Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect trojan


  • This topic is locked This topic is locked
23 replies to this topic

#1 Jack Matz

Jack Matz

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:57 AM

Posted 07 June 2010 - 06:52 PM

When I Google a topic, then open a new IE7 tab on a link on the Google page I am usually redirected to another page, frequently a page that purports to be a search engine. Sometimes I am able to close the tab, try again, and get the correct link.

Neither Trend Micro (with the latest data update) nor AntiMalwareBytes is able to see a problem. I note in other cases of this problem that the victim is instructed to run DDS.SCR and GMER.EXE, and present the logs here. I downloaded both and attempted to run DDS. When I do so I get the anticipated security warning and I tell it to Run, but instead of executing the program Notepad (or Wordpad) opens up and I see the guts of the DDR file. I was able to run GMER. I UN-checked the IAT/EAT, and Show All boxes, and had only the C:\ drive checked-off. The GMER scan took somewhere between 12 and 20 HOURS, but I was able to save the file. I won't post it until you instruct me to do so.

I am running XP-pro SP3 with Trend Micro firewall, anti-virus, spyware scanner, etc.

(Many thanks in advance)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-06 04:32:35
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\RCA\LOCALS~1\Temp\uxtdqpob.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xBA40B760]

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe[280] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe[280] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\svchost.exe[320] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\svchost.exe[320] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[464] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[464] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\DigitalPersona\Bin\DpHost.exe[664] C:\WINDOWS\system32\Ws2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\DigitalPersona\Bin\DpHost.exe[664] C:\WINDOWS\system32\Ws2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[692] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[692] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\winlogon.exe[720] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\winlogon.exe[720] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\services.exe[768] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\services.exe[768] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\lsass.exe[780] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\lsass.exe[780] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\Ati2evxx.exe[1016] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\Ati2evxx.exe[1016] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1036] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1036] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1088] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1088] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\svchost.exe[1248] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\svchost.exe[1248] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe[1316] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe[1316] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1340] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1340] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1392] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1392] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1404] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1404] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1460] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1460] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1492] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1492] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\Ati2evxx.exe[1544] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\Ati2evxx.exe[1544] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\spoolsv.exe[1780] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\spoolsv.exe[1780] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[1888] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[1888] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Norton Ghost\Agent\VProSvc.exe[2040] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Norton Ghost\Agent\VProSvc.exe[2040] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Norton Ghost\Agent\GhostTray.exe[2552] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Norton Ghost\Agent\GhostTray.exe[2552] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2736] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2736] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Documents and Settings\RCA\Application Data\Dropbox\bin\Dropbox.exe[2764] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Documents and Settings\RCA\Application Data\Dropbox\bin\Dropbox.exe[2764] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe[2972] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe[2972] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3256] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3256] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\DigitalPersona\Bin\DPAgnt.exe[3476] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\DigitalPersona\Bin\DPAgnt.exe[3476] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\alg.exe[3500] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\alg.exe[3500] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[3772] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[3772] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\Explorer.EXE[3900] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\Explorer.EXE[3900] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \FileSystem\Fastfat \Fat A2554D20

AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{561C54EC-86F1-4E29-93AC-8ACEF514CEE5}@DhcpRetryStatus 0

---- EOF - GMER 1.0.15 ----

Merged 2 posts. ~ OB

Edited by Orange Blossom, 07 June 2010 - 09:51 PM.


BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:57 PM

Posted 10 June 2010 - 07:18 PM

Hi Jack Matz,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @echo off
    if exist mbr.log del mbr.log
    mbr.exe -t
    ping 1.1.1.1 -n 1 -w 1000 >nul
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

  2. Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Click Run Scan button.
    • Two reports will open, copy and paste them to your reply:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized


#3 Jack Matz

Jack Matz
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:57 AM

Posted 10 June 2010 - 11:34 PM

I understand that I should make no changes to the computer while you are helping me. I have been avoiding even using the computer, but today when I turned it on to collect my messages, an automatic Windows update started. It has not completed downloading yet, so it has not installed (yet).

How do you wish to proceed. I want to follow your directions exactly. I have downloaded the programs mentioned in your message, but I will wait to hear your instructions regarding the Windows update.

I regret the inconvenience.

Jack

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:57 PM

Posted 11 June 2010 - 07:11 AM

Turn off Windows automatic updates as it might lead to unexpected results at this stage:
  • Go to start -> Control Panel -> double-click System to open it.
  • Go to the Automatic Updates tab.
  • Select the "Turn off Automatic Updates" box.
  • Click Apply and then OK.
  • Important: Reboot.

You may now proceed with the steps.

#5 Jack Matz

Jack Matz
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:57 AM

Posted 12 June 2010 - 02:22 AM

Please pardon me if this is a duplicate message, I'm struggling with the operation of this forum. I can't find a SEND button, and it appears that my previous posting of the logs you requested did not get on the board. With this post I will try the ADD REPLY button.

I turned off Windows update and rebooted per your instructions. It seems that the reboot installed the updates that were downloading during my prior message.

Here are the logs you requested:
==========
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

============

OTL logfile created on: 6/12/2010 1:41:56 AM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\RCA\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 72.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 108.57 Gb Total Space | 68.22 Gb Free Space | 62.84% Space Free | Partition Type: NTFS
Drive D: | 37.08 Gb Total Space | 31.37 Gb Free Space | 84.60% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 232.86 Gb Free Space | 50.00% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BECCA
Current User Name: RCA
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/10 23:22:14 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\RCA\Desktop\OTL.exe
PRC - [2010/06/02 19:43:54 | 005,937,984 | ---- | M] (SurfRight B.V.) -- C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe
PRC - [2010/04/03 16:44:26 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2010/02/26 00:10:20 | 021,979,992 | ---- | M] () -- C:\Documents and Settings\RCA\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2009/11/19 21:50:17 | 000,030,192 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/09/22 14:09:02 | 000,156,672 | ---- | M] (Applian Technologies, Inc.) -- C:\Program Files\Replay Media Catcher\FLVSrvc.exe
PRC - [2009/09/10 20:31:38 | 000,046,920 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
PRC - [2009/08/12 17:20:28 | 000,615,720 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
PRC - [2009/01/19 12:07:24 | 001,048,576 | ---- | M] (PFU LIMITED) -- C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
PRC - [2008/12/25 13:18:53 | 000,548,864 | ---- | M] (BL) -- C:\Program Files\lg_fwupdate\fwupdate.exe
PRC - [2008/05/19 16:17:14 | 001,475,936 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/17 11:42:04 | 000,181,608 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
PRC - [2008/01/17 11:42:02 | 000,197,992 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
PRC - [2008/01/17 11:42:02 | 000,058,728 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
PRC - [2006/11/21 14:02:24 | 001,807,960 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
PRC - [2006/11/09 16:04:02 | 000,566,872 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe
PRC - [2006/10/09 16:28:06 | 000,230,928 | ---- | M] (DigitalPersona, Inc.) -- C:\Program Files\DigitalPersona\Bin\DpHost.exe
PRC - [2006/10/09 16:27:58 | 000,534,032 | ---- | M] (DigitalPersona, Inc.) -- C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
PRC - [2006/10/09 16:27:56 | 000,155,664 | ---- | M] (DigitalPersona, Inc.) -- C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
PRC - [2006/10/09 16:27:54 | 000,807,440 | ---- | M] (DigitalPersona, Inc.) -- C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
PRC - [2006/09/18 15:50:54 | 000,345,696 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe
PRC - [2006/08/04 16:15:28 | 000,321,040 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
PRC - [2006/08/04 16:13:20 | 000,800,272 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 14\TMAS_OL\TMAS_OL.exe
PRC - [2006/02/15 22:02:38 | 000,822,424 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PRC - [2006/02/08 18:29:34 | 000,024,576 | ---- | M] (Mobile Action Technology Inc.) -- C:\Program Files\Mobile Action\Bluetooth Manager\MaBtSh.exe
PRC - [2005/09/09 20:09:28 | 002,066,024 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe
PRC - [2005/09/09 20:09:24 | 001,537,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton Ghost\Agent\GhostTray.exe
PRC - [2005/08/16 21:05:38 | 000,053,248 | ---- | M] (GEAR Software) -- C:\WINDOWS\system32\gearsec.exe
PRC - [2005/06/17 08:56:14 | 000,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2005/06/17 08:55:58 | 000,086,140 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
PRC - [2005/06/10 11:44:02 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2005/03/23 01:20:44 | 000,339,968 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2005/01/27 02:02:00 | 000,086,016 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe


========== Modules (SafeList) ==========

MOD - [2010/06/12 01:32:26 | 000,012,800 | ---- | M] (Applian Technologies, Inc.) -- C:\Documents and Settings\RCA\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
MOD - [2010/06/10 23:22:14 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\RCA\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/01/26 10:36:00 | 000,285,184 | ---- | M] (DigitalPersona, Inc.) -- C:\Program Files\DigitalPersona\Bin\DpOFeedb.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (NMIndexingService)
SRV - File not found [On_Demand | Stopped] -- -- (NBService)
SRV - File not found [Auto | Stopped] -- -- (IREIKE)
SRV - File not found [Auto | Stopped] -- -- (IPSECMON)
SRV - File not found [Auto | Stopped] -- -- (InCDsrv)
SRV - [2009/11/19 21:50:17 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-110309-193829)
SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/08/12 17:20:28 | 000,615,720 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2009/06/27 15:09:19 | 002,109,440 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\Z-SANService.log -- (Z-SANService)
SRV - [2009/05/30 14:16:52 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/05/19 16:17:14 | 001,475,936 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe -- (PcCtlCom)
SRV - [2008/01/17 11:42:04 | 000,181,608 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2008/01/17 11:42:04 | 000,079,208 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2008/01/17 11:42:02 | 000,197,992 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/11/09 16:04:02 | 000,566,872 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe -- (tmproxy)
SRV - [2006/11/09 16:03:42 | 000,923,216 | ---- | M] (Trend Micro Inc.) [Auto | Stopped] -- C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe -- (TmPfw)
SRV - [2006/10/09 16:28:06 | 000,230,928 | ---- | M] (DigitalPersona, Inc.) [Auto | Running] -- C:\Program Files\DigitalPersona\Bin\DpHost.exe -- (DpHost)
SRV - [2006/10/09 16:27:56 | 000,155,664 | ---- | M] (DigitalPersona, Inc.) [Auto | Running] -- C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe -- (DPFUSMgr)
SRV - [2006/09/18 15:50:54 | 000,345,696 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe -- (Tmntsrv)
SRV - [2006/03/05 03:57:26 | 000,902,760 | ---- | M] (Autodesk, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe -- (Autodesk Network Licensing Service)
SRV - [2006/02/15 22:02:38 | 000,822,424 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2005/09/09 20:09:28 | 002,066,024 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe -- (Norton Ghost)
SRV - [2005/08/16 21:05:38 | 000,053,248 | ---- | M] (GEAR Software) [Auto | Running] -- C:\WINDOWS\system32\gearsec.exe -- (GEARSecurity)
SRV - [2005/06/17 08:55:58 | 000,086,140 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe -- (IAANTMon) Intel®
SRV - [2003/06/13 14:20:56 | 000,081,920 | ---- | M] (NetGroup - Politecnico di Torino) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)


========== Driver Services (SafeList) ==========

DRV - [2010/06/12 01:33:11 | 000,015,944 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hitmanpro35.sys -- (hitmanpro35)
DRV - [2009/08/12 17:07:02 | 000,026,624 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2008/11/26 18:42:42 | 000,205,328 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmxpflt.sys -- (tmxpflt)
DRV - [2008/11/26 18:42:40 | 000,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmpreflt.sys -- (tmpreflt)
DRV - [2008/11/26 18:39:56 | 001,195,384 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vsapint.sys -- (vsapint)
DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/26 14:54:12 | 000,038,440 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDRm.sys -- (incdrm)
DRV - [2007/11/26 14:54:12 | 000,036,776 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDPass.sys -- (InCDPass)
DRV - [2007/11/26 14:54:02 | 000,118,952 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2007/09/28 22:05:59 | 002,456,064 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/08/18 21:40:23 | 000,043,672 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2007/08/14 21:29:46 | 000,345,984 | ---- | M] (DataPlow, Incorporated) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\sfsz.sys -- (SFSZ)
DRV - [2007/08/08 19:57:18 | 000,015,488 | ---- | M] (Zetera Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ZetBus.sys -- (ZetBus)
DRV - [2007/08/08 19:57:18 | 000,012,800 | ---- | M] (Zetera Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\ZetSFD.sys -- (ZetSFD)
DRV - [2007/08/08 19:57:16 | 000,005,120 | ---- | M] (Zetera Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZetMPD.sys -- (ZetMPD)
DRV - [2007/07/26 06:05:04 | 000,028,384 | ---- | M] (Mobile Action Technology Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\SGP46A55.sys -- (RJIHJ32I)
DRV - [2007/06/28 16:19:36 | 000,157,024 | ---- | M] (Mobile Action Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ma730c.sys -- (Ma730c)
DRV - [2007/03/05 11:42:16 | 000,103,680 | ---- | M] (Mobile Action Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ma730Pt.sys -- (Ma730Pt)
DRV - [2007/01/26 19:48:44 | 000,050,522 | ---- | M] (Mobile Action Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Ma730Vad.sys -- (Ma730Vad)
DRV - [2007/01/26 18:32:40 | 000,021,851 | ---- | M] (Mobile Action Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Ma730VaA.sys -- (Ma730VaA)
DRV - [2006/11/09 16:04:20 | 000,280,392 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TM_CFW.sys -- (tmcfw)
DRV - [2006/11/09 16:04:20 | 000,073,288 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2006/11/01 11:39:16 | 000,246,680 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2006/09/16 17:25:38 | 000,035,584 | ---- | M] (DigitalPersona®, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dpK0Bx01.sys -- (dpK0Bx01)
DRV - [2006/09/16 17:23:06 | 000,047,360 | ---- | M] (DigitalPersona®, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbdpfp.sys -- (UsbdpFP)
DRV - [2006/02/15 22:02:38 | 000,004,608 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2005/09/09 20:09:20 | 000,144,832 | ---- | M] (StorageCraft) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\SymSnap.sys -- (SymSnap)
DRV - [2005/09/09 20:09:20 | 000,056,192 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\V2iMount.sys -- (V2IMount)
DRV - [2005/06/17 13:33:40 | 000,872,064 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iastor.sys -- (iastor)
DRV - [2005/06/14 23:40:08 | 000,180,864 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
DRV - [2004/12/06 02:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/12/06 02:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/12/06 02:05:00 | 000,086,586 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/12/06 02:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/12/06 02:05:00 | 000,025,883 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/12/06 02:05:00 | 000,015,227 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/12/06 02:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/12/06 02:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/12/06 02:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/12/01 04:22:00 | 000,087,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/23 03:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/08/11 13:01:40 | 000,119,864 | ---- | M] (SafeNet) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\IpSecDrv.sys -- (IPSECDRV)
DRV - [2004/08/03 23:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/07/30 14:20:44 | 000,000,136 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\Crypto.sig -- (Crypto)
DRV - [2004/07/14 12:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 12:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/06/16 04:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004/03/06 05:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004/03/06 05:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004/03/06 05:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2003/11/23 17:07:12 | 000,050,360 | ---- | M] (Hewlett-Packard) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hpzs2k12.sys -- (HPZs2k12) Storage Class Driver for IEEE-1284.4 (HPZ12)
DRV - [2003/06/13 14:06:32 | 000,030,336 | ---- | M] (Politecnico di Torino) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://www.google.com/ig/dell?hl=en


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en
IE - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/05/22 15:42:15 | 000,000,736 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll File not found
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll File not found
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll File not found
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll File not found
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll File not found
O3 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\..\Toolbar\ShellBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll File not found
O3 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll File not found
O3 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Ask and Record FLV Service] C:\Program Files\Replay Media Catcher\FLVSrvc.exe (Applian Technologies, Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe (DigitalPersona, Inc.)
O4 - HKLM..\Run: [DXDllRegExe] File not found
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe File not found
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [LGODDFU] C:\Program Files\lg_fwupdate\fwupdate.exe (BL)
O4 - HKLM..\Run: [MaBtSh] C:\Program Files\Mobile Action\Bluetooth Manager\MaBtSh.exe (Mobile Action Technology Inc.)
O4 - HKLM..\Run: [Norton Ghost 10.0] C:\Program Files\Norton Ghost\Agent\GhostTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Mobile User VPN.lnk = C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk = C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
O4 - Startup: C:\Documents and Settings\RCA\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\RCA\Application Data\Dropbox\bin\Dropbox.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserNameInStartMenu = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 80 00 00 02 [binary data]
O8 - Extra context menu item: &GripIE - C:\Program Files\GripIE\GripIEExt.htm ()
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\..Trusted Domains: microsoft.com ([office] http in Trusted sites)
O15 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\..Trusted Domains: usbank.com ([trustnowessentials] https in Trusted sites)
O15 - HKU\S-1-5-21-1895446190-753311809-2171750408-1005\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} http://download.microsoft.com/download/7/0...tualEarth3D.cab (SentinelVE3D Class)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternatiff.com/install-ie/alttiff.cab (AlternaTIFF ActiveX)
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab (Reg Error: Key error.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.0.cab (DownloadManager Control)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB (Hewlett-Packard Printer Diagnostics)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1188018998687 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab (HPSDDX Class)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://connect.hbpsi.com/dana-cached/setup...perSetupSP1.cab (JuniperSetupControlXP Class)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://connect.hbpsi.com/dana-cached/sc/Ju...SetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\DPWLN : DllName - C:\WINDOWS\system32\DPWLEvHd.dll - C:\WINDOWS\system32\DPWLEvHd.dll (DigitalPersona, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\RCA\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\RCA\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/08/17 13:48:16 | 000,000,040 | ---- | M] () - F:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/12 01:30:15 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\RCA\Recent
[2010/06/10 23:22:07 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\RCA\Desktop\OTL.exe
[2010/06/07 22:13:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RCA\Desktop\Disc Cleaner
[2010/06/03 23:37:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RCA\Desktop\virus hunt
[2010/06/02 21:10:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RCA\Application Data\Malwarebytes
[2010/06/02 21:10:21 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/02 21:10:19 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/02 21:10:19 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/02 21:10:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/02 19:44:22 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/06/02 19:44:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/05/17 22:28:14 | 000,082,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ws2_32.dll
[2010/05/15 21:30:01 | 000,000,000 | ---D | C] -- C:\Program Files\Nolo's Financial Planning Library
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/12 01:39:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/06/12 01:38:34 | 000,000,101 | ---- | M] () -- C:\Documents and Settings\RCA\Desktop\look.bat
[2010/06/12 01:33:11 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/06/12 01:32:26 | 000,000,318 | ---- | M] () -- C:\WINDOWS\lgfwup.ini
[2010/06/12 01:32:09 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/12 01:32:06 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/12 01:32:05 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/06/12 01:31:31 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/12 01:31:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/12 01:30:24 | 008,912,896 | -H-- | M] () -- C:\Documents and Settings\RCA\NTUSER.DAT
[2010/06/12 01:30:24 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\RCA\ntuser.ini
[2010/06/10 23:22:14 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\RCA\Desktop\OTL.exe
[2010/06/10 23:21:47 | 000,077,312 | ---- | M] () -- C:\WINDOWS\mbr.exe
[2010/06/10 23:19:42 | 000,503,304 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/10 23:19:42 | 000,442,466 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/10 23:19:42 | 000,071,732 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/07 21:47:11 | 000,038,030 | ---- | M] () -- C:\Documents and Settings\RCA\Desktop\key log detector13.zip
[2010/06/06 13:30:15 | 000,005,532 | ---- | M] () -- C:\grab00000.jpg
[2010/05/31 14:10:00 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\RCA\Desktop\Eric's Credit Community.url
[2010/05/29 14:07:16 | 000,235,008 | ---- | M] () -- C:\Documents and Settings\RCA\My Documents\Passwords, IDs, AcctNumbers, etc.doc
[2010/05/27 23:00:04 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\RCA\Desktop\Medicare notes.doc
[2010/05/26 22:40:05 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/23 14:58:43 | 000,004,096 | -HS- | M] () -- C:\VSNAP.IDX
[2010/05/23 14:04:35 | 000,237,568 | ---- | M] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2010/05/23 14:04:35 | 000,156,672 | ---- | M] (Radioactive) -- C:\WINDOWS\System32\rmc_fixasf.exe
[2010/05/22 15:42:15 | 000,000,736 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/22 01:53:02 | 000,001,732 | ---- | M] () -- C:\Documents and Settings\RCA\My Documents\Default.rdp
[2010/05/22 01:43:17 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/20 22:03:00 | 000,010,622 | ---- | M] () -- C:\Documents and Settings\RCA\Desktop\KnowYourABCs.pdf
[2010/05/16 18:30:29 | 000,000,278 | ---- | M] () -- C:\Documents and Settings\RCA\Desktop\Prosper.com.url
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/12 01:38:31 | 000,000,101 | ---- | C] () -- C:\Documents and Settings\RCA\Desktop\look.bat
[2010/06/10 23:21:43 | 000,077,312 | ---- | C] () -- C:\WINDOWS\mbr.exe
[2010/06/07 21:47:11 | 000,038,030 | ---- | C] () -- C:\Documents and Settings\RCA\Desktop\key log detector13.zip
[2010/06/02 19:44:38 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/27 22:40:28 | 000,030,208 | ---- | C] () -- C:\Documents and Settings\RCA\Desktop\Medicare notes.doc
[2010/05/22 01:43:17 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/20 22:03:00 | 000,010,622 | ---- | C] () -- C:\Documents and Settings\RCA\Desktop\KnowYourABCs.pdf
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/05/30 15:51:26 | 000,000,161 | ---- | C] () -- C:\WINDOWS\DISPARAM.INI
[2009/02/21 22:13:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MelodyExe.INI
[2008/09/22 22:58:34 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2008/08/25 22:52:45 | 000,163,927 | ---- | C] () -- C:\WINDOWS\System32\ZSANCoInst.dll
[2008/05/09 00:02:32 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.INI
[2008/05/08 23:19:05 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/05/08 23:19:00 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/05/08 23:19:00 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/05/08 23:18:59 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/05/08 23:18:59 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/05/01 16:25:46 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/04/12 21:04:50 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/04/10 23:07:37 | 000,000,318 | ---- | C] () -- C:\WINDOWS\lgfwup.ini
[2008/01/21 02:28:59 | 000,000,056 | ---- | C] () -- C:\WINDOWS\TaxACT07.ini
[2007/12/24 05:22:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PanelExe.INI
[2007/12/24 05:22:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EngineExe.INI
[2007/12/24 03:28:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\FileMgrExe.INI
[2007/12/24 03:18:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VideoExe.INI
[2007/12/24 03:17:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\AlbumExe.INI
[2007/12/24 03:14:39 | 000,000,362 | ---- | C] () -- C:\WINDOWS\PhoneBkExe.INI
[2007/11/01 20:21:22 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/09/20 21:39:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2007/08/24 14:37:17 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2007/08/18 21:15:24 | 000,014,796 | ---- | C] () -- C:\WINDOWS\hpoj9100.ini
[2007/05/10 19:24:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\HPMProp.INI
[2007/02/12 00:04:25 | 000,087,800 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2007/01/14 23:46:09 | 000,003,558 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/11/17 12:34:40 | 000,091,848 | ---- | C] () -- C:\WINDOWS\HPBroker.dll
[2006/10/09 16:27:40 | 000,951,824 | ---- | C] () -- C:\WINDOWS\System32\DPCredProv.dll
[2006/10/09 16:09:42 | 000,000,527 | ---- | C] () -- C:\WINDOWS\System32\DpGina.dll.manifest
[2006/07/04 00:14:09 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/07/02 12:00:39 | 000,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/03/01 14:14:28 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll
[2006/02/28 23:28:52 | 000,000,263 | R--- | C] () -- C:\WINDOWS\hpw9100k.ini
[2006/02/28 23:27:24 | 000,001,882 | ---- | C] () -- C:\WINDOWS\mariner.ini
[2006/02/28 21:42:28 | 000,002,192 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/27 23:59:18 | 000,205,312 | R--- | C] () -- C:\WINDOWS\patchw32.dll
[2006/02/27 23:58:56 | 000,205,312 | R--- | C] () -- C:\WINDOWS\pw32a.dll
[2006/02/27 23:45:34 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\3B11A8725A.sys
[2006/02/15 22:09:48 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/02/15 22:02:47 | 000,712,704 | ---- | C] () -- C:\WINDOWS\System32\DellSystemRestore.dll
[2006/02/15 21:35:14 | 000,000,387 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/01/28 09:08:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/11 18:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 18:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/04/23 05:17:34 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\hpzcoi01.dll
[2002/03/02 04:10:02 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
< End of report >
=============

OTL Extras logfile created on: 6/12/2010 1:41:56 AM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\RCA\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 72.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 108.57 Gb Total Space | 68.22 Gb Free Space | 62.84% Space Free | Partition Type: NTFS
Drive D: | 37.08 Gb Total Space | 31.37 Gb Free Space | 84.60% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 232.86 Gb Free Space | 50.00% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BECCA
Current User Name: RCA
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [opennew] -- explorer %1 (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"20001:UDP" = 20001:UDP:*:Enabled:MicroSAN
"80:TCP" = 80:TCP:*:Enabled:Web

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found
"C:\Program Files\WatchGuard\Mobile User VPN\CmonApp.exe" = C:\Program Files\WatchGuard\Mobile User VPN\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp -- File not found
"C:\Program Files\WatchGuard\Mobile User VPN\vpn.exe" = C:\Program Files\WatchGuard\Mobile User VPN\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager -- File not found
"C:\Program Files\WatchGuard\Mobile User VPN\ViewLog.exe" = C:\Program Files\WatchGuard\Mobile User VPN\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog -- File not found
"C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe" = C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe:*:Enabled:IreIke -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found
"C:\Program Files\Microsoft Games\Flight Simulator 9\fs9.exe" = C:\Program Files\Microsoft Games\Flight Simulator 9\fs9.exe:*:Enabled:Microsoft Flight Simulator -- (Microsoft Corporation)
"C:\WINDOWS\system32\dpnsvr.exe" = C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server -- (Microsoft Corporation)
"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client -- File not found
"C:\Program Files\NETGEAR\SC101 Manager Utility\Client\SCM.exe" = C:\Program Files\NETGEAR\SC101 Manager Utility\Client\SCM.exe:*:Enabled:NETGEAR Storage Center Manager -- File not found
"C:\Program Files\HP\HP Officejet 9100 series\Toolbox\HPWKTBX.exe" = C:\Program Files\HP\HP Officejet 9100 series\Toolbox\HPWKTBX.exe:*:Disabled:Toolbox for HP Printing System for Windows -- (Hewlett-Packard Company)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- File not found
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- File not found
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Common Files\Ahead\Nero Web\SetupX.exe" = C:\Program Files\Common Files\Ahead\Nero Web\SetupX.exe:*:Enabled:Nero ProductSetup -- File not found
"C:\Documents and Settings\RCA\Local Settings\Temp\Nero Web\SetupXu.exe" = C:\Documents and Settings\RCA\Local Settings\Temp\Nero Web\SetupXu.exe:*:Enabled:Nero ProductSetup -- File not found
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- File not found
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- File not found
"C:\Program Files\WatchGuard\Mobile User VPN\CmonApp.exe" = C:\Program Files\WatchGuard\Mobile User VPN\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp -- File not found
"C:\Program Files\WatchGuard\Mobile User VPN\vpn.exe" = C:\Program Files\WatchGuard\Mobile User VPN\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager -- File not found
"C:\Program Files\WatchGuard\Mobile User VPN\ViewLog.exe" = C:\Program Files\WatchGuard\Mobile User VPN\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog -- File not found
"C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe" = C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe:*:Enabled:IreIke -- File not found
"C:\Documents and Settings\RCA\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\RCA\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- ()
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0712638F-559B-4F49-B8BE-BF3AAEE54A38}" = ScanSnap
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}" = Canon PhotoRecord
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{12E8314B-09ED-40CC-B66E-9B4E1A5CC181}" = Fax
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1ABCD64F-6B57-D191-707A-A64C6E177DDF}" = Catalyst Control Center Graphics Full New
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD LE
"{2222B364-0854-4265-B32E-A142DB9DC7BB}" = Intel® PRO Network Connections 11.2.0.69
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 14
"{26BDE7D8-93F0-4A07-AD47-1707DB417941}" = Camera Support Core Library
"{26FA3721-E325-44DE-8318-6FA434F2A064}" = CardMinder V4.0
"{2930D73B-49E6-02DC-BA42-8EC2B1C6752E}" = CCC Help English
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2E132061-C78A-48D4-A899-1D13B9D189FA}" = Memories Disc Creator 2.0
"{2F1FD032-67D1-4569-923F-47EAF132BF0F}" = DocProc
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{32F720F5-2D0D-4245-A2B0-9EB3CECF8101}" = Norton Ghost 10.0
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{3CCB26F5-E2A7-4C91-8340-9149D7B7C2BE}" = Virtual Earth 3D (Beta)
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{3D6A4420-EAA2-012B-AEE4-000000000000}" = TurboTax 2009 wwiiper
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{42B22B81-26D3-4572-AA75-0AB8DB374FC2}" = BPD_Scan
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{49EC6CF7-B704-C2FE-49B9-E3CEBA76C671}" = Catalyst Control Center Core Implementation
"{4FB6F304-A91D-4919-98E5-D96E074EA9E5}" = SkinsHP1
"{52969324-463B-4643-BF36-854BE2BECB89}" = Autodesk Inventor 2010 English Language Pack
"{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade
"{548EEA8E-8299-497F-8057-811D2D7097DC}" = Dell Support 3.1
"{5545EEE1-FA36-4F76-B6BE-5696E7F4E2D6}" = VBA (2627.01)
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5783F2D7-8028-0409-0000-0060B0CE6BBA}" = DWG TrueView 2010
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{595D0DE8-C38A-4432-B851-47DECC1A99BD}" = HP Unload DLL Patch
"{5ADF6293-D60F-4425-AFA7-CEB820DB872B}" = QuickProjects
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6179550A-3E7C-499E-BCC9-9E8113E0A285}" = LG ODD Auto Firmware Update
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.9
"{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}" = CmdHere Powertoy For Windows XP
"{68E7E8BD-2233-49BE-81D6-1A1FAF1B5196}" = RAW Image Task 1.1
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73ECBBAB-86D8-4A32-854C-DCAF90E63AFE}" = DigitalPersona Password Manager 2.0.1
"{745A92AF-53B4-41A7-91C3-9B026B1D5897}" = InstantShare
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7C950A9E-B452-4DA1-BF55-C610D70E89E1}" = TurboTax 2008 wwiiper
"{7CFAEC66-BA0E-4076-AAA5-2BE29153E6DF}" = Microsoft XML Parser
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{7F4DD591-1100-0409-0000-7107D70F3DB4}" = Autodesk Inventor 11
"{7F4DD591-1400-0409-0000-7107D70F3DB4}" = Autodesk Inventor 2010
"{829698DE-9EAC-475E-9A05-B7BA807CA1EF}" = Director
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Matrix Storage Manager
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{91C4CBA0-2AD5-5AA8-EC98-0BCD4914C5F4}" = Catalyst Control Center Graphics Previews Common
"{939227BD-19D8-4684-8A04-31AC9F6A564C}" = Scan
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime
"{99D328E0-51DE-465E-9307-B85CA9511033}" = Nero 7 Essentials
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{9F4EEA0C-7174-4BD3-89AF-7AB2F9F6AEDD}" = hpmdtab
"{A2104078-AAA5-449E-95DD-55C9443A1033}" = Nero 7 Essentials
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A363B66C-1547-47bf-90F0-3834E70A841A}" = CreativeProjects
"{A3672E1B-021F-4F50-A891-609471CCF941}" = NETGEAR Storage Central Manager Utility
"{A918DE8A-98C8-0950-0000-000005300066}" = LG VX8700 (Verizon) MA730 - Handset Manager V9.5
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{ABD1DC2F-0D20-4C44-BEB9-3EEFA0EA1033}" = SecurDisc Viewer
"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience
"{AC76BA86-1033-F400-BA7E-000000000004}" = Adobe Acrobat 9 Standard - English, Français, Deutsch
"{AC76BA86-1033-F400-BA7E-000000000004}_932" = Adobe Acrobat 9.3.2 - CPSID_53951
"{AC76BA86-1033-F400-BA7E-000000000004}{AC76BA86-1033-F400-BA7E-000000000004}" = Adobe Acrobat 9 Standard - English, Français, Deutsch
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{ACCDF2D6-40FE-4B75-8ACB-B4AC9F2DCA47}" = CelsiusProd
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B1E260B6-9456-88F7-9994-7A4CCF39FB0C}" = ccc-utility
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B34BE30D-A759-4EC2-B58F-19FE2DEBF651}" = Camera Window
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B8737BE8-0E2B-C420-DB2D-F468748414F0}" = ccc-core-preinstall
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon Utilities ZoomBrowser EX
"{C38BC5B7-62D3-4880-82DD-A4803FD81921}" = PhotoGallery
"{C57466CA-70BF-4093-9D10-FC2D53A09D4E}" = HP Officejet 9100 series
"{C810930D-3FA2-3E54-1FAC-3907C5AEA7BC}" = Catalyst Control Center Graphics Full Existing
"{CAFC9755-5469-DC18-CDD2-6F5C743AC478}" = Catalyst Control Center Graphics Light
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC0A24CB-87C9-4F1C-A1F2-F87D8D4DDCAF}" = HP Software Update
"{CDB1F1FE-C07A-454B-8B6F-3863C2B29ADC}" = Autodesk Vault 5
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE4F8FFB-4063-4247-9F14-ECE61AFEFA25}" = TrayApp
"{CF2C1A86-5A98-4862-A3AE-9992E3A6427D}" = RemoteCapture Task 1.0.3
"{CFD1B282-555D-494d-8231-4175C2AF08C2}" = PrintScreen
"{D1D8C9C4-89BE-4f37-9EC4-B80E3C239C41}" = Copy
"{D3EC4EA1-A1F8-4A66-AFBE-32413C079EAA}" = HP Officejet 9100 series
"{D4F2AFD3-0167-4464-B92F-78AB6DA8A0AA}" = CardMinder
"{D545BB81-DEB0-49f7-BE26-197BC31AAF57}" = SkinsHP2
"{D9B4D7EE-481C-4C36-86AB-A8F7417725FF}" = LightScribe 1.6.43.1
"{DBCDB997-EEEB-4BE9-BAFF-26B4094DBDE6}" = ScanSnap Manager
"{DE286975-ACF1-45B8-9EF7-34E162B2C817}" = MovieEdit Task
"{DFA1E2C8-A9DE-4B99-8B3C-866664B5F67C}" = Garmin POI Loader
"{E4ABB302-9D82-4D18-83D5-AD1DFE786AA8}" = Unload
"{E58F3B88-3B3E-4F85-9323-04789D979C15}" = ScanSnap Organizer
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}" = Trend Micro PC-cillin Internet Security 14
"{EF2E9E14-F267-4D40-846F-C394B8A04C14}" = AiOSoftware
"{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}" = PhotoStitch
"{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}" = Microsoft WSE 2.0 SP3 Runtime
"{F537DBBF-7296-4D85-88BF-55BDEEEA8BBF}" = ScanSnap Organizer
"{F539210E-8474-44E3-9035-01CB6444DB46}" = OutlookTools 2
"{F54885B7-7789-087D-62EB-373D4DF83B56}" = Skins
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{F8474DF7-9902-7305-BAB3-34DEDFF2ADC5}" = ccc-core-static
"{FB400000-0001-0000-0000-074957833700}" = ABBYY FineReader for ScanSnap ™ 4.0
"{FBBF532A-47AC-457d-AC06-0D3163D8911E}" = WebReg
"Active Ports" = Active Ports
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"Autodesk DWF Viewer" = Autodesk DWF Viewer
"Autodesk Inventor 2010" = Autodesk Inventor 2010 English (English)
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CutePDF Writer Installation" = CutePDF Writer 2.7
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Dell Game Console" = Dell Game Console
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DWG TrueView 2010" = DWG TrueView 2010
"Flight Simulator 9.0" = Microsoft Flight Simulator 2004 A Century of Flight
"Google Desktop" = Google Desktop
"Google Updater" = Google Updater
"GripIE" = GripIE
"HitmanPro35" = Hitman Pro 3.5
"HP Photo & Imaging" = HP Photo & Imaging 3.1
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{26BDE7D8-93F0-4A07-AD47-1707DB417941}" = Canon Camera Support Core Library
"InstallShield_{68E7E8BD-2233-49BE-81D6-1A1FAF1B5196}" = Canon RAW Image Task for ZoomBrowser EX
"InstallShield_{B34BE30D-A759-4EC2-B58F-19FE2DEBF651}" = Canon Camera Window for ZoomBrowser EX
"InstallShield_{CF2C1A86-5A98-4862-A3AE-9992E3A6427D}" = Canon RemoteCapture Task for ZoomBrowser EX
"InstallShield_{DE286975-ACF1-45B8-9EF7-34E162B2C817}" = Canon MovieEdit Task for ZoomBrowser EX
"InstallShield_{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}" = Canon Utilities PhotoStitch 3.1
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"Juniper Network Connect 6.5.0" = Juniper Networks Network Connect 6.5.0
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 3.9.0
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nolo's Financial Planning Library" = Nolo's Financial Planning Library
"Picasa 3" = Picasa 3
"PROSet" = Intel® PRO Network Connections Drivers
"QuickPar" = QuickPar 0.9
"RealPlayer 6.0" = RealPlayer
"RealVNC_is1" = VNC 4.0
"Replay Director1.0" = Replay Director
"Replay Media Catcher 3.01" = Replay Media Catcher 3.01
"Replay Media Catcher 3.11" = Replay Media Catcher 3.11
"Replay Media Catcher2.10" = Replay Media Catcher
"Replay Video Capture4.1" = Replay Video Capture
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TmPcc" = Trend Micro PC-cillin Internet Security 14
"TurboTax 2008" = TurboTax 2008
"TurboTax 2009" = TurboTax 2009
"TurboTax Deluxe 2005" = TurboTax Deluxe 2005
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"Tweak UI 2.10" = Tweak UI
"ViewpointMediaPlayer" = Viewpoint Media Player
"WebCyberCoach_wtrb" = WebCyberCoach 3.2 Dell
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinPcapInst" = WinPcap 3.01 alpha
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Xvid_is1" = Xvid 1.1.3 final uninstall

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1895446190-753311809-2171750408-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Juniper_Setup_Client" = Juniper Networks Setup Client

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/11/2010 12:16:31 AM | Computer Name = BECCA | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/11/2010 12:43:46 AM | Computer Name = BECCA | Source = Google Update | ID = 20
Description =

Error - 6/12/2010 2:27:58 AM | Computer Name = BECCA | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/12/2010 2:27:59 AM | Computer Name = BECCA | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/12/2010 2:28:04 AM | Computer Name = BECCA | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/12/2010 2:28:04 AM | Computer Name = BECCA | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/12/2010 2:31:40 AM | Computer Name = BECCA | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/12/2010 2:31:40 AM | Computer Name = BECCA | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/12/2010 2:31:52 AM | Computer Name = BECCA | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/12/2010 2:31:52 AM | Computer Name = BECCA | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

[ System Events ]
Error - 6/12/2010 2:28:03 AM | Computer Name = BECCA | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 6/12/2010 2:28:19 AM | Computer Name = BECCA | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.100.11 for the Network Card with network
address 0013720A7BF1 has been denied by the DHCP server 192.168.100.1 (The DHCP
Server sent a DHCPNACK message).

Error - 6/12/2010 2:31:45 AM | Computer Name = BECCA | Source = Ma730Pt | ID = 393234
Description =

Error - 6/12/2010 2:31:45 AM | Computer Name = BECCA | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 6/12/2010 2:31:55 AM | Computer Name = BECCA | Source = Service Control Manager | ID = 7000
Description = The Crypto service failed to start due to the following error: %%31

Error - 6/12/2010 2:31:55 AM | Computer Name = BECCA | Source = Service Control Manager | ID = 7001
Description = The SafeNet IKE Service service depends on the Crypto service which
failed to start because of the following error: %%31

Error - 6/12/2010 2:31:55 AM | Computer Name = BECCA | Source = Service Control Manager | ID = 7000
Description = The SafeNet IPSec Plugin service failed to start due to the following
error: %%31

Error - 6/12/2010 2:31:55 AM | Computer Name = BECCA | Source = Service Control Manager | ID = 7000
Description = The InCD Helper service failed to start due to the following error:
%%2

Error - 6/12/2010 2:31:55 AM | Computer Name = BECCA | Source = Service Control Manager | ID = 7000
Description = The SafeNet Monitor Service service failed to start due to the following
error: %%3

Error - 6/12/2010 2:32:00 AM | Computer Name = BECCA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
ZetSFD


< End of report >


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:57 PM

Posted 12 June 2010 - 06:30 AM

Thanks for the logs. But the log of the step 1 is not complete. Please run look.bat again. The log misses one line (Called Modules) and it should look like this (the bold line is the missing line):

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK

Edited by farbar, 12 June 2010 - 07:09 AM.


#7 Jack Matz

Jack Matz
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:57 AM

Posted 12 June 2010 - 02:04 PM

I have checked the location of mbr.exe. It is in C:\windows. There are no other copies of mbr.exe on my machine. I re-ran the batch file and the resulting log file is exactly the same as I sent.

The batch file "look.bat" contains only the following text. Is it complete?
@echo off
if exist mbr.log del mbr.log
mbr.exe -t
ping 1.1.1.1 -n 1 -w 1000 >nul
start mbr.log

Also note that in my first post I said I couldn't run DDR.scr.
Do you think this virus/trojan is fighting back?


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:57 PM

Posted 12 June 2010 - 05:31 PM

QUOTE
Do you think this virus/trojan is fighting back?

I'm not sure about that. The log was good to get but it is not vital and we will do it without it.
  1. I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to add/remove in the control panel and remove either Trend Micro Internet Security or Hitman Pro.

  2. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  3. Please run the batch file once more.





#9 Jack Matz

Jack Matz
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:57 AM

Posted 12 June 2010 - 09:28 PM

Good day:

Per your instructions I deleted Hitman Pro 3.5. Please note that the Trend Micro security software that I have used for years (updated) is still
resident on the computer, and I recently installed MalwareBytes. This probably means that I still have two virus checkers running.

When I uninstalled Hitman Pro, the process was almost instant. I am not used to seeing anything uninstall so quickly. It was so fast that I wonder if it did uninstall correctly. The program IS gone from the list of programs on the control panel, however.

After un-installing Hitman, I updated MalwareBytes and ran the quick scan that you requested. The scan found NO malware.

Since the scan found no malware, and I have not used Google for several days, I did a Google search and clicked on the list of links that the search returned to me. The first link I clicked on appeared to take me to the correct location, but when I clicked on another link many bad things happened! After clicking the second link I received an error message telling me that an Adobe Acrobat 3D parsing error had occurred. At almost the same moment, the Trend Micro virus protection told me that it found two items. Also at this time a Java logo appeared briefly on the screen. Here are the things that Trend Micro found:

Incident name: C:\DOCUME~1\RCA\LOCALS~1\Temp\PRAGMA5d39.tmp
Detection name: TROJ_MSVCRTHK.I

and

Incident name: C:\WINDOWS\PRAGMAcrppxvbvfq\PRAGMAd.sys
Detection name: WORM_TDSS.SMA

In addition, a balloon message appeared with a yellow triangle in the lower right area of my screen. The message in the balloon said "Danger,
unauthorized access to your computer. Click on the balloon to install up-to-date software. I DID NOT CLICK ON THE BALLOON.

At the same time several new icons appeared on my desktop with names like spam001.exe and pornotube.com, and a message box appeared telling me that I must immediatly uninstall HitMan Pro or my computer would have problems.

Now I ran MalwareBytes for the second time. MANY problems were found. Some were fixed immediately and some required that I reboot. I did reboot, and immediately ran MalwareBytes for the third time. This time, as with the first time, no problems were found. I will include all three MalwareBytes logs below.

It seems that the malware we're fighting hides itself until Google is used, then it might run a Java script or cause an Adobe Acrobat 3D parsing
error that allows it to download other malware to the computer.

Here is the first Malware Bytes log:
====================================
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4192

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

6/12/2010 7:17:10 PM
mbam-log-2010-06-12 (19-17-10).txt

Scan type: Quick scan
Objects scanned: 142061
Time elapsed: 9 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
===============================

Here is the second MalwareBytes Log:
===================================
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4192

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

6/12/2010 8:03:47 PM
mbam-log-2010-06-12 (20-03-47).txt

Scan type: Quick scan
Objects scanned: 142207
Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 15

Memory Processes Infected:
C:\Documents and Settings\RCA\Local Settings\Temp\esentutl64.exe (Trojan.Agent.Gen) -> Unloaded process successfully.

Memory Modules Infected:
C:\Documents and Settings\RCA\Local Settings\Temp\mschrt20ex.dll (Trojan.Agent.Gen) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined

and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) ->

Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\PRAGMAcrppxvbvfq (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\RCA\Local Settings\Temp\mschrt20ex.dll (Trojan.Agent.Gen) -> Delete on reboot.
C:\Documents and Settings\RCA\Local Settings\Temp\esentutl64.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\RCA\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\RCA\Local Settings\Temp\PRAGMA5d39.tmp (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\RCA\Local Settings\Temp\PRAGMAaf41.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\RCA\Local Settings\Temp\tmp6E9E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\RCA\Local Settings\Temp\topwesitjh (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\RCA\Local Settings\Temporary Internet Files\Content.IE5\VKM3ER8G\391-direct[1].ex (Trojan.Agent.Gen) -> Quarantined and

deleted successfully.
C:\Documents and Settings\RCA\Desktop\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\RCA\Desktop\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\RCA\Desktop\spam001.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\RCA\Desktop\spam003.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\RCA\Desktop\troj000.exe (Malware.Trave) -> Quarantined and deleted successfully.
C:\Documents and Settings\RCA\Desktop\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\RCA\Local Settings\Temp\PRAGMA5d2a.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
===========================

And here is the third MalwareBytes log:
===========================
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4192

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

6/12/2010 8:21:57 PM
mbam-log-2010-06-12 (20-21-57).txt

Scan type: Quick scan
Objects scanned: 142040
Time elapsed: 9 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
=============================

Edited by Jack Matz, 12 June 2010 - 09:32 PM.


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:57 PM

Posted 13 June 2010 - 07:02 AM

Good day Jack Matz,

Looks you got reinfected on the top of the current infection.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the not trusted download sites for ComboFix, click Yes.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#11 Jack Matz

Jack Matz
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:57 AM

Posted 13 June 2010 - 01:01 PM

Per your instructions, I halted operation of my Trend Micro real time antivirus protection. Windows security center reports as follows: Automatic updates: OFF, Virus protection: OFF, Firewall: ON.

I ran Combofix and the log is attached below:

Two items to note:
1. After rebooting the computer, Combofix said "Do not run other programs until Combofix completes". My Outlook loads at startup, and it automatically started and ran while Combofix was completing it's operations. I think that did not cause a problem, however.
2. After the Combofix log was created, the Trend Micro antivirus program came on-line and downloaded updates. I stopped the process, so I think the updates did not install. I mention this because you told me not to change any software without your instructions.

Here is the Combofix log:
=================
ComboFix 10-06-12.04 - RCA 06/13/2010 12:31:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2388 [GMT -5:00]
Running from: c:\documents and settings\RCA\Desktop\ComboFix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\RCA\Application Data\JuniperSetup.exe
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\VB6KO.DLL
c:\windows\system32\wpcap.dll
F:\Autorun.inf

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\ws2_32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_PRAGMAcrppxvbvfq
-------\Service_NPF
-------\Service_PRAGMAcrppxvbvfq


((((((((((((((((((((((((( Files Created from 2010-05-13 to 2010-06-13 )))))))))))))))))))))))))))))))
.

2010-06-13 17:38 . 2009-09-01 17:26 558344 ----a-w- c:\documents and settings\All Users\Application Data\Trend Micro\OL_OEM\engine\01\tmaseng.dll
2010-06-03 02:10 . 2010-06-03 02:10 -------- d-----w- c:\documents and settings\RCA\Application Data\Malwarebytes
2010-06-03 02:10 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-03 02:10 . 2010-06-03 02:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 02:10 . 2010-06-03 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-03 02:10 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-03 00:44 . 2010-06-12 06:33 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-03 00:44 . 2010-06-03 00:44 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-03 00:44 . 2010-06-03 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-16 02:30 . 2010-05-16 02:30 -------- d-----w- c:\program files\Nolo's Financial Planning Library

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-13 17:38 . 2010-01-14 22:13 -------- d-----w- c:\documents and settings\RCA\Application Data\Dropbox
2010-06-13 17:38 . 2008-04-11 04:07 -------- d-----w- c:\program files\lg_fwupdate
2010-06-13 16:33 . 2009-02-12 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-06 10:02 . 2008-04-27 02:17 -------- d-----w- c:\program files\BitTorrent
2010-05-23 19:55 . 2008-02-03 01:08 -------- d-----w- c:\program files\Replay Media Catcher
2010-05-23 19:04 . 2008-09-23 03:58 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-05-23 19:04 . 2008-09-23 03:58 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-05-04 17:20 . 2004-08-11 23:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2009-06-06 18:10 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-11 23:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-31 05:20 . 2009-09-06 18:14 3709232 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-07-25 04:40 . 2006-02-28 04:45 56 --sh--r- c:\windows\system32\3B11A8725A.sys
2008-07-25 04:40 . 2007-01-15 04:46 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\RCA\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\RCA\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\RCA\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-09 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-09-10 1537648]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"MaBtSh"="c:\program files\Mobile Action\Bluetooth Manager\MaBtSh.exe" [2006-02-08 24576]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-12-25 548864]
"DPAgnt"="c:\program files\DigitalPersona\Bin\DPAgnt.exe" [2006-10-09 807440]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-20 30192]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"Ask and Record FLV Service"="c:\program files\Replay Media Catcher\FLVSrvc.exe" [2009-09-22 156672]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-04-03 640440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

c:\documents and settings\RCA\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\RCA\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launch Microsoft Outlook.lnk - c:\program files\Microsoft Office\Office10\OUTLOOK.EXE [2009-9-10 46920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
2006-10-09 21:27 99856 ----a-w- c:\windows\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\HP\\HP Officejet 9100 series\\Toolbox\\HPWKTBX.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\RCA\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20001:UDP"= 20001:UDP:MicroSAN

R2 RJIHJ32I;RJIHJ32I;c:\windows\system32\drivers\SGP46A55.sys [12/24/2007 3:06 AM 28384]
R2 SFSZ;DataPlow SFS for Zetera Storage Devices;c:\windows\system32\drivers\sfsz.sys [8/25/2008 10:52 PM 345984]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~2\Tmntsrv.exe [9/18/2006 3:50 PM 345696]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/11/2006 5:11 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~2\tmproxy.exe [8/29/2006 2:55 PM 566872]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;c:\windows\system32\drivers\dpK0Bx01.sys [8/4/2004 5:58 PM 35584]
R3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\hpzs2k12.sys [11/23/2003 5:07 PM 50360]
R3 Ma730Pt;MA730 Bluetooth VCOM Driver;c:\windows\system32\drivers\ma730Pt.sys [12/24/2007 3:01 AM 103680]
R3 Ma730VaA;MA730 Bluetooth Advanced Audio;c:\windows\system32\drivers\Ma730VaA.sys [12/24/2007 3:01 AM 21851]
R3 Ma730Vad;MA730 Bluetooth Audio;c:\windows\system32\drivers\Ma730Vad.sys [12/24/2007 3:01 AM 50522]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/29/2006 2:54 PM 280392]
R3 UsbdpFP;Fingerprint Reader Class Driver;c:\windows\system32\drivers\usbdpfp.sys [8/4/2004 5:59 PM 47360]
R3 ZetBus;Zetera Virtual Bus;c:\windows\system32\drivers\ZetBus.sys [8/25/2008 10:52 PM 15488]
S0 ZetSFD;ZetSFD;c:\windows\system32\drivers\ZetSFD.sys [8/25/2008 10:52 PM 12800]
S2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [3/1/2006 2:14 PM 521786]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/26/2009 2:24 AM 135664]
S2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [3/1/2006 2:14 PM 119864]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [8/29/2006 2:54 PM 923216]
S2 Z-SANService;Z-SAN Service;c:\program files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe --> c:\program files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe [?]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/7/2008 6:34 PM 30192]
S3 Ma730c;MA730 Bluetooth Core Driver;c:\windows\system32\drivers\ma730c.sys [12/24/2007 3:01 AM 157024]
S3 ZetMPD;ZetMPD;c:\windows\system32\drivers\ZetMPD.sys [8/25/2008 10:52 PM 5120]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ZETSFD

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 18:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-03 00:13]

2010-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 07:24]

2010-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 07:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: &GripIE - c:\program files\GripIE\GripIEExt.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: microsoft.com\office
Trusted Zone: turbotax.com
Trusted Zone: usbank.com\trustnowessentials
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://connect.hbpsi.com/dana-cached/sc/JuniperSetupClient.cab
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DXDllRegExe - dxdllreg.exe
HKLM-Run-InCD - c:\program files\Nero\Nero 7\InCD\InCD.exe
AddRemove-Dell Game Console - c:\program files\WildTangent\Apps\Dell Game Console\Uninstall.exe
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Nero\Nero 7\\nero\uninstall\UNNERO.exe
AddRemove-TurboTax Deluxe 2005 - c:\program files\TurboTax\Deluxe 2005\TaxUnst.EXE
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe
AddRemove-{A3672E1B-021F-4F50-A891-609471CCF941} - c:\program files\InstallShield Installation Information\{A3672E1B-021F-4F50-A891-609471CCF941}\setup.exe
AddRemove-{D4F2AFD3-0167-4464-B92F-78AB6DA8A0AA} - c:\program files\InstallShield Installation Information\{D4F2AFD3-0167-4464-B92F-78AB6DA8A0AA}\setup.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\DPWLEvHd.dll

- - - - - - - > 'lsass.exe'(776)
c:\windows\DPPWDFLT.dll

- - - - - - - > 'explorer.exe'(2420)
c:\windows\system32\WININET.dll
c:\documents and settings\RCA\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\documents and settings\RCA\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\DigitalPersona\Bin\DPWinLct.exe
c:\program files\DigitalPersona\Bin\DpHost.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\System32\GEARSec.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\progra~1\TRENDM~1\INTERN~2\PcCtlCom.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\DigitalPersona\Bin\DPFUSMgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Trend Micro\Internet Security 14\TMAS_OL\TMAS_OL.exe
.
**************************************************************************
.
Completion time: 2010-06-13 12:43:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-13 17:43

Pre-Run: 73,128,034,304 bytes free
Post-Run: 73,165,828,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 09B790FFA1CE329487A953A9FCBE7B2B


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:57 PM

Posted 13 June 2010 - 02:07 PM

Thanks for the detailed feedback.

Please let Trend Micro to update fully and make sure its real time is enabled.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  2. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  3. Tell me how is your computer running now.


#13 Jack Matz

Jack Matz
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:57 AM

Posted 13 June 2010 - 04:11 PM

In Add/Remove files, I found no files with "JDK" or "JRE" but I found several Java updates and one Java runtime environment. I removed all of them.

When removing the Java runtime environment I received the following two messages:

1. User SYSTEM has previously initiat4ed an installation for product Microsoft .NET Framework 2.0 Service Pack 2. That user will need to run that insatallation again before using that product. Your current installation will now continue.

2. Error 1704 An installation for Microsoft .NET Framework 2.0 Service Pack 2 is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes [answered "Yes"]

After removing all the Java files I installed JRE-6u20. The installation seems to have been successful, although I'm not sure how to test it.

The original problem, Google redirection, appears to be fixed.

I have not been this happy since my ex-wife remarried and my alimony payments stopped. (no kidding) Many, many thanks.

CAN YOU TELL ME IF ANY OF THE MALWARE YOU FOUND WOULD HAVE EXPOSED ANY PERSONAL INFORMATION FROM MY COMPUTER?
What is the best way to protect my personal information?

Thanks again.

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:57 PM

Posted 13 June 2010 - 04:30 PM

To answer your question let's take a look at the patched file ComboFix disinfected.

Click on this link--> virustotal

Click the browse button. Copy and paste the line in bold in the open box, then click Send File.

C:\QooBox\quarantine\c\windows\system32\ws2_32.dll.vir

If the file is analyzed before, click Reanalyse File Now button.
Please copy and paste the results of the scan in your next post.

#15 Jack Matz

Jack Matz
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:57 AM

Posted 13 June 2010 - 04:44 PM

The following is a copy/paste of the screen text. I see that all formatting is lost. I will attempt to upload a clear .pdf file showing the screen as I see it.
==========================
Antivirus Version Last Update Result
a-squared 5.0.0.26 2010.06.13 Trojan.Win32.Patched!IK
AhnLab-V3 2010.06.13.00 2010.06.12 -
AntiVir 8.2.2.6 2010.06.13 -
Antiy-AVL 2.0.3.7 2010.06.11 -
Authentium 5.2.0.5 2010.06.13 -
Avast 4.8.1351.0 2010.06.13 Win32:Patched-NW
Avast5 5.0.332.0 2010.06.13 Win32:Patched-NW
AVG 9.0.0.787 2010.06.13 Win32/Patched
BitDefender 7.2 2010.06.13 Trojan.Patched.EM
CAT-QuickHeal 10.00 2010.06.12 Trojan.Patched.HG
ClamAV 0.96.0.3-git 2010.06.13 -
Comodo 5088 2010.06.13 -
DrWeb 5.0.2.03300 2010.06.13 -
eSafe 7.0.17.0 2010.06.13 -
eTrust-Vet 36.1.7629 2010.06.11 Win32/WSPatch.A
F-Prot 4.6.0.103 2010.06.13 -
F-Secure 9.0.15370.0 2010.06.13 Trojan.Patched.EM
Fortinet 4.1.133.0 2010.06.13 W32/Patched.HG!tr
GData 21 2010.06.13 Trojan.Patched.EM
Ikarus T3.1.1.84.0 2010.06.13 Trojan.Win32.Patched
Jiangmin 13.0.900 2010.06.13 Win32/PatchFile.cc
Kaspersky 7.0.0.125 2010.06.13 Trojan.Win32.Patched.hg
McAfee 5.400.0.1158 2010.06.13 -
McAfee-GW-Edition 2010.1 2010.06.13 -
Microsoft 1.5802 2010.06.13 Trojan:Win32/Patched.L
NOD32 5193 2010.06.13 Win32/Patched.ED
Norman 6.04.12 2010.06.13 -
nProtect 2010-06-12.01 2010.06.12 Trojan.Patched.EM
Panda 10.0.2.7 2010.06.13 -
PCTools 7.0.3.5 2010.06.13 -
Prevx 3.0 2010.06.13 -
Rising 22.51.06.01 2010.06.13 Win32.Loader.fg
Sophos 4.54.0 2010.06.13 Mal/WSHack-A
Sunbelt 6444 2010.06.13 -
Symantec 20101.1.0.89 2010.06.13 -
TheHacker 6.5.2.0.298 2010.06.12 -
TrendMicro 9.120.0.1004 2010.06.13 -
TrendMicro-HouseCall 9.120.0.1004 2010.06.13 -
VBA32 3.12.12.5 2010.06.11 -
ViRobot 2010.6.12.3882 2010.06.13 -
VirusBuster 5.0.27.0 2010.06.13 -
Additional information
File size: 82432 bytes
MD5...: 487a02556fb60c59c21ad22ff1bea71b
SHA1..: 26db9ae863850b404e3c7903430976d807dfb1f4
SHA256: f2e8116dfda078d7618105418d782cfc5045a69e64baf5c692bbadfe694a8f21
ssdeep: 1536:SRqRCPAJcBuyg2f1htxvSrqtkBx5sALnR4lxCyqWYb:SR0jJKBf1hrvSrMk
Bx5swR41B

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x141a1
timedatestamp.....: 0x4802a164 (Mon Apr 14 00:12:20 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x12153 0x12200 6.48 b54dac27fea9880d9fa75b0a23783e2a
.data 0x14000 0x914 0xa00 5.89 ccde7f9d581ef7f0984ad7c948ec9e3a
.rsrc 0x15000 0x3f8 0x400 3.43 5ff68b649c14d167754073f671ef1ef1
.reloc 0x16000 0xdc8 0xe00 6.46 07ffed3838d926c6f7f8c9596719adb4

( 5 imports )
> ADVAPI32.dll: RegNotifyChangeKeyValue, RegDeleteKeyA, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegEnumKeyExA
> KERNEL32.dll: GetTickCount, QueryPerformanceCounter, lstrcmpA, HeapReAlloc, HeapFree, HeapAlloc, InterlockedCompareExchange, IsBadWritePtr, GetEnvironmentVariableA, GetComputerNameA, GetVersionExA, GetSystemDirectoryA, GetWindowsDirectoryA, WaitForMultipleObjectsEx, ResetEvent, IsBadReadPtr, TlsSetValue, GetHandleInformation, ExpandEnvironmentStringsA, InterlockedExchange, GetCurrentThreadId, TlsAlloc, GetSystemInfo, HeapCreate, GetProcessHeap, HeapDestroy, TlsFree, lstrlenA, lstrcpyA, IsBadCodePtr, GetProcAddress, CreateEventA, GetModuleFileNameA, LoadLibraryA, CreateThread, FreeLibrary, WaitForSingleObject, CloseHandle, FreeLibraryAndExitThread, EnterCriticalSection, SetEvent, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SwitchToThread, SetLastError, DelayLoadFailureHook, TlsGetValue, InterlockedDecrement, GetLastError, WideCharToMultiByte, MultiByteToWideChar, InitializeCriticalSection, DeleteCriticalSection, InterlockedIncrement, LeaveCriticalSection
> msvcrt.dll: __isascii, isspace, _except_handler3, sprintf, _adjust_fdiv, malloc, _initterm, free, _stricmp, fclose, fgets, atoi, strchr, fopen, wcscpy, strtoul, wcscmp, wcslen, wcschr
> ntdll.dll: RtlIpv4StringToAddressW, RtlIpv6StringToAddressExW, RtlIpv4StringToAddressA
> WS2HELP.dll: WahCompleteRequest, WahQueueUserApc, WahEnableNonIFSHandleSupport, WahDisableNonIFSHandleSupport, WahCreateSocketHandle, WahNotifyAllProcesses, WahCreateNotificationHandle, WahWaitForNotification, WahOpenCurrentThread, WahCloseThread, WahInsertHandleContext, WahRemoveHandleContext, WahDestroyHandleContextTable, WahCreateHandleContextTable, WahEnumerateHandleContexts, WahCloseApcHelper, WahCloseHandleHelper, WahCloseNotificationHandleHelper, WahOpenNotificationHandleHelper, WahOpenHandleHelper, WahOpenApcHelper, WahCloseSocketHandle, WahReferenceContextByHandle

( 117 exports )
FreeAddrInfoW, GetAddrInfoW, GetNameInfoW, WEP, WPUCompleteOverlappedRequest, WSAAccept, WSAAddressToStringA, WSAAddressToStringW, WSAAsyncGetHostByAddr, WSAAsyncGetHostByName, WSAAsyncGetProtoByName, WSAAsyncGetProtoByNumber, WSAAsyncGetServByName, WSAAsyncGetServByPort, WSAAsyncSelect, WSACancelAsyncRequest, WSACancelBlockingCall, WSACleanup, WSACloseEvent, WSAConnect, WSACreateEvent, WSADuplicateSocketA, WSADuplicateSocketW, WSAEnumNameSpaceProvidersA, WSAEnumNameSpaceProvidersW, WSAEnumNetworkEvents, WSAEnumProtocolsA, WSAEnumProtocolsW, WSAEventSelect, WSAGetLastError, WSAGetOverlappedResult, WSAGetQOSByName, WSAGetServiceClassInfoA, WSAGetServiceClassInfoW, WSAGetServiceClassNameByClassIdA, WSAGetServiceClassNameByClassIdW, WSAHtonl, WSAHtons, WSAInstallServiceClassA, WSAInstallServiceClassW, WSAIoctl, WSAIsBlocking, WSAJoinLeaf, WSALookupServiceBeginA, WSALookupServiceBeginW, WSALookupServiceEnd, WSALookupServiceNextA, WSALookupServiceNextW, WSANSPIoctl, WSANtohl, WSANtohs, WSAProviderConfigChange, WSARecv, WSARecvDisconnect, WSARecvFrom, WSARemoveServiceClass, WSAResetEvent, WSASend, WSASendDisconnect, WSASendTo, WSASetBlockingHook, WSASetEvent, WSASetLastError, WSASetServiceA, WSASetServiceW, WSASocketA, WSASocketW, WSAStartup, WSAStringToAddressA, WSAStringToAddressW, WSAUnhookBlockingHook, WSAWaitForMultipleEvents, WSApSetPostRoutine, WSCDeinstallProvider, WSCEnableNSProvider, WSCEnumProtocols, WSCGetProviderPath, WSCInstallNameSpace, WSCInstallProvider, WSCUnInstallNameSpace, WSCUpdateProvider, WSCWriteNameSpaceOrder, WSCWriteProviderOrder, __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyaddr, gethostbyname, gethostname, getnameinfo, getpeername, getprotobyname, getprotobynumber, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/...-021223-0550-99
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows Socket 2.0 32-Bit DLL
original name: ws2_32.dll
internal name: ws2_32.dll
file version.: 5.1.2600.5512 (xpsp.080413-0852)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users