Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

AV Security Suite Infection, can't run anything, can open little


  • This topic is locked This topic is locked
26 replies to this topic

#1 Scoobrocks

Scoobrocks

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 26 June 2010 - 08:35 PM

My son owns a Dell Inspiron 1545. Vista OS. Today while on a wikipedia site the AV Security Suite popped up for the first time ever.

In efforts to help him we found that he can not get to a legit website. It sometimes loads the page, but once clicking anywhere, the page goes away and the screen shows the site blocked by malware or something. Undesirable sites pop up randomly, multiple tabs. He has the same boxes others have posted, one ATTENTION SPYWARE ALERT box in the middle that can not be minimized or moved. One Antivirus software alert in lower right of screen that can not be moved. (both have options to click, but we didn't want to click anything) Multiple Windows Security Alert dialog messages appear from the task bar at the AV Security Suite icon.

Task Manager is blocked from access. We can open thumb drives and cd drives, but can't open or execute the files to run tests. Downloaded DDS, GMER & Hijackthis onto the thumbdrive/cd from my PC, but can't access any from his laptop.

No clue what to do since I can't access and run the files Bleeping Computer has suggested to others. Please advise how to get what you need in order to assist us in this big mess if possible.

With much appreciation,

Scoob

Almost forgot, we can't open/run Malwarebytes or Avast (his anti virus) either.

Edited by Scoobrocks, 26 June 2010 - 08:36 PM.


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:37 AM

Posted 01 July 2010 - 05:30 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

We can try and get into the operating system a different way

Please do this......
  • Download OTLPE Network from either location and save it to your desktop:

    http://oldtimer.geekstogo.com/OTLPENet.exe
    http://ottools.noahdfear.net/OTLPENet.exe

  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPENet Iso to be burned to CD
  • Place a blank CD in your CD-Rom
  • Click to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first

    Note : For information click here

  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start
  • Copy and Paste the following code into the textbox. Do not include the word "Code"

    Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  • Push
  • When finished, the file will be saved in drive C:\OTL.txt
  • Please post the contents of the C:\OTL.txt file in your next reply.
  • Copy this file to your USB drive if you do not have an internet connection.

Posted Image
m0le is a proud member of UNITE

#3 Scoobrocks

Scoobrocks
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 02 July 2010 - 09:10 PM

My son typed this up as a reply:

My friend, who I trust and who says he is very good with computers, came over to my place Monday to help me out. Since we didn't have any replies on Monday, I tried to let my friend help.

When we first booted up my laptop, the virus screens mentioned in the first post jumped up on the page and my taskbar and all of the icons on my desktop weren't there. We shut down the laptop and booted it up again. As soon as he could, my friend pulled up the task manager and stopped 2 or 3 processes. After that, we had access to everythin on my laptop. We were able to get on the internet and keep processes, such as Malwarebytes, running.

He stopped a couple of things on LiberKey, one of the tools he brought over to try to fix my laptop. I'm not very good with computers and I don't remember what he did and what he stopped with LiberKey, so that's all the information I have with that.

We ran Malwarebytes after that and found a few viruses. We deleted them and ran another scan. After that, everything seemed fine.

He suggested to try one of two different antivirus suites, Symante and Kaspersky. I tried to do Symantec, but it wasn't compatible with my system. I tried Kaspersky and found new problems with my computer and with Kaspersky.

I downloaded a trial from the website that had full accessibility, but I couldn't do anything about the over 20 threats detected by Kaspersky. Strangely enough, based on what I was able to determine from the threats, some of them were from Kaspersky.

I tried to quarantine and disinfect everything, but nothing happened. I clicked the options and nothing changed. I tried that again an hour or so ago and My Computer popped up. I thought that I needed to make a Quarantine folder, so I made a new empty folder, but I still can't put any of the items in that folder... and aren't Quarantine folders supposed to be within the antivirus suite, anyway?

We've been trying to open up the OTLPENet thing for quite some time now and we've had very little luck. My laptop is running incredibly slowly. I tried pulling up the task manager twice and nothing happened. I can't pull up the page with all of the wireless networks on it, so I can't get online. Both attempts at opening OTLPENet have left tabs at the taskbar that say "ImgBurn (Not Responding)."

Finally (for now), my laptop has items at the top and right of the screen grouped together. The top has an icon for games built into the computer, the internet, music, videos, etc. The right has a status section that shows how much power is being used, among other things. Both of those aren't visible on my screen, but the other icons are.

We'll continue to try to get OTLPENet to open up. For now, it's not responding.

Edited by Scoobrocks, 02 July 2010 - 09:11 PM.


#4 Scoobrocks

Scoobrocks
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 03 July 2010 - 04:13 PM

We got the OTLPE network downloaded to the laptop and were able to boot from the disk we made. The first run of the scan hung up and would not respond. We booted from disk again , this time th escan ran all the way and created the OTL.txt file. The computer hung up when I tried to dave it to a CD so I could post it from this computer. I've not done anything further (just tried multiple times and now have multiple C: windows open all not responding. I've waited a couple hours and the windows are still there, won't close, won't minimize, etc.

If I shut the computer down and boot normally, will the file be in his regular C drive files? Or do I have to be in the REAGOTO-X- PE desktop to access the file?

IN efforts to not mess things up worse we await your reply.

Thanks.

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:37 AM

Posted 03 July 2010 - 07:58 PM

The OTL file should have been saved to the root when you boot normally. thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#6 Scoobrocks

Scoobrocks
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 03 July 2010 - 08:57 PM

m0le,

Thank you for your reply. Below is the OTL pasted. Please advise of next step. We will leave it alone until further instructions in efforts to not mess up what you are reviewing/suggesting.


OTL logfile created on: 7/3/2010 5:06:01 PM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
Windows Vista ™ Home Premium Service Pack 1 (Version = 6.0.6001) - Type = System
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 92.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 451.07 Gb Total Space | 341.07 Gb Free Space | 75.61% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 14.65 Gb Total Space | 7.56 Gb Free Space | 51.58% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2010/05/07 12:39:36 | 000,344,736 | ---- | M] (Kaspersky Lab ZAO) [Auto] -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe -- (AVP)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/06/19 04:22:40 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand] -- C:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe -- (Creative ALchemy AL6 Licensing Service)
SRV - [2009/06/19 04:22:02 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2009/06/19 04:21:27 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand] -- C:\Program Files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe -- (Sound Blaster X-Fi MB Licensing Service)
SRV - [2009/06/19 04:09:42 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/04/01 03:00:18 | 000,254,042 | ---- | M] (IDT, Inc.) [Auto] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\stacsv.exe -- (STacSV)
SRV - [2009/04/01 03:00:04 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\AEstSrv.exe -- (AESTFilters)
SRV - [2009/03/09 15:06:55 | 000,951,632 | ---- | M] (Lavasoft) [Auto] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/02/23 10:48:06 | 000,632,048 | ---- | M] (SoftThinks) [Auto] -- C:\Windows\sminst\sftservice.EXE -- (SftService)
SRV - [2009/02/05 01:57:14 | 000,307,200 | ---- | M] (Creative Technology Ltd) [Auto] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2009/01/30 01:50:06 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
SRV - [2009/01/05 18:19:10 | 000,824,560 | ---- | M] (Dell Inc.) [Auto] -- c:\Program Files\Common Files\Dell\Advanced Networking Service\hnm_svc.exe -- (hnmsvc)
SRV - [2009/01/05 18:19:08 | 000,173,296 | ---- | M] (SingleClick Systems) [Auto] -- C:\Program Files\Common Files\Dell\Remote Access File Sync Service\dsl_fs_sync.exe -- (dsl-fs-sync)
SRV - [2008/12/18 14:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV - [2008/11/03 19:15:32 | 000,242,424 | ---- | M] (WildTangent, Inc.) [On_Demand] -- C:\Program Files\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/05/07 18:41:14 | 000,354,840 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/09/21 14:26:34 | 000,015,872 | ---- | M] (Apache Software Foundation) [Auto] -- C:\Program Files\Common Files\Dell\apache\bin\httpd.exe -- (Apache2.2)
SRV - [2007/09/14 14:35:04 | 005,730,304 | ---- | M] () [Auto] -- C:\Program Files\Common Files\Dell\MySQL\bin\mysqld.exe -- (dsl-db)
SRV - [2004/12/13 05:34:32 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand] -- -- (IpInIp)
DRV - [2010/06/28 17:10:00 | 000,475,224 | ---- | M] (Kaspersky Lab) [File_System | System] -- C:\Windows\System32\drivers\klif.sys -- (KLIF)
DRV - [2010/05/07 00:19:06 | 000,132,184 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System] -- C:\Windows\System32\drivers\kl2.sys -- (kl2)
DRV - [2010/05/07 00:19:02 | 000,132,184 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot] -- C:\Windows\System32\drivers\kl1.sys -- (KL1)
DRV - [2010/04/22 19:07:34 | 000,022,104 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System] -- C:\Windows\System32\drivers\klim6.sys -- (KLIM6)
DRV - [2009/11/02 20:27:16 | 000,019,984 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand] -- C:\Windows\System32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/04/01 04:55:26 | 004,568,064 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2009/04/01 04:53:56 | 000,062,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\RTSTOR.sys -- (RTSTOR)
DRV - [2009/04/01 03:00:26 | 000,398,336 | ---- | M] (IDT, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2009/04/01 02:18:30 | 000,192,048 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2009/03/09 15:06:56 | 000,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot] -- C:\Windows\System32\drivers\Lbd.sys -- (Lbd)
DRV - [2008/12/22 05:12:06 | 003,662,848 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel®
DRV - [2008/11/04 19:16:40 | 000,022,904 | ---- | M] (PC-Doctor, Inc.) [Kernel | On_Demand] -- C:\Program Files\Dell Support Center\HWDiag\bin\pcd5srvc.pkms -- (PCD5SRVC{3F6A8B78-EC003E00-05040104})
DRV - [2008/09/01 06:19:40 | 000,304,128 | ---- | M] (Marvell) [Kernel | On_Demand] -- C:\Windows\System32\drivers\yk60x86.sys -- (yukonwlh)
DRV - [2008/09/01 06:15:54 | 000,317,976 | ---- | M] (Intel Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\iaStor.sys -- (iaStor)
DRV - [2008/06/17 12:01:06 | 000,022,016 | ---- | M] (SingleClick Systems) [Kernel | Auto] -- C:\Windows\System32\drivers\packet.sys -- (Packet)
DRV - [2008/01/20 22:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 22:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 22:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 22:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 22:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 22:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 22:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 22:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2008/01/20 22:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 22:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 22:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/20 22:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 22:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 22:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 22:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 22:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 22:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 22:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 22:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 22:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 22:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 22:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 22:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 22:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 22:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/22 19:13:22 | 000,016,024 | ---- | M] (InterVideo, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\iviaspi.sys -- (Iviaspi)
DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 03:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

IE - HKU\Jacob_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKU\Jacob_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
IE - HKU\Jacob_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\Jacob_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Jacob_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\Jacob_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\THBExt [2010/06/28 17:11:25 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll (Kaspersky Lab ZAO)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\Jacob_ON_C\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe (Kaspersky Lab ZAO)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [RunDLLEntry] C:\Windows\system32\AmbRunE.DLL (Creative Technology Ltd.)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\Windows\Updreg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\Jacob_ON_C..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe File not found
O4 - HKU\LocalService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\NetworkService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKLM..\RunOnce: [DSUpdateLauncher] C:\Program Files\Dell DataSafe Local Backup\Components\DSUpdate\runhstart.bat ()
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\sminst\Components\scheduler\Launcher.exe (Softthinks)
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O4 - Startup: C:\Users\Jacob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O4 - Startup: C:\Users\RA Media Server\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\Jacob_ON_C\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\Jacob_ON_C\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\RA_Media_Server_ON_C\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\RA_Media_Server_ON_C\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} http://srtest-cdn.systemrequirementslab.co...eqlabdetect.cab (Reg Error: Key error.)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\mzvkbd3.dll (Kaspersky Lab ZAO)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\kloehk.dll (Kaspersky Lab ZAO)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\Windows\system32\klogon.dll - C:\Windows\System32\klogon.dll (Kaspersky Lab ZAO)
O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2004/04/30 17:01:00 | 000,000,053 | -HS- | M] () - E:\AUTORUN.INF -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/01/20 22:34:27 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found


SafeBootMin: AppMgmt - Service
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootMin: MCODS - Service
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

SafeBootNet: AppMgmt - Service
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
SafeBootNet: HelpSvc - Service
SafeBootNet: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootNet: Messenger - Service
SafeBootNet: MpfService - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: NTDS - File not found
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdsessmgr - Service
SafeBootNet: sacsvr - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {814E456E-9B6D-52D1-7FF0-A0C38B86ECFC} - Microsoft Windows Media Player
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\Windows\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

========== Files/Folders - Created Within 30 Days ==========

[2010/07/03 08:36:16 | 126,850,486 | ---- | C] (Igor Pavlov) -- C:\Users\Jacob\Desktop\OTLPENet.exe
[2010/06/30 03:00:32 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2010/06/28 21:21:33 | 000,000,000 | ---D | C] -- C:\Users\Jacob\Documents\Quarantine
[2010/06/28 17:10:46 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2010/06/28 17:10:00 | 000,475,224 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\klif.sys
[2010/06/28 14:20:22 | 000,000,000 | ---D | C] -- C:\Users\Jacob\AppData\Local\Symantec
[2010/06/28 14:17:01 | 000,466,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\capicom.dll
[2010/06/28 14:17:00 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/06/28 14:16:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2010/06/28 14:16:53 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec AntiVirus
[2010/06/28 13:55:05 | 000,000,000 | ---D | C] -- C:\Users\Jacob\Desktop\-TOOLS-
[2010/06/28 13:54:53 | 000,000,000 | ---D | C] -- C:\Users\Jacob\Desktop\LiberKey
[2010/06/26 15:43:19 | 000,000,000 | ---D | C] -- C:\Users\Jacob\AppData\Local\{669A7C14-38C1-40E0-89AE-5A1B8EB8D4D1}
[2010/06/26 15:41:41 | 000,000,000 | ---D | C] -- C:\Users\Jacob\AppData\Local\Windows Server
[2010/06/26 15:40:39 | 000,000,000 | ---D | C] -- C:\Users\Jacob\AppData\Local\phwyqriia
[2010/06/24 03:01:23 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2010/06/24 03:01:23 | 000,080,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax
[2010/06/24 03:01:23 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Mpeg2Data.ax
[2010/06/24 03:01:23 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSDvbNP.ax
[2010/06/24 03:01:17 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll
[2010/06/24 03:01:15 | 000,428,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2010/06/24 03:01:15 | 000,217,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisrndr.ax
[2010/06/24 03:00:50 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2010/06/24 03:00:49 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2010/06/24 03:00:49 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2010/06/23 21:38:41 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2010/06/23 21:38:41 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2010/06/11 19:18:19 | 000,458,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010/06/11 19:18:19 | 000,389,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/06/11 19:18:19 | 000,380,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2010/06/11 19:18:18 | 000,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/06/11 19:18:18 | 000,389,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2010/06/11 19:18:18 | 000,230,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2010/06/11 19:18:18 | 000,193,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/06/11 19:18:18 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll
[2010/06/11 19:18:18 | 000,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/06/11 19:18:18 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010/06/11 19:18:17 | 001,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010/06/11 19:18:14 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\asycfilt.dll
[2010/06/11 19:18:09 | 000,289,792 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2010/06/11 19:18:09 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2010/06/11 19:18:04 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2010/06/11 16:33:35 | 002,036,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2009/07/29 20:59:20 | 008,270,752 | ---- | C] (Dell, Inc. ) -- C:\Users\Jacob\AppData\Roaming\DataSafeDotNet.exe
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/03 15:45:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/07/03 15:45:38 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/07/03 15:45:38 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/07/03 15:45:35 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/07/03 15:45:27 | 3718,631,424 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/03 11:35:51 | 000,703,388 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/07/03 11:35:51 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/07/03 11:35:51 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/07/03 09:58:14 | 001,835,620 | -H-- | M] () -- C:\Users\Jacob\AppData\Local\IconCache.db
[2010/07/02 21:25:37 | 126,850,486 | ---- | M] (Igor Pavlov) -- C:\Users\Jacob\Desktop\OTLPENet.exe
[2010/07/02 21:10:12 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{0F4814C2-49B8-4DE4-80A4-AF91F4DF25F6}.job
[2010/06/28 17:12:35 | 000,113,933 | ---- | M] () -- C:\Windows\System32\drivers\klin.dat
[2010/06/28 17:12:35 | 000,097,549 | ---- | M] () -- C:\Windows\System32\drivers\klick.dat
[2010/06/28 17:10:00 | 000,475,224 | ---- | M] (Kaspersky Lab) -- C:\Windows\System32\drivers\klif.sys
[2010/06/28 16:20:53 | 000,001,908 | ---- | M] () -- C:\Windows\diagwrn.xml
[2010/06/28 16:20:53 | 000,001,908 | ---- | M] () -- C:\Windows\diagerr.xml
[2010/06/28 16:20:00 | 000,006,404 | ---- | M] () -- C:\Users\Jacob\Desktop\Windows Compatibility Report.htm
[2010/06/28 14:04:07 | 001,373,616 | ---- | M] () -- C:\Users\Jacob\Documents\MCPR.exe
[2010/06/26 21:12:07 | 000,002,495 | ---- | M] () -- C:\Users\Jacob\AppData\Local\ayufaxawiroz.dll
[2010/06/26 19:54:27 | 000,002,495 | ---- | M] () -- C:\Users\Jacob\AppData\Local\Vpayilita.dat
[2010/06/26 19:08:36 | 000,002,495 | ---- | M] () -- C:\Users\Jacob\AppData\Local\arekijad.dll
[2010/06/26 17:44:15 | 000,002,495 | ---- | M] () -- C:\Users\Jacob\AppData\Local\egetugapojuy.dll
[2010/06/26 15:43:19 | 000,000,000 | ---- | M] () -- C:\Users\Jacob\AppData\Local\Tfumuwonezonuso.bin
[2010/06/24 15:43:56 | 000,015,360 | ---- | M] () -- C:\Users\Jacob\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/23 21:59:57 | 000,000,384 | ---- | M] () -- C:\Windows\tasks\SmartDefrag.job
[2010/06/18 22:56:57 | 299,428,219 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/06/12 03:20:59 | 000,271,240 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/28 17:12:35 | 000,113,933 | ---- | C] () -- C:\Windows\System32\drivers\klin.dat
[2010/06/28 17:12:35 | 000,097,549 | ---- | C] () -- C:\Windows\System32\drivers\klick.dat
[2010/06/28 16:20:00 | 000,006,404 | ---- | C] () -- C:\Users\Jacob\Desktop\Windows Compatibility Report.htm
[2010/06/28 16:17:45 | 000,001,908 | ---- | C] () -- C:\Windows\diagwrn.xml
[2010/06/28 16:17:45 | 000,001,908 | ---- | C] () -- C:\Windows\diagerr.xml
[2010/06/28 14:04:05 | 001,373,616 | ---- | C] () -- C:\Users\Jacob\Documents\MCPR.exe
[2010/06/28 13:05:23 | 025,481,728 | ---- | C] () -- C:\Users\Jacob\Desktop\Symantec Antivirus Liscensed.exe
[2010/06/26 21:12:07 | 000,002,495 | ---- | C] () -- C:\Users\Jacob\AppData\Local\ayufaxawiroz.dll
[2010/06/26 19:08:36 | 000,002,495 | ---- | C] () -- C:\Users\Jacob\AppData\Local\arekijad.dll
[2010/06/26 17:44:15 | 000,002,495 | ---- | C] () -- C:\Users\Jacob\AppData\Local\egetugapojuy.dll
[2010/06/26 15:43:19 | 000,002,495 | ---- | C] () -- C:\Users\Jacob\AppData\Local\Vpayilita.dat
[2010/06/26 15:43:19 | 000,000,000 | ---- | C] () -- C:\Users\Jacob\AppData\Local\Tfumuwonezonuso.bin
[2010/03/11 22:26:19 | 000,000,036 | ---- | C] () -- C:\Users\Jacob\AppData\Local\housecall.guid.cache
[2010/03/09 12:51:00 | 000,524,288 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2010/03/09 12:51:00 | 000,139,264 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/09/10 20:22:50 | 000,000,680 | ---- | C] () -- C:\Users\Jacob\AppData\Local\d3d9caps.dat
[2009/07/26 20:37:56 | 000,015,360 | ---- | C] () -- C:\Users\Jacob\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/25 22:51:01 | 000,002,043 | ---- | C] () -- C:\Users\Jacob\AppData\Roaming\install.dat
[2009/06/19 04:22:45 | 000,005,051 | ---- | C] () -- C:\Windows\System32\cfgfx.ini
[2009/06/19 04:22:45 | 000,001,438 | ---- | C] () -- C:\Windows\FF08_not_Spk_Hp.ini
[2009/06/19 04:22:45 | 000,001,379 | ---- | C] () -- C:\Windows\FF08_Render_Spk_Hp.ini
[2009/06/19 04:22:44 | 000,146,432 | ---- | C] () -- C:\Windows\System32\APOMngr.DLL
[2009/06/19 04:22:44 | 000,072,704 | ---- | C] () -- C:\Windows\System32\CmdRtr.DLL
[2009/06/19 04:19:19 | 000,385,024 | ---- | C] () -- C:\Windows\System32\STODD.dll
[2009/06/19 04:19:19 | 000,380,928 | ---- | C] () -- C:\Windows\System32\STODDRD.dll
[2009/06/19 04:19:19 | 000,266,240 | ---- | C] () -- C:\Windows\System32\STODDIM.dll
[2009/06/19 04:19:19 | 000,253,952 | ---- | C] () -- C:\Windows\System32\STODDSC.dll
[2009/06/19 04:19:19 | 000,229,376 | ---- | C] () -- C:\Windows\System32\STFiles.dll
[2009/06/19 04:19:19 | 000,122,880 | ---- | C] () -- C:\Windows\System32\STLog.dll
[2009/06/19 04:19:19 | 000,115,712 | ---- | C] () -- C:\Windows\System32\STNLS.dll
[2009/06/19 04:19:19 | 000,106,496 | ---- | C] () -- C:\Windows\System32\STPE.dll
[2009/06/19 04:19:19 | 000,098,304 | ---- | C] () -- C:\Windows\System32\STFileMonitor.dll
[2009/06/19 04:19:19 | 000,094,208 | ---- | C] () -- C:\Windows\System32\STMsXml.dll
[2009/06/19 04:19:19 | 000,077,824 | ---- | C] () -- C:\Windows\System32\STLangXml.dll
[2009/06/19 04:19:19 | 000,069,632 | ---- | C] () -- C:\Windows\System32\STRegistry.dll
[2009/06/19 04:19:19 | 000,066,048 | ---- | C] () -- C:\Windows\System32\STWiz.dll
[2009/06/19 04:19:19 | 000,065,536 | ---- | C] () -- C:\Windows\System32\STProcess.dll
[2009/06/19 04:19:18 | 000,471,040 | ---- | C] () -- C:\Windows\System32\PSTImage.dll
[2009/06/19 04:19:18 | 000,126,976 | ---- | C] () -- C:\Windows\System32\STWmiM.dll
[2009/06/19 04:19:18 | 000,118,784 | ---- | C] () -- C:\Windows\System32\STCrypto.dll
[2009/06/19 04:19:18 | 000,110,592 | ---- | C] () -- C:\Windows\System32\PSTVdsDisk.dll
[2009/06/19 04:19:18 | 000,090,112 | ---- | C] () -- C:\Windows\System32\wnaspi32.dll
[2009/06/19 04:19:18 | 000,073,728 | ---- | C] () -- C:\Windows\System32\zlib1.dll
[2009/06/19 04:19:17 | 000,102,400 | ---- | C] () -- C:\Windows\System32\STShellVC6.dll
[2009/06/19 04:19:15 | 001,118,208 | ---- | C] () -- C:\Windows\System32\libxml2.dll
[2009/06/19 04:19:15 | 000,053,248 | ---- | C] () -- C:\Windows\System32\STCoreXml.dll
[2009/06/19 03:55:50 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2009/01/05 15:44:10 | 000,000,453 | ---- | C] () -- C:\Windows\bdoscandellang.ini
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2009/07/07 14:54:59 | 000,000,000 | ---D | M] -- C:\Users\Jacob\AppData\Roaming\Absolute
[2009/07/15 15:44:22 | 000,000,000 | ---D | M] -- C:\Users\Jacob\AppData\Roaming\Aim
[2010/01/02 18:21:29 | 000,000,000 | ---D | M] -- C:\Users\Jacob\AppData\Roaming\Desktopicon
[2010/04/09 15:12:22 | 000,000,000 | ---D | M] -- C:\Users\Jacob\AppData\Roaming\Facebook
[2009/12/30 21:19:48 | 000,000,000 | ---D | M] -- C:\Users\Jacob\AppData\Roaming\InterVideo
[2010/02/11 02:44:15 | 000,000,000 | ---D | M] -- C:\Users\Jacob\AppData\Roaming\IObit
[2009/06/28 22:22:12 | 000,000,000 | ---D | M] -- C:\Users\Jacob\AppData\Roaming\iWin
[2010/04/27 00:26:46 | 000,000,000 | ---D | M] -- C:\Users\Jacob\AppData\Roaming\uTorrent
[2009/06/28 22:19:28 | 000,000,000 | ---D | M] -- C:\Users\Jacob\AppData\Roaming\WildTangent
[2009/07/07 22:06:05 | 000,000,458 | ---- | M] () -- C:\Windows\Tasks\Ad-Aware Update (Weekly).job
[2010/07/03 12:03:41 | 000,032,522 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/06/23 21:59:57 | 000,000,384 | ---- | M] () -- C:\Windows\Tasks\SmartDefrag.job
[2010/07/02 21:10:12 | 000,000,418 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{0F4814C2-49B8-4DE4-80A4-AF91F4DF25F6}.job

========== Purity Check ==========



========== Custom Scans ==========


Invalid Environment Variable: %ALLUSERSPROFILE%\Application Data\*.

Invalid Environment Variable: %ALLUSERSPROFILE%\Application Data\*.exe

Invalid Environment Variable: %APPDATA%\*.

Invalid Environment Variable: %APPDATA%\*.exe

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/20 22:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/20 22:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/20 22:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/20 22:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 05:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/06/19 06:26:27 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\System32\drivers\atapi.sys
[2009/06/19 06:26:27 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
[2009/06/19 06:26:27 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18034_none_dd1bb97e219e87cb\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/20 22:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 22:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2009/06/19 06:26:27 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=96DC4E1A9F90CCD489950A8935425C59 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.22134_none_dda556493abc2795\atapi.sys

< MD5 for: IASTOR.SYS >
[2008/05/07 18:40:38 | 000,395,288 | ---- | M] (Intel Corporation) MD5=07FB761600EFF44AF02C35B8B57E5863 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver64\IaStor.sys
[2008/09/01 06:15:54 | 000,317,976 | ---- | M] (Intel Corporation) MD5=80C633722DA72E97F3F5B3B11325696D -- C:\Drivers\storage\R197861\IaStor.sys
[2008/05/07 18:40:02 | 000,317,976 | ---- | M] (Intel Corporation) MD5=80C633722DA72E97F3F5B3B11325696D -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver\IaStor.sys
[2008/09/01 06:15:54 | 000,317,976 | ---- | M] (Intel Corporation) MD5=80C633722DA72E97F3F5B3B11325696D -- C:\Windows\System32\drivers\iaStor.sys
[2008/05/07 18:40:02 | 000,317,976 | ---- | M] (Intel Corporation) MD5=80C633722DA72E97F3F5B3B11325696D -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_1ab0331f\iaStor.sys
[2008/09/01 06:15:54 | 000,317,976 | ---- | M] (Intel Corporation) MD5=80C633722DA72E97F3F5B3B11325696D -- C:\Windows\System32\DriverStore\FileRepository\iastor.inf_8e717be2\iaStor.sys

< MD5 for: IASTORV.SYS >
[2008/01/20 22:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/20 22:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/20 22:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/20 22:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll
[2008/01/20 22:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/20 22:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll
[2008/01/20 22:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/11 02:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< MD5 for: USERINIT.EXE >
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[1 C:\Windows\system32\drivers\*.tmp files -> C:\Windows\system32\drivers\*.tmp -> ]

< %systemroot%\System32\config\*.sav >
[2008/01/20 23:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008/01/20 23:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008/01/20 23:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/01/20 22:24:58 | 000,142,336 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\fontext.dll
[2009/06/19 06:36:52 | 011,580,928 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\shell32.dll

< CREATERESTOREPOINT >
< End of report >


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:37 AM

Posted 04 July 2010 - 12:18 PM

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

CODE
:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
[2010/06/26 15:40:39 | 000,000,000 | ---D | C] -- C:\Users\Jacob\AppData\Local\phwyqriia
[2010/06/26 21:12:07 | 000,002,495 | ---- | M] () -- C:\Users\Jacob\AppData\Local\ayufaxawiroz.dll
[2010/06/26 19:54:27 | 000,002,495 | ---- | M] () -- C:\Users\Jacob\AppData\Local\Vpayilita.dat
[2010/06/26 19:08:36 | 000,002,495 | ---- | M] () -- C:\Users\Jacob\AppData\Local\arekijad.dll
[2010/06/26 17:44:15 | 000,002,495 | ---- | M] () -- C:\Users\Jacob\AppData\Local\egetugapojuy.dll
[2010/06/26 15:43:19 | 000,000,000 | ---- | M] () -- C:\Users\Jacob\AppData\Local\Tfumuwonezonuso.bin

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"


Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Posted Image
m0le is a proud member of UNITE

#8 Scoobrocks

Scoobrocks
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 04 July 2010 - 03:10 PM

pardon my ignorance, but am I to go back in to REAGOTO desktop to run what you are asking or can I access it from my son's regular desktop?

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:37 AM

Posted 04 July 2010 - 03:16 PM

Run it in REAGOTO thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#10 Scoobrocks

Scoobrocks
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 04 July 2010 - 03:56 PM


Thanks. I figured, but wasn't sure if somehow it could now be accessed from the regualr desk top.

When I clicked ok to open log, nothing happened that I could see. So I went in to the Windows files to see what I could find. I found a file created at teh time of the fix that is a .txt about moved files. Hoping that is what you need me to post. It is below:

========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
C:\Users\Jacob\AppData\Local\phwyqriia folder moved successfully.
C:\Users\Jacob\AppData\Local\ayufaxawiroz.dll moved successfully.
C:\Users\Jacob\AppData\Local\Vpayilita.dat moved successfully.
C:\Users\Jacob\AppData\Local\arekijad.dll moved successfully.
C:\Users\Jacob\AppData\Local\egetugapojuy.dll moved successfully.
C:\Users\Jacob\AppData\Local\Tfumuwonezonuso.bin moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTLPE by OldTimer - Version 3.1.39.0 log created on 07042010_205159

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:37 AM

Posted 04 July 2010 - 06:41 PM

Quite a lot of nasty files removed there. Boot into normal mode and follow the next instructions carefully. Be aware that this may not work, if so let me know.

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Then

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#12 Scoobrocks

Scoobrocks
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 04 July 2010 - 07:12 PM

Thank you. Here is the RKILL log (not much there, hope I did it right), I will do the Combo Fix next:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Jacob on 07/05/2010 at 0:09:01.


Processes terminated by Rkill or while it was running:


C:\Users\Jacob\Desktop\rkill.scr


Rkill completed on 07/05/2010 at 0:09:06.


#13 Scoobrocks

Scoobrocks
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 04 July 2010 - 07:32 PM

Here is the Combo Fix Log:

ComboFix 10-07-04.01 - Jacob 07/05/2010 0:18.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3545.2282 [GMT -4:00]
Running from: c:\users\Jacob\Desktop\comfix.exe.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Jacob\AppData\Local\{669A7C14-38C1-40E0-89AE-5A1B8EB8D4D1}
c:\users\Jacob\AppData\Local\{669A7C14-38C1-40E0-89AE-5A1B8EB8D4D1}\chrome.manifest
c:\users\Jacob\AppData\Local\{669A7C14-38C1-40E0-89AE-5A1B8EB8D4D1}\chrome\content\_cfg.js
c:\users\Jacob\AppData\Local\{669A7C14-38C1-40E0-89AE-5A1B8EB8D4D1}\chrome\content\overlay.xul
c:\users\Jacob\AppData\Local\{669A7C14-38C1-40E0-89AE-5A1B8EB8D4D1}\install.rdf
c:\users\Jacob\AppData\Local\Windows Server
c:\users\Jacob\AppData\Roaming\Desktopicon
c:\users\Jacob\AppData\Roaming\Desktopicon\eBay.ico
c:\users\Jacob\AppData\Roaming\Desktopicon\uninst.exe
c:\users\Jacob\AppData\Roaming\install.dat
c:\windows\system32\st326162.dll
c:\windows\xpsp1hfm.log
E:\AUTORUN.INF

.
((((((((((((((((((((((((( Files Created from 2010-06-05 to 2010-07-05 )))))))))))))))))))))))))))))))
.

2010-07-05 00:52 . 2010-07-05 00:52 -------- d-----w- C:\_OTL
2010-06-30 07:00 . 2010-06-30 07:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-06-28 21:58 . 2010-06-28 21:58 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer
2010-06-28 21:58 . 2010-06-28 21:58 -------- d-----w- c:\users\Default\AppData\Local\Apple Computer
2010-06-28 21:27 . 2010-06-28 21:27 88760 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav11\11.0.0.232\libola.dll
2010-06-28 21:27 . 2010-06-28 21:27 387768 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav11\11.0.0.232\ksn_client.dll
2010-06-28 21:27 . 2010-06-28 21:27 264888 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav11\11.0.0.232\esmgr.dll
2010-06-28 21:27 . 2010-06-28 21:27 191160 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav11\11.0.0.232\klwtbbho.dll
2010-06-28 21:27 . 2010-06-28 21:27 88760 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav11\11.0.0.232\libola.dll
2010-06-28 21:27 . 2010-06-28 21:27 387768 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav11\11.0.0.232\ksn_client.dll
2010-06-28 21:27 . 2010-06-28 21:27 191160 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav11\11.0.0.232\klwtbbho.dll
2010-06-28 21:26 . 2010-06-28 21:27 264888 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav11\11.0.0.232\esmgr.dll
2010-06-28 21:26 . 2010-06-29 17:33 1037648 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\bases\sw2\klavasyswatch.dll
2010-06-28 21:19 . 2010-06-29 17:32 275792 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\bases\av\kdb\i386\win\avengine.dll
2010-06-28 21:12 . 2010-06-28 21:12 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-06-28 21:12 . 2010-06-28 21:12 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-06-28 21:10 . 2010-06-28 21:10 -------- d-----w- c:\program files\Kaspersky Lab
2010-06-28 21:10 . 2010-07-05 04:00 -------- d-----w- c:\programdata\Kaspersky Lab
2010-06-28 21:01 . 2010-06-28 21:01 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-06-28 18:20 . 2010-06-28 18:20 -------- d-----w- c:\users\Jacob\AppData\Local\Symantec
2010-06-28 18:17 . 2010-06-28 20:33 -------- d-----w- c:\program files\Symantec
2010-06-28 18:16 . 2010-06-28 20:33 -------- d-----w- c:\programdata\Symantec
2010-06-28 18:16 . 2010-06-28 20:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-28 18:16 . 2010-06-28 20:33 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-24 07:01 . 2010-04-14 17:54 293376 ----a-w- c:\windows\system32\psisdecd.dll
2010-06-24 07:01 . 2010-04-14 17:54 428544 ----a-w- c:\windows\system32\EncDec.dll
2010-06-24 07:00 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 07:00 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 07:00 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 07:00 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 07:00 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-24 01:38 . 2010-04-16 16:05 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-24 01:38 . 2010-04-16 14:17 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-11 20:33 . 2010-05-01 13:53 2036224 ----a-w- c:\windows\system32\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 17:33 . 2010-05-07 16:34 1037648 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Bases\klavasyswatch.dll
2010-06-29 17:33 . 2010-05-06 19:00 275792 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Bases\avengine.dll
2010-06-29 01:17 . 2009-12-06 19:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-28 17:34 . 2010-03-24 17:20 41 ----a-w- c:\users\Jacob\jagex__preferences3.dat
2010-06-28 17:34 . 2009-06-26 16:47 46 ----a-w- c:\users\Jacob\jagex_runescape_preferences.dat
2010-06-28 17:28 . 2009-09-05 05:07 99 ----a-w- c:\users\Jacob\jagex_runescape_preferences2.dat
2010-06-25 07:02 . 2010-02-25 03:01 -------- d-----w- c:\program files\Microsoft.NET
2010-06-12 07:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-12 07:03 . 2010-02-25 02:57 -------- d-----w- c:\programdata\Microsoft Help
2010-06-11 12:20 . 2009-06-19 08:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-26 16:16 . 2010-06-11 23:18 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25 . 2010-06-11 23:18 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14 . 2010-03-12 07:05 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-09 00:53 . 2009-09-11 00:22 680 ----a-w- c:\users\Jacob\AppData\Local\d3d9caps.dat
2010-05-07 20:44 . 2010-05-07 20:44 247120 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Bases\uds.dll
2010-05-07 20:44 . 2010-05-07 20:44 272984 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Bases\sys_critical_obj.dll
2010-05-07 20:44 . 2010-05-07 20:44 132432 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Bases\dns_client.dll
2010-05-07 16:37 . 2010-05-07 16:37 228024 ----a-w- c:\windows\system32\klogon.dll
2010-05-07 12:53 . 2010-05-07 12:53 68256 ----a-w- c:\programdata\Kaspersky Lab Setup Files\Kaspersky Internet Security 2011 11.0.0.232\English\setup.exe
2010-05-07 04:19 . 2010-05-07 04:19 132184 ----a-w- c:\windows\system32\drivers\kl2.sys
2010-05-07 04:19 . 2010-05-07 04:19 132184 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-05-04 18:42 . 2010-06-11 23:18 833024 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 18:37 . 2010-06-11 23:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 16:53 . 2010-06-11 23:18 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-04-29 19:39 . 2009-12-06 19:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-12-06 19:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 04:23 . 2010-04-27 04:23 2431536 ----a-w- c:\programdata\WildTangent\OEM Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2010-04-25 02:11 . 2010-04-25 02:11 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-23 13:55 . 2010-05-25 17:56 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-22 23:07 . 2010-04-22 23:07 22104 ----a-w- c:\windows\system32\drivers\klim6.sys
2010-04-16 16:10 . 2010-06-11 23:18 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-04-16 16:05 . 2010-06-24 01:38 459776 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-04-16 16:05 . 2010-06-24 01:38 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-04-16 16:05 . 2010-06-24 01:38 2153984 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-04-16 16:05 . 2010-06-24 01:38 541696 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-04-09 19:12 . 2010-02-11 03:59 50354 ----a-w- c:\users\Jacob\AppData\Roaming\Facebook\uninstall.exe
2009-06-19 10:28 . 2009-06-19 10:26 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-04-01 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-01 483428]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 150552]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RunDLLEntry"="c:\windows\system32\AmbRunE.dll" [2008-12-17 14848]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2010-05-07 344736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\Components\scheduler\Launcher.exe" [2009-02-23 165104]
"DSUpdateLauncher"="c:\program files\Dell DataSafe Local Backup\Components\DSUpdate\runhstart.bat" [2008-10-29 123]

c:\users\Jacob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Remote Access.lnk - c:\windows\Installer\{F66A31D9-7831-4FBA-BA02-C411C0047CC5}\NewShortcut4_F66A31D978314FBABA02C411C0047CC5.exe [2009-6-19 53248]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-2-4 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-19 08:09 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll c:\progra~1\KASPER~1\KASPER~1\kloehk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2010-05-07 132184]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 dsl-db;Remote Access DB;c:\program files\Common Files\Dell\MySQL\bin\mysqld.exe [2007-09-14 5730304]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc [x]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-06-19 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-06-19 79360]
R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [2008-11-04 22904]
R3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [2009-06-19 79360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2010-04-22 22104]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-04-01 81920]
S2 Apache2.2;Remote Access Media Server;c:\program files\Common Files\Dell\apache\bin\httpd.exe [2007-09-21 15872]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
S2 dsl-fs-sync;Remote Access File Sync Service;c:\program files\Common Files\Dell\Remote Access File Sync Service\dsl_fs_sync.exe [2009-01-05 173296]
S2 SftService;SoftThinks Agent Service;c:\windows\sminst\sftservice.EXE [2009-02-23 632048]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-03 19984]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-12-22 3662848]

.
Contents of the 'Scheduled Tasks' folder

2009-07-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2010-06-24 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-02-11 20:30]

2010-07-05 c:\windows\Tasks\User_Feed_Synchronization-{0F4814C2-49B8-4DE4-80A4-AF91F4DF25F6}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
SafeBoot-MCODS
AddRemove-eBay Icon - c:\users\Jacob\AppData\Roaming\Desktopicon\uninst.exe
AddRemove-HijackThis - d:\-tools-\HiJackThis!\HijackThis.exe
AddRemove-{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} - c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-05 00:25
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1270741886-24198561-637533113-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A2DDC845-D3BA-948E-4694-401A347B689B}*]
"oamhkeinjdcanbiclhidcbpjioaabi"=hex:6b,61,61,68,68,63,6c,64,68,6c,61,63,70,6b,
6a,70,66,6f,65,6b,64,69,00,00
"nacimkegbdlfapbibajlhjblnkon"=hex:6a,61,6e,67,63,65,67,63,6e,6e,67,64,65,70,
6c,66,64,61,70,67,00,00
"oaafkagdefmdomgphkfnhcmikpfnmc"=hex:64,61,6e,67,63,65,6c,62,00,83
.
Completion time: 2010-07-05 00:28:29
ComboFix-quarantined-files.txt 2010-07-05 04:28

Pre-Run: 366,260,416,512 bytes free
Post-Run: 367,987,212,288 bytes free

- - End Of File - - AA3C5826B619C67248CBBA9AA0A1DDE1


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:37 AM

Posted 05 July 2010 - 06:08 PM

Let's run Combofix again, this time as below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
RegNull::
[HKEY_USERS\S-1-5-21-1270741886-24198561-637533113-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A2DDC845-D3BA-948E-4694-401A347B689B}*]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Posted Image
m0le is a proud member of UNITE

#15 Scoobrocks

Scoobrocks
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 05 July 2010 - 06:59 PM

ComboFix 10-07-04.04 - Jacob 07/05/2010 19:31:58.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3545.1965 [GMT -4:00]
Running from: c:\users\Jacob\Desktop\comfix.exe.exe
Command switches used :: c:\users\Jacob\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-06-05 to 2010-07-05 )))))))))))))))))))))))))))))))
.

2010-07-06 03:22 . 2010-07-06 03:22 -------- d-----w- c:\users\Jacob\AppData\Local\Stardock_Corporation
2010-07-05 23:37 . 2010-07-05 23:37 -------- d-----w- c:\users\RA Media Server\AppData\Local\temp
2010-07-05 23:37 . 2010-07-05 23:37 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-05 23:37 . 2010-07-05 23:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-05 00:52 . 2010-07-05 00:52 -------- d-----w- C:\_OTL
2010-06-30 07:00 . 2010-06-30 07:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-06-28 21:58 . 2010-06-28 21:58 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer
2010-06-28 21:58 . 2010-06-28 21:58 -------- d-----w- c:\users\Default\AppData\Local\Apple Computer
2010-06-28 21:27 . 2010-06-28 21:27 88760 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav11\11.0.0.232\libola.dll
2010-06-28 21:27 . 2010-06-28 21:27 387768 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav11\11.0.0.232\ksn_client.dll
2010-06-28 21:27 . 2010-06-28 21:27 264888 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav11\11.0.0.232\esmgr.dll
2010-06-28 21:27 . 2010-06-28 21:27 191160 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav11\11.0.0.232\klwtbbho.dll
2010-06-28 21:27 . 2010-06-28 21:27 88760 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav11\11.0.0.232\libola.dll
2010-06-28 21:27 . 2010-06-28 21:27 387768 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav11\11.0.0.232\ksn_client.dll
2010-06-28 21:27 . 2010-06-28 21:27 191160 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav11\11.0.0.232\klwtbbho.dll
2010-06-28 21:26 . 2010-06-28 21:27 264888 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav11\11.0.0.232\esmgr.dll
2010-06-28 21:26 . 2010-06-29 17:33 1037648 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\bases\sw2\klavasyswatch.dll
2010-06-28 21:19 . 2010-06-29 17:32 275792 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Data\Updater\Temporary Files\temporaryFolder\bases\av\kdb\i386\win\avengine.dll
2010-06-28 21:12 . 2010-06-28 21:12 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-06-28 21:12 . 2010-06-28 21:12 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-06-28 21:10 . 2010-06-28 21:10 -------- d-----w- c:\program files\Kaspersky Lab
2010-06-28 21:10 . 2010-07-06 03:20 -------- d-----w- c:\programdata\Kaspersky Lab
2010-06-28 21:01 . 2010-06-28 21:01 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-06-28 18:20 . 2010-06-28 18:20 -------- d-----w- c:\users\Jacob\AppData\Local\Symantec
2010-06-28 18:17 . 2010-06-28 20:33 -------- d-----w- c:\program files\Symantec
2010-06-28 18:16 . 2010-06-28 20:33 -------- d-----w- c:\programdata\Symantec
2010-06-28 18:16 . 2010-06-28 20:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-28 18:16 . 2010-06-28 20:33 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-24 07:01 . 2010-04-14 17:54 293376 ----a-w- c:\windows\system32\psisdecd.dll
2010-06-24 07:01 . 2010-04-14 17:54 428544 ----a-w- c:\windows\system32\EncDec.dll
2010-06-24 07:00 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 07:00 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 07:00 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 07:00 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 07:00 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-24 01:38 . 2010-04-16 16:05 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-24 01:38 . 2010-04-16 14:17 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-11 20:33 . 2010-05-01 13:53 2036224 ----a-w- c:\windows\system32\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 17:33 . 2010-05-07 16:34 1037648 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Bases\klavasyswatch.dll
2010-06-29 17:33 . 2010-05-06 19:00 275792 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Bases\avengine.dll
2010-06-29 01:17 . 2009-12-06 19:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-28 17:34 . 2010-03-24 17:20 41 ----a-w- c:\users\Jacob\jagex__preferences3.dat
2010-06-28 17:34 . 2009-06-26 16:47 46 ----a-w- c:\users\Jacob\jagex_runescape_preferences.dat
2010-06-28 17:28 . 2009-09-05 05:07 99 ----a-w- c:\users\Jacob\jagex_runescape_preferences2.dat
2010-06-25 07:02 . 2010-02-25 03:01 -------- d-----w- c:\program files\Microsoft.NET
2010-06-12 07:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-12 07:03 . 2010-02-25 02:57 -------- d-----w- c:\programdata\Microsoft Help
2010-06-11 12:20 . 2009-06-19 08:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-26 16:16 . 2010-06-11 23:18 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25 . 2010-06-11 23:18 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14 . 2010-03-12 07:05 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-09 00:53 . 2009-09-11 00:22 680 ----a-w- c:\users\Jacob\AppData\Local\d3d9caps.dat
2010-05-07 20:44 . 2010-05-07 20:44 247120 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Bases\uds.dll
2010-05-07 20:44 . 2010-05-07 20:44 272984 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Bases\sys_critical_obj.dll
2010-05-07 20:44 . 2010-05-07 20:44 132432 ----a-w- c:\programdata\Kaspersky Lab\AVP11\Bases\dns_client.dll
2010-05-07 16:37 . 2010-05-07 16:37 228024 ----a-w- c:\windows\system32\klogon.dll
2010-05-07 12:53 . 2010-05-07 12:53 68256 ----a-w- c:\programdata\Kaspersky Lab Setup Files\Kaspersky Internet Security 2011 11.0.0.232\English\setup.exe
2010-05-07 04:19 . 2010-05-07 04:19 132184 ----a-w- c:\windows\system32\drivers\kl2.sys
2010-05-07 04:19 . 2010-05-07 04:19 132184 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-05-04 18:42 . 2010-06-11 23:18 833024 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 18:37 . 2010-06-11 23:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 16:53 . 2010-06-11 23:18 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-04-29 19:39 . 2009-12-06 19:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-12-06 19:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 04:23 . 2010-04-27 04:23 2431536 ----a-w- c:\programdata\WildTangent\OEM Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2010-04-25 02:11 . 2010-04-25 02:11 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-23 13:55 . 2010-05-25 17:56 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-22 23:07 . 2010-04-22 23:07 22104 ----a-w- c:\windows\system32\drivers\klim6.sys
2010-04-16 16:10 . 2010-06-11 23:18 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-04-16 16:05 . 2010-06-24 01:38 459776 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-04-16 16:05 . 2010-06-24 01:38 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-04-16 16:05 . 2010-06-24 01:38 2153984 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-04-16 16:05 . 2010-06-24 01:38 541696 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-04-09 19:12 . 2010-02-11 03:59 50354 ----a-w- c:\users\Jacob\AppData\Roaming\Facebook\uninstall.exe
2009-06-19 10:28 . 2009-06-19 10:26 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-04-01 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-01 483428]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 150552]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RunDLLEntry"="c:\windows\system32\AmbRunE.dll" [2008-12-17 14848]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2010-05-07 344736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\Components\scheduler\Launcher.exe" [2009-02-23 165104]
"DSUpdateLauncher"="c:\program files\Dell DataSafe Local Backup\Components\DSUpdate\runhstart.bat" [2008-10-29 123]

c:\users\Jacob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Remote Access.lnk - c:\windows\Installer\{F66A31D9-7831-4FBA-BA02-C411C0047CC5}\NewShortcut4_F66A31D978314FBABA02C411C0047CC5.exe [2009-6-19 53248]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-2-4 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-19 08:09 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll c:\progra~1\KASPER~1\KASPER~1\kloehk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2010-05-07 132184]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 dsl-db;Remote Access DB;c:\program files\Common Files\Dell\MySQL\bin\mysqld.exe [2007-09-14 5730304]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc [x]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-06-19 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-06-19 79360]
R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [2008-11-04 22904]
R3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [2009-06-19 79360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2010-04-22 22104]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-04-01 81920]
S2 Apache2.2;Remote Access Media Server;c:\program files\Common Files\Dell\apache\bin\httpd.exe [2007-09-21 15872]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
S2 dsl-fs-sync;Remote Access File Sync Service;c:\program files\Common Files\Dell\Remote Access File Sync Service\dsl_fs_sync.exe [2009-01-05 173296]
S2 SftService;SoftThinks Agent Service;c:\windows\sminst\sftservice.EXE [2009-02-23 632048]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-03 19984]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-12-22 3662848]

.
Contents of the 'Scheduled Tasks' folder

2009-07-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2010-07-05 c:\windows\Tasks\User_Feed_Synchronization-{0F4814C2-49B8-4DE4-80A4-AF91F4DF25F6}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1270741886-24198561-637533113-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A2DDC845-D3BA-948E-4694-401A347B689B}*]
"oamhkeinjdcanbiclhidcbpjioaabi"=hex:6b,61,61,68,68,63,6c,64,68,6c,61,63,70,6b,
6a,70,66,6f,65,6b,64,69,00,00
"nacimkegbdlfapbibajlhjblnkon"=hex:6a,61,6e,67,63,65,67,63,6e,6e,67,64,65,70,
6c,66,64,61,70,67,00,00
"oaafkagdefmdomgphkfnhcmikpfnmc"=hex:64,61,6e,67,63,65,6c,62,00,83
.
Completion time: 2010-07-05 19:40:32
ComboFix-quarantined-files.txt 2010-07-05 23:40
ComboFix2.txt 2010-07-05 04:28

Pre-Run: 370,415,861,760 bytes free
Post-Run: 370,386,374,656 bytes free

- - End Of File - - DC8885B5A87C1FF74BF8F24424D8E7A4





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users