Fs_Rec)
DRV - [2003/03/31 08:00:00 | 000,006,784 | ---- | M] (Microsoft Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\parvdm.sys -- (ParVdm)
DRV - [2003/03/31 08:00:00 | 000,005,888 | ---- | M] (Microsoft Corp., Veritas Software.) [Kernel | Disabled] -- C:\WINDOWS\system32\drivers\dmload.sys -- (dmload)
DRV - [2003/03/31 08:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\rdpcdd.sys -- (RDPCDD)
DRV - [2003/03/31 08:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\mnmdd.sys -- (mnmdd)
DRV - [2003/03/31 08:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\beep.sys -- (Beep)
DRV - [2003/03/31 08:00:00 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\null.sys -- (Null)
DRV - [2003/03/31 08:00:00 | 000,002,864 | ---- | M] (Microsoft Corporation) [Adapter | On_Demand] -- C:\WINDOWS\system32\winsock.dll -- (Winsock)
DRV - [2003/02/26 04:04:00 | 000,370,048 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\viaudios.sys -- (VIAudio) VIA AC'97 Audio Controller (WDM)
DRV - [2003/02/24 12:42:44 | 000,029,709 | ---- | M] (CONEXANT) [Kernel | Disabled] -- C:\WINDOWS\system32\drivers\acfva.sys -- (acfva)
DRV - [2003/02/24 12:42:44 | 000,011,035 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2002/10/29 02:20:30 | 000,040,960 | R--- | M] (VIA Technologies, Inc. ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\fetnd5b.sys -- (FETNDISB)
DRV - [2001/08/17 15:48:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mouhid.sys -- (mouhid)
DRV - [2001/08/17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 09:59:44 | 000,003,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\audstub.sys -- (audstub)
DRV - [2001/08/17 08:13:08 | 000,027,165 | ---- | M] (VIA Technologies, Inc. ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/...rch/search.html
IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Search,CustomSearch =
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Elizabeth_ON_C\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\Elizabeth_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
IE - HKU\Elizabeth_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\Elizabeth_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7
IE - HKU\Elizabeth_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKU\Elizabeth_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\Elizabeth_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\Elizabeth_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 42 6E CD A7 83 0B CC 01 [binary data]
IE - HKU\Elizabeth_ON_C\Software\Microsoft\Internet Explorer\Search,CustomSearch =
IE - HKU\Elizabeth_ON_C\..\URLSearchHook: *{00A6FAF6-072E-44cf-8957-5838F569A31D} - Reg Error: Key error. File not found
IE - HKU\Elizabeth_ON_C\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\Elizabeth_ON_C\..\URLSearchHook: *{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - Reg Error: Key error. File not found
IE - HKU\Elizabeth_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL (MyWebSearch.com)
IE - HKU\Elizabeth_ON_C\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\Elizabeth_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Guest_ON_C\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\Guest_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
IE - HKU\Guest_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\Guest_ON_C\Software\Microsoft\Internet Explorer\Search,CustomSearch =
IE - HKU\Guest_ON_C\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKU\Guest_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Matthew_ON_C\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\Matthew_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
IE - HKU\Matthew_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKU\Matthew_ON_C\Software\Microsoft\Internet Explorer\Search,CustomSearch =
IE - HKU\Matthew_ON_C\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKU\Matthew_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Momma_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\Momma_ON_C\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\Momma_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\Momma_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\Momma_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7
IE - HKU\Momma_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\Momma_ON_C\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\Momma_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\Momma_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL (MyWebSearch.com)
IE - HKU\Momma_ON_C\..\URLSearchHook: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Momma\Local Settings\Application Data\CyberDefender\cdmyidd.dll (CyberDefender Corp.)
IE - HKU\Momma_ON_C\..\URLSearchHook: {a2a2d97b-96d0-4a2f-a7d1-eed992f1696b} - C:\Program Files\Total_Gym\tbTot0.dll (Conduit Ltd.)
IE - HKU\Momma_ON_C\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKU\Momma_ON_C\..\URLSearchHook: {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - Reg Error: Key error. File not found
IE - HKU\Momma_ON_C\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
IE - HKU\Momma_ON_C\..\URLSearchHook: ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\Momma_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Momma_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\systemprofile_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Eudora 8.0.0b3\extensions\\Components: C:\Program Files\Eudora\components [2010/02/20 11:46:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Eudora 8.0.0b3\extensions\\Plugins: C:\Program Files\Eudora\plugins [2010/05/13 02:14:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/03/15 17:02:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/23 19:28:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/04/16 19:24:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\litmus-ff@f-secure.com: C:\Program Files\Charter Security Suite\NRS\litmus-ff@f-secure.com [2010/05/11 01:16:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Flock 2.0\extensions\\Components: C:\Program Files\Flock\components
FF - HKLM\software\mozilla\Flock 2.0\extensions\\Plugins: C:\Program Files\Flock\plugins [2010/05/07 00:12:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/06 05:46:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/06 05:46:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Sunbird 0.8\extensions\\Components: C:\Program Files\Mozilla Sunbird\components [2010/02/20 11:46:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Sunbird 0.8\extensions\\Plugins: C:\Program Files\Mozilla Sunbird\plugins [2010/02/21 02:54:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/05/14 10:04:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/05/11 00:16:19 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/06 05:46:57 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/09/14 18:32:53 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
[2008/10/18 13:27:49 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/04/16 19:24:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/03/20 00:08:49 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\npmozax@real.com
[2010/05/06 05:46:29 | 000,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/05/06 05:46:29 | 000,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2008/12/06 00:52:44 | 000,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
[2009/04/16 19:24:08 | 000,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2009/02/06 13:44:28 | 001,447,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
[2009/10/25 00:27:30 | 000,024,684 | ---- | M] (MyWebSearch.com) -- C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
[2010/05/06 05:46:43 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2010/02/20 12:59:13 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2010/02/20 12:59:13 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2010/02/20 12:59:13 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2010/02/20 12:59:13 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2010/02/20 12:59:13 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2010/02/20 12:59:13 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2010/02/20 12:59:13 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2010/01/25 12:02:20 | 000,031,936 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
[2010/05/06 05:46:47 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2010/05/06 05:46:47 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/10/18 17:05:34 | 000,001,497 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\avg_igeared.xml
[2010/05/06 05:46:47 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2010/05/06 05:46:47 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2010/05/06 05:46:47 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2010/05/06 05:46:48 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml

O1 HOSTS File: ([2009/09/19 12:47:17 | 000,255,673 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.1001-search.info
O1 - Hosts: 127.0.0.1 1001-search.info
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 8893 more lines...
O2 - BHO: (MyWebSearch Search Assistant BHO) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL (MyWebSearch.com)
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (MyIdentityDefender) - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Momma\Local Settings\Application Data\CyberDefender\cdmyidd.dll (CyberDefender Corp.)
O2 - BHO: (Total Gym Toolbar) - {a2a2d97b-96d0-4a2f-a7d1-eed992f1696b} - C:\Program Files\Total_Gym\tbTot0.dll (Conduit Ltd.)
O2 - BHO: (Browsing Protection Class) - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\Charter Security Suite\NRS\iescript\BaseLitmus.dll (F-Secure Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (Browsing Protection Toolbar) - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\Charter Security Suite\NRS\iescript\BaseLitmus.dll (F-Secure Corporation)
O3 - HKLM\..\Toolbar: (MyIdentityDefender) - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Momma\Local Settings\Application Data\CyberDefender\cdmyidd.dll (CyberDefender Corp.)
O3 - HKLM\..\Toolbar: (Total Gym Toolbar) - {a2a2d97b-96d0-4a2f-a7d1-eed992f1696b} - C:\Program Files\Total_Gym\tbTot0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (FreshDownload Bar) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll File not found
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O3 - HKU\Elizabeth_ON_C\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\Elizabeth_ON_C\..\Toolbar\WebBrowser: (Total Gym Toolbar) - {A2A2D97B-96D0-4A2F-A7D1-EED992F1696B} - C:\Program Files\Total_Gym\tbTot0.dll (Conduit Ltd.)
O3 - HKU\Momma_ON_C\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKU\Momma_ON_C\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKU\Momma_ON_C\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\Momma_ON_C\..\Toolbar\WebBrowser: (MyIdentityDefender) - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Momma\Local Settings\Application Data\CyberDefender\cdmyidd.dll (CyberDefender Corp.)
O3 - HKU\Momma_ON_C\..\Toolbar\WebBrowser: (Total Gym Toolbar) - {A2A2D97B-96D0-4A2F-A7D1-EED992F1696B} - C:\Program Files\Total_Gym\tbTot0.dll (Conduit Ltd.)
O3 - HKU\Momma_ON_C\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O3 - HKU\Momma_ON_C\..\Toolbar\WebBrowser: (&Links) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
O4 - HKLM..\Run: [F-Secure Manager] C:\Program Files\Charter Security Suite\Common\FSM32.EXE (F-Secure Corporation)
O4 - HKLM..\Run: [F-Secure TNB] C:\Program Files\Charter Security Suite\FSGUI\TNBUtil.exe (F-Secure Corporation)
O4 - HKLM..\Run: [LXCRCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.DLL ()
O4 - HKLM..\Run: [Motive SmartBridge] C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB.exe (Motive, Inc.)
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [Pure Networks Port Magic] C:\Program Files\Pure Networks\Port Magic\PortAOL.exe (Pure Networks, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SnoopFreeUI] C:\WINDOWS\SnoopFreeUI.exe (SnoopFree Software)
O4 - HKLM..\Run: [SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}] C:\Program Files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe (Softarium.com)
O4 - HKU\Elizabeth_ON_C..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\Elizabeth_ON_C..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKU\Elizabeth_ON_C..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe File not found
O4 - HKU\Matthew_ON_C..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKU\Momma_ON_C..\Run: [ccleaner] C:\Program Files\CCleaner\CCleaner.exe (Piriform Ltd)
O4 - HKU\Momma_ON_C..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\Momma_ON_C..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKU\Momma_ON_C..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe File not found
O4 - HKU\Elizabeth_ON_C..\RunOnce: [AVG Security Toolbar_updatecleanup] C:\Program Files\AVG\AVG8\Toolbar\ToolbarBroker.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe (Motive Communications, Inc.)
O4 - Startup: C:\Documents and Settings\Momma\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe File not found
O4 - Startup: C:\Documents and Settings\Momma\Start Menu\Programs\Startup\MailWasherFree.lnk = C:\Program Files\FireTrust\MailWasher Free\MailWasher.exe (Firetrust Ltd)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Elizabeth_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Guest_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Matthew_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Momma_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Momma_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\systemprofile_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll File not found
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll File not found
O9 - Extra Button: FreshDownload - {8D8BC573-B272-41A9-95D1-4661BD4AFF44} - C:\Program Files\FreshDevices\FreshDownload\fd.exe File not found
O9 - Extra Button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Momma\Start Menu\Programs\IMVU\Run IMVU.lnk ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/Nirvana/con...s/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} http://utilities.pcpitstop.com/Nirvana/con...DiskMD3Ctrl.dll (diskhealth Class)
O16 - DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} http://utilities.pcpitstop.com/Nirvana/con...opAntiVirus.dll (PCPitstop AntiVirus)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn.com/download/MsnMesse...pDownloader.cab (MsnMessengerSetupDownloadControl Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...570/mcfscan.cab (McFreeScan Class)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/Nirvana/con.../pcpitstop2.dll (PCPitstop Exam)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.113.206.10 24.217.0.5 24.217.201.67
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop BackupWallPaper:
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/08 01:56:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (sprecovr \SystemRoot\sprecovr.txt) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/01/08 01:56:10 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 2
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\system32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\system32\ir32_32.dll ()
Drivers32: vidc.mp42 - mpg4c32.dll File not found
Drivers32: vidc.mp43 - mpg4c32.dll File not found
Drivers32: vidc.mpg4 - mpg4c32.dll File not found
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2011/05/06 00:11:49 | 009,028,040 | ---- | C] (Mozilla) -- C:\Documents and Settings\Momma\Desktop\Thunderbird Setup 3.0.4.exe
[2011/05/05 00:36:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Momma\Application Data\Vivox
[2011/05/05 00:21:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Momma\Application Data\IMVU
[2011/05/05 00:17:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Momma\Application Data\IMVUClient
[2011/05/04 23:52:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Momma\Desktop\Rock Box Files
[2011/05/04 23:44:45 | 009,252,456 | ---- | C] (FireTrust Limited ) -- C:\Documents and Settings\Momma\Desktop\MailWasherFree_652_Setup.exe
[2011/05/03 22:31:44 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2011/05/03 22:31:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Momma\Desktop\Desktop Clean-up
[2011/03/03 22:10:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Momma\Local Settings\Application Data\NOS
[2011/03/03 22:09:51 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2011/03/03 22:09:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Momma\Desktop\Music
[2011/03/03 22:09:00 | 000,000,000 | ---D | C] -- C:\Downloads
[2011/03/03 22:05:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Momma\Desktop\Downloads
[2011/03/03 22:05:00 | 000,000,000 | ---D | C] -- C:\Program Files\LimeWire
[2010/05/26 22:35:11 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Momma\Recent
[2010/05/26 20:26:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood.Tmp
[2010/05/26 00:52:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/26 00:52:06 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/17 23:15:14 | 000,000,000 | ---D | C] -- C:\rsit
[2010/05/14 22:39:47 | 000,000,000 | ---D | C] -- C:\Program Files\YourWare Solutions
[2010/05/14 10:23:17 | 000,000,000 | ---D | C] -- C:\Program Files\SpeedyPC
[2010/05/14 10:21:55 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/14 10:21:48 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/14 10:21:48 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/14 10:04:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Thunderbird
[2010/05/14 10:04:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Thunderbird
[2010/05/14 10:04:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla
[2010/05/12 22:59:03 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2010/05/12 22:56:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2010/05/12 22:56:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2010/05/12 22:56:36 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft

Any clues as to what I might have? Everything was working fine until I received my login code from the new ISP
(Charter internet) and tried to download their "Security Suite." I sat and watched while it erased my security
software. I was concerned, but Charter told me that their software would erase conflicting security products.
Whatever it did, it certainly created problems for me.

Thanks for your help!
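The "< MD5 for: NAME >" sections in the log above list every copy of a core system binary that OTL found, which lets a helper spot a live system32 copy whose hash matches none of the protected copies (dllcache, ServicePackFiles) or that carries no vendor information. As an added example, not code from this thread or from OTL, here is a small Python checker for that log layout; the hashes and the tampered-looking winlogon.exe entry in the sample are constructed.

```python
import re

# Constructed sample in the layout of OTL's "< MD5 for: NAME >" sections.
# The hash values are placeholders, not real file hashes; the winlogon.exe
# entry under system32 is deliberately made to look tampered (no vendor,
# hash matching no protected copy).
SAMPLE_LOG = r"""
< MD5 for: SVCHOST.EXE >
[2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\WINDOWS\system32\dllcache\svchost.exe
[2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 03:56:57 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: WINLOGON.EXE >
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2010/05/20 11:02:13 | 000,507,904 | ---- | M] () MD5=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD -- C:\WINDOWS\system32\winlogon.exe

< End of report >
"""

SECTION_RE = re.compile(r"^< MD5 for: (?P<name>[^ >]+) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<vendor>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)
# Directories holding the protected reference copies that the live
# system32 file should normally be identical to.
REFERENCE_DIRS = ("\\system32\\dllcache\\", "\\servicepackfiles\\i386\\")
LIVE_DIR = "c:\\windows\\system32"

def parse_md5_sections(text):
    """Return {FILENAME: [entry, ...]} with size as int and md5 upper-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            current = head.group("name").upper()
            sections.setdefault(current, [])
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            d = entry.groupdict()
            d["size"] = int(d["size"].replace(",", ""))
            d["md5"] = d["md5"].upper()
            sections[current].append(d)
    return sections

def is_live_copy(path):
    """True for the copy Windows actually runs: directly under system32."""
    return path.lower().rsplit("\\", 1)[0] == LIVE_DIR

def find_suspect_files(text):
    """List (FILENAME, reason) for live copies that look replaced or patched."""
    findings = []
    for name, entries in parse_md5_sections(text).items():
        reference_hashes = {
            e["md5"] for e in entries
            if any(d in e["path"].lower() for d in REFERENCE_DIRS)
        }
        for e in entries:
            if not is_live_copy(e["path"]):
                continue
            if not e["vendor"]:
                findings.append((name, "live copy has no vendor/version information"))
            if reference_hashes and e["md5"] not in reference_hashes:
                findings.append((name, "live copy hash matches no protected copy"))
    return findings

if __name__ == "__main__":
    for name, reason in find_suspect_files(SAMPLE_LOG):
        print(f"{name}: {reason}")
```

The pre-service-pack copies under $NtServicePackUninstall$ are older builds and are expected to differ, so they are deliberately not used as references.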

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:02 AM

Posted 29 May 2010 - 07:02 AM

Thank you for the detailed feedback. You did a nice job and the log is what we need.

No worries about the delay; we all have other priorities.

What I see is that, except for MyWebSearch, there is no malware on this computer. It cannot cause those serious issues. I have thought for a while that the new security software didn't install fully and caused the issue. We tried to disable it with no luck.

What we are going to do is to remove all the security software. Our main aim at the moment is to be able to boot normally and then take care of the other issues.

After booting normally there is a possibility that you don't have an internet connection. The security software has entries that, when we remove it, may cause internet connection issues. OTL might take care of that, but even if you have a connection problem we will fix it easily and you don't need to worry about it. As I mentioned, the main issue is to boot normally; the rest will be much easier.

  1. On the working computer:
    Insert your flash drive.
    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    :otl
    DRV - [2010/05/11 01:17:32 | 000,033,408 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\fsbts.sys -- (fsbts)
    DRV - [2009/08/05 11:58:30 | 000,068,064 | ---- | M] (F-Secure Corporation) [Kernel | System] -- C:\Program Files\Charter Security Suite\HIPS\drivers\fshs.sys -- (F-Secure HIPS)
    DRV - [2009/08/05 11:57:20 | 000,080,000 | ---- | M] (F-Secure Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\fsdfw.sys -- (FSFW)
    DRV - [2009/08/05 11:56:14 | 000,039,776 | ---- | M] () [Kernel | Disabled] -- C:\Program Files\Charter Security Suite\Anti-Virus\win2k\fsfilter.sys -- (F-Secure Filter)
    DRV - [2009/08/05 11:56:14 | 000,025,184 | ---- | M] () [Kernel | Disabled] -- C:\Program Files\Charter Security Suite\Anti-Virus\win2k\fsrec.sys -- (F-Secure Recognizer)
    DRV - [2009/08/05 11:56:12 | 000,099,936 | ---- | M] () [Kernel | On_Demand] -- C:\Program Files\Charter Security Suite\Anti-Virus\minifilter\fsgk.sys -- (F-Secure Gatekeeper)
    DRV - [2009/03/23 21:43:14 | 000,009,472 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SnopFree.sys -- (SnoopFree)
    DRV - [2009/02/12 11:10:56 | 000,036,608 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
    SRV - [2009/10/26 00:07:03 | 000,028,762 | ---- | M] (MyWebSearch.com) [Disabled] -- C:\Program Files\MyWebSearch\bar\2.bin\MWSSVC.EXE -- (MyWebSearchService)
    SRV - [2009/08/05 11:59:26 | 000,055,904 | ---- | M] (F-Secure Corporation) [On_Demand] -- C:\Program Files\Charter Security Suite\ORSP Client\fsorsp.exe -- (FSORSPClient)
    SRV - [2009/08/05 11:58:52 | 000,186,976 | ---- | M] (F-Secure Corporation) [Auto] -- C:\Program Files\Charter Security Suite\Common\FSMA32.EXE -- (FSMA)
    SRV - [2009/08/05 11:57:20 | 000,522,848 | ---- | M] (F-Secure Corporation) [On_Demand] -- C:\Program Files\Charter Security Suite\FWES\Program\fsdfwd.exe -- (FSDFWD)
    SRV - [2009/08/05 11:56:10 | 000,215,648 | ---- | M] (F-Secure Corporation) [Auto] -- C:\Program Files\Charter Security Suite\Anti-Virus\fsgk32st.exe -- (F-Secure Gatekeeper Handler Starter)
    SRV - [2009/03/23 21:43:14 | 000,090,112 | ---- | M] () [Auto] -- C:\WINDOWS\system32\SnoopFreeSvc.exe -- (SnoopFreeSvc)
    IE - HKU\Elizabeth_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL (MyWebSearch.com)
    IE - HKU\Momma_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL (MyWebSearch.com)
    [2009/10/25 00:27:30 | 000,024,684 | ---- | M] (MyWebSearch.com) -- C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
    O2 - BHO: (MyWebSearch Search Assistant BHO) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL (MyWebSearch.com)
    O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (MyIdentityDefender) - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Momma\Local Settings\Application Data\CyberDefender\cdmyidd.dll (CyberDefender Corp.)
    O4 - HKU\Momma_ON_C..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
    O4 - HKU\Momma_ON_C..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe File not found
    O4 - HKU\Elizabeth_ON_C..\RunOnce: [AVG Security Toolbar_updatecleanup] C:\Program Files\AVG\AVG8\Toolbar\ToolbarBroker.exe File not found
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL (F-Secure Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - File not found
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    :file
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\F-Secure
    C:\Program Files\MyWebSearch
    C:\Program Files\Charter Security Suite
    C:\WINDOWS\is-DGTJN.exe
    C:\WINDOWS\is-DGTJN.msg
    C:\WINDOWS\is-DGTJN.lst
    :commands
    [resethosts]
    [emptytemp]

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select save in: Flash drive
    • Fill in File name: fix.txt
    • Click save.
    • Close the Notepad.
    • Take out your flash drive and insert it into the problem computer.
    • Open OTLPE. Click Yes and OK to the prompts.
    • Double-click on My Computer icon on the desktop, open your flash drive.
    • Copy the content of fix.txt and paste it into the Custom Scans/Fixes area and press Run Fix.
      Alternatively you can right-click fix.txt and click Copy, return to the desktop and paste it there. Now drag the fix.txt to the Custom Scans/Fixes area and OTLPE starts to run automatically.
    • A Notepad window opens; save the content to the flash drive so you can copy and paste it into your reply.

  2. Shut down the computer, remove the Boot CD and let the computer boot normally. If it boots normally, please go to Start => Control Panel => Windows Firewall and make sure it is enabled. Then tell me about the current condition of your computer.


#14 sneal

sneal
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:02:02 AM

Posted 29 May 2010 - 02:11 PM

Great! Looks like we're getting somewhere, maybe?

Here's what I've done so far today:

1. Copied fix.txt and ran through OTLPE as directed.
2. OTLPE indicated that scan was completed, and a window indicating that I needed to restart appeared. I clicked "OK," and nothing happened. A log file did not appear, and the computer did not restart. Decided to wait awhile and see if anything would happen. Waited a couple of hours, and still nothing happened.
Decided to try the scan again, so . . . .
3. Closed OTLPE, and a txt file appeared. I'm not sure if this is the log we needed, but here it is:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fsbts deleted successfully.
C:\WINDOWS\system32\drivers\fsbts.sys moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\F-Secure HIPS deleted successfully.
C:\Program Files\Charter Security Suite\HIPS\drivers\fshs.sys moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FSFW deleted successfully.
C:\WINDOWS\system32\drivers\fsdfw.sys moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\F-Secure Filter deleted successfully.
C:\Program Files\Charter Security Suite\Anti-Virus\win2k\fsfilter.sys moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\F-Secure Recognizer deleted successfully.
C:\Program Files\Charter Security Suite\Anti-Virus\win2k\fsrec.sys moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\F-Secure Gatekeeper deleted successfully.
C:\Program Files\Charter Security Suite\Anti-Virus\minifilter\fsgk.sys moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SnoopFree deleted successfully.
C:\WINDOWS\system32\drivers\SnopFree.sys moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FsUsbExDisk deleted successfully.
C:\WINDOWS\system32\FsUsbExDisk.Sys moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MyWebSearchService deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin\MWSSVC.EXE moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FSORSPClient deleted successfully.
C:\Program Files\Charter Security Suite\ORSP Client\fsorsp.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FSMA deleted successfully.
C:\Program Files\Charter Security Suite\Common\FSMA32.EXE moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FSDFWD deleted successfully.
C:\Program Files\Charter Security Suite\FWES\program\fsdfwd.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\F-Secure Gatekeeper Handler Starter deleted successfully.
C:\Program Files\Charter Security Suite\Anti-Virus\fsgk32st.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SnoopFreeSvc deleted successfully.
C:\WINDOWS\system32\SnoopFreeSvc.exe moved successfully.
Registry value HKEY_USERS\Elizabeth_ON_C\Software\Microsoft\Internet Explorer\URLSearchHooks\\{00A6FAF6-072E-44cf-8957-5838F569A31D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}\ deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL moved successfully.
Registry value HKEY_USERS\Momma_ON_C\Software\Microsoft\Internet Explorer\URLSearchHooks\\{00A6FAF6-072E-44cf-8957-5838F569A31D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}\ not found.
File C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL not found.
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D}\ deleted successfully.
File C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}\ deleted successfully.
C:\Documents and Settings\Momma\Local Settings\Application Data\CyberDefender\cdmyidd.dll moved successfully.
Registry value HKEY_USERS\Momma_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\SpybotSD TeaTimer deleted successfully.
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe moved successfully.
Registry value HKEY_USERS\Momma_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\Uniblue RegistryBooster 2009 deleted successfully.
Registry value HKEY_USERS\Elizabeth_ON_C\Software\Microsoft\Windows\CurrentVersion\RunOnce\\AVG Security Toolbar_updatecleanup deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ not found.
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
C:\Program Files\Charter Security Suite\FSPS\program\fslsp.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ deleted successfully.
File C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\ deleted successfully.
File C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\ deleted successfully.
File C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\ deleted successfully.
File C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\ deleted successfully.
File C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\ deleted successfully.
File C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000028\ deleted successfully.
File C:\Program Files\Charter Security Suite\FSPS\program\FSLSP.DLL not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000027\ deleted successfully.
File move failed. X:\AUTORUN.INF scheduled to be moved on reboot.
Error: Unable to interpret <:file> in the current context!
Error: Unable to interpret <C:\Documents and Settings\NetworkService\Local Settings\Application Data\F-Secure> in the current context!
Error: Unable to interpret <C:\Program Files\MyWebSearch> in the current context!
Error: Unable to interpret <C:\Program Files\Charter Security Suite> in the current context!
Error: Unable to interpret <C:\WINDOWS\is-DGTJN.exe> in the current context!
Error: Unable to interpret <C:\WINDOWS\is-DGTJN.msg> in the current context!
Error: Unable to interpret <C:\WINDOWS\is-DGTJN.lst> in the current context!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 131072 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: Elizabeth
->Temp folder emptied: 3894544 bytes
->Temporary Internet Files folder emptied: 16670908 bytes
->FireFox cache emptied: 78368580 bytes
->Flash cache emptied: 4597 bytes

User: Guest
->Temp folder emptied: 4 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Matthew
->Temp folder emptied: 1040 bytes
->Temporary Internet Files folder emptied: 115151 bytes
->Flash cache emptied: 41620 bytes

User: Momma
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 51565952 bytes
->Flash cache emptied: 43002 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 42991031 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1175239 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33726 bytes

Total Files Cleaned = 186.00 mb

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\: LSP stack updated.

OTLPE by OldTimer - Version 3.1.39.0 log created on 05282010_131424

Files\Folders moved on Reboot...
File move failed. X:\AUTORUN.INF scheduled to be moved on reboot.

Registry entries deleted on Reboot...

=========

Is this the file that we needed? Or, do I need to run it again?

4. Ejected CD and restarted computer. (Booted much faster than in the past . . . you've done good work!)
5. Windows booted normally, and I received several messages that might/might not be important:
a. "Failed FsUsbExService, no existing FsUsbDevice" -- because I didn't have a flash drive plugged in?
b. Logon password was requested for Charter email -- cancelled out of this
c. "Snoopfree" not available because of "No Service" -- internet cable not plugged in . . . won't plug it in until advised.
6. Checked Windows Firewall-- was already enabled.

I've shut down the "infected" computer, and I'm awaiting your direction.

Thanks for all you've done!
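The fix log above reports the outcome of each action, and its "Unable to interpret" lines show that the items listed after ":file" were never processed. As an added example, not the poster's or OTL's code, this Python summariser tallies the outcomes of a log in that format and lists the paths that were skipped; the sample log is constructed to mirror the posted one, with placeholder paths.

```python
import re

# Constructed sample mirroring the layout of the OTL fix log posted above;
# the paths and service name are placeholders, not values from that log.
SAMPLE_FIX_LOG = r"""
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleSvc deleted successfully.
C:\WINDOWS\system32\drivers\example.sys moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\ not found.
File move failed. X:\AUTORUN.INF scheduled to be moved on reboot.
Error: Unable to interpret <:file> in the current context!
Error: Unable to interpret <C:\Program Files\ExampleBar> in the current context!
Error: Unable to interpret <C:\WINDOWS\is-EXAMPLE.exe> in the current context!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Total Files Cleaned = 186.00 mb
"""

UNINTERPRETED_RE = re.compile(r"^Error: Unable to interpret <(?P<item>.+)> in the current context!$")
CLEANED_RE = re.compile(r"^Total Files Cleaned = (?P<mb>\d+(?:\.\d+)?) mb$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

def summarize_fix_log(text):
    """Tally what OTL reports it did, and collect every item it refused to interpret."""
    summary = {"deleted": 0, "moved": 0, "not_found": 0, "deferred": 0,
               "uninterpreted": [], "cleaned_mb": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = UNINTERPRETED_RE.match(line)
        if m:
            summary["uninterpreted"].append(m.group("item"))
        elif line.endswith("deleted successfully."):
            summary["deleted"] += 1          # registry keys and values
        elif line.endswith("moved successfully."):
            summary["moved"] += 1            # files quarantined by OTL
        elif line.endswith("not found."):
            summary["not_found"] += 1        # already gone or never existed
        elif "scheduled to be moved on reboot" in line:
            summary["deferred"] += 1         # locked file, deferred to reboot
        else:
            m = CLEANED_RE.match(line)
            if m:
                summary["cleaned_mb"] = float(m.group("mb"))
    return summary

def unprocessed_paths(text):
    """Paths that appear only as 'Unable to interpret' items: OTL never acted on them."""
    return [item for item in summarize_fix_log(text)["uninterpreted"]
            if DRIVE_PATH_RE.match(item)]

if __name__ == "__main__":
    s = summarize_fix_log(SAMPLE_FIX_LOG)
    print(f"deleted={s['deleted']} moved={s['moved']} "
          f"not_found={s['not_found']} deferred={s['deferred']}")
    for p in unprocessed_paths(SAMPLE_FIX_LOG):
        print("never processed:", p)
```

A non-empty result from unprocessed_paths is the signal to re-check the fix script's section headers before assuming those folders were removed.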





#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:02 AM

Posted 29 May 2010 - 05:24 PM

QUOTE
Windows booted normally.

Great, that is what we needed, the rest will be smooth from now on.

Let's take care of those errors at startup:

Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Set Services to All.
  • Set Drivers to All.
  • Click Run Scan button.
  • Two reports will open, copy and paste them to your reply:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized