unknown malware issue


  • This topic is locked
38 replies to this topic

#1 itchallenge

itchallenge

  • Members
  • 23 posts

Posted 21 July 2010 - 12:37 PM

Hello,

Please help me with this bothersome issue. It started this way:


I clicked on a link within an email from a trusted source. The link was to take me to a web site for registration for a professional class. The site never appeared, so I closed out the browser and re-launched from the link.

Almost before the browser opened, a window popped up with a green background and "Not Available" in the window. After scans with Symantec, A2, Micro Trend and IOBit Security 360 and several reboots, the Not Available window stopped appearing.

In the system tray, since the window started appearing, there is an icon of a red circle with a red diagonal line and an image in the background that is too small to tell what the image is.

When I point to it, it says "Disconnected" and a right click on it gives only the "Exit" option.

Any ideas?

ITC



#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 28 July 2010 - 04:34 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 itchallenge

itchallenge
  • Topic Starter

  • Members
  • 23 posts

Posted 28 July 2010 - 01:37 PM

Thank you for your reply. The system is still infected and has been doing strange things. MS Excel is unable to navigate. Difficulty loading programs, i.e. Word, Outlook.

All printers missing and unable to add any printers.

Downloaded the OTL and followed your instructions. Clicked on Run Scan and nothing happened. Have tried many times.

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 28 July 2010 - 01:48 PM

Hi,
please run ComboFix instead then:

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

If you can't run the program rename it to fun.com and try again.

regards myrti



#5 itchallenge

itchallenge
  • Topic Starter

  • Members
  • 23 posts

Posted 28 July 2010 - 02:19 PM

myrti,

here is the text of the file:

ComboFix 10-07-27.05 - john 07/28/2010 12:08:02.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1552 [GMT -7:00]
Running from: c:\documents and settings\john\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\JFT\g2mdlhlpx.exe
c:\program files\SmartShopper
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-23 06:27 . 2010-07-23 06:27 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2010-07-19 20:22 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-07-19 20:22 . 2010-07-21 00:44 -------- d-----w- c:\program files\Panda Security
2010-07-19 18:18 . 2010-07-19 18:18 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2010-07-16 21:55 . 2010-07-16 21:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton
2010-07-16 21:55 . 2010-07-16 23:13 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\NPE
2010-07-16 20:50 . 2010-07-16 20:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\IObit
2010-07-16 20:50 . 2010-07-16 20:57 -------- d-----w- c:\program files\IObit
2010-07-16 19:03 . 2010-07-16 19:03 -------- d-----w- c:\documents and settings\john\Application Data\CheckPoint
2010-07-16 19:02 . 2010-07-16 19:02 -------- d-----w- c:\program files\Conduit
2010-07-16 19:02 . 2010-07-16 19:02 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Conduit
2010-07-16 19:02 . 2010-07-16 19:02 -------- d-----w- c:\program files\CheckPoint
2010-07-16 19:01 . 2010-07-16 19:01 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-07-16 19:01 . 2010-06-23 20:51 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-07-16 19:01 . 2010-06-23 20:51 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-07-16 19:01 . 2010-06-23 20:51 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-07-16 17:39 . 2010-07-16 17:39 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\PrivacIE
2010-07-16 17:39 . 2010-07-16 17:39 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IECompatCache
2010-07-16 17:38 . 2004-05-11 18:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2010-07-16 17:38 . 2003-11-19 22:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2010-07-16 17:38 . 2001-04-27 21:11 24576 ----a-w- c:\windows\system32\SmartSubClass.dll
2010-07-16 17:38 . 2010-07-16 21:07 -------- d-----w- c:\program files\MalwareScanner
2010-07-16 16:26 . 2010-07-16 16:26 -------- d-----w- c:\windows\system32\Adobe
2010-07-16 16:24 . 2010-07-16 16:24 2568656 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-16 16:24 . 2010-06-22 11:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 16:19 . 2010-07-16 19:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-07-16 06:27 . 2010-07-16 06:27 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple
2010-07-16 05:51 . 2010-07-16 05:56 -------- d-----w- c:\documents and settings\john\Application Data\Apple Computer
2010-07-16 05:47 . 2010-07-16 05:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\program files\Common Files\Apple
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Apple
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\program files\Apple Software Update
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Apple Computer
2010-07-14 18:36 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 18:49 . 2009-09-22 18:04 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-07-28 16:11 . 2009-05-20 21:43 -------- d-----w- c:\program files\LogMeIn
2010-07-24 20:47 . 2010-07-21 00:15 3051671 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-07-23 00:06 . 2005-10-03 20:21 -------- d-----w- c:\program files\Common Files\Lacerte Shared
2010-07-19 19:55 . 2009-09-22 00:00 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-16 18:06 . 2005-11-11 01:54 -------- d-----w- c:\program files\Google
2010-07-16 16:24 . 2005-09-20 19:22 -------- d-----w- c:\program files\Common Files\Java
2010-07-16 16:23 . 2005-09-20 19:22 -------- d-----w- c:\program files\Java
2010-07-16 05:47 . 2005-09-20 19:39 -------- d-----w- c:\program files\QuickTime
2010-07-15 10:01 . 2009-09-22 15:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-07-13 07:42 . 2010-04-14 18:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-14 14:31 . 2009-09-21 23:36 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 03:49 . 2009-09-22 21:15 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-10 03:49 . 2009-09-22 21:15 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-10 03:49 . 2009-09-22 21:14 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-05-25 07:41 . 2010-05-25 07:41 503808 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a578df5-n\msvcp71.dll
2010-05-25 07:41 . 2010-05-25 07:41 499712 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a578df5-n\jmc.dll
2010-05-25 07:41 . 2010-05-25 07:41 348160 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a578df5-n\msvcr71.dll
2010-05-25 07:41 . 2010-05-25 07:41 61440 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7505b5df-n\decora-sse.dll
2010-05-25 07:41 . 2010-05-25 07:41 12800 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7505b5df-n\decora-d3d.dll
2010-05-21 21:14 . 2009-10-05 20:15 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 17:46 . 2009-11-13 19:27 70760 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-05-11 17:41 . 2010-05-11 17:41 10134 ----a-r- c:\documents and settings\john\Application Data\Microsoft\Installer\{6A3CAA8E-6DDB-4AA7-A411-9982FF9180FE}\ARPPRODUCTICON.exe
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-08 16:00 . 2010-04-08 16:00 3584 --sha-w- c:\program files\Common Files\Thumbs.db
2009-08-19 12:11 . 2009-12-18 22:51 2503 ------w- c:\program files\Common Files\pr_404.html
2009-07-23 02:22 . 2009-12-18 22:51 4344 ------w- c:\program files\Common Files\tr3_lacerte.png
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe

2007-10-11 03:51 . 2007-10-11 03:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

2005-06-10 17:44 . 2005-06-10 17:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
2005-06-10 18:44 . 2005-06-10 18:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

2005-02-17 00:15 . 2005-02-17 00:15 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
2005-02-17 00:15 . 2005-02-17 00:15 221184 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

2005-11-11 01:53 . 2005-11-11 01:53 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2003-09-30 07:14 . 2003-09-30 07:14 155648 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
2007-03-26 15:43 . 2007-03-26 15:43 210472 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

2005-09-20 19:25 . 2005-02-23 21:19 53248 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2007-03-15 18:09 . 2007-03-15 18:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe

2007-06-25 04:48 . 2007-06-25 04:48 68856 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

2008-01-16 00:26 . 2008-01-16 00:26 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2008-01-11 19:54 . 2007-09-25 09:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

2004-08-11 22:11 . 2007-12-01 08:26 1695232 c:\program files\Messenger\bak\msmsgs.exe
2009-09-21 18:30 . 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

2005-09-20 19:38 . 2005-03-15 15:58 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe
2008-04-16 19:01 . 2006-01-17 20:03 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

2005-09-20 19:39 . 2005-09-20 19:39 98304 c:\program files\QuickTime\bak\qttask.exe
2010-03-18 04:53 . 2010-03-18 04:53 421888 c:\program files\QuickTime\QTTask.exe

2006-08-23 02:09 . 2006-08-23 02:09 40960 c:\program files\ScanSoft\PDF Professional 4.0\bak\RegistryController.exe

2007-06-06 23:52 . 2007-06-06 23:52 936960 c:\program files\Verizon\bak\McciTrayApp.exe

2006-11-04 03:20 . 2006-11-04 03:20 866584 c:\program files\Windows Defender\bak\MSASCui.exe
2006-11-04 02:20 . 2006-11-04 02:20 866584 c:\program files\Windows Defender\MSASCui.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegBooster"="c:\program files\RegBooster\RegBooster.exe" [N/A]
"Updates Scheduler"="c:\program files\Common Files\Lacerte Shared\Update Scheduler\UpdSched.EXE" [2010-03-12 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nuance PDF Professional 6-reminder"="c:\program files\Nuance\PDF Professional 6\Ereg\Ereg.exe" [N/A]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"nwiz"="nwiz.exe" [2008-07-26 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-26 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"FixCamera"="c:\windows\FixCamera.exe" [2007-07-11 20480]
"tsnp2std"="c:\windows\tsnp2std.exe" [2007-08-31 262144]
"snp2std"="c:\windows\vsnp2std.exe" [2007-08-07 348160]
"PDFHook"="c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe" [2008-02-27 795936]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Professional 5\RegistryController.exe" [2008-02-27 58656]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-03-26 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" [2007-08-31 328992]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-12 1280344]

c:\documents and settings\john\Start Menu\Programs\Startup\
BUFFALO NAS Navigator.lnk - c:\program files\BUFFALO\NASNAVI\NasNavi.exe [2009-3-9 1553800]
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2009-2-13 2819432]
NAS Scheduler.lnk - c:\program files\BUFFALO\NASNAVI\nassche.exe [2009-3-9 206128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-10 03:49 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\BUFFALO\\NASNAVI\\NasNavi.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [4/7/2010 3:39 PM 1858144]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 NasPmService;NAS PM Service;c:\program files\BUFFALO\NASNAVI\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 --> c:\program files\BUFFALO\NASNAVI\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 [?]
R2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2/27/2008 2:21 AM 144672]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [7/16/2010 1:57 PM 312152]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv11010
.
Contents of the 'Scheduled Tasks' folder

2010-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-07-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

2010-07-28 c:\windows\Tasks\User_Feed_Synchronization-{8D750676-AE12-40A9-B0C5-7A3980039579}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 5.0 - c:\program files\Nuance\PDF Professional 5\cnvres_eng.dll /100
FF - ProfilePath - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.irs.gov/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 12:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c8,06,a2,6c,11,55,aa,48,97,70,5c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c8,06,a2,6c,11,55,aa,48,97,70,5c,\

[HKEY_USERS\S-1-5-21-1292428093-1035525444-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-07-28 12:15:55
ComboFix-quarantined-files.txt 2010-07-28 19:15

Pre-Run: 28,523,745,280 bytes free
Post-Run: 32,692,084,736 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - CA64B0E8B54D97424BEE2686E4D2611A
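The "Reg Loading Points" section of a ComboFix log is where a helper first looks when triaging a post like the one above: autostart entries whose target file no longer exists, and Security Center or firewall-policy values that silence monitoring. The script below is an added example written for this thread, not ComboFix's own code or anything posted by myrti or itchallenge. It parses a constructed excerpt copied from the log above (SAMPLE_LOG), lists Run entries whose date/size column reads [N/A] (taken here, as an assumption about the log format, to mean ComboFix could not find the target file) and flags FirewallOverride, DisableMonitoring and EnableFirewall=0, all of which appear in the log above. Function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt: lines copied from the "Reg Loading Points" section of
# the ComboFix log in this thread, enough to exercise the parser offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegBooster"="c:\program files\RegBooster\RegBooster.exe" [N/A]
"Updates Scheduler"="c:\program files\Common Files\Lacerte Shared\Update Scheduler\UpdSched.EXE" [2010-03-12 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nuance PDF Professional 6-reminder"="c:\program files\Nuance\PDF Professional 6\Ereg\Ereg.exe" [N/A]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                   # [HKEY_...\...]
ENTRY_RE = re.compile(r'^"([^"]+)"=(.*)$')               # "name"=value
RUN_VALUE_RE = re.compile(r'^"([^"]*)"\s*\[(.*)\]\s*$')  # "path" [date size] or [N/A]
RUN_KEY_RE = re.compile(r"\\Run$", re.IGNORECASE)         # ...\CurrentVersion\Run

Entry = Tuple[str, str]  # (value name, raw value text)


def parse_sections(text: str) -> Dict[str, List[Entry]]:
    """Group the log's '"name"=value' lines under the [registry key] above them.

    Lines that are not quoted name=value pairs (the '@=' default value, the
    'date size path' lines under winlogon\notify) are skipped on purpose.
    """
    sections: Dict[str, List[Entry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2).strip()))
    return sections


def find_missing_autostarts(sections: Dict[str, List[Entry]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, path) for Run entries ComboFix marked [N/A].

    Assumption: [N/A] in place of the date/size column means the target file
    could not be found; such entries are either leftovers of an uninstall or
    an autostart whose payload has already been removed, and either way are
    worth listing for the helper.
    """
    hits = []
    for key, entries in sections.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, value in entries:
            m = RUN_VALUE_RE.match(value)
            if m and m.group(2).strip().upper() == "N/A":
                hits.append((key, name, m.group(1)))
    return hits


def find_security_center_overrides(sections: Dict[str, List[Entry]]) -> List[str]:
    """Flag values that silence Security Center monitoring or turn the XP firewall off."""
    findings = []
    for key, entries in sections.items():
        k = key.lower()
        for name, value in entries:
            n, v = name.lower(), value.lower()
            if "security center" in k and n in ("firewalloverride", "disablemonitoring") \
                    and v.endswith("00000001"):
                findings.append(f"{name}=1 under {key}")
            elif "firewallpolicy" in k and n == "enablefirewall" and v.startswith("0"):
                findings.append(f"{name}=0 under {key}")
    return findings


if __name__ == "__main__":
    parsed = parse_sections(SAMPLE_LOG)
    for key, name, path in find_missing_autostarts(parsed):
        print(f"missing target: {name} -> {path}  ({key})")
    for finding in find_security_center_overrides(parsed):
        print(f"monitoring override: {finding}")
```

Run it against a full C:\ComboFix.txt by reading the file into parse_sections instead of SAMPLE_LOG; the regexes only need the bracketed key lines and the quoted name=value lines, so the surrounding sections of the log pass through untouched. DisableMonitoring=1 is also set legitimately by some third-party suites (the log above shows it for both Symantec and ZoneAlarm), so the script reports the values and leaves the judgement to the reader.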


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 28 July 2010 - 03:25 PM

Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
Folder::
c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak
c:\program files\Adobe\Reader 8.0\Reader\bak
c:\program files\Common Files\InstallShield\UpdateService\bak
c:\program files\Common Files\InstallShield\UpdateService\bak
c:\program files\Common Files\Real\Update_OB\bak
c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak
c:\program files\CyberLink\PowerDVD\bak
c:\program files\DellSupport\bak
c:\program files\Google\GoogleToolbarNotifier\bak
c:\program files\Grisoft\AVG7\bak
c:\program files\Java\jre1.6.0_03\bin\bak
c:\program files\Messenger\bak
c:\program files\MUSICMATCH\Musicmatch Jukebox\bak
c:\program files\QuickTime\bak
c:\program files\ScanSoft\PDF Professional 4.0\bak
c:\program files\Verizon\bak
c:\program files\Windows Defender\bak


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

how is the PC doing?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#7 itchallenge
  • Topic Starter
  • Members
  • 23 posts

Posted 28 July 2010 - 04:28 PM

The PC is still doing strange things. I followed your instructions and will attach the file in my next reply. I disabled all Symantec services on the system, yet I still received a warning about the real-time scanner running! Not possible, all services are stopped.

Thanks,

ITC

#8 itchallenge
  • Topic Starter
  • Members
  • 23 posts

Posted 28 July 2010 - 04:31 PM

Here is the file data:

ComboFix 10-07-27.05 - john 07/28/2010 14:25:48.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1538 [GMT -7:00]
Running from: c:\documents and settings\john\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\john\My Documents\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-23 06:27 . 2010-07-23 06:27 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2010-07-19 20:22 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-07-19 20:22 . 2010-07-21 00:44 -------- d-----w- c:\program files\Panda Security
2010-07-19 18:18 . 2010-07-19 18:18 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2010-07-16 21:55 . 2010-07-16 21:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton
2010-07-16 21:55 . 2010-07-16 23:13 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\NPE
2010-07-16 20:50 . 2010-07-16 20:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\IObit
2010-07-16 20:50 . 2010-07-16 20:57 -------- d-----w- c:\program files\IObit
2010-07-16 19:03 . 2010-07-16 19:03 -------- d-----w- c:\documents and settings\john\Application Data\CheckPoint
2010-07-16 19:02 . 2010-07-16 19:02 -------- d-----w- c:\program files\Conduit
2010-07-16 19:02 . 2010-07-16 19:02 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Conduit
2010-07-16 19:02 . 2010-07-16 19:02 -------- d-----w- c:\program files\CheckPoint
2010-07-16 19:01 . 2010-07-16 19:01 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-07-16 19:01 . 2010-06-23 20:51 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-07-16 19:01 . 2010-06-23 20:51 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-07-16 19:01 . 2010-06-23 20:51 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-07-16 17:39 . 2010-07-16 17:39 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\PrivacIE
2010-07-16 17:39 . 2010-07-16 17:39 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IECompatCache
2010-07-16 17:38 . 2004-05-11 18:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2010-07-16 17:38 . 2003-11-19 22:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2010-07-16 17:38 . 2001-04-27 21:11 24576 ----a-w- c:\windows\system32\SmartSubClass.dll
2010-07-16 17:38 . 2010-07-16 21:07 -------- d-----w- c:\program files\MalwareScanner
2010-07-16 16:26 . 2010-07-16 16:26 -------- d-----w- c:\windows\system32\Adobe
2010-07-16 16:24 . 2010-07-16 16:24 2568656 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-16 16:24 . 2010-06-22 11:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 16:19 . 2010-07-16 19:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-07-16 06:27 . 2010-07-16 06:27 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple
2010-07-16 05:51 . 2010-07-16 05:56 -------- d-----w- c:\documents and settings\john\Application Data\Apple Computer
2010-07-16 05:47 . 2010-07-16 05:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\program files\Common Files\Apple
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Apple
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\program files\Apple Software Update
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Apple Computer
2010-07-14 18:36 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 20:25 . 2009-01-15 22:21 -------- d-----w- c:\program files\ESET
2010-07-28 19:45 . 2008-01-16 00:25 -------- d-----w- c:\program files\Windows Defender
2010-07-28 19:41 . 2009-09-22 18:04 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-07-28 16:11 . 2009-05-20 21:43 -------- d-----w- c:\program files\LogMeIn
2010-07-24 20:47 . 2010-07-21 00:15 3051671 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-07-23 00:06 . 2005-10-03 20:21 -------- d-----w- c:\program files\Common Files\Lacerte Shared
2010-07-19 19:55 . 2009-09-22 00:00 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-16 18:06 . 2005-11-11 01:54 -------- d-----w- c:\program files\Google
2010-07-16 16:24 . 2005-09-20 19:22 -------- d-----w- c:\program files\Common Files\Java
2010-07-16 16:23 . 2005-09-20 19:22 -------- d-----w- c:\program files\Java
2010-07-16 05:47 . 2005-09-20 19:39 -------- d-----w- c:\program files\QuickTime
2010-07-15 10:01 . 2009-09-22 15:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-07-13 07:42 . 2010-04-14 18:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-14 14:31 . 2009-09-21 23:36 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 03:49 . 2009-09-22 21:15 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-10 03:49 . 2009-09-22 21:15 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-10 03:49 . 2009-09-22 21:14 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-05-25 07:41 . 2010-05-25 07:41 503808 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a578df5-n\msvcp71.dll
2010-05-25 07:41 . 2010-05-25 07:41 499712 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a578df5-n\jmc.dll
2010-05-25 07:41 . 2010-05-25 07:41 348160 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a578df5-n\msvcr71.dll
2010-05-25 07:41 . 2010-05-25 07:41 61440 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7505b5df-n\decora-sse.dll
2010-05-25 07:41 . 2010-05-25 07:41 12800 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7505b5df-n\decora-d3d.dll
2010-05-21 21:14 . 2009-10-05 20:15 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 17:46 . 2009-11-13 19:27 70760 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-05-11 17:41 . 2010-05-11 17:41 10134 ----a-r- c:\documents and settings\john\Application Data\Microsoft\Installer\{6A3CAA8E-6DDB-4AA7-A411-9982FF9180FE}\ARPPRODUCTICON.exe
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-08 16:00 . 2010-04-08 16:00 3584 --sha-w- c:\program files\Common Files\Thumbs.db
2009-08-19 12:11 . 2009-12-18 22:51 2503 ------w- c:\program files\Common Files\pr_404.html
2009-07-23 02:22 . 2009-12-18 22:51 4344 ------w- c:\program files\Common Files\tr3_lacerte.png
.

((((((((((((((((((((((((((((( SnapShot@2010-07-28_19.13.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 19:40 . 2010-07-28 19:40 16384 c:\windows\Temp\Perflib_Perfdata_56c.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe

2007-10-11 03:51 . 2007-10-11 03:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

2005-06-10 17:44 . 2005-06-10 17:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
2005-06-10 18:44 . 2005-06-10 18:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

2005-02-17 00:15 . 2005-02-17 00:15 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
2005-02-17 00:15 . 2005-02-17 00:15 221184 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

2005-11-11 01:53 . 2005-11-11 01:53 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2003-09-30 07:14 . 2003-09-30 07:14 155648 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
2007-03-26 15:43 . 2007-03-26 15:43 210472 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

2005-09-20 19:25 . 2005-02-23 21:19 53248 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2007-03-15 18:09 . 2007-03-15 18:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe

2007-06-25 04:48 . 2007-06-25 04:48 68856 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

2008-01-16 00:26 . 2008-01-16 00:26 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2008-01-11 19:54 . 2007-09-25 09:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

2004-08-11 22:11 . 2007-12-01 08:26 1695232 c:\program files\Messenger\bak\msmsgs.exe
2009-09-21 18:30 . 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

2005-09-20 19:38 . 2005-03-15 15:58 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe
2008-04-16 19:01 . 2006-01-17 20:03 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

2005-09-20 19:39 . 2005-09-20 19:39 98304 c:\program files\QuickTime\bak\qttask.exe
2010-03-18 04:53 . 2010-03-18 04:53 421888 c:\program files\QuickTime\QTTask.exe

2006-08-23 02:09 . 2006-08-23 02:09 40960 c:\program files\ScanSoft\PDF Professional 4.0\bak\RegistryController.exe

2007-06-06 23:52 . 2007-06-06 23:52 936960 c:\program files\Verizon\bak\McciTrayApp.exe

2006-11-04 03:20 . 2006-11-04 03:20 866584 c:\program files\Windows Defender\bak\MSASCui.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegBooster"="c:\program files\RegBooster\RegBooster.exe" [N/A]
"Updates Scheduler"="c:\program files\Common Files\Lacerte Shared\Update Scheduler\UpdSched.EXE" [2010-03-12 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nuance PDF Professional 6-reminder"="c:\program files\Nuance\PDF Professional 6\Ereg\Ereg.exe" [N/A]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"nwiz"="nwiz.exe" [2008-07-26 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-26 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"FixCamera"="c:\windows\FixCamera.exe" [2007-07-11 20480]
"tsnp2std"="c:\windows\tsnp2std.exe" [2007-08-31 262144]
"snp2std"="c:\windows\vsnp2std.exe" [2007-08-07 348160]
"PDFHook"="c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe" [2008-02-27 795936]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Professional 5\RegistryController.exe" [2008-02-27 58656]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-03-26 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" [2007-08-31 328992]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-12 1280344]

c:\documents and settings\john\Start Menu\Programs\Startup\
BUFFALO NAS Navigator.lnk - c:\program files\BUFFALO\NASNAVI\NasNavi.exe [2009-3-9 1553800]
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2009-2-13 2819432]
NAS Scheduler.lnk - c:\program files\BUFFALO\NASNAVI\nassche.exe [2009-3-9 206128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-10 03:49 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [4/7/2010 3:39 PM 1858144]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [7/16/2010 1:57 PM 312152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 NasPmService;NAS PM Service;c:\program files\BUFFALO\NASNAVI\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 --> c:\program files\BUFFALO\NASNAVI\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 [?]
R2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2/27/2008 2:21 AM 144672]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CCPWDSVC
*NewlyCreated* - SPBBCSVC
*Deregistered* - EraserUtilDrv11010
.
Contents of the 'Scheduled Tasks' folder

2010-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-07-28 c:\windows\Tasks\User_Feed_Synchronization-{8D750676-AE12-40A9-B0C5-7A3980039579}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 5.0 - c:\program files\Nuance\PDF Professional 5\cnvres_eng.dll /100
FF - ProfilePath - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.irs.gov/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 14:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c8,06,a2,6c,11,55,aa,48,97,70,5c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c8,06,a2,6c,11,55,aa,48,97,70,5c,\

[HKEY_USERS\S-1-5-21-1292428093-1035525444-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(3744)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Nuance\NaturallySpeaking10\Program\dd10hook.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-07-28 14:30:59
ComboFix-quarantined-files.txt 2010-07-28 21:30
ComboFix2.txt 2010-07-28 21:11
ComboFix3.txt 2010-07-28 20:12
ComboFix4.txt 2010-07-28 19:15

Pre-Run: 32,743,079,936 bytes free
Post-Run: 32,727,818,240 bytes free

- - End Of File - - B16A5403866EE4E355217C190B677A33
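As an added example (not code from the thread and not ComboFix's own), a small Python triage script for the AWF section of a log like the one just posted: it parses AWF lines in the format shown, pairs each file found in a bak folder with its live counterpart, reports how the two compare, and builds the same Folder:: block that myrti's CFScript above used. The sample input is constructed from three of the log's AWF entries.

```python
"""Triage helper for the "AWF" section of a ComboFix log (added example).

Not ComboFix's own code and not from this thread: it parses AWF lines in
the format shown in the log above, pairs each file sitting in a 'bak'
folder with its live counterpart, reports how the two compare, and builds
the same 'Folder::' block that the CFScript in this thread used.
"""
import re

# One AWF line: "<created> . <modified> <size> <path>" (format as in the log).
AWF_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (\S.*?)\s*$"
)

# Constructed sample: three groups copied in shape from the AWF section above
# (one bak copy without a live file, one same-size pair, one differing pair).
SAMPLE_AWF = r"""
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe

2005-06-10 17:44 . 2005-06-10 17:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
2005-06-10 18:44 . 2005-06-10 18:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

2005-09-20 19:39 . 2005-09-20 19:39 98304 c:\program files\QuickTime\bak\qttask.exe
2010-03-18 04:53 . 2010-03-18 04:53 421888 c:\program files\QuickTime\QTTask.exe
"""


def parse_awf(text):
    """Return one dict per AWF line; blank and unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = AWF_LINE.match(line.strip())
        if not m:
            continue
        created, modified, size, path = m.groups()
        entries.append({"created": created, "modified": modified,
                        "size": int(size), "path": path})
    return entries


def is_bak(path):
    """True when the file lives directly in a 'bak' folder."""
    return "\\bak\\" in path.lower()


def pair_bak_entries(entries):
    """Return (bak_entry, live_entry_or_None) for every file under a bak folder.

    The live counterpart is the same file name one level up, matched
    case-insensitively because the log mixes cases (qttask.exe / QTTask.exe).
    """
    live = {e["path"].lower(): e for e in entries if not is_bak(e["path"])}
    pairs = []
    for e in entries:
        if is_bak(e["path"]):
            live_path = e["path"].lower().replace("\\bak\\", "\\", 1)
            pairs.append((e, live.get(live_path)))
    return pairs


def awf_report(text):
    """Compare each bak copy with its live file and give a short verdict code."""
    report = []
    for bak, live in pair_bak_entries(parse_awf(text)):
        name = bak["path"].rsplit("\\", 1)[1]
        if live is None:
            verdict = "no-live-copy"      # only the bak copy is still present
        elif live["size"] == bak["size"]:
            verdict = "same-size"         # live file matches the bak copy's size
        else:
            verdict = "size-differs"      # live file is not the backed-up build
        report.append({"file": name, "bak_size": bak["size"],
                       "live_size": None if live is None else live["size"],
                       "verdict": verdict})
    return report


def folder_directive(text):
    """Build a CFScript 'Folder::' block naming every distinct bak folder.

    Sorted case-insensitively, which reproduces the order used in the thread.
    """
    folders = {bak["path"].rsplit("\\", 1)[0]
               for bak, _ in pair_bak_entries(parse_awf(text))}
    return "Folder::\n" + "\n".join(sorted(folders, key=str.lower))


if __name__ == "__main__":
    for row in awf_report(SAMPLE_AWF):
        print("%-20s bak=%-8s live=%-8s %s" % (row["file"], row["bak_size"],
                                               row["live_size"], row["verdict"]))
    print(folder_directive(SAMPLE_AWF))
```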


#9 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 28 July 2010 - 04:59 PM

Hi,

Sometimes ComboFix mistakenly detects an AV to be active. Don't worry.

However, the script does not seem to have worked. Could you please try again.

regards myrti



#10 itchallenge
  • Topic Starter
  • Members
  • 23 posts

Posted 28 July 2010 - 05:13 PM

Here is the latest txt file info:

ComboFix 10-07-27.05 - john 07/28/2010 15:08:09.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1539 [GMT -7:00]
Running from: c:\documents and settings\john\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\john\My Documents\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-23 06:27 . 2010-07-23 06:27 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2010-07-19 20:22 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-07-19 20:22 . 2010-07-21 00:44 -------- d-----w- c:\program files\Panda Security
2010-07-19 18:18 . 2010-07-19 18:18 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2010-07-16 21:55 . 2010-07-16 21:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton
2010-07-16 21:55 . 2010-07-16 23:13 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\NPE
2010-07-16 20:50 . 2010-07-16 20:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\IObit
2010-07-16 20:50 . 2010-07-16 20:57 -------- d-----w- c:\program files\IObit
2010-07-16 19:03 . 2010-07-16 19:03 -------- d-----w- c:\documents and settings\john\Application Data\CheckPoint
2010-07-16 19:02 . 2010-07-16 19:02 -------- d-----w- c:\program files\Conduit
2010-07-16 19:02 . 2010-07-16 19:02 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Conduit
2010-07-16 19:02 . 2010-07-16 19:02 -------- d-----w- c:\program files\CheckPoint
2010-07-16 19:01 . 2010-07-16 19:01 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-07-16 19:01 . 2010-06-23 20:51 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-07-16 19:01 . 2010-06-23 20:51 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-07-16 19:01 . 2010-06-23 20:51 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-07-16 17:39 . 2010-07-16 17:39 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\PrivacIE
2010-07-16 17:39 . 2010-07-16 17:39 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IECompatCache
2010-07-16 17:38 . 2004-05-11 18:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2010-07-16 17:38 . 2003-11-19 22:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2010-07-16 17:38 . 2001-04-27 21:11 24576 ----a-w- c:\windows\system32\SmartSubClass.dll
2010-07-16 17:38 . 2010-07-16 21:07 -------- d-----w- c:\program files\MalwareScanner
2010-07-16 16:26 . 2010-07-16 16:26 -------- d-----w- c:\windows\system32\Adobe
2010-07-16 16:24 . 2010-07-16 16:24 2568656 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-16 16:24 . 2010-06-22 11:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 16:19 . 2010-07-16 19:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-07-16 06:27 . 2010-07-16 06:27 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple
2010-07-16 05:51 . 2010-07-16 05:56 -------- d-----w- c:\documents and settings\john\Application Data\Apple Computer
2010-07-16 05:47 . 2010-07-16 05:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\program files\Common Files\Apple
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Apple
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\program files\Apple Software Update
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Apple Computer
2010-07-14 18:36 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 20:25 . 2009-01-15 22:21 -------- d-----w- c:\program files\ESET
2010-07-28 19:45 . 2008-01-16 00:25 -------- d-----w- c:\program files\Windows Defender
2010-07-28 19:41 . 2009-09-22 18:04 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-07-28 16:11 . 2009-05-20 21:43 -------- d-----w- c:\program files\LogMeIn
2010-07-24 20:47 . 2010-07-21 00:15 3051671 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-07-23 00:06 . 2005-10-03 20:21 -------- d-----w- c:\program files\Common Files\Lacerte Shared
2010-07-19 19:55 . 2009-09-22 00:00 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-16 18:06 . 2005-11-11 01:54 -------- d-----w- c:\program files\Google
2010-07-16 16:24 . 2005-09-20 19:22 -------- d-----w- c:\program files\Common Files\Java
2010-07-16 16:23 . 2005-09-20 19:22 -------- d-----w- c:\program files\Java
2010-07-16 05:47 . 2005-09-20 19:39 -------- d-----w- c:\program files\QuickTime
2010-07-15 10:01 . 2009-09-22 15:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-07-13 07:42 . 2010-04-14 18:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-14 14:31 . 2009-09-21 23:36 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 03:49 . 2009-09-22 21:15 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-10 03:49 . 2009-09-22 21:15 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-10 03:49 . 2009-09-22 21:14 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-05-25 07:41 . 2010-05-25 07:41 503808 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a578df5-n\msvcp71.dll
2010-05-25 07:41 . 2010-05-25 07:41 499712 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a578df5-n\jmc.dll
2010-05-25 07:41 . 2010-05-25 07:41 348160 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a578df5-n\msvcr71.dll
2010-05-25 07:41 . 2010-05-25 07:41 61440 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7505b5df-n\decora-sse.dll
2010-05-25 07:41 . 2010-05-25 07:41 12800 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7505b5df-n\decora-d3d.dll
2010-05-21 21:14 . 2009-10-05 20:15 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 17:46 . 2009-11-13 19:27 70760 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-05-11 17:41 . 2010-05-11 17:41 10134 ----a-r- c:\documents and settings\john\Application Data\Microsoft\Installer\{6A3CAA8E-6DDB-4AA7-A411-9982FF9180FE}\ARPPRODUCTICON.exe
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-08 16:00 . 2010-04-08 16:00 3584 --sha-w- c:\program files\Common Files\Thumbs.db
2009-08-19 12:11 . 2009-12-18 22:51 2503 ------w- c:\program files\Common Files\pr_404.html
2009-07-23 02:22 . 2009-12-18 22:51 4344 ------w- c:\program files\Common Files\tr3_lacerte.png
.

((((((((((((((((((((((((((((( SnapShot@2010-07-28_19.13.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 19:40 . 2010-07-28 19:40 16384 c:\windows\Temp\Perflib_Perfdata_56c.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe

2007-10-11 03:51 . 2007-10-11 03:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

2005-06-10 17:44 . 2005-06-10 17:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
2005-06-10 18:44 . 2005-06-10 18:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

2005-02-17 00:15 . 2005-02-17 00:15 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
2005-02-17 00:15 . 2005-02-17 00:15 221184 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

2005-11-11 01:53 . 2005-11-11 01:53 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2003-09-30 07:14 . 2003-09-30 07:14 155648 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
2007-03-26 15:43 . 2007-03-26 15:43 210472 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

2005-09-20 19:25 . 2005-02-23 21:19 53248 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2007-03-15 18:09 . 2007-03-15 18:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe

2007-06-25 04:48 . 2007-06-25 04:48 68856 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

2008-01-16 00:26 . 2008-01-16 00:26 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2008-01-11 19:54 . 2007-09-25 09:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

2004-08-11 22:11 . 2007-12-01 08:26 1695232 c:\program files\Messenger\bak\msmsgs.exe
2009-09-21 18:30 . 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

2005-09-20 19:38 . 2005-03-15 15:58 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe
2008-04-16 19:01 . 2006-01-17 20:03 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

2005-09-20 19:39 . 2005-09-20 19:39 98304 c:\program files\QuickTime\bak\qttask.exe
2010-03-18 04:53 . 2010-03-18 04:53 421888 c:\program files\QuickTime\QTTask.exe

2006-08-23 02:09 . 2006-08-23 02:09 40960 c:\program files\ScanSoft\PDF Professional 4.0\bak\RegistryController.exe

2007-06-06 23:52 . 2007-06-06 23:52 936960 c:\program files\Verizon\bak\McciTrayApp.exe

2006-11-04 03:20 . 2006-11-04 03:20 866584 c:\program files\Windows Defender\bak\MSASCui.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegBooster"="c:\program files\RegBooster\RegBooster.exe" [N/A]
"Updates Scheduler"="c:\program files\Common Files\Lacerte Shared\Update Scheduler\UpdSched.EXE" [2010-03-12 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nuance PDF Professional 6-reminder"="c:\program files\Nuance\PDF Professional 6\Ereg\Ereg.exe" [N/A]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"nwiz"="nwiz.exe" [2008-07-26 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-26 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"FixCamera"="c:\windows\FixCamera.exe" [2007-07-11 20480]
"tsnp2std"="c:\windows\tsnp2std.exe" [2007-08-31 262144]
"snp2std"="c:\windows\vsnp2std.exe" [2007-08-07 348160]
"PDFHook"="c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe" [2008-02-27 795936]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Professional 5\RegistryController.exe" [2008-02-27 58656]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-03-26 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" [2007-08-31 328992]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-12 1280344]

c:\documents and settings\john\Start Menu\Programs\Startup\
BUFFALO NAS Navigator.lnk - c:\program files\BUFFALO\NASNAVI\NasNavi.exe [2009-3-9 1553800]
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2009-2-13 2819432]
NAS Scheduler.lnk - c:\program files\BUFFALO\NASNAVI\nassche.exe [2009-3-9 206128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-10 03:49 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [4/7/2010 3:39 PM 1858144]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [7/16/2010 1:57 PM 312152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 NasPmService;NAS PM Service;c:\program files\BUFFALO\NASNAVI\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 --> c:\program files\BUFFALO\NASNAVI\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 [?]
R2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2/27/2008 2:21 AM 144672]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CCPWDSVC
*NewlyCreated* - SPBBCSVC
*Deregistered* - EraserUtilDrv11010
.
Contents of the 'Scheduled Tasks' folder

2010-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-07-28 c:\windows\Tasks\User_Feed_Synchronization-{8D750676-AE12-40A9-B0C5-7A3980039579}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 5.0 - c:\program files\Nuance\PDF Professional 5\cnvres_eng.dll /100
FF - ProfilePath - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.irs.gov/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 15:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c8,06,a2,6c,11,55,aa,48,97,70,5c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c8,06,a2,6c,11,55,aa,48,97,70,5c,\

[HKEY_USERS\S-1-5-21-1292428093-1035525444-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(3120)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Nuance\NaturallySpeaking10\Program\dd10hook.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-07-28 15:13:11
ComboFix-quarantined-files.txt 2010-07-28 22:13
ComboFix2.txt 2010-07-28 21:31
ComboFix3.txt 2010-07-28 21:11
ComboFix4.txt 2010-07-28 20:12
ComboFix5.txt 2010-07-28 22:07

Pre-Run: 32,740,896,768 bytes free
Post-Run: 32,725,577,728 bytes free

- - End Of File - - 37DC7704F8095D3C8632E36FC753CCD1


#11 itchallenge

  • Topic Starter

  • Members
  • 23 posts

Posted 28 July 2010 - 07:21 PM

myrti,

I ran this in safe mode:

ComboFix 10-07-27.05 - john 07/28/2010 17:08:49.6.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1670 [GMT -7:00]
Running from: c:\documents and settings\john\My Documents\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-07-23 06:27 . 2010-07-23 06:27 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2010-07-19 20:22 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-07-19 20:22 . 2010-07-21 00:44 -------- d-----w- c:\program files\Panda Security
2010-07-19 18:18 . 2010-07-19 18:18 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2010-07-16 21:55 . 2010-07-16 21:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton
2010-07-16 21:55 . 2010-07-16 23:13 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\NPE
2010-07-16 20:50 . 2010-07-16 20:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\IObit
2010-07-16 20:50 . 2010-07-16 20:57 -------- d-----w- c:\program files\IObit
2010-07-16 19:03 . 2010-07-16 19:03 -------- d-----w- c:\documents and settings\john\Application Data\CheckPoint
2010-07-16 19:02 . 2010-07-16 19:02 -------- d-----w- c:\program files\Conduit
2010-07-16 19:02 . 2010-07-16 19:02 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Conduit
2010-07-16 19:02 . 2010-07-16 19:02 -------- d-----w- c:\program files\CheckPoint
2010-07-16 19:01 . 2010-07-16 19:01 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-07-16 19:01 . 2010-06-23 20:51 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-07-16 19:01 . 2010-06-23 20:51 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-07-16 19:01 . 2010-06-23 20:51 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-07-16 17:39 . 2010-07-16 17:39 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\PrivacIE
2010-07-16 17:39 . 2010-07-16 17:39 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IECompatCache
2010-07-16 17:38 . 2004-05-11 18:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2010-07-16 17:38 . 2003-11-19 22:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2010-07-16 17:38 . 2001-04-27 21:11 24576 ----a-w- c:\windows\system32\SmartSubClass.dll
2010-07-16 17:38 . 2010-07-16 21:07 -------- d-----w- c:\program files\MalwareScanner
2010-07-16 16:26 . 2010-07-16 16:26 -------- d-----w- c:\windows\system32\Adobe
2010-07-16 16:24 . 2010-07-16 16:24 2568656 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-16 16:24 . 2010-06-22 11:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 16:19 . 2010-07-16 19:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-07-16 06:27 . 2010-07-16 06:27 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple
2010-07-16 05:51 . 2010-07-16 05:56 -------- d-----w- c:\documents and settings\john\Application Data\Apple Computer
2010-07-16 05:47 . 2010-07-16 05:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\program files\Common Files\Apple
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Apple
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\program files\Apple Software Update
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2010-07-16 05:46 . 2010-07-16 05:46 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\Apple Computer
2010-07-14 18:36 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-29 00:04 . 2009-09-22 00:00 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-28 23:22 . 2009-09-22 18:04 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-07-28 23:09 . 2010-07-21 00:15 4524534 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-07-28 23:08 . 2009-01-15 22:21 -------- d-----w- c:\program files\ESET
2010-07-28 19:45 . 2008-01-16 00:25 -------- d-----w- c:\program files\Windows Defender
2010-07-28 16:11 . 2009-05-20 21:43 -------- d-----w- c:\program files\LogMeIn
2010-07-23 00:06 . 2005-10-03 20:21 -------- d-----w- c:\program files\Common Files\Lacerte Shared
2010-07-16 18:06 . 2005-11-11 01:54 -------- d-----w- c:\program files\Google
2010-07-16 16:24 . 2005-09-20 19:22 -------- d-----w- c:\program files\Common Files\Java
2010-07-16 16:23 . 2005-09-20 19:22 -------- d-----w- c:\program files\Java
2010-07-16 05:47 . 2005-09-20 19:39 -------- d-----w- c:\program files\QuickTime
2010-07-15 10:01 . 2009-09-22 15:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-07-13 07:42 . 2010-04-14 18:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-14 14:31 . 2009-09-21 23:36 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 03:49 . 2009-09-22 21:15 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-10 03:49 . 2009-09-22 21:15 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-10 03:49 . 2009-09-22 21:14 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-05-25 07:41 . 2010-05-25 07:41 503808 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a578df5-n\msvcp71.dll
2010-05-25 07:41 . 2010-05-25 07:41 499712 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a578df5-n\jmc.dll
2010-05-25 07:41 . 2010-05-25 07:41 348160 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a578df5-n\msvcr71.dll
2010-05-25 07:41 . 2010-05-25 07:41 61440 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7505b5df-n\decora-sse.dll
2010-05-25 07:41 . 2010-05-25 07:41 12800 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7505b5df-n\decora-d3d.dll
2010-05-21 21:14 . 2009-10-05 20:15 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 17:46 . 2009-11-13 19:27 70760 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-05-11 17:41 . 2010-05-11 17:41 10134 ----a-r- c:\documents and settings\john\Application Data\Microsoft\Installer\{6A3CAA8E-6DDB-4AA7-A411-9982FF9180FE}\ARPPRODUCTICON.exe
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-08 16:00 . 2010-04-08 16:00 3584 --sha-w- c:\program files\Common Files\Thumbs.db
2009-08-19 12:11 . 2009-12-18 22:51 2503 ------w- c:\program files\Common Files\pr_404.html
2009-07-23 02:22 . 2009-12-18 22:51 4344 ------w- c:\program files\Common Files\tr3_lacerte.png
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:46 . 2007-11-13 21:46 135168 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe

2007-10-11 03:51 . 2007-10-11 03:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

2005-06-10 17:44 . 2005-06-10 17:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
2005-06-10 18:44 . 2005-06-10 18:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

2005-02-17 00:15 . 2005-02-17 00:15 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
2005-02-17 00:15 . 2005-02-17 00:15 221184 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

2005-11-11 01:53 . 2005-11-11 01:53 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2003-09-30 07:14 . 2003-09-30 07:14 155648 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
2007-03-26 15:43 . 2007-03-26 15:43 210472 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

2005-09-20 19:25 . 2005-02-23 21:19 53248 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2007-03-15 18:09 . 2007-03-15 18:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe

2007-06-25 04:48 . 2007-06-25 04:48 68856 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

2008-01-16 00:26 . 2008-01-16 00:26 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2008-01-11 19:54 . 2007-09-25 09:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

2004-08-11 22:11 . 2007-12-01 08:26 1695232 c:\program files\Messenger\bak\msmsgs.exe
2009-09-21 18:30 . 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

2005-09-20 19:38 . 2005-03-15 15:58 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe
2008-04-16 19:01 . 2006-01-17 20:03 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

2005-09-20 19:39 . 2005-09-20 19:39 98304 c:\program files\QuickTime\bak\qttask.exe
2010-03-18 04:53 . 2010-03-18 04:53 421888 c:\program files\QuickTime\QTTask.exe

2006-08-23 02:09 . 2006-08-23 02:09 40960 c:\program files\ScanSoft\PDF Professional 4.0\bak\RegistryController.exe

2007-06-06 23:52 . 2007-06-06 23:52 936960 c:\program files\Verizon\bak\McciTrayApp.exe

2006-11-04 03:20 . 2006-11-04 03:20 866584 c:\program files\Windows Defender\bak\MSASCui.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegBooster"="c:\program files\RegBooster\RegBooster.exe" [N/A]
"Updates Scheduler"="c:\program files\Common Files\Lacerte Shared\Update Scheduler\UpdSched.EXE" [2010-03-12 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nuance PDF Professional 6-reminder"="c:\program files\Nuance\PDF Professional 6\Ereg\Ereg.exe" [N/A]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"nwiz"="nwiz.exe" [2008-07-26 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-26 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"FixCamera"="c:\windows\FixCamera.exe" [2007-07-11 20480]
"tsnp2std"="c:\windows\tsnp2std.exe" [2007-08-31 262144]
"snp2std"="c:\windows\vsnp2std.exe" [2007-08-07 348160]
"PDFHook"="c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe" [2008-02-27 795936]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Professional 5\RegistryController.exe" [2008-02-27 58656]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-03-26 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" [2007-08-31 328992]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-12 1280344]

c:\documents and settings\john\Start Menu\Programs\Startup\
BUFFALO NAS Navigator.lnk - c:\program files\BUFFALO\NASNAVI\NasNavi.exe [2009-3-9 1553800]
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2009-2-13 2819432]
NAS Scheduler.lnk - c:\program files\BUFFALO\NASNAVI\nassche.exe [2009-3-9 206128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-10 03:49 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\BUFFALO\\NASNAVI\\NasNavi.exe"=

S2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [4/7/2010 3:39 PM 1858144]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [7/16/2010 1:57 PM 312152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
S2 NasPmService;NAS PM Service;c:\program files\BUFFALO\NASNAVI\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 --> c:\program files\BUFFALO\NASNAVI\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 [?]
S2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2/27/2008 2:21 AM 144672]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
.
Contents of the 'Scheduled Tasks' folder

2010-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-07-28 c:\windows\Tasks\User_Feed_Synchronization-{8D750676-AE12-40A9-B0C5-7A3980039579}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 5.0 - c:\program files\Nuance\PDF Professional 5\cnvres_eng.dll /100
FF - ProfilePath - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.irs.gov/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 17:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c8,06,a2,6c,11,55,aa,48,97,70,5c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c8,06,a2,6c,11,55,aa,48,97,70,5c,\

[HKEY_USERS\S-1-5-21-1292428093-1035525444-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(1724)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-07-28 17:19:15
ComboFix-quarantined-files.txt 2010-07-29 00:19
ComboFix2.txt 2010-07-28 22:13
ComboFix3.txt 2010-07-28 21:31
ComboFix4.txt 2010-07-28 21:11
ComboFix5.txt 2010-07-29 00:08

Pre-Run: 32,722,640,896 bytes free
Post-Run: 32,701,960,192 bytes free

- - End Of File - - FA88FF9F94E9E54F40E085279A6C0A0E


I hope it helps, still awaiting more direction,

Thanks,

ITC

#12 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 29 July 2010 - 01:03 AM

Hi,

please run the following OTL fix:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    CODE
    :files

    c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak
    c:\program files\Adobe\Reader 8.0\Reader\bak
    c:\program files\Common Files\InstallShield\UpdateService\bak
    c:\program files\Common Files\InstallShield\UpdateService\bak
    c:\program files\Common Files\Real\Update_OB\bak
    c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak
    c:\program files\CyberLink\PowerDVD\bak
    c:\program files\DellSupport\bak
    c:\program files\Google\GoogleToolbarNotifier\bak
    c:\program files\Grisoft\AVG7\bak
    c:\program files\Java\jre1.6.0_03\bin\bak
    c:\program files\Messenger\bak
    c:\program files\MUSICMATCH\Musicmatch Jukebox\bak
    c:\program files\QuickTime\bak
    c:\program files\ScanSoft\PDF Professional 4.0\bak
    c:\program files\Verizon\bak
    c:\program files\Windows Defender\bak
    C:\Windows\tasks\at*.job
    :commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered; when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
    If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open one notepad window, OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 


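Post #12's fix lists paths under ":files" and a command under ":commands". As an added illustration, not OTL's own code, the Python below parses that same layout and dry-runs it against a constructed directory tree, reporting which entries match, which match nothing and which are listed twice; the script excerpt and the tree are constructed from the post, and drive letters are remapped onto a temporary root so it runs on any OS.

```python
"""Dry run of an OTL-style fix script (added illustration, not OTL's own code):
parse the ':files' / ':commands' layout and report what each entry would touch."""
import glob
import os
import tempfile
from typing import Dict, List, Tuple

SAMPLE_FIX = """:files

c:\\program files\\Common Files\\InstallShield\\UpdateService\\bak
c:\\program files\\Common Files\\InstallShield\\UpdateService\\bak
c:\\program files\\DellSupport\\bak
c:\\program files\\Grisoft\\AVG7\\bak
C:\\Windows\\tasks\\at*.job
:commands
[emptytemp]
"""  # excerpt of the posted fix, trimmed to a few entries (constructed sample)


def parse_fix(script: str) -> Dict[str, List[str]]:
    """Split the script into sections keyed by their lower-cased ':name' header.
    Blank lines are ignored; lines before the first header are dropped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line.lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def resolve_files(entries: List[str], root: str) -> List[Tuple[str, List[str]]]:
    """Map each :files entry to the paths it matches under root. The drive letter
    is stripped and the rest joined onto root; wildcards such as at*.job go
    through glob (case-sensitive on POSIX, so the sample tree matches the case)."""
    results = []
    for entry in entries:
        rel = entry.replace("\\", "/")
        if len(rel) > 1 and rel[1] == ":":
            rel = rel[2:]
        target = os.path.join(root, rel.lstrip("/"))
        results.append((entry, sorted(glob.glob(target))))
    return results


def dry_run(script: str, root: str) -> dict:
    """Report matches per entry, unmatched entries, duplicate entries, commands."""
    sections = parse_fix(script)
    files = resolve_files(sections.get(":files", []), root)
    seen, duplicates = set(), []
    for entry, _ in files:
        key = entry.lower()  # Windows paths compare case-insensitively
        if key in seen:
            duplicates.append(entry)
        seen.add(key)
    return {
        "files": files,
        "missing": [entry for entry, matches in files if not matches],
        "duplicates": duplicates,
        "commands": [cmd.lower() for cmd in sections.get(":commands", [])],
    }


def build_sample_tree(root: str) -> None:
    """Constructed tree: two 'bak' folders present, one absent, mixed task files."""
    for d in ("program files/Common Files/InstallShield/UpdateService/bak",
              "program files/Grisoft/AVG7/bak",
              "program files/DellSupport",
              "Windows/tasks"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    for f in ("program files/Grisoft/AVG7/bak/avgcc.exe",
              "Windows/tasks/at1.job",
              "Windows/tasks/at2.job",
              "Windows/tasks/Backup.job"):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("constructed placeholder\n")


def run_sample() -> dict:
    """Dry-run SAMPLE_FIX against the constructed tree; matches are root-relative."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        report = dry_run(SAMPLE_FIX, root)
        report["files"] = [(entry, [os.path.relpath(p, root) for p in matches])
                           for entry, matches in report["files"]]
        return report


if __name__ == "__main__":
    for entry, matches in run_sample()["files"]:
        print(f"{entry}: {matches or 'no match'}")
```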

#13 itchallenge
  • Topic Starter
  • Members
  • 23 posts

Posted 30 July 2010 - 07:39 PM

Hello,

The system required a reboot. Upon reboot the OTL.exe run option was the first to launch. Then a Notepad file opened 07302010_171811


Its contents:

All processes killed
Error: Unable to interpret <c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak> in the current context!
Error: Unable to interpret <c:\program files\Adobe\Reader 8.0\Reader\bak> in the current context!
Error: Unable to interpret <c:\program files\Common Files\InstallShield\UpdateService\bak> in the current context!
Error: Unable to interpret <c:\program files\Common Files\InstallShield\UpdateService\bak> in the current context!
Error: Unable to interpret <c:\program files\Common Files\Real\Update_OB\bak> in the current context!
Error: Unable to interpret <c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak> in the current context!
Error: Unable to interpret <c:\program files\CyberLink\PowerDVD\bak> in the current context!
Error: Unable to interpret <c:\program files\DellSupport\bak> in the current context!
Error: Unable to interpret <c:\program files\Google\GoogleToolbarNotifier\bak> in the current context!
Error: Unable to interpret <c:\program files\Grisoft\AVG7\bak> in the current context!
Error: Unable to interpret <c:\program files\Java\jre1.6.0_03\bin\bak> in the current context!
Error: Unable to interpret <c:\program files\Messenger\bak> in the current context!
Error: Unable to interpret <c:\program files\MUSICMATCH\Musicmatch Jukebox\bak> in the current context!
Error: Unable to interpret <c:\program files\QuickTime\bak> in the current context!
Error: Unable to interpret <c:\program files\ScanSoft\PDF Professional 4.0\bak> in the current context!
Error: Unable to interpret <c:\program files\Verizon\bak> in the current context!
Error: Unable to interpret <c:\program files\Windows Defender\bak> in the current context!
Error: Unable to interpret <C:\Windows\tasks\at*.job> in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: All Users.WINDOWS

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: JFT
->Temp folder emptied: 741796402 bytes
->Temporary Internet Files folder emptied: 1266241859 bytes
->Java cache emptied: 56108589 bytes
->FireFox cache emptied: 106337627 bytes
->Flash cache emptied: 1964449 bytes

User: john
->Temp folder emptied: 445561 bytes
->Temporary Internet Files folder emptied: 1067141786 bytes
->Java cache emptied: 133775 bytes
->FireFox cache emptied: 54318408 bytes
->Flash cache emptied: 3188 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 327706 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 1048814 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 614408 bytes

User: remote user
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: remote user.JFT_DT
->Temp folder emptied: 85849 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2645611 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 739 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 3,147.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 07302010_171811

Files\Folders moved on Reboot...
C:\Documents and Settings\john\Local Settings\Temp\~DF7919.tmp moved successfully.
File\Folder C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\Google Gears for Firefox\mail.google.com\https_443\WebCache-MAIN_IMAGES-john.trapani.cpa@gmail.com-GoogleMail[7]#localserver\aim_left_anchor_bubble_bot[77].gif not found!
File\Folder C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\Google Gears for Firefox\mail.google.com\https_443\WebCache-MAIN_IMAGES-john.trapani.cpa@gmail.com-GoogleMail[7]#localserver\aim_left_anchor_bubble_top[78].gif not found!
File\Folder C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\Google Gears for Firefox\mail.google.com\https_443\WebCache-MAIN_IMAGES-john.trapani.cpa@gmail.com-GoogleMail[7]#localserver\aim_no_anchor_bubble_bot[79].gif not found!
File\Folder C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\Google Gears for Firefox\mail.google.com\https_443\WebCache-MAIN_IMAGES-john.trapani.cpa@gmail.com-GoogleMail[7]#localserver\aim_no_anchor_bubble_top[80].gif not found!
File\Folder C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\Google Gears for Firefox\mail.google.com\https_443\WebCache-MAIN_IMAGES-john.trapani.cpa@gmail.com-GoogleMail[7]#localserver\aim_right_anchor_bubble_bot[81].gif not found!
File\Folder C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\Google Gears for Firefox\mail.google.com\https_443\WebCache-MAIN_IMAGES-john.trapani.cpa@gmail.com-GoogleMail[7]#localserver\aim_right_anchor_bubble_top[82].gif not found!
File\Folder C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\Google Gears for Firefox\mail.google.com\https_443\WebCache-MAIN_IMAGES-john.trapani.cpa@gmail.com-GoogleMail[7]#localserver\media-caption-background[268].png not found!
File\Folder C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\Google Gears for Firefox\mail.google.com\https_443\WebCache-MAIN_IMAGES-john.trapani.cpa@gmail.com-GoogleMail[7]#localserver\muc_left_anchor_bubble_bot[101].png not found!
File\Folder C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\Google Gears for Firefox\mail.google.com\https_443\WebCache-MAIN_IMAGES-john.trapani.cpa@gmail.com-GoogleMail[7]#localserver\muc_left_anchor_bubble_top[102].png not found!
File\Folder C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\Google Gears for Firefox\mail.google.com\https_443\WebCache-MAIN_IMAGES-john.trapani.cpa@gmail.com-GoogleMail[7]#localserver\muc_no_anchor_bubble_bot[103].png not found!
File\Folder C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\Google Gears for Firefox\mail.google.com\https_443\WebCache-MAIN_IMAGES-john.trapani.cpa@gmail.com-GoogleMail[7]#localserver\muc_no_anchor_bubble_top[105].png not found!
File\Folder C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\Google Gears for Firefox\mail.google.com\https_443\WebCache-MAIN_IMAGES-john.trapani.cpa@gmail.com-GoogleMail[7]#localserver\muc_right_anchor_bubble_bot[107].png not found!
File\Folder C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\Google Gears for Firefox\mail.google.com\https_443\WebCache-MAIN_IMAGES-john.trapani.cpa@gmail.com-GoogleMail[7]#localserver\muc_right_anchor_bubble_top[108].png not found!
File\Folder C:\WINDOWS\temp\ZLT06299.TMP not found!

Registry entries deleted on Reboot...


Sorry for the delay, I will run the 2nd part of your instructions now and post the results.

ITC

#14 itchallenge
  • Topic Starter
  • Members
  • 23 posts

Posted 30 July 2010 - 07:48 PM

Here are the results for the Follow up scan:

OTL logfile created on: 7/30/2010 5:42:53 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\john\My Documents
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.82 Gb Total Space | 33.40 Gb Free Space | 47.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 2.32 Gb Total Space | 2.09 Gb Free Space | 90.21% Space Free | Partition Type: FAT32
Drive F: | 7.47 Gb Total Space | 6.39 Gb Free Space | 85.42% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 451.41 Gb Total Space | 344.37 Gb Free Space | 76.29% Space Free | Partition Type: NTFS
Drive L: | 451.41 Gb Total Space | 344.37 Gb Free Space | 76.29% Space Free | Partition Type: NTFS

Computer Name: JFT_DT
Current User Name: john
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\john\My Documents\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
PRC - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
PRC - C:\Program Files\IObit\IObit Security 360\is360tray.exe (IObit)
PRC - C:\Program Files\IObit\IObit Security 360\is360srv.exe (IObit)
PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Nuance\NaturallySpeaking10\Program\natspeak.exe (Nuance Communications, Inc.)
PRC - C:\Program Files\Common Files\Lacerte Shared\update scheduler\updsched.exe ()
PRC - C:\Program Files\a-squared Free\a2service.exe (Emsi Software GmbH)
PRC - C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe (BUFFALO INC.)
PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
PRC - C:\Program Files\BUFFALO\NASNAVI\nassvc.exe (BUFFALO INC.)
PRC - C:\Program Files\BUFFALO\NASNAVI\nassche.exe (BUFFALO INC.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Nuance\PDF Professional 5\PdfPro5Hook.exe (Nuance Communications, Inc.)
PRC - C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe (Nuance Communications, Inc.)
PRC - C:\Program Files\Nuance\PDF Professional 5\bin\PDFDirect.exe (Zeon International Investment Corp. )
PRC - C:\WINDOWS\tsnp2std.exe ()
PRC - C:\WINDOWS\vsnp2std.exe (Sonix)
PRC - C:\WINDOWS\FixCamera.exe ()
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
PRC - C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\john\My Documents\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\IObit\IObit Security 360\is360mon.dll (IObit)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (vsmon) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
SRV - (IS360service) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe (IObit)
SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)
SRV - (a2free) -- C:\Program Files\a-squared Free\a2service.exe (Emsi Software GmbH)
SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
SRV - (NasPmService) -- C:\Program Files\BUFFALO\NASNAVI\nassvc.exe (BUFFALO INC.)
SRV - (PDFProFiltSrv) -- C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe (Nuance Communications, Inc.)
SRV - (SavRoam) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (DefWatch) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (ccPwdSvc) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
SRV - (SNDSrvc) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)
SRV - (SPBBCSvc) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\DOCUME~1\john\LOCALS~1\Temp\catchme.sys File not found
DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100728.002\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100728.002\NAVENG.SYS (Symantec Corporation)
DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Check Point Software Technologies LTD)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.)
DRV - (LMIRfsDriver) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (SNP2STD) USB2.0 PC Camera (SNP2STD) -- C:\WINDOWS\system32\drivers\snp2sxp.sys ()
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (SYMREDRV) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (SymEvent) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (SAVRTPEL) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (SAVRT) -- C:\Program Files\Symantec AntiVirus\savrt.sys (Symantec Corporation)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.irs.gov/"
FF - prefs.js..extensions.enabledItems: smarterwiki@wikiatic.com:4.1.5
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.2.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}:6.0.19
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.8

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/10/08 03:00:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/04/07 12:28:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/30 15:37:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/23 20:42:16 | 000,000,000 | ---D | M]

[2009/09/21 17:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\john\Application Data\Mozilla\Extensions
[2009/09/21 17:05:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\john\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/07/28 11:33:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\extensions
[2010/04/28 17:19:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/11 10:39:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\7r2z7691.default\extensions\smarterwiki@wikiatic.com
[2010/07/28 11:33:33 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/23 20:42:10 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2010/04/07 12:28:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
[2010/07/16 09:24:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/23 20:42:10 | 000,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/07/23 20:42:10 | 000,138,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2010/06/22 04:36:30 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/07/23 20:42:12 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2006/10/26 21:12:16 | 000,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
[2010/07/15 22:50:19 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2010/07/15 22:50:20 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2010/07/15 22:50:20 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2010/07/15 22:50:20 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2010/07/15 22:50:20 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2010/07/15 22:50:20 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2010/07/15 22:50:20 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2010/07/13 13:49:58 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2010/07/13 13:49:58 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2010/07/13 13:49:58 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2010/07/13 13:49:58 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2010/07/13 13:49:58 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2010/07/13 13:49:58 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2010/07/13 13:49:58 | 000,001,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2010/07/28 12:13:13 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ZeonIEEventHelper Class) - {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll (Zeon Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Oracle)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Oracle)
O3 - HKLM\..\Toolbar: (Nuance PDF) - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll (Zeon Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [DNS7reminder] C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe ()
O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [Nuance PDF Professional 5-reminder] C:\Program Files\Nuance\PDF Professional 5\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [Nuance PDF Professional 6-reminder] C:\Program Files\Nuance\PDF Professional 6\Ereg\Ereg.exe File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PDF5 Registry Controller] C:\Program Files\Nuance\PDF Professional 5\RegistryController.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [PDFHook] C:\Program Files\Nuance\PDF Professional 5\PdfPro5Hook.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe (Sonix)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe ()
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [RegBooster] C:\Program Files\RegBooster\RegBooster.exe File not found
O4 - HKCU..\Run: [Updates Scheduler] C:\Program Files\Common Files\Lacerte Shared\update scheduler\updsched.exe ()
O4 - Startup: C:\Documents and Settings\john\Start Menu\Programs\Startup\BUFFALO NAS Navigator.lnk = C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe (BUFFALO INC.)
O4 - Startup: C:\Documents and Settings\john\Start Menu\Programs\Startup\Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking10\Program\natspeak.exe (Nuance Communications, Inc.)
O4 - Startup: C:\Documents and Settings\john\Start Menu\Programs\Startup\NAS Scheduler.lnk = C:\Program Files\BUFFALO\NASNAVI\nassche.exe (BUFFALO INC.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append the content of the link to existing PDF file - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll (Zeon Corporation)
O8 - Extra context menu item: Append the content of the selected links to existing PDF file - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll (Zeon Corporation)
O8 - Extra context menu item: Append to existing PDF file - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll (Zeon Corporation)
O8 - Extra context menu item: Create PDF file - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll (Zeon Corporation)
O8 - Extra context menu item: Create PDF file from the content of the link - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll (Zeon Corporation)
O8 - Extra context menu item: Create PDF files from the selected links - C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll (Zeon Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Open with Nuance PDF Converter 5.0 - C:\Program Files\Nuance\PDF Professional 5\cnvres_eng.dll ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.238.64.12
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 15:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/30 17:27:31 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/07/30 17:18:12 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/07/28 17:53:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\john\Application Data\Brother
[2010/07/28 12:00:08 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/07/28 11:54:51 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/28 11:54:50 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/28 11:54:50 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/28 11:54:50 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/28 11:54:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/28 11:54:26 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/28 11:53:51 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\john\My Documents\OTL.exe
[2010/07/19 13:22:56 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2010/07/19 13:22:00 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2010/07/19 13:03:17 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/07/16 14:55:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton
[2010/07/16 14:55:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\john\Local Settings\Application Data\NPE
[2010/07/16 13:50:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\IObit
[2010/07/16 13:50:17 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/07/16 12:03:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\john\My Documents\ForceField Shared Files
[2010/07/16 12:03:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\john\Application Data\CheckPoint
[2010/07/16 12:02:26 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2010/07/16 12:02:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\john\Local Settings\Application Data\Conduit
[2010/07/16 12:02:01 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2010/07/16 12:01:48 | 000,058,368 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsregexp.dll
[2010/07/16 12:01:44 | 000,103,936 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcommdb.dll
[2010/07/16 12:01:43 | 000,069,120 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcomm.dll
[2010/07/16 12:01:35 | 000,043,008 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vswmi.dll
[2010/07/16 12:01:33 | 001,238,528 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zpeng25.dll
[2010/07/16 12:01:32 | 000,110,080 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsxml.dll
[2010/07/16 12:01:31 | 000,302,592 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vspubapi.dll
[2010/07/16 12:01:31 | 000,108,032 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsmonapi.dll
[2010/07/16 12:01:29 | 000,532,224 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys
[2010/07/16 11:57:57 | 000,713,728 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsutil.dll
[2010/07/16 11:57:57 | 000,228,864 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsinit.dll
[2010/07/16 11:57:57 | 000,112,128 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdata.dll
[2010/07/16 11:06:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
[2010/07/16 10:38:38 | 000,939,368 | ---- | C] (Macromedia, Inc.) -- C:\WINDOWS\System32\Flash.ocx
[2010/07/16 10:38:38 | 000,512,688 | ---- | C] (Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com) -- C:\WINDOWS\System32\XceedCry.dll
[2010/07/16 10:38:38 | 000,423,784 | ---- | C] (Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com) -- C:\WINDOWS\System32\XceedBkp.dll
[2010/07/16 10:38:38 | 000,109,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.OCX
[2010/07/16 10:38:38 | 000,065,536 | ---- | C] (vbAccelerator) -- C:\WINDOWS\System32\vbalProgBar6.ocx
[2010/07/16 10:38:38 | 000,024,576 | ---- | C] (VBSmart) -- C:\WINDOWS\System32\SmartSubClass.dll
[2010/07/16 10:38:37 | 000,597,834 | ---- | C] (Cyotek) -- C:\WINDOWS\System32\AS-IFce1.ocx
[2010/07/16 10:38:37 | 000,164,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\COMCT232.OCX
[2010/07/16 10:38:36 | 000,188,416 | ---- | C] (SoftShape Development) -- C:\WINDOWS\System32\actsplash.ocx
[2010/07/16 10:38:32 | 000,000,000 | ---D | C] -- C:\Program Files\MalwareScanner
[2010/07/16 09:26:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2010/07/16 09:24:02 | 000,423,656 | ---- | C] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/16 09:24:02 | 000,153,376 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/16 09:24:02 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/16 09:24:02 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/16 09:19:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\NOS
[2010/07/15 22:51:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\john\Application Data\Apple Computer
[2010/07/15 22:47:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
[2010/07/15 22:46:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2010/07/15 22:46:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\john\Local Settings\Application Data\Apple
[2010/07/15 22:46:37 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/07/15 22:46:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
[2010/07/15 22:46:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\john\Local Settings\Application Data\Apple Computer
[2010/07/14 11:36:57 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2009/10/22 11:17:47 | 000,151,552 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2std.dll
[2009/10/22 11:17:47 | 000,077,824 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2std.dll

========== Files - Modified Within 30 Days ==========

[2010/07/30 17:38:01 | 007,602,176 | -H-- | M] () -- C:\Documents and Settings\john\NTUSER.DAT
[2010/07/30 17:34:06 | 000,189,689 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/07/30 17:33:11 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/30 17:31:28 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/30 17:31:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/30 17:30:13 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\john\ntuser.ini
[2010/07/30 16:28:06 | 005,018,778 | -H-- | M] () -- C:\Documents and Settings\john\Local Settings\Application Data\IconCache.db
[2010/07/30 15:38:51 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\john\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007.lnk
[2010/07/30 14:49:05 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{8D750676-AE12-40A9-B0C5-7A3980039579}.job
[2010/07/30 14:39:32 | 000,000,257 | ---- | M] () -- C:\WINDOWS\UpdSched.INI
[2010/07/29 23:27:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/07/28 17:52:52 | 000,000,410 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2010/07/28 17:16:53 | 000,000,327 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/28 12:13:13 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/28 12:00:14 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/07/28 11:53:22 | 003,746,488 | R--- | M] () -- C:\Documents and Settings\john\My Documents\ComboFix.exe
[2010/07/28 11:26:21 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\john\My Documents\OTL.exe
[2010/07/25 16:53:35 | 000,045,568 | ---- | M] () -- C:\Documents and Settings\john\My Documents\HOUSEHOLD INVENTORY.xls
[2010/07/25 16:30:30 | 000,002,491 | ---- | M] () -- C:\Documents and Settings\john\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2007.lnk
[2010/07/21 12:41:32 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\john\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/21 12:18:01 | 000,000,079 | ---- | M] () -- C:\WINDOWS\WTAXSYNC.ini
[2010/07/21 12:17:59 | 000,001,465 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\2009 Lacerte Tax.LNK
[2010/07/21 10:47:00 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\john\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/07/21 10:47:00 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/07/20 17:38:11 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\john\defogger_reenable
[2010/07/19 11:50:02 | 000,001,286 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/19 11:50:02 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/07/16 12:03:52 | 000,421,442 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/07/16 12:01:51 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/07/15 22:47:53 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\QuickTime Player.lnk
[2010/07/15 19:57:54 | 000,000,122 | ---- | M] () -- C:\Documents and Settings\john\Application Data\Microsoft\Internet Explorer\Quick Launch\CAL FIRE.URL
[2010/07/15 16:44:21 | 000,004,452 | ---- | M] () -- C:\WINDOWS\w07tax.ini
[2010/07/15 16:41:36 | 000,000,031 | ---- | M] () -- C:\WINDOWS\lacerte.ini
[2010/07/15 15:47:49 | 000,005,756 | ---- | M] () -- C:\WINDOWS\w08tax.ini
[2010/07/13 00:42:17 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/02 17:52:53 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\john\Application Data\Microsoft\Internet Explorer\Quick Launch\-TIMECARD JFT.lnk

========== Files Created - No Company Name ==========

[2010/07/28 17:52:52 | 000,000,410 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2010/07/28 12:00:14 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/07/28 12:00:11 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/07/28 11:54:51 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/28 11:54:50 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/28 11:54:50 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/28 11:54:50 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/28 11:54:50 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/28 11:53:52 | 003,746,488 | R--- | C] () -- C:\Documents and Settings\john\My Documents\ComboFix.exe
[2010/07/25 16:31:44 | 000,045,568 | ---- | C] () -- C:\Documents and Settings\john\My Documents\HOUSEHOLD INVENTORY.xls
[2010/07/21 10:47:00 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\john\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/07/21 10:47:00 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/07/20 18:24:51 | 000,047,505 | ---- | C] () -- C:\Documents and Settings\john\gmer mc1.log
[2010/07/20 17:38:11 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\john\defogger_reenable
[2010/07/16 12:01:51 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/07/16 12:01:29 | 000,421,442 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/07/16 10:38:38 | 000,057,399 | ---- | C] () -- C:\WINDOWS\System32\Registry Control.ocx
[2010/07/16 10:38:36 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\ACTSKN43.OCX
[2010/07/15 22:47:53 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\QuickTime Player.lnk
[2010/07/15 22:46:40 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/07/15 19:57:54 | 000,000,122 | ---- | C] () -- C:\Documents and Settings\john\Application Data\Microsoft\Internet Explorer\Quick Launch\CAL FIRE.URL
[2010/02/12 11:48:03 | 000,000,257 | ---- | C] () -- C:\WINDOWS\UpdSched.INI
[2009/12/04 15:55:55 | 000,002,147 | ---- | C] () -- C:\WINDOWS\W06TAX.INI
[2009/12/04 15:54:12 | 000,001,660 | ---- | C] () -- C:\WINDOWS\W05TAX.INI
[2009/12/04 15:52:30 | 000,001,528 | ---- | C] () -- C:\WINDOWS\W04TAX.INI
[2009/10/22 11:17:55 | 000,015,497 | ---- | C] () -- C:\WINDOWS\snp2std.ini
[2009/10/22 11:17:53 | 000,025,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\sncamd.sys
[2009/10/22 11:17:52 | 012,212,864 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2sxp.sys
[2009/09/22 15:51:50 | 000,000,057 | ---- | C] () -- C:\WINDOWS\taxpln07.INI
[2009/09/22 15:49:31 | 000,000,057 | ---- | C] () -- C:\WINDOWS\taxpln08.INI
[2009/09/22 15:25:46 | 000,000,045 | ---- | C] () -- C:\WINDOWS\LTBUI08.INI
[2009/09/22 15:25:42 | 000,000,079 | ---- | C] () -- C:\WINDOWS\WTAXSYNC.ini
[2009/09/22 15:25:41 | 000,000,046 | ---- | C] () -- C:\WINDOWS\TaxSetup.INI
[2009/09/22 15:24:41 | 000,005,756 | ---- | C] () -- C:\WINDOWS\w08tax.ini
[2009/09/22 15:14:38 | 000,004,452 | ---- | C] () -- C:\WINDOWS\w07tax.ini
[2009/09/22 15:14:37 | 000,000,031 | ---- | C] () -- C:\WINDOWS\lacerte.ini
[2009/09/22 08:26:54 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/09/21 17:27:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/07/26 10:18:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/07/26 10:18:00 | 001,499,136 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/07/26 10:18:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/07/26 10:18:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/07/26 10:18:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008/03/11 20:50:02 | 000,014,344 | ---- | C] () -- C:\WINDOWS\UN060501.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 217 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:F35A93AD
@Alternate Data Stream - 173 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:527B6DAD
@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:8E55808C
< End of report >


#15 myrti

Posted 01 August 2010 - 02:03 AM

Hi,

It seems you missed the first line of the script I gave you. Could you please rerun it and make sure you include the first line, :files.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
