ohtgnoenriga search result redirect


19 replies to this topic

#1 I_Am_Doomed

I_Am_Doomed

  • Members
  • 10 posts
  • Local time:03:44 PM

Posted 28 July 2010 - 07:46 PM

Malware hit on July 18.
Installed F-Secure, and let it do its thing.
All that seems to be left is the redirect. F-Secure does not find it. Malwarebytes does not find it.
Links provided by a search (google, bing) redirect to ohtgnoenriga, and some other website.
I have put ohtgnoenriga on the disallow list on my router.

GMER scan runs for hours, and then locks up the PC before I can save the results.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Kobus at 19:46:05.12 on Mon 07/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.375 [GMT -4:00]

AV: F-Secure Internet Security 2010 10.12 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2010 10.12 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSHDLL32.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TalkSwitch\UDPLogger\UDPLogger.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\UPS\WSTD\WSTDMessaging.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kobus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Browsing Protection Class: {c6867eb7-8350-4856-877f-93cf8ae3dc9c} - c:\program files\f-secure\nrs\iescript\baselitmus.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Browsing Protection Toolbar: {265eee8e-3228-44d3-aea5-f7fdf5860049} - c:\program files\f-secure\nrs\iescript\baselitmus.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [PeachtreePrefetcher.exe] c:\program files\sage software\peachtree\PeachtreePrefetcher.exe /configfile:peachtreeprefetcher.winstart.config
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [NA1Messenger] c:\ups\wstd\UPSNA1Msgr.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [F-Secure Manager] "c:\program files\f-secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\f-secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lpt1drv.lnk - c:\lpt1drv.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upswor~2.lnk - c:\ups\wstd\WSTDMessaging.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upswor~1.lnk - c:\ups\wstd\wstdPldReminder.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\f-secure\fsps\program\FSLSP.DLL
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} - hxxp://192.168.1.207/DVROcxEx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} - hxxp://speedtest.adelphia.net/customerdiag/speedtest/SPEEDTESTACTIVEX.CAB
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kobus\applic~1\mozilla\firefox\profiles\wpmgvvwd.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
FF - component: c:\program files\f-secure\nrs\litmus-ff@f-secure.com\components\litmus-ff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2010-7-18 41256]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2010-7-18 81864]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure\hips\drivers\fshs.sys [2010-7-18 69928]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure\anti-virus\fsgk32st.exe [2010-7-18 221608]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2008-6-6 435496]
R2 TSUDPLogger;Talkswitch UDP Logger Service;c:\program files\talkswitch\udplogger\UDPLogger.exe [2009-5-21 188416]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure\anti-virus\minifilter\fsgk.sys [2010-7-18 123056]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\f-secure\orsp client\fsorsp.exe [2010-7-18 57008]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2010-6-17 131664]
R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [2010-6-17 91728]
S2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\SSIPDDP.SYS [2007-10-15 54272]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\adm8511.sys [2006-7-29 20160]
S3 Peachtree SmartPosting 2011;Peachtree SmartPosting 2011;c:\program files\sage software\peachtree\SmartPostingService2011.exe [2010-4-10 43816]
S3 TED200M5;TED200M5 NDIS Protocol Driver;c:\windows\system32\drivers\ted200m5.sys --> c:\windows\system32\drivers\TED200M5.sys [?]
S3 TED200S5;TED200S5 NDIS Protocol Driver;c:\windows\system32\drivers\TED200S5.sys [2007-12-14 27072]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure\anti-virus\win2k\fsfilter.sys [2010-7-18 41640]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure\anti-virus\win2k\fsrec.sys [2010-7-18 27048]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-25 135664]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 19:47:16.12 ===============



#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:03:44 PM

Posted 07 August 2010 - 12:08 PM

Hello I_Am_Doomed

Welcome to BleepingComputer
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section paste in the below in bold

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 I_Am_Doomed

I_Am_Doomed
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:44 PM

Posted 09 August 2010 - 09:26 AM

Joy!

The redirect is currently dormant, or F-Secure finally did something. I am not sure. I do not trust the PC.

During the scan I got an error: "Exception Processing Message c0000013 Parameters 75b6bf7c 75b6bf7c 75b6bf7c"
It repeated several times. I also got a drive not found error, or something similar.

Below are the results.
Thanks.


OTL Extras logfile created on: 8/9/2010 10:09:35 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Kobus\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 354.00 Mb Available Physical Memory | 35.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.22 Gb Total Space | 12.46 Gb Free Space | 17.50% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive S: | 279.46 Gb Total Space | 80.52 Gb Free Space | 28.81% Space Free | Partition Type: NTFS
Drive U: | 74.45 Gb Total Space | 40.11 Gb Free Space | 53.87% Space Free | Partition Type: NTFS

Computer Name: FUZZY2
Current User Name: Kobus
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.js [@ = JSFile] -- C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe (Macromedia, Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
jsfile [open] -- "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- ()
"C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" = C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe:*:Enabled:Dreamweaver MX 2004 -- (Macromedia, Inc.)
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\WS_FTP\WS_FTP95.exe" = C:\Program Files\WS_FTP\WS_FTP95.exe:*:Enabled:WS_FTP 95 -- (Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA)
"C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe" = C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe:*:Enabled:Database Service Manager -- (Pervasive Software Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{03CAB33F-D1C2-48C6-8766-DAE84DFC25FE}" = Microsoft Sync Framework Services v1.0 (x86)
"{04B7D634-7C88-4309-94A5-F4AB50FD08DC}" = TalkSwitch Ethernet Driver
"{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}" = Macromedia Dreamweaver MX 2004
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{07A540AB-D785-11D5-8E89-0090275862A0}" = Corel Graphics Suite 11
"{0A3238D7-AB32-1010-B717-F3E3F18B4A8C}" = Pervasive PSQL v10 SP2 Workgroup (32-bit)
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{10525FF1-4859-4F45-BEA5-CB61F9ED01AD}" = ViewMasterEZ 10.4
"{11E87CE5-C319-408D-8F2B-40F4DFC06D92}" = ViewMasterEZ 10.2
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{16115E10-502B-4EA0-BD39-4DA329AD89E2}" = BELKIN F5U109 V1.25
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1A0EBDE9-A7E1-4f57-996E-255A7061F572}" = TalkSwitch USB Driver
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F5075FE-3294-4EDB-9DFF-9ACFBFCDD769}" = City Navigator North America NT v7
"{1FAF0F08-7120-4192-BF6A-B1EC7E26A935}" = UPSVCMM
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 21
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2A033A00-FE0D-4609-B0E8-2C49CC494FC8}" = WorldShip
"{2FD94FBC-07AE-475C-B522-BFE899B9048E}" = Garmin WebUpdater
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{31ED608D-8826-41AA-913F-DBC45CB4DE09}" = Topo USA 4.0
"{3248F0A8-6813-11D6-A77B-00B0D0150010}" = J2SE Runtime Environment 5.0 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{33035862-543C-4405-9CC6-08593CF2C25F}" = ReportServer
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{33DA8C42-A494-4E5B-9211-8584304CEFDD}" = ViewMasterEZ 10.2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{359E21D9-FE6F-45A8-B5D8-44809E39A99B}" = Eudora
"{370BCBBA-67D7-4535-ADCD-58CD1C8DEC99}" = Zune Language Pack (DE)
"{390160B4-D276-4A04-8002-8D3101A0D367}" = UPSICC
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{40EC6323-497B-44DA-8A88-74578622D9B3}" = Zune Language Pack (IT)
"{43094D3A-930E-4c36-9E43-9D0DB048ABDD}" = TalkSwitch 6.11
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{495C96CC-70AE-41C5-81BB-121ECA132756}" = ACH Origination Application
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5301C483-40FB-4F94-B56E-D7D5A114D2F6}" = Garmin City Navigator North America NT v8
"{53735ECE-E461-4FD0-B742-23A352436D3A}" = Logitech Updater
"{548EEA8E-8299-497F-8057-811D2D7097DC}" = Dell Support 3.1
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{56B59C2A-EFB8-44AC-88F5-3280171E4522}" = PolicyManager
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{597E70FF-7C46-4EED-8092-91B7C2E0529D}" = Google SketchUp 7
"{5A847475-157F-45AD-9919-CD40D344B8B1}" = QBFC3.0
"{5AE59A84-B2F3-42CC-A246-5AF80F6EE770}" = Reconciler
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{5E3CFCA6-C95A-47CB-A822-7FA80D423AF2}" = MapSource
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{63E949F6-03BC-5C40-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM Beta2
"{66332652-9C28-58B1-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 ATL.Policy (x86) WinSXS MSM Beta2
"{66A9D30D-1464-4C7F-B2F3-507DADAF2595}" = Microsoft IntelliPoint 6.3
"{6798DD4E-BD16-4735-87EB-D712637CCB8C}" = Sage Message Center
"{67B9AF41-C0B9-4960-84D9-A61D23DE85D8}" = Garmin Trip and Waypoint Manager v4
"{67E4EE98-59F4-4210-89A6-A20AF5BEC689}" = Microsoft Streets and Trips 2005
"{68AF09E3-1167-4771-903C-CCCDCF7E171C}" = NRF
"{68B7C6D9-1DF2-54C1-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 MFC.Policy (x86) WinSXS MSM Beta2
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7377CC2E-25C5-45be-8294-DF257A654000}" = TalkSwitch USB Driver 2.0
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{768EE88B-8DB6-4C90-8659-7B62B3A8C955}" = Topo USA 4.0 Region 1 Data
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7D25A304-C82D-41C3-85A8-3BEF84E04887}" = Garmin WebUpdater
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{80E75835-9AEF-4C76-BD35-8C784D79E545}" = ViewMasterEZ 10.6
"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel® PROSet for Wired Connections
"{88415B8A-142E-43CA-86E5-05BB4F2F6357}" = Palm Desktop for 7135
"{888FFC82-688D-46AB-A776-B417885432B6}" = Zune
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8BCB844B-0814-4354-A413-1063DB4618E9}" = PeachTree Signature Ready Forms
"{8C5BD501-AD5D-4A75-9321-076509B438FC}" = WebHelp
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95749C5B-BC37-41E3-8D39-EEF4C21A2825}" = CCC
"{96327C3C-96BE-4C7A-A6F7-A71635E5949A}" = Microsoft SQL Server 2005 Backward compatibility
"{97F81AF1-0E47-DC99-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 ATL (x86) WinSXS MSM Beta2
"{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 CRT (x86) WinSXS MSM Beta2
"{9BAE13A2-E7AF-D6C3-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 MFC (x86) WinSXS MSM Beta2
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A15F4487-6AC1-4963-8483-CB8144D1C959}" = ViewMasterEZ 10.4
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4121C0A-438D-426D-986F-4E14BBBAB2A3}" = MGC Visual Studio 7 Runtime
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A5763105-D1D5-4862-A3FE-EC058F9AA73E}" = ICCHelp
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{A8BD5A60-E843-46DC-8271-ABF20756BE0F}" = Microsoft Sync Framework Runtime v1.0 (x86)
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB6972B2-CF5D-4CC8-AF4F-B5D6888AB120}" = Microsoft Office Live Meeting 2005
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1
"{AFDFC350-C142-4790-BE12-8357AECD028F}" = SyncToy 2.0 (x86)
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B3F1E526-180B-4480-9FEC-3E2DCB8EA9CE}" = F-Secure PSC Prerequisites
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BC728F95-2D3F-4D05-9E1E-F2A3CEBF3FE8}" = FormsComponent
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C23415D8-FE94-4F52-B5C4-0FFA2202C6D9}" = UPSVCMM
"{C30E30A6-0AB5-470A-AB67-D322938F5429}" = SupportUtility
"{C41F4616-44B6-4E8D-BFC7-4267862A2CE1}" = CinepPlayer 30 Update
"{C484CC8D-03CF-4022-89C4-DB4F02E8A15B}" = Crystal Reports 2008 Runtime SP1
"{C62E0996-AE12-4D9B-8A38-27BB562828F3}" = EudoraProject
"{C9D43B38-34AD-4EC2-B696-46F42D49D174}" = MSIChecker
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF2962CB-E3E7-4AA5-B6CE-EE59A600ECBE}" = UnifiedPrinting
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D44E7219-947E-4F1B-830E-66EF11ACC543}" = NA1Messenger
"{DB2C58E0-6284-4B48-97F2-22A980B6360B}" = System
"{DEA82ED6-1B83-47FB-8DCA-5BAA2F891A25}" = ViewMasterEZ 10.0
"{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}" = Search Assist
"{E358CC1E-4953-4E27-ADEB-8B27D8BBC20E}" = UPSlinkHTTP
"{E5EDA1E6-5FDD-4B29-8399-6022B81C3A7C}" = ControlCenter
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EA2A8B44-4277-4555-8BFC-FA7D590C6301}" = MapSource - US Topo 24K National Parks, East v3
"{EA6EB7D0-C920-4434-B43D-0DDD0AF8F497}" = Garmin MapSource
"{EA9629DA-5715-48BA-B054-28169702B176}" = FOSS
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4FDE018-28CF-47AC-9B01-E5F63D9F5BC1}" = ImpExpSafety
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{FC87D80E-5BC6-4EE8-9B09-EBA4F9C0A1C2}" = Peachtree Accounting 2011
"{FD5D60CB-EF42-4919-8FFC-B4594C042611}" = ViewMate 10.0
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"ActiveTouchMeetingClient" = WebEx
"Adobe Acrobat 8 Professional" = Adobe Acrobat 8.1.4 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.10
"ATI Display Driver" = ATI Display Driver
"BitTorrent" = BitTorrent 4.26.0
"Citrix ICA Web Client" = MetaFrame Presentation Server Web Client for Win32
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"Cool Edit 2000" = Cool Edit 2000
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"DVD Catalyst" = DVD Catalyst 3.90.2
"F-Secure Product 444" = F-Secure Internet Security 2010
"Gaim" = Gaim (remove only)
"GNU Aspell_is1" = GNU Aspell 0.50-3
"GTK 2.0" = GTK+ Runtime 2.6.9 rev a (remove only)
"H264" = H264 Video Codec
"Handbrake" = Handbrake 0.9.4
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{07A540AB-D785-11D5-8E89-0090275862A0}" = Corel Graphics Suite 11
"InstallShield_{EA2A8B44-4277-4555-8BFC-FA7D590C6301}" = MapSource - US Topo 24K National Parks, East v3
"InstallShield_{FC87D80E-5BC6-4EE8-9B09-EBA4F9C0A1C2}" = Peachtree Accounting 2011
"Integration Services" = Sage Software Integration Services
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MentorGraphicsJI" = Mentor Graphics Products
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Developer Network - Visual Studio 6.0a" = MSDN Library - Visual Studio 6.0a
"Mozilla Firefox (3.0.15)" = Mozilla Firefox (3.0.15)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OrCAD91DeinstKey" = OrCAD 9.1
"Peachtree Complete Accounting" = Peachtree Complete Accounting 2010
"Pegasus Mail" = Pegasus Mail
"Pegasus Mail for Windows" = Pegasus Mail for Windows
"PROSet" = Intel® PRO Network Connections Drivers
"RealPlayer 6.0" = RealPlayer
"Spamnix" = Spamnix
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TOPO!" = TOPO!
"TotalRecorder" = Total Recorder 8.1
"UPS WorldShip" = UPS WorldShip
"ViewpointMediaPlayer" = Viewpoint Media Player
"Visual Basic 6.0 Professional Edition" = Microsoft Visual Basic 6.0 Professional Edition
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WebCyberCoach_wtrb" = WebCyberCoach 3.2 Dell
"WebPost" = Microsoft Web Publishing Wizard 1.53
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"Winmail Opener" = Winmail Opener 1.4
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"Zune" = Zune

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"2f8d25aeed0b3ae4" = Sage Download Manager
"f269fca5d8764803" = Sage Exchange
"GoToMeeting" = GoToMeeting/GoToWebinar 3.0.0.198

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/2/2010 10:39:50 AM | Computer Name = FUZZY2 | Source = Application Error | ID = 1000
Description = Faulting application winpm-32.exe, version 4.5.2.0, faulting module
winpm-32.exe, version 4.5.2.0, fault address 0x0018b976.

Error - 8/2/2010 8:48:28 PM | Computer Name = FUZZY2 | Source = F-Secure Anti-Virus | ID = 103
Description = 1 2010-08-02 20:48:28-04:00 FUZZY2 FUZZY2\Kobus F-Secure Anti-Virus

Manual scanning was not completed successfully.

Error - 8/2/2010 8:52:52 PM | Computer Name = FUZZY2 | Source = F-Secure Anti-Virus | ID = 103
Description = 2 2010-08-02 20:52:52-04:00 FUZZY2 FUZZY2\Kobus F-Secure Anti-Virus

Manual scanning was not completed successfully.

Error - 8/2/2010 11:08:04 PM | Computer Name = FUZZY2 | Source = Application Error | ID = 1000
Description = Faulting application winpm-32.exe, version 4.5.2.0, faulting module
unknown, version 0.0.0.0, fault address 0x01b2c0d0.

Error - 8/2/2010 11:14:14 PM | Computer Name = FUZZY2 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/3/2010 3:40:46 AM | Computer Name = FUZZY2 | Source = F-Secure Anti-Virus | ID = 103
Description = 1 2010-08-03 03:40:45-04:00 FUZZY2 FUZZY2\Kobus F-Secure Anti-Virus

Manual scanning was finished - workstation was found infected!

Error - 8/3/2010 10:55:41 AM | Computer Name = FUZZY2 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/3/2010 10:55:41 AM | Computer Name = FUZZY2 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/3/2010 3:00:27 PM | Computer Name = FUZZY2 | Source = F-Secure Anti-Virus | ID = 103
Description = 2 2010-08-03 15:00:26-04:00 FUZZY2 FUZZY2\Kobus F-Secure Anti-Virus

Manual scanning was finished - spyware was found in the system.

Error - 8/4/2010 10:10:19 AM | Computer Name = FUZZY2 | Source = Application Error | ID = 1000
Description = Faulting application winpm-32.exe, version 4.5.2.0, faulting module
winpm-32.exe, version 4.5.2.0, fault address 0x0018b976.

[ System Events ]
Error - 8/6/2010 9:13:46 PM | Computer Name = FUZZY2 | Source = NetBT | ID = 4321
Description = The name "OSI :1d" could not be registered on the Interface
with IP address 192.168.1.10. The machine with the IP address 192.168.1.201 did
not allow the name to be claimed by this machine.

Error - 8/6/2010 9:18:56 PM | Computer Name = FUZZY2 | Source = NetBT | ID = 4321
Description = The name "OSI :1d" could not be registered on the Interface
with IP address 192.168.1.10. The machine with the IP address 192.168.1.201 did
not allow the name to be claimed by this machine.

Error - 8/9/2010 9:56:48 AM | Computer Name = FUZZY2 | Source = Service Control Manager | ID = 7000
Description = The SSIPDDP service failed to start due to the following error: %%1332

Error - 8/9/2010 9:57:09 AM | Computer Name = FUZZY2 | Source = NetBT | ID = 4321
Description = The name "OSI :1d" could not be registered on the Interface
with IP address 192.168.1.10. The machine with the IP address 192.168.1.201 did
not allow the name to be claimed by this machine.

Error - 8/9/2010 9:59:06 AM | Computer Name = FUZZY2 | Source = NetBT | ID = 4321
Description = The name "OSI :1d" could not be registered on the Interface
with IP address 192.168.1.10. The machine with the IP address 192.168.1.201 did
not allow the name to be claimed by this machine.

Error - 8/9/2010 10:01:18 AM | Computer Name = FUZZY2 | Source = NetBT | ID = 4321
Description = The name "OSI :1d" could not be registered on the Interface
with IP address 192.168.1.10. The machine with the IP address 192.168.1.201 did
not allow the name to be claimed by this machine.

Error - 8/9/2010 10:06:28 AM | Computer Name = FUZZY2 | Source = NetBT | ID = 4321
Description = The name "OSI :1d" could not be registered on the Interface
with IP address 192.168.1.10. The machine with the IP address 192.168.1.201 did
not allow the name to be claimed by this machine.

Error - 8/9/2010 10:11:38 AM | Computer Name = FUZZY2 | Source = NetBT | ID = 4321
Description = The name "OSI :1d" could not be registered on the Interface
with IP address 192.168.1.10. The machine with the IP address 192.168.1.201 did
not allow the name to be claimed by this machine.

Error - 8/9/2010 10:11:38 AM | Computer Name = FUZZY2 | Source = BROWSER | ID = 8009
Description = The browser was unable to promote itself to master browser. The computer
that currently believes it is the master browser is SHIPPING.

Error - 8/9/2010 10:13:31 AM | Computer Name = FUZZY2 | Source = NetBT | ID = 4321
Description = The name "OSI :1d" could not be registered on the Interface
with IP address 192.168.1.10. The machine with the IP address 192.168.1.201 did
not allow the name to be claimed by this machine.


< End of report >
OTL logfile created on: 8/9/2010 10:09:35 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Kobus\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 354.00 Mb Available Physical Memory | 35.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.22 Gb Total Space | 12.46 Gb Free Space | 17.50% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive S: | 279.46 Gb Total Space | 80.52 Gb Free Space | 28.81% Space Free | Partition Type: NTFS
Drive U: | 74.45 Gb Total Space | 40.11 Gb Free Space | 53.87% Space Free | Partition Type: NTFS

Computer Name: FUZZY2
Current User Name: Kobus
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Kobus\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\F-Secure\Anti-Virus\fssm32.exe (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\Anti-Virus\fsav32.exe (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\ORSP Client\fsorsp.exe (F-Secure Corporation)
PRC - C:\UPS\WSTD\WSTDMessaging.exe ()
PRC - C:\Program Files\PMAIL\Programs\winpm-32.exe (David Harris)
PRC - C:\UPS\WSTD\UPSNA1Msgr.exe ()
PRC - C:\Program Files\F-Secure\Common\FSM32.EXE (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\Common\FSMA32.EXE (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\Common\FSHDLL32.EXE (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\FWES\program\fsdfwd.exe (F-Secure Corporation)
PRC - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe (F-Secure Corporation)
PRC - C:\Program Files\TalkSwitch\UDPLogger\UDPLogger.exe ()
PRC - C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe (Pervasive Software Inc.)
PRC - C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Kobus\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\F-Secure\Spam Control\fsscoepl.dll (F-Secure Corporation)
MOD - c:\Program Files\F-Secure\HIPS\fshook32.dll (F-Secure Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (gusvc) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe File not found
SRV - (FSORSPClient) -- C:\Program Files\F-Secure\ORSP Client\fsorsp.exe (F-Secure Corporation)
SRV - (Peachtree SmartPosting 2011) -- C:\Program Files\Sage Software\Peachtree\SmartPostingService2011.exe (Sage Software, Inc.)
SRV - (ZuneWlanCfgSvc) -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe (Microsoft Corporation)
SRV - (ZuneBusEnum) -- C:\WINDOWS\system32\ZuneBusEnum.exe (Microsoft Corporation)
SRV - (ZuneNetworkSvc) -- c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (FSMA) -- C:\Program Files\F-Secure\Common\FSMA32.EXE (F-Secure Corporation)
SRV - (FSDFWD) -- C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe (F-Secure Corporation)
SRV - (F-Secure Gatekeeper Handler Starter) -- C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe (F-Secure Corporation)
SRV - (TSUDPLogger) -- C:\Program Files\TalkSwitch\UDPLogger\UDPLogger.exe ()
SRV - (psqlWGE) -- C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe (Pervasive Software Inc.)
SRV - (SNMP) -- C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)
SRV - (W3SVC) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (SMTPSVC) Simple Mail Transfer Protocol (SMTP) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (IISADMIN) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SRV - (Macromedia Licensing Service) -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe ()
SRV - (LPDSVC) -- C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys File not found
DRV - (TED200M5) -- C:\WINDOWS\System32\Drivers\TED200M5.sys File not found
DRV - (F-Secure Gatekeeper) -- C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys ()
DRV - (Kbdclass) -- C:\WINDOWS\system32\drivers\kbdclass.sys ()
DRV - (fsbts) -- C:\WINDOWS\system32\Drivers\fsbts.sys ()
DRV - (TotRec8) -- C:\WINDOWS\system32\drivers\TotRec8.sys (High Criteria inc.)
DRV - (TotRec7) -- C:\WINDOWS\system32\drivers\TotRec7.sys (High Criteria inc.)
DRV - (zumbus) -- C:\WINDOWS\system32\drivers\zumbus.sys (Microsoft Corporation)
DRV - (F-Secure HIPS) -- C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (F-Secure Corporation)
DRV - (FSFW) -- C:\WINDOWS\System32\drivers\fsdfw.sys (F-Secure Corporation)
DRV - (F-Secure Filter) -- C:\Program Files\F-Secure\Anti-Virus\win2k\fsfilter.sys ()
DRV - (F-Secure Recognizer) -- C:\Program Files\F-Secure\Anti-Virus\win2k\fsrec.sys ()
DRV - (Haspnt) -- C:\WINDOWS\system32\drivers\Haspnt.sys (Aladdin Knowledge Systems)
DRV - (HidBatt) -- C:\WINDOWS\system32\drivers\hidbatt.sys (Microsoft Corporation)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (FTDIBUS) -- C:\WINDOWS\system32\drivers\ftdibus.sys (FTDI Ltd.)
DRV - (FTSER2K) -- C:\WINDOWS\system32\drivers\ftser2k.sys (FTDI Ltd.)
DRV - (LMouFilt) -- C:\WINDOWS\system32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LHidFilt) -- C:\WINDOWS\system32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (WinDriver6) -- C:\WINDOWS\system32\drivers\windrvr9.sys (Jungo)
DRV - (TED200S5) -- C:\WINDOWS\system32\drivers\TED200S5.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (Hardlock) -- C:\WINDOWS\system32\drivers\hardlock.sys (Aladdin Knowledge Systems Ltd.)
DRV - (aksusb) -- C:\WINDOWS\system32\drivers\aksusb.sys (Aladdin Knowledge Systems Ltd.)
DRV - (akshasp) -- C:\WINDOWS\system32\drivers\akshasp.sys (Aladdin Knowledge Systems Ltd.)
DRV - (WinUSB) -- C:\WINDOWS\system32\drivers\winusb.sys (Microsoft Corporation)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Sonic Solutions)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (SSIPDDP) -- C:\WINDOWS\system32\drivers\SSIPDDP.SYS ()
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (U2SP) USB to Serial Converter Driver(Philips) -- C:\WINDOWS\system32\drivers\U2S2KXP.sys (Magic Control Technology Corp.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (Ser2pl) -- C:\WINDOWS\system32\drivers\ser2pl.sys (Prolific Technology Inc.)
DRV - (PalmUSBD) -- C:\WINDOWS\system32\drivers\PalmUSBD.sys (Palm, Inc.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (ADM8511) -- C:\WINDOWS\system32\drivers\adm8511.sys (ADMtek Incorporated)
DRV - (PfModNT) -- C:\WINDOWS\system32\PfModNT.sys (Creative Technology Ltd.)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 0
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.drudgereport.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: litmus-ff@f-secure.com:1.10
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.15

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/01 22:38:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\litmus-ff@f-secure.com: C:\Program Files\F-Secure\NRS\litmus-ff@f-secure.com [2010/07/18 20:24:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/07/21 18:10:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/21 21:04:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/21 21:04:47 | 000,000,000 | ---D | M]

[2010/07/21 21:05:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\Mozilla\Extensions
[2010/07/21 21:05:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Kobus\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/09/02 13:10:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\Mozilla\Firefox\Profiles\wpmgvvwd.default\extensions
[2009/09/02 13:10:38 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Kobus\Application Data\Mozilla\Firefox\Profiles\wpmgvvwd.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/21 18:10:26 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/21 21:04:47 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/02/28 18:18:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2010/07/21 18:10:27 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/21 21:04:30 | 000,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/07/21 21:04:30 | 000,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2006/10/10 16:57:38 | 000,049,152 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
[2010/07/21 18:10:10 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2007/05/02 14:01:52 | 000,717,312 | ---- | M] (DivX,Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
[2007/05/02 14:02:43 | 000,094,208 | ---- | M] (DivX, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
[2010/07/21 21:04:40 | 000,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2008/10/14 21:33:29 | 000,095,600 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2007/08/22 16:16:58 | 000,144,984 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
[2010/06/24 19:11:08 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2010/06/24 19:11:08 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2010/06/24 19:11:08 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2010/06/24 19:11:08 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2010/06/24 19:11:08 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2010/06/24 19:11:08 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2010/06/24 19:11:08 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2007/08/22 16:17:05 | 000,024,576 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
[2007/08/22 16:16:53 | 000,081,920 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
[2010/07/21 21:04:42 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2010/07/21 21:04:42 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2010/07/21 21:04:42 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2010/07/21 21:04:42 | 000,002,343 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2010/07/21 21:04:42 | 000,001,706 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2010/07/21 21:04:42 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2010/07/21 21:04:42 | 000,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Browsing Protection Class) - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Oracle)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Oracle)
O3 - HKLM\..\Toolbar: (Browsing Protection Toolbar) - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [F-Secure Manager] C:\Program Files\F-Secure\Common\FSM32.EXE (F-Secure Corporation)
O4 - HKLM..\Run: [F-Secure TNB] C:\Program Files\F-Secure\FSGUI\TNBUtil.exe (F-Secure Corporation)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe ()
O4 - HKLM..\Run: [PeachtreePrefetcher.exe] C:\Program Files\Sage Software\Peachtree\PeachtreePrefetcher.exe (Sage Software, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lpt1drv.lnk = C:\lpt1drv.bat ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe (UPS)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O15 - HKCU\..Trusted Domains: ameritrade.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: tdameritrade.com ([]https in Trusted sites)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternatiff.com/install-ie/alttiff.cab (AlternaTIFF ActiveX)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/3/9...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab (Citrix ICA Client)
O16 - DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} http://192.168.1.207/DVROcxEx.cab (DVROcxEx Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} http://speedtest.adelphia.net/customerdiag...TESTACTIVEX.CAB (SpdTCtl Class)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_01)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Kobus\My Documents\My Pictures\critters\Sketch b.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Kobus\My Documents\My Pictures\critters\Sketch b.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Qualcomm\Eudora\EuShlExt.dll (Qualcomm Inc.)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2007/05/11 17:55:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{b2c08691-75af-11db-b01e-00a0c920b8e8}\Shell - "" = AutoRun
O33 - MountPoints2\{b2c08691-75af-11db-b01e-00a0c920b8e8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b2c08691-75af-11db-b01e-00a0c920b8e8}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746534284132352)

========== Files/Folders - Created Within 30 Days ==========

[2010/08/09 10:07:28 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kobus\Desktop\OTL.exe
[2010/07/26 19:00:24 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/07/21 18:10:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/07/21 18:10:24 | 000,423,656 | ---- | C] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/21 18:10:24 | 000,153,376 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/21 18:10:24 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/21 18:10:24 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/21 10:16:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kobus\My Documents\zz f-secure
[2010/07/19 11:07:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kobus\Application Data\F-Secure
[2010/07/18 20:08:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\F-Secure
[2010/07/18 20:08:01 | 000,081,864 | ---- | C] (F-Secure Corporation) -- C:\WINDOWS\System32\drivers\fsdfw.sys
[2010/07/18 20:07:17 | 000,000,000 | ---D | C] -- C:\Program Files\F-Secure
[2010/07/18 18:41:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/18 18:41:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/18 18:29:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kobus\Local Settings\Application Data\njvphrcup
[2010/07/14 17:21:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Peachtree
[2010/07/14 09:57:56 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/09 10:07:28 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kobus\Desktop\OTL.exe
[2010/08/09 09:59:16 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/09 09:57:18 | 000,000,508 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled scanning task.job
[2010/08/09 09:56:51 | 000,052,241 | ---- | M] () -- C:\WINDOWS\System32\null (blank)
[2010/08/09 09:56:37 | 000,000,304 | -HS- | M] () -- C:\WINDOWS\tasks\Hwbatbybg.job
[2010/08/09 09:56:37 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/09 09:56:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/09 09:56:30 | 1071,796,224 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/06 21:22:05 | 015,204,352 | ---- | M] () -- C:\Documents and Settings\Kobus\NTUSER.DAT
[2010/08/06 21:21:58 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Kobus\ntuser.ini
[2010/08/06 16:12:44 | 003,624,960 | ---- | M] () -- C:\Documents and Settings\Kobus\Local Settings\Application Data\filesync.metadata
[2010/08/06 15:44:05 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\Excel.lnk
[2010/08/06 15:35:14 | 000,000,214 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\stuff.url
[2010/08/06 14:03:03 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\Word.lnk
[2010/08/05 19:23:41 | 000,000,724 | ---- | M] () -- C:\WINDOWS\salesdb.ini
[2010/08/05 10:50:32 | 000,000,133 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\pallet jack.url
[2010/08/04 15:04:45 | 001,056,387 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\OPTI.pdf
[2010/08/04 15:04:45 | 000,218,112 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\IJ35 -40 Return Instructions.doc
[2010/08/04 15:04:45 | 000,202,240 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\Neopost_MMR_Rev_02_2010.doc
[2010/08/03 17:12:06 | 000,000,139 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\App Inventor for Android.url
[2010/08/03 15:57:51 | 000,018,253 | ---- | M] () -- C:\WINDOWS\COOL.INI
[2010/08/03 15:57:51 | 000,010,828 | ---- | M] () -- C:\WINDOWS\coolkb2k.ini
[2010/08/03 15:57:51 | 000,000,000 | ---- | M] () -- C:\WINDOWS\COOLSYS.INI
[2010/08/03 15:53:22 | 000,000,824 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/03 15:53:22 | 000,000,027 | ---- | M] () -- C:\WINDOWS\winzip32.ini
[2010/08/03 15:45:56 | 012,702,153 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\Android22UsersGuide.pdf
[2010/08/02 10:00:51 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/02 10:00:51 | 000,000,211 | -H-- | M] () -- C:\boot.ini
[2010/07/29 10:56:49 | 000,000,635 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\pmail.lnk
[2010/07/29 10:31:55 | 000,192,512 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\33411ROpti-Sciences.xls
[2010/07/27 17:05:07 | 000,000,682 | ---- | M] () -- C:\WINDOWS\DataCapture.ini
[2010/07/27 02:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll
[2010/07/26 19:40:12 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Kobus\defogger_reenable
[2010/07/26 18:24:33 | 000,039,936 | ---- | M] () -- C:\Documents and Settings\Kobus\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/21 18:10:07 | 000,153,376 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/21 18:10:07 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/21 18:10:07 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/21 18:10:07 | 000,073,728 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/21 18:10:04 | 000,423,656 | ---- | M] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/21 13:30:40 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\Notepad.lnk
[2010/07/21 11:50:42 | 000,000,355 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\xxxhosts
[2010/07/20 19:00:22 | 000,001,475 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\Windows Explorer.lnk
[2010/07/19 12:35:41 | 000,063,779 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\nashua stair project.pdf
[2010/07/18 21:31:09 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cafe72c2f08570.job
[2010/07/18 21:30:58 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/07/18 21:04:00 | 000,024,576 | ---- | M] () -- C:\WINDOWS\System32\drivers\kbdclass.sys
[2010/07/18 20:25:36 | 000,041,256 | ---- | M] () -- C:\WINDOWS\System32\drivers\fsbts.sys
[2010/07/18 20:20:55 | 000,000,876 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\F-Secure Internet Security 2010.lnk
[2010/07/18 20:08:05 | 000,646,302 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/18 20:08:05 | 000,529,856 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/18 20:08:05 | 000,104,348 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/14 17:48:04 | 000,000,110 | ---- | M] () -- C:\Documents and Settings\Kobus\Desktop\Arrow.url
[2010/07/14 17:21:38 | 000,162,991 | ---- | M] () -- C:\WINDOWS\PeachWLog.XML
[2010/07/14 10:05:37 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/13 14:09:40 | 000,001,208 | ---- | M] () -- C:\Documents and Settings\Kobus\ViewMasterEZ.cfg
[2010/07/13 14:09:40 | 000,000,017 | -H-- | M] () -- C:\WINDOWS\System32\servdat.slm
[2010/07/13 14:03:48 | 000,000,219 | ---- | M] () -- C:\WINDOWS\System32\lsprst7.tgz
[2010/07/13 14:03:48 | 000,000,205 | ---- | M] () -- C:\WINDOWS\System32\lsprst7.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/05 10:50:32 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\Kobus\Desktop\pallet jack.url
[2010/08/04 15:04:45 | 000,218,112 | ---- | C] () -- C:\Documents and Settings\Kobus\Desktop\IJ35 -40 Return Instructions.doc
[2010/08/04 15:04:45 | 000,202,240 | ---- | C] () -- C:\Documents and Settings\Kobus\Desktop\Neopost_MMR_Rev_02_2010.doc
[2010/08/04 15:04:44 | 001,056,387 | ---- | C] () -- C:\Documents and Settings\Kobus\Desktop\OPTI.pdf
[2010/08/03 17:12:06 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Kobus\Desktop\App Inventor for Android.url
[2010/08/03 15:45:56 | 012,702,153 | ---- | C] () -- C:\Documents and Settings\Kobus\Desktop\Android22UsersGuide.pdf
[2010/08/02 23:19:16 | 000,000,508 | ---- | C] () -- C:\WINDOWS\tasks\Scheduled scanning task.job
[2010/07/29 10:56:49 | 000,000,635 | ---- | C] () -- C:\Documents and Settings\Kobus\Desktop\pmail.lnk
[2010/07/29 10:31:54 | 000,192,512 | ---- | C] () -- C:\Documents and Settings\Kobus\Desktop\33411ROpti-Sciences.xls
[2010/07/29 10:16:06 | 000,000,214 | ---- | C] () -- C:\Documents and Settings\Kobus\Desktop\stuff.url
[2010/07/26 19:40:12 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Kobus\defogger_reenable
[2010/07/20 12:57:22 | 1071,796,224 | -HS- | C] () -- C:\hiberfil.sys
[2010/07/19 12:34:03 | 000,063,779 | ---- | C] () -- C:\Documents and Settings\Kobus\Desktop\nashua stair project.pdf
[2010/07/18 21:04:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\drivers\kbdclass.sys
[2010/07/18 20:20:55 | 000,000,876 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\F-Secure Internet Security 2010.lnk
[2010/07/18 20:08:26 | 000,041,256 | ---- | C] () -- C:\WINDOWS\System32\drivers\fsbts.sys
[2010/07/18 18:29:27 | 000,000,304 | -HS- | C] () -- C:\WINDOWS\tasks\Hwbatbybg.job
[2010/07/14 17:48:04 | 000,000,110 | ---- | C] () -- C:\Documents and Settings\Kobus\Desktop\Arrow.url
[2010/05/05 10:31:36 | 000,540,672 | R--- | C] () -- C:\WINDOWS\System32\softcoin.dll
[2010/05/05 10:31:36 | 000,360,448 | R--- | C] () -- C:\WINDOWS\System32\gencoin.dll
[2010/03/26 10:19:23 | 000,021,504 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2010/01/18 15:02:47 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\amd422codec.dll
[2009/08/28 15:13:46 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\PlayerDll.dll
[2009/08/28 15:13:42 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\DVRConfig.dll
[2009/08/28 15:13:38 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\ResourceDll.dll
[2009/08/20 11:36:54 | 000,258,048 | ---- | C] () -- C:\WINDOWS\System32\DVRTH264.dll
[2009/04/06 18:51:44 | 000,001,774 | ---- | C] () -- C:\WINDOWS\PCW170.INI_upg2011
[2009/02/04 20:10:16 | 000,000,285 | ---- | C] () -- C:\WINDOWS\quotedb.ini
[2008/09/15 19:17:08 | 000,001,789 | ---- | C] () -- C:\WINDOWS\PCW160.INI_upg2010
[2008/07/18 12:11:55 | 000,000,085 | ---- | C] () -- C:\WINDOWS\cutlist.ini
[2008/05/06 17:37:58 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2008/05/06 17:37:58 | 000,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2008/04/17 17:55:24 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
[2008/04/08 20:40:11 | 000,000,127 | ---- | C] () -- C:\WINDOWS\xprobe.INI
[2008/03/27 13:06:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vgenui.INI
[2008/03/19 19:12:42 | 000,399,360 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2008/03/19 19:12:41 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2008/02/01 21:17:54 | 000,000,153 | ---- | C] () -- C:\WINDOWS\wstdUPSWSHIP.INI
[2007/10/15 16:55:23 | 000,054,272 | R--- | C] () -- C:\WINDOWS\System32\drivers\SSIPDDP.SYS
[2007/10/03 15:09:59 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2007/09/02 18:32:59 | 000,000,118 | ---- | C] () -- C:\WINDOWS\TOPO.INI
[2007/08/30 10:10:40 | 000,953,344 | ---- | C] () -- C:\WINDOWS\System32\pg32.dll
[2007/08/30 10:10:40 | 000,193,024 | ---- | C] () -- C:\WINDOWS\System32\co2c40en.dll
[2007/08/30 10:10:40 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\implode.dll
[2007/07/27 13:39:33 | 000,000,724 | ---- | C] () -- C:\WINDOWS\salesdb.ini
[2007/07/27 13:12:50 | 000,000,519 | ---- | C] () -- C:\WINDOWS\Copy of salesdb.ini
[2007/06/13 16:21:49 | 000,000,133 | ---- | C] () -- C:\WINDOWS\coolacm.ini
[2007/05/02 14:04:19 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/05/01 22:33:57 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/04/18 11:02:25 | 000,000,062 | ---- | C] () -- C:\WINDOWS\ccolwiz.ini
[2007/03/15 17:05:24 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2007/02/22 21:09:47 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2007/02/22 21:09:47 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2007/02/22 21:09:31 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2007/02/22 21:09:31 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2007/02/22 21:09:30 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2007/02/12 11:58:00 | 000,000,682 | ---- | C] () -- C:\WINDOWS\DataCapture.ini
[2007/02/12 11:58:00 | 000,000,404 | ---- | C] () -- C:\WINDOWS\DataCapture old.ini
[2006/12/03 16:57:32 | 000,001,516 | ---- | C] () -- C:\WINDOWS\CoolCD1.ini
[2006/10/08 12:51:13 | 000,002,233 | ---- | C] () -- C:\WINDOWS\coolmp3.ini
[2006/10/08 12:51:13 | 000,000,772 | ---- | C] () -- C:\WINDOWS\wordpad.ini
[2006/10/08 12:51:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\COOLSYS.INI
[2006/10/08 12:51:12 | 000,010,828 | ---- | C] () -- C:\WINDOWS\coolkb2k.ini
[2006/10/08 12:50:55 | 000,000,027 | ---- | C] () -- C:\WINDOWS\winzip32.ini
[2006/10/08 12:49:42 | 000,018,253 | ---- | C] () -- C:\WINDOWS\COOL.INI
[2006/10/06 20:53:25 | 000,000,041 | ---- | C] () -- C:\WINDOWS\loc2.INI
[2006/10/06 20:53:22 | 000,000,041 | ---- | C] () -- C:\WINDOWS\FindServ.INI
[2006/10/06 20:47:50 | 000,000,038 | ---- | C] () -- C:\WINDOWS\Topo4.ini
[2006/10/06 13:59:12 | 000,002,516 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/10/06 13:59:12 | 000,000,008 | RHS- | C] () -- C:\WINDOWS\System32\03BA3F4C70.sys
[2006/07/29 20:32:07 | 000,319,696 | ---- | C] () -- C:\WINDOWS\System32\BOCOF.DLL
[2006/07/28 18:32:43 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ACROREAD.INI
[2006/07/28 18:27:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SPLASH.INI
[2006/07/28 17:45:42 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\rsUtil.dll
[2006/07/27 18:47:15 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/07/21 17:08:03 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/07/21 17:00:13 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/07/21 16:50:16 | 000,001,669 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/21 16:22:46 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/12/01 13:33:56 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\hppapr02.DLL
[2005/11/10 01:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/11 17:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 17:12:00 | 000,000,037 | ---- | C] () -- C:\WINDOWS\vbaddinxxx.ini
[2004/08/11 17:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/07/13 15:35:48 | 000,001,616 | ---- | C] () -- C:\WINDOWS\PCW130.INI_upg2009
[2003/04/08 14:41:20 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\nssckbi.dll
[2003/02/25 01:49:56 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1999/03/30 09:53:50 | 000,000,793 | ---- | C] () -- C:\WINDOWS\BTI.INI
[1998/06/10 00:00:00 | 000,015,120 | ---- | C] () -- C:\WINDOWS\System32\REPUTIL.DLL

========== LOP Check ==========

[2010/07/06 20:53:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Aatrix Software
[2010/07/18 20:08:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F-Secure
[2010/07/18 20:06:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\fssg
[2009/03/13 15:08:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2008/11/25 19:12:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\mgc
[2008/11/25 19:03:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pads
[2008/12/02 21:19:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pervasive Software
[2010/06/21 10:00:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TotalRecorder
[2006/07/21 16:53:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/12/05 22:10:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\.gaim
[2010/07/06 20:53:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\Aatrix Software
[2008/07/02 21:21:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\Amazon
[2006/10/24 14:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\BitTorrent
[2010/02/02 17:19:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\callas software
[2010/07/01 15:28:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\DVD Catalyst3
[2010/05/19 20:54:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\Email
[2010/07/20 19:39:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\F-Secure
[2009/05/10 15:53:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\GARMIN
[2008/04/17 15:00:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\gtk-2.0
[2010/03/26 11:37:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\HandBrake
[2007/11/07 13:47:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\ICAClient
[2006/10/09 12:38:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\Leadertech
[2010/02/18 12:19:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\osi
[2006/07/28 17:46:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\Peachtree
[2009/02/05 14:08:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\PentaLogix
[2006/10/06 20:29:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\Qualcomm
[2010/07/08 12:04:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\Sage
[2010/06/22 10:02:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\TotalRecorder
[2007/09/23 15:57:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\Viewpoint
[2007/10/03 15:10:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kobus\Application Data\webex
[2010/08/09 09:56:37 | 000,000,304 | -HS- | M] () -- C:\WINDOWS\Tasks\Hwbatbybg.job
[2010/08/09 09:57:18 | 000,000,508 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled scanning task.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/08/13 15:09:44 | 000,249,856 | ---- | M] () -- C:\20100116.mdb
[2009/08/13 15:09:44 | 000,249,856 | ---- | M] () -- C:\20100118.mdb
[2009/08/13 15:09:44 | 000,249,856 | ---- | M] () -- C:\20100608.mdb
[2009/05/14 17:51:55 | 000,000,395 | ---- | M] () -- C:\aaw7boot.log
[2007/05/11 17:55:12 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/08/02 10:00:51 | 000,000,211 | -H-- | M] () -- C:\boot.ini
[2008/10/15 10:04:04 | 000,000,211 | RH-- | M] () -- C:\BOOT.PCP
[2006/07/27 19:04:34 | 001,048,576 | -H-- | M] () -- C:\cache.dmx
[2004/08/11 17:15:00 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/03/06 12:57:47 | 000,000,187 | ---- | M] () -- C:\CtDrvIns.log
[2006/07/21 16:30:20 | 000,006,679 | RH-- | M] () -- C:\dell.sdr
[2010/08/09 09:56:30 | 1071,796,224 | -HS- | M] () -- C:\hiberfil.sys
[2006/07/27 19:20:48 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2004/08/11 17:15:00 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2006/07/21 16:53:29 | 000,000,830 | -H-- | M] () -- C:\IPH.PH
[2007/05/11 17:54:59 | 000,000,041 | ---- | M] () -- C:\lpt1drv.bat
[2002/01/05 04:48:16 | 000,974,848 | ---- | M] (Microsoft Corporation) -- C:\mfc70.dll
[2002/01/05 04:36:38 | 000,964,608 | ---- | M] (Microsoft Corporation) -- C:\mfc70u.dll
[2009/12/07 21:19:45 | 002,235,888 | ---- | M] () -- C:\msde2000_setup.log
[2004/08/11 17:15:00 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2004/08/04 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/10/13 14:11:14 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/02/02 19:37:00 | 087,672,511 | ---- | M] () -- C:\optisci.xxx
[2010/08/09 09:56:24 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2010/07/06 20:48:04 | 021,475,126 | ---- | M] () -- C:\PSQL_v10_Install.log
[2009/08/13 15:09:44 | 000,294,912 | ---- | M] () -- C:\RecDevice.mdb
[2010/07/06 20:54:48 | 000,891,632 | ---- | M] () -- C:\SageMessageCenter_Install.log
[2006/07/21 16:53:35 | 000,000,087 | ---- | M] () -- C:\SystemInfo.ini

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >
[2010/08/09 09:56:37 | 000,000,304 | -HS- | M] () Unable to obtain MD5 -- C:\WINDOWS\Tasks\Hwbatbybg.job

< %systemroot%\System32\config\*.sav >
[2004/08/11 17:06:14 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/11 17:06:14 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/11 17:06:14 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/07/18 20:25:36 | 000,041,256 | ---- | M] () -- C:\WINDOWS\system32\drivers\fsbts.sys
[2010/07/18 21:04:00 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\drivers\kbdclass.sys

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2005/09/23 03:25:16 | 000,069,120 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp053.dll
[2004/12/06 00:09:50 | 000,062,976 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\HPZPP38Y.DLL
[2008/09/23 22:53:00 | 000,062,976 | ---- | M] (Lexmark International Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LMACGL4C.DLL
[2008/02/12 13:45:58 | 000,028,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lmdippr.dll
[2004/03/22 15:17:08 | 000,025,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
< End of report >


#4 kahdah (Security Colleague)

Posted 09 August 2010 - 01:42 PM

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following

===================
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

========
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#5 I_Am_Doomed (Topic Starter)

Posted 09 August 2010 - 02:34 PM

I have tried the fix, as reinstalling everything from scratch is too large a job at this point. This PC is old, and will be getting replaced in a few months.

TDSSKiller found nothing.

ComboFix did, I think.



ComboFix 10-08-08.03 - Kobus 08/09/2010 15:06:38.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.491 [GMT -4:00]
Running from: c:\documents and settings\Kobus\Desktop\ComboFix.exe
AV: F-Secure Internet Security 2010 10.12 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2010 10.12 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kobus\g2mdlhlpx.exe
c:\windows\jestertb.dll
c:\windows\system32\Cache
c:\windows\system32\lsprst7.dll
c:\windows\system32\zip32.dll

.
((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
.

2010-07-26 23:00 . 2010-07-26 23:00 388096 ----a-r- c:\documents and settings\Kobus\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-26 23:00 . 2010-07-26 23:00 -------- d-----w- c:\program files\Trend Micro
2010-07-21 22:11 . 2010-07-21 22:11 503808 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1501914b-n\msvcp71.dll
2010-07-21 22:11 . 2010-07-21 22:11 499712 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1501914b-n\jmc.dll
2010-07-21 22:11 . 2010-07-21 22:11 348160 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1501914b-n\msvcr71.dll
2010-07-21 22:11 . 2010-07-21 22:11 61440 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-580be89c-n\decora-sse.dll
2010-07-21 22:11 . 2010-07-21 22:11 12800 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-580be89c-n\decora-d3d.dll
2010-07-21 22:10 . 2010-07-21 22:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-20 16:51 . 2010-07-20 16:51 157880 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-20 16:50 . 2010-07-20 16:50 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-07-20 16:49 . 2010-07-20 16:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-19 15:07 . 2010-07-20 23:39 -------- d-----w- c:\documents and settings\Kobus\Application Data\F-Secure
2010-07-19 01:04 . 2010-07-19 01:04 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-07-19 00:08 . 2010-07-19 00:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
2010-07-19 00:08 . 2010-07-19 00:25 41256 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-07-19 00:08 . 2009-11-18 16:02 81864 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2010-07-19 00:07 . 2010-07-19 00:35 -------- d-----w- c:\program files\F-Secure
2010-07-18 22:29 . 2010-07-19 13:55 -------- d-----w- c:\documents and settings\Kobus\Local Settings\Application Data\njvphrcup
2010-07-14 21:21 . 2010-07-14 21:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Peachtree
2010-07-14 13:57 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 19:57 . 2006-10-08 16:49 -------- d-----w- c:\program files\Cool2000
2010-07-21 22:10 . 2006-07-21 20:42 -------- d-----w- c:\program files\Common Files\Java
2010-07-21 22:10 . 2006-07-21 20:42 -------- d-----w- c:\program files\Java
2010-07-20 15:35 . 2006-07-21 21:00 -------- d-----w- c:\program files\Google
2010-07-19 00:08 . 2008-08-18 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-07-19 00:06 . 2008-08-18 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2010-07-16 23:54 . 2010-07-08 01:08 152400 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-14 21:20 . 2006-07-21 20:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-08 16:04 . 2010-07-08 16:04 -------- d-----w- c:\documents and settings\Kobus\Application Data\Sage
2010-07-08 14:01 . 2008-07-24 16:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-07 00:55 . 2006-07-27 22:54 157880 ----a-w- c:\documents and settings\Kobus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-07 00:53 . 2010-07-07 00:53 -------- d-----w- c:\documents and settings\Kobus\Application Data\Aatrix Software
2010-07-07 00:53 . 2010-07-07 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Aatrix Software
2010-07-07 00:52 . 2006-07-28 21:45 -------- d-----w- c:\program files\Common Files\Peach
2010-07-07 00:45 . 2009-12-15 23:26 804 ----a-w- c:\windows\PSODBCEI.reg
2010-07-07 00:45 . 2009-12-15 23:26 610 ----a-w- c:\windows\PSOA.reg
2010-07-07 00:45 . 2009-12-15 23:26 804 ----a-w- c:\windows\PSODBCCI.reg
2010-07-07 00:45 . 2009-12-15 23:26 18218 ----a-w- c:\windows\PriorPervasive.reg
2010-07-01 19:52 . 2010-07-01 19:52 208896 ------w- c:\documents and settings\Kobus\Application Data\DVD Catalyst3\Codecs\drv33260.dll
2010-07-01 19:41 . 2010-03-26 17:02 -------- d-----w- c:\program files\DVD Catalyst
2010-07-01 19:28 . 2010-03-26 17:03 -------- d-----w- c:\documents and settings\Kobus\Application Data\DVD Catalyst3
2010-07-01 18:24 . 2010-07-01 19:45 507904 ------w- c:\documents and settings\Kobus\Application Data\DVD Catalyst3\Codecs\TH264Codec.dll
2010-06-25 19:37 . 2007-12-27 19:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-24 23:11 . 2007-07-30 17:23 -------- d-----w- c:\program files\QuickTime
2010-06-24 23:10 . 2006-11-14 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-24 23:09 . 2010-06-24 23:09 -------- d-----w- c:\program files\Common Files\Apple
2010-06-24 23:09 . 2010-06-24 23:09 -------- d-----w- c:\program files\Apple Software Update
2010-06-24 23:09 . 2010-06-24 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-06-23 14:04 . 2010-06-23 14:04 501936 ------w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb4.tmp.exe
2010-06-22 23:00 . 2009-12-02 23:46 -------- d-----w- c:\program files\Bonjour
2010-06-22 21:32 . 2010-06-22 21:32 -------- d-----w- c:\program files\Windows Defender
2010-06-22 14:02 . 2010-06-17 15:03 -------- d-----w- c:\documents and settings\Kobus\Application Data\TotalRecorder
2010-06-21 14:00 . 2010-06-21 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\TotalRecorder
2010-06-17 15:03 . 2006-10-20 14:37 -------- d-----w- c:\program files\HighCriteria
2010-06-14 19:27 . 2010-06-14 19:27 -------- d-----w- c:\program files\ITI
2010-06-14 14:31 . 2004-08-11 21:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-08 22:21 . 2010-01-18 19:02 507904 ----a-w- c:\windows\system32\TH264Codec.dll
2010-05-21 18:14 . 2010-06-22 21:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2006-10-06 17:59 . 2006-10-06 17:59 8 --sh--r- c:\windows\system32\03BA3F4C70.sys
2006-10-06 21:50 . 2006-10-06 17:59 2516 --sh--w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2010-07-19 01:04 . 20815450057C67A3F546507482591FAE . 24576 . . [------] . . c:\windows\system32\drivers\kbdclass.sys
[7] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\kbdclass.sys
[7] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\kbdclass.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeachtreePrefetcher.exe"="c:\program files\Sage Software\Peachtree\PeachtreePrefetcher.exe" [2010-06-11 29480]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2009-12-02 24576]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2009-11-18 201128]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2009-11-18 1655208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
lpt1drv.lnk - C:\lpt1drv.bat [2007-5-11 41]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 393216]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-09-29 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Alarm Manager.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Alarm Manager.LNK
backup=c:\windows\pss\Alarm Manager.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kobus^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Kobus\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kobus^Start Menu^Programs^Startup^TalkSwitch Auto Update.lnk]
path=c:\documents and settings\Kobus\Start Menu\Programs\Startup\TalkSwitch Auto Update.lnk
backup=c:\windows\pss\TalkSwitch Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 01:38 623992 ------w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 09:20 122940 ------w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-11-01 07:12 94208 ------w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 14:44 249856 ------w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 14:44 81920 ------w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
2010-04-12 21:13 154704 ----a-w- c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSM_AutoUpdate]
2009-05-21 17:13 193832 ------w- c:\program files\TalkSwitch\TalkSwitch Configuration 6.11\TSAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 19:38 158448 ------w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)
"ZuneWlanCfgSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [7/18/2010 8:08 PM 41256]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [7/18/2010 8:08 PM 81864]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [7/18/2010 8:07 PM 69928]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [6/6/2008 2:03 PM 435496]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [7/18/2010 8:07 PM 124072]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [6/17/2010 10:58 AM 131664]
R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [6/17/2010 10:58 AM 91728]
S2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\SSIPDDP.SYS [10/15/2007 4:55 PM 54272]
S2 TSUDPLogger;Talkswitch UDP Logger Service;c:\program files\TalkSwitch\UDPLogger\UDPLogger.exe [5/21/2009 1:45 PM 188416]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\adm8511.sys [7/29/2006 8:02 PM 20160]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [7/18/2010 8:07 PM 57008]
S3 Peachtree SmartPosting 2011;Peachtree SmartPosting 2011;c:\program files\Sage Software\Peachtree\SmartPostingService2011.exe [4/10/2010 2:32 PM 43816]
S3 TED200M5;TED200M5 NDIS Protocol Driver;c:\windows\system32\Drivers\TED200M5.sys --> c:\windows\system32\Drivers\TED200M5.sys [?]
S3 TED200S5;TED200S5 NDIS Protocol Driver;c:\windows\system32\drivers\TED200S5.sys [12/14/2007 4:16 PM 27072]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [7/18/2010 8:07 PM 41640]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [7/18/2010 8:07 PM 27048]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/25/2010 9:10 PM 135664]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD24
*Deregistered* - klmd24
.
Contents of the 'Scheduled Tasks' folder

2010-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cafe72c2f08570.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-26 01:10]

2010-08-09 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\F-Secure\ANTI-V~1\fsav.exe [2010-07-19 16:01]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} - hxxp://192.168.1.207/DVROcxEx.cab
DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} - hxxp://speedtest.adelphia.net/customerdiag/speedtest/SPEEDTESTACTIVEX.CAB
FF - ProfilePath - c:\documents and settings\Kobus\Application Data\Mozilla\Firefox\Profiles\wpmgvvwd.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
FF - component: c:\program files\F-Secure\NRS\litmus-ff@f-secure.com\components\litmus-ff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-JDK5SWFMZY - c:\docume~1\Kobus\LOCALS~1\Temp\Ll1.exe
MSConfigStartUp-MChk - c:\windows\system32\rgzgp.exe
MSConfigStartUp-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
MSConfigStartUp-net - c:\windows\system32\net.net
MSConfigStartUp-ocppvfxk - c:\documents and settings\Kobus\Local Settings\Application Data\njvphrcup\bvsujattssd.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1 - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-{04B7D634-7C88-4309-94A5-F4AB50FD08DC} - c:\program files\TalkSwitch\TalkSwitch Ethernet Driver\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 15:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\l3codeca.acm
c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(708)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\program files\f-secure\hips\fshook32.dll
.
Completion time: 2010-08-09 15:18:23
ComboFix-quarantined-files.txt 2010-08-09 19:18

Pre-Run: 13,450,153,984 bytes free
Post-Run: 14,053,662,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7B22A748A1E9DD07934AF36518D98C9C


#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 09 August 2010 - 03:37 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
TDL::
c:\windows\system32\drivers\kbdclass.sys



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
=============
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#7 I_Am_Doomed

I_Am_Doomed
  • Topic Starter

  • Members
  • 10 posts

Posted 09 August 2010 - 04:00 PM

After ComboFix alerted me that my AV software was running (and I disabled it), it reported that a newer version (of ComboFix) was available. This was unexpected, so I killed the process from the task manager.

Should I let it update?

I downloaded the program from bleepingcomputer.com this morning.

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 09 August 2010 - 05:20 PM

Yes, let it update, then close the blue command prompt window after it restarts.
Then drag the script into it and let it run.

#9 I_Am_Doomed

I_Am_Doomed
  • Topic Starter

  • Members
  • 10 posts

Posted 09 August 2010 - 05:52 PM

Microsoft .NET Framework 3.5 SP1 is unhappy. I attribute that to what we have done so far. Please let me know when it is safe to re-install it.

The only other strange thing is that F-Secure does not want to run until I reboot after a combofix session. I assume this is normal.

A big thank you for the help so far.




ComboFix 10-08-09.02 - Kobus 08/09/2010 18:31:00.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.456 [GMT -4:00]
Running from: c:\documents and settings\Kobus\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kobus\Desktop\CFScript.txt
AV: F-Secure Internet Security 2010 10.12 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2010 10.12 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
.

2010-07-26 23:00 . 2010-07-26 23:00 388096 ----a-r- c:\documents and settings\Kobus\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-26 23:00 . 2010-07-26 23:00 -------- d-----w- c:\program files\Trend Micro
2010-07-21 22:11 . 2010-07-21 22:11 503808 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1501914b-n\msvcp71.dll
2010-07-21 22:11 . 2010-07-21 22:11 499712 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1501914b-n\jmc.dll
2010-07-21 22:11 . 2010-07-21 22:11 348160 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1501914b-n\msvcr71.dll
2010-07-21 22:11 . 2010-07-21 22:11 61440 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-580be89c-n\decora-sse.dll
2010-07-21 22:11 . 2010-07-21 22:11 12800 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-580be89c-n\decora-d3d.dll
2010-07-21 22:10 . 2010-07-21 22:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-20 16:51 . 2010-07-20 16:51 157880 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-20 16:50 . 2010-07-20 16:50 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-07-20 16:49 . 2010-07-20 16:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-19 15:07 . 2010-07-20 23:39 -------- d-----w- c:\documents and settings\Kobus\Application Data\F-Secure
2010-07-19 01:04 . 2010-07-19 01:04 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-07-19 00:08 . 2010-07-19 00:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
2010-07-19 00:08 . 2010-07-19 00:25 41256 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-07-19 00:08 . 2009-11-18 16:02 81864 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2010-07-19 00:07 . 2010-07-19 00:35 -------- d-----w- c:\program files\F-Secure
2010-07-18 22:29 . 2010-07-19 13:55 -------- d-----w- c:\documents and settings\Kobus\Local Settings\Application Data\njvphrcup
2010-07-14 21:21 . 2010-07-14 21:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Peachtree
2010-07-14 13:57 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 19:57 . 2006-10-08 16:49 -------- d-----w- c:\program files\Cool2000
2010-07-21 22:10 . 2006-07-21 20:42 -------- d-----w- c:\program files\Common Files\Java
2010-07-21 22:10 . 2006-07-21 20:42 -------- d-----w- c:\program files\Java
2010-07-20 15:35 . 2006-07-21 21:00 -------- d-----w- c:\program files\Google
2010-07-19 00:08 . 2008-08-18 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-07-19 00:06 . 2008-08-18 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2010-07-16 23:54 . 2010-07-08 01:08 152400 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-14 21:20 . 2006-07-21 20:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-08 16:04 . 2010-07-08 16:04 -------- d-----w- c:\documents and settings\Kobus\Application Data\Sage
2010-07-08 14:01 . 2008-07-24 16:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-07 00:55 . 2006-07-27 22:54 157880 ----a-w- c:\documents and settings\Kobus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-07 00:53 . 2010-07-07 00:53 -------- d-----w- c:\documents and settings\Kobus\Application Data\Aatrix Software
2010-07-07 00:53 . 2010-07-07 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Aatrix Software
2010-07-07 00:52 . 2006-07-28 21:45 -------- d-----w- c:\program files\Common Files\Peach
2010-07-07 00:45 . 2009-12-15 23:26 804 ----a-w- c:\windows\PSODBCEI.reg
2010-07-07 00:45 . 2009-12-15 23:26 610 ----a-w- c:\windows\PSOA.reg
2010-07-07 00:45 . 2009-12-15 23:26 804 ----a-w- c:\windows\PSODBCCI.reg
2010-07-07 00:45 . 2009-12-15 23:26 18218 ----a-w- c:\windows\PriorPervasive.reg
2010-07-01 19:52 . 2010-07-01 19:52 208896 ------w- c:\documents and settings\Kobus\Application Data\DVD Catalyst3\Codecs\drv33260.dll
2010-07-01 19:41 . 2010-03-26 17:02 -------- d-----w- c:\program files\DVD Catalyst
2010-07-01 19:28 . 2010-03-26 17:03 -------- d-----w- c:\documents and settings\Kobus\Application Data\DVD Catalyst3
2010-07-01 18:24 . 2010-07-01 19:45 507904 ------w- c:\documents and settings\Kobus\Application Data\DVD Catalyst3\Codecs\TH264Codec.dll
2010-06-25 19:37 . 2007-12-27 19:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-24 23:11 . 2007-07-30 17:23 -------- d-----w- c:\program files\QuickTime
2010-06-24 23:10 . 2006-11-14 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-24 23:09 . 2010-06-24 23:09 -------- d-----w- c:\program files\Common Files\Apple
2010-06-24 23:09 . 2010-06-24 23:09 -------- d-----w- c:\program files\Apple Software Update
2010-06-24 23:09 . 2010-06-24 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-06-23 14:04 . 2010-06-23 14:04 501936 ------w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb4.tmp.exe
2010-06-22 23:00 . 2009-12-02 23:46 -------- d-----w- c:\program files\Bonjour
2010-06-22 21:32 . 2010-06-22 21:32 -------- d-----w- c:\program files\Windows Defender
2010-06-22 14:02 . 2010-06-17 15:03 -------- d-----w- c:\documents and settings\Kobus\Application Data\TotalRecorder
2010-06-21 14:00 . 2010-06-21 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\TotalRecorder
2010-06-17 15:03 . 2006-10-20 14:37 -------- d-----w- c:\program files\HighCriteria
2010-06-14 19:27 . 2010-06-14 19:27 -------- d-----w- c:\program files\ITI
2010-06-14 14:31 . 2004-08-11 21:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-08 22:21 . 2010-01-18 19:02 507904 ----a-w- c:\windows\system32\TH264Codec.dll
2010-05-21 18:14 . 2010-06-22 21:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2006-10-06 17:59 . 2006-10-06 17:59 8 --sh--r- c:\windows\system32\03BA3F4C70.sys
2006-10-06 21:50 . 2006-10-06 17:59 2516 --sh--w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2010-07-19 01:04 . 20815450057C67A3F546507482591FAE . 24576 . . [------] . . c:\windows\system32\drivers\kbdclass.sys
[7] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\kbdclass.sys
[7] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\kbdclass.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-08-09_19.14.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-09 21:18 . 2010-08-09 21:18 16384 c:\windows\Temp\Perflib_Perfdata_1f8.dat
+ 2008-08-13 17:13 . 2010-08-09 21:20 246812 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeachtreePrefetcher.exe"="c:\program files\Sage Software\Peachtree\PeachtreePrefetcher.exe" [2010-06-11 29480]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2009-12-02 24576]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2009-11-18 201128]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2009-11-18 1655208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
lpt1drv.lnk - C:\lpt1drv.bat [2007-5-11 41]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 393216]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-09-29 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Alarm Manager.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Alarm Manager.LNK
backup=c:\windows\pss\Alarm Manager.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kobus^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Kobus\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kobus^Start Menu^Programs^Startup^TalkSwitch Auto Update.lnk]
path=c:\documents and settings\Kobus\Start Menu\Programs\Startup\TalkSwitch Auto Update.lnk
backup=c:\windows\pss\TalkSwitch Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 01:38 623992 ------w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 09:20 122940 ------w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-11-01 07:12 94208 ------w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 14:44 249856 ------w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 14:44 81920 ------w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
2010-04-12 21:13 154704 ----a-w- c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSM_AutoUpdate]
2009-05-21 17:13 193832 ------w- c:\program files\TalkSwitch\TalkSwitch Configuration 6.11\TSAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 19:38 158448 ------w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)
"ZuneWlanCfgSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [7/18/2010 8:08 PM 41256]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [7/18/2010 8:08 PM 81864]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [7/18/2010 8:07 PM 69928]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [6/6/2008 2:03 PM 435496]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [7/18/2010 8:07 PM 124072]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [6/17/2010 10:58 AM 131664]
R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [6/17/2010 10:58 AM 91728]
S2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\SSIPDDP.SYS [10/15/2007 4:55 PM 54272]
S2 TSUDPLogger;Talkswitch UDP Logger Service;c:\program files\TalkSwitch\UDPLogger\UDPLogger.exe [5/21/2009 1:45 PM 188416]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\adm8511.sys [7/29/2006 8:02 PM 20160]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [7/18/2010 8:07 PM 57008]
S3 Peachtree SmartPosting 2011;Peachtree SmartPosting 2011;c:\program files\Sage Software\Peachtree\SmartPostingService2011.exe [4/10/2010 2:32 PM 43816]
S3 TED200M5;TED200M5 NDIS Protocol Driver;c:\windows\system32\Drivers\TED200M5.sys --> c:\windows\system32\Drivers\TED200M5.sys [?]
S3 TED200S5;TED200S5 NDIS Protocol Driver;c:\windows\system32\drivers\TED200S5.sys [12/14/2007 4:16 PM 27072]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [7/18/2010 8:07 PM 41640]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [7/18/2010 8:07 PM 27048]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/25/2010 9:10 PM 135664]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2010-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cafe72c2f08570.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-26 01:10]

2010-08-09 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\F-Secure\ANTI-V~1\fsav.exe [2010-07-19 16:01]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} - hxxp://192.168.1.207/DVROcxEx.cab
DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} - hxxp://speedtest.adelphia.net/customerdiag/speedtest/SPEEDTESTACTIVEX.CAB
FF - ProfilePath - c:\documents and settings\Kobus\Application Data\Mozilla\Firefox\Profiles\wpmgvvwd.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
FF - component: c:\program files\F-Secure\NRS\litmus-ff@f-secure.com\components\litmus-ff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 18:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(708)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'explorer.exe'(2768)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-09 18:43:10
ComboFix-quarantined-files.txt 2010-08-09 22:43
ComboFix2.txt 2010-08-09 19:18

Pre-Run: 14,021,238,784 bytes free
Post-Run: 14,027,612,160 bytes free

- - End Of File - - 0E20166403107DE68F1A85AC88C2A6FB

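One defensive check the Sigcheck block in the log above supports, written here as an added example that is not part of this thread and not ComboFix's own code: parse the Sigcheck lines and flag any driver whose live copy under system32\drivers hashes differently from every pristine copy Windows keeps (dllcache, ServicePackFiles, $NtServicePackUninstall$). The four kbdclass.sys lines are copied from the log; the example.sys lines, the MD5 values in them, and the choice of backup directories are this example's own constructed assumptions.

```python
"""Flag system files whose live copy does not match any backup copy in a
ComboFix 'Sigcheck' section.  Added example, not code from the thread."""
import re
from collections import defaultdict

# One Sigcheck entry, as laid out in the posted log:
#   [flag] date . md5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Directories in which Windows XP keeps pristine copies of system files.
# Treating these as the trusted reference set is this example's assumption.
BACKUP_DIRS = ("\\dllcache\\", "\\servicepackfiles\\", "\\$ntservicepackuninstall$\\")

# First four lines copied from the Sigcheck section of the log above.
# The two example.sys lines are constructed: a live copy that matches its
# dllcache copy, so it must NOT be flagged.
SAMPLE_SIGCHECK = r"""
[-] 2010-07-19 01:04 . 20815450057C67A3F546507482591FAE . 24576 . . [------] . . c:\windows\system32\drivers\kbdclass.sys
[7] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\kbdclass.sys
[7] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2008-04-13 . DEADBEEFDEADBEEFDEADBEEFDEADBEEF . 4096 . . [5.1.2600.5512] . . c:\windows\system32\drivers\example.sys
[7] 2008-04-13 . DEADBEEFDEADBEEFDEADBEEFDEADBEEF . 4096 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\example.sys
"""


def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts; lines of any other shape are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def is_backup_copy(path):
    lowered = path.lower()
    return any(d in lowered for d in BACKUP_DIRS)


def version_key(version):
    """Sort key so that '5.1.2600.5512' ranks above '5.1.2600.2180' and '------'."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def find_mismatches(entries):
    """Return {basename: finding} for each live file whose MD5 matches no backup copy."""
    groups = defaultdict(lambda: {"live": [], "backup": []})
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        groups[name]["backup" if is_backup_copy(e["path"]) else "live"].append(e)

    findings = {}
    for name, g in groups.items():
        known_good = {b["md5"] for b in g["backup"]}
        for live in g["live"]:
            if not known_good or live["md5"] in known_good:
                continue
            findings[name] = {
                "path": live["path"],
                "flag": live["flag"],
                "live_md5": live["md5"],
                "known_good_md5": sorted(known_good),
                # Same byte count but a different hash points to an in-place
                # patch of the file rather than a replaced or truncated one.
                "same_size_as_backup": any(b["size"] == live["size"] for b in g["backup"]),
                # A live driver with no version resource is itself suspicious.
                "version_info_missing": live["version"].strip("-") == "",
                # Backups ordered newest version first; the first entry is the
                # natural restore source on a fully patched system.
                "restore_sources": [
                    b["path"] for b in sorted(g["backup"], key=lambda b: version_key(b["version"]), reverse=True)
                ],
            }
    return findings


if __name__ == "__main__":
    for name, f in find_mismatches(parse_sigcheck(SAMPLE_SIGCHECK)).items():
        print(f"{name}: {f['path']}  md5={f['live_md5']}  flag=[{f['flag']}]")
        print("  known-good md5:", ", ".join(f["known_good_md5"]))
        print("  same size as backup:", f["same_size_as_backup"],
              "| version info missing:", f["version_info_missing"])
        print("  restore from:", f["restore_sources"][0])
```

Run against the posted log it reports only kbdclass.sys, with the same size as its backups but a different hash and no version resource, which is the pattern the TDL:: and FCopy:: steps in this thread address.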

#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 10 August 2010 - 06:14 AM

QUOTE
Microsoft .NET Framework 3.5 SP1 is unhappy. I attribute that to what we have done so far. Please let me know when it is safe to re-install it.

The only other strange thing is that F-Secure does not want to run until I reboot after a combofix session. I assume this is normal.
Strange, Combofix doesn't mess with either program.
Either way let's continue.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
FCopy::
c:\windows\$NtServicePackUninstall$\kbdclass.sys|c:\windows\system32\drivers\kbdclass.sys



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt


#11 I_Am_Doomed

I_Am_Doomed
  • Topic Starter

  • Members
  • 10 posts

Posted 10 August 2010 - 09:32 AM

Here it is.



ComboFix 10-08-09.03 - Kobus 08/10/2010 10:10:30.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.487 [GMT -4:00]
Running from: c:\documents and settings\Kobus\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kobus\Desktop\CFScript.txt
AV: F-Secure Internet Security 2010 10.12 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2010 10.12 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\kbdclass.sys --> c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))
.

2010-07-26 23:00 . 2010-07-26 23:00 388096 ----a-r- c:\documents and settings\Kobus\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-26 23:00 . 2010-07-26 23:00 -------- d-----w- c:\program files\Trend Micro
2010-07-21 22:11 . 2010-07-21 22:11 503808 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1501914b-n\msvcp71.dll
2010-07-21 22:11 . 2010-07-21 22:11 499712 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1501914b-n\jmc.dll
2010-07-21 22:11 . 2010-07-21 22:11 348160 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1501914b-n\msvcr71.dll
2010-07-21 22:11 . 2010-07-21 22:11 61440 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-580be89c-n\decora-sse.dll
2010-07-21 22:11 . 2010-07-21 22:11 12800 ----a-w- c:\documents and settings\Kobus\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-580be89c-n\decora-d3d.dll
2010-07-21 22:10 . 2010-07-21 22:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-20 16:51 . 2010-07-20 16:51 157880 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-20 16:50 . 2010-07-20 16:50 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-07-20 16:49 . 2010-07-20 16:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-19 15:07 . 2010-07-20 23:39 -------- d-----w- c:\documents and settings\Kobus\Application Data\F-Secure
2010-07-19 01:04 . 2004-08-04 02:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-07-19 01:04 . 2004-08-04 02:58 24576 ----a-w- c:\windows\system32\dllcache\kbdclass.sys
2010-07-19 00:08 . 2010-07-19 00:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
2010-07-19 00:08 . 2010-07-19 00:25 41256 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-07-19 00:08 . 2009-11-18 16:02 81864 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2010-07-19 00:07 . 2010-07-19 00:35 -------- d-----w- c:\program files\F-Secure
2010-07-18 22:29 . 2010-07-19 13:55 -------- d-----w- c:\documents and settings\Kobus\Local Settings\Application Data\njvphrcup
2010-07-14 21:21 . 2010-07-14 21:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Peachtree
2010-07-14 13:57 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 19:57 . 2006-10-08 16:49 -------- d-----w- c:\program files\Cool2000
2010-07-21 22:10 . 2006-07-21 20:42 -------- d-----w- c:\program files\Common Files\Java
2010-07-21 22:10 . 2006-07-21 20:42 -------- d-----w- c:\program files\Java
2010-07-20 15:35 . 2006-07-21 21:00 -------- d-----w- c:\program files\Google
2010-07-19 00:08 . 2008-08-18 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-07-19 00:06 . 2008-08-18 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2010-07-16 23:54 . 2010-07-08 01:08 152400 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-14 21:20 . 2006-07-21 20:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-08 16:04 . 2010-07-08 16:04 -------- d-----w- c:\documents and settings\Kobus\Application Data\Sage
2010-07-08 14:01 . 2008-07-24 16:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-07 00:55 . 2006-07-27 22:54 157880 ----a-w- c:\documents and settings\Kobus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-07 00:53 . 2010-07-07 00:53 -------- d-----w- c:\documents and settings\Kobus\Application Data\Aatrix Software
2010-07-07 00:53 . 2010-07-07 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Aatrix Software
2010-07-07 00:52 . 2006-07-28 21:45 -------- d-----w- c:\program files\Common Files\Peach
2010-07-07 00:45 . 2009-12-15 23:26 804 ----a-w- c:\windows\PSODBCEI.reg
2010-07-07 00:45 . 2009-12-15 23:26 610 ----a-w- c:\windows\PSOA.reg
2010-07-07 00:45 . 2009-12-15 23:26 804 ----a-w- c:\windows\PSODBCCI.reg
2010-07-07 00:45 . 2009-12-15 23:26 18218 ----a-w- c:\windows\PriorPervasive.reg
2010-07-01 19:52 . 2010-07-01 19:52 208896 ------w- c:\documents and settings\Kobus\Application Data\DVD Catalyst3\Codecs\drv33260.dll
2010-07-01 19:41 . 2010-03-26 17:02 -------- d-----w- c:\program files\DVD Catalyst
2010-07-01 19:28 . 2010-03-26 17:03 -------- d-----w- c:\documents and settings\Kobus\Application Data\DVD Catalyst3
2010-07-01 18:24 . 2010-07-01 19:45 507904 ------w- c:\documents and settings\Kobus\Application Data\DVD Catalyst3\Codecs\TH264Codec.dll
2010-06-25 19:37 . 2007-12-27 19:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-24 23:11 . 2007-07-30 17:23 -------- d-----w- c:\program files\QuickTime
2010-06-24 23:10 . 2006-11-14 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-24 23:09 . 2010-06-24 23:09 -------- d-----w- c:\program files\Common Files\Apple
2010-06-24 23:09 . 2010-06-24 23:09 -------- d-----w- c:\program files\Apple Software Update
2010-06-24 23:09 . 2010-06-24 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-06-23 14:04 . 2010-06-23 14:04 501936 ------w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb4.tmp.exe
2010-06-22 23:00 . 2009-12-02 23:46 -------- d-----w- c:\program files\Bonjour
2010-06-22 21:32 . 2010-06-22 21:32 -------- d-----w- c:\program files\Windows Defender
2010-06-22 14:02 . 2010-06-17 15:03 -------- d-----w- c:\documents and settings\Kobus\Application Data\TotalRecorder
2010-06-21 14:00 . 2010-06-21 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\TotalRecorder
2010-06-17 15:03 . 2006-10-20 14:37 -------- d-----w- c:\program files\HighCriteria
2010-06-14 19:27 . 2010-06-14 19:27 -------- d-----w- c:\program files\ITI
2010-06-14 14:31 . 2004-08-11 21:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-08 22:21 . 2010-01-18 19:02 507904 ----a-w- c:\windows\system32\TH264Codec.dll
2010-05-21 18:14 . 2010-06-22 21:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2006-10-06 17:59 . 2006-10-06 17:59 8 --sh--r- c:\windows\system32\03BA3F4C70.sys
2006-10-06 21:50 . 2006-10-06 17:59 2516 --sh--w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-08-09_19.14.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-10 13:54 . 2010-08-10 13:54 16384 c:\windows\Temp\Perflib_Perfdata_7ac.dat
+ 2008-08-13 17:13 . 2010-08-10 13:54 246811 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeachtreePrefetcher.exe"="c:\program files\Sage Software\Peachtree\PeachtreePrefetcher.exe" [2010-06-11 29480]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2009-12-02 24576]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2009-11-18 201128]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2009-11-18 1655208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
lpt1drv.lnk - C:\lpt1drv.bat [2007-5-11 41]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 393216]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-09-29 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Alarm Manager.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Alarm Manager.LNK
backup=c:\windows\pss\Alarm Manager.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kobus^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Kobus\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kobus^Start Menu^Programs^Startup^TalkSwitch Auto Update.lnk]
path=c:\documents and settings\Kobus\Start Menu\Programs\Startup\TalkSwitch Auto Update.lnk
backup=c:\windows\pss\TalkSwitch Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 01:38 623992 ------w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 09:20 122940 ------w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-11-01 07:12 94208 ------w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 14:44 249856 ------w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 14:44 81920 ------w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
2010-04-12 21:13 154704 ----a-w- c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSM_AutoUpdate]
2009-05-21 17:13 193832 ------w- c:\program files\TalkSwitch\TalkSwitch Configuration 6.11\TSAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 19:38 158448 ------w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)
"ZuneWlanCfgSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [7/18/2010 8:08 PM 41256]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [7/18/2010 8:08 PM 81864]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [7/18/2010 8:07 PM 69928]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [6/6/2008 2:03 PM 435496]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [7/18/2010 8:07 PM 124072]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [6/17/2010 10:58 AM 131664]
R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [6/17/2010 10:58 AM 91728]
S2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\SSIPDDP.SYS [10/15/2007 4:55 PM 54272]
S2 TSUDPLogger;Talkswitch UDP Logger Service;c:\program files\TalkSwitch\UDPLogger\UDPLogger.exe [5/21/2009 1:45 PM 188416]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\adm8511.sys [7/29/2006 8:02 PM 20160]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [7/18/2010 8:07 PM 56992]
S3 Peachtree SmartPosting 2011;Peachtree SmartPosting 2011;c:\program files\Sage Software\Peachtree\SmartPostingService2011.exe [4/10/2010 2:32 PM 43816]
S3 TED200M5;TED200M5 NDIS Protocol Driver;c:\windows\system32\Drivers\TED200M5.sys --> c:\windows\system32\Drivers\TED200M5.sys [?]
S3 TED200S5;TED200S5 NDIS Protocol Driver;c:\windows\system32\drivers\TED200S5.sys [12/14/2007 4:16 PM 27072]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [7/18/2010 8:07 PM 41640]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [7/18/2010 8:07 PM 27048]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/25/2010 9:10 PM 135664]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2010-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cafe72c2f08570.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-26 01:10]

2010-08-10 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\F-Secure\ANTI-V~1\fsav.exe [2010-07-19 16:01]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} - hxxp://192.168.1.207/DVROcxEx.cab
DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} - hxxp://speedtest.adelphia.net/customerdiag/speedtest/SPEEDTESTACTIVEX.CAB
FF - ProfilePath - c:\documents and settings\Kobus\Application Data\Mozilla\Firefox\Profiles\wpmgvvwd.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
FF - component: c:\program files\F-Secure\NRS\litmus-ff@f-secure.com\components\litmus-ff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-10 10:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(708)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\program files\f-secure\hips\fshook32.dll

- - - - - - - > 'explorer.exe'(4020)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-10 10:21:57
ComboFix-quarantined-files.txt 2010-08-10 14:21
ComboFix2.txt 2010-08-09 22:43
ComboFix3.txt 2010-08-09 19:18

Pre-Run: 13,795,790,848 bytes free
Post-Run: 13,785,583,616 bytes free

- - End Of File - - DC42E5F3A6C535433C0BDA0ABD672FF8


#12 kahdah, Security Colleague

Posted 10 August 2010 - 12:59 PM

What is .NET Framework doing that is abnormal?

Please update and run Malwarebytes' Anti-Malware.

Double-click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the Update tab, then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
========
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#13 I_Am_Doomed, Topic Starter

Posted 10 August 2010 - 02:56 PM

A full MBAM scan takes a few hours, so while I wait...

.Net came up with a missing or damaged (component?) error. Unfortunately, I needed it to work so I ran the Install/Repair utility from the microsoft website. This was at about 11AM today. I deeply regret any trouble this may cause. I fully intend to donate to this website. I'm not entirely sure as to what's going on, but I assume that the end result will make everything clear.

We may have also munched a component of GoToMeeting, but I do not use that as much, and will wait until I need it.

Don't know if it matters, but I just noticed that one of these scans emptied my recycle bin.

Sorry for any problems I am causing. Let me know what I should not be doing. I wish to make things as easy as possible for us.

#14 kahdah, Security Colleague

Posted 10 August 2010 - 03:21 PM

No, you are not causing any trouble. I am just trying to understand what has caused this to happen.
Does GoToMeeting not work at all?
Can you repair-install it, or re-download and install it?

We should be about done. The threat has been removed; I am just having you run some follow-up scanners to check for any leftovers.
Once those are complete, post the logs and we can wrap it up.

#15 I_Am_Doomed, Topic Starter

Posted 11 August 2010 - 09:29 AM

Scans completed and included below. KASPERSKY found some stuff in my deleted emails file (PMail). Impressive actually, as nothing else found them. I have known that they were there - I get a lot of spam with attachments. Pegasus is good about not running anything, so I do not worry too much about it.

I have not had a chance to try GoToMeeting. Should be able to try that later today. I am assuming there will be a problem as one of the logs indicated that it deleted c:\documents and settings\Kobus\g2mdlhlpx.exe. I think this file is part of that program.

Has anything been deleted beyond the following?
c:\windows\jestertb.dll
c:\windows\system32\Cache
c:\windows\system32\lsprst7.dll
c:\windows\system32\zip32.dll

Now I am nervous as to why .NET broke. None of these files above should have made a difference. The logs are a bit tricky for me to decipher.

On my PC there is C:\WINDOWS\system32\lsprst7.tgz; should I delete this? I assume this is the compressed version of lsprst7.dll. Also with the same date, time and location is servdat.slm, but that could be part of something important.

Is there anything you can tell me about what I had, or point me to a resource that might tell me? I assume that jestertb.dll and lsprst7.dll were the important ones.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4413

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/10/2010 5:54:44 PM
mbam-log-2010-08-10 (17-54-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 432207
Time elapsed: 2 hour(s), 52 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, August 11, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, August 10, 2010 17:50:47
Records in database: 4128652
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
I:\
S:\
U:\

Scan statistics:
Objects scanned: 279764
Threats found: 2
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 07:38:12


File name / Threat / Threats count
C:\Program Files\PMAIL\MAIL\ADMIN\FOL06BD6.PMM Infected: Trojan-Spy.Win32.Zbot.alpm 6
C:\Program Files\PMAIL\MAIL\ADMIN\FOL06BD6.PMM Infected: Trojan-Downloader.Win32.FraudLoad.xels 5

Selected area has been scanned.




