Trojan.Agent/Gen-Nullo and BSOD


This topic is locked
14 replies to this topic

#1 zirkaiva

  • Members
  • 10 posts

Posted 29 October 2010 - 11:33 AM

Hello
I have very frequent BSODs, most commonly with the error win32k.sys. I also regularly get "memory could not be read" when a program shuts down. That error is not related to any particular program, and yes, I did extended memtests and the memory has no errors. Some other BSODs have the following errors: 0x8e, 0x50. I have tested my system with MBAM, SAS, Emsisoft, Dr.Web, Panda, TrustPort and many others, and they found whatever they found and quarantined, renamed or deleted it. I used ComboFix as well. I still cannot get rid of the frequent BSODs. The most recent one was when I used the Shift+Alt combination for input language switching. See the attached OTL, DDS and GMER reports.

Additions
DDS (Ver_09-09-29.01) - NTFSx86
Run by zirkaiva at 23:00:10.70 on 2010-10-29
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2936.2038 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\ManageEngine\AssetExplorer\bin\agentmonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\Nuance\PDF Professional 6\PDFProFiltSrv.exe
C:\Program Files\Citrix\Streaming Client\RadeHlprSvc.exe
C:\Program Files\Advantech eAutomation\Serial Device Server Configuration Utility\RDRV2X.EXE
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\TetherBerry\TBService.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Citrix\Streaming Client\RadeSvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Documents and Settings\zirkaiva\My Documents\Downloads\fscapture\FSCapture.exe
C:\Documents and Settings\zirkaiva\My Documents\Downloads\gmer.exe
C:\Program Files\Debugging Tools for Windows (x86)\windbg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\zirkaiva\My Documents\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ncr
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Virtual Account Numbers Helper: {17424104-1444-4810-85d7-b4da413c5a9a} - c:\program files\virtual account numbers\CitiVANHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PlusIEEventHelper Class: {551a852f-39a6-44a7-9c13-afbec9185a9d} - c:\program files\nuance\pdf professional 6\bin\PlusIEContextMenu.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: ZeonIEEventHelper Class: {da986d7d-ccaf-47b2-84fe-bfa1549bebf9} - c:\program files\nuance\pdf professional 6\bin\ZeonIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Norton Safe Web Lite BHO: {f0da78e9-6b60-42fb-bc26-ef2cfb8c8ff3} - c:\program files\norton safe web lite\engine\1.0.1.8\coIEPlg.dll
TB: Norton Safe Web Lite: {30ceeea2-3742-40e4-85dd-812bf1cbb83d} - c:\program files\norton safe web lite\engine\1.0.1.8\coIEPlg.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [NWTRAY] NWTRAY.EXE
mRun: [QlbCtrl.exe] "c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe" /Start
mRun: [SynTPEnh] "%ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_12\bin\jusched.exe"
StartupFolder: c:\docume~1\zirkaiva\startm~1\programs\startup\fastst~1.lnk - c:\documents and settings\zirkaiva\my documents\downloads\fscapture\FSCapture.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\applic~1.lnk - c:\program files\novell\zenworks\NalView.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: ForceStartMenuLogoff = 1 (0x1)
mPolicies-explorer: ForceStartMenuLogoff = 1 (0x1)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Append the content of the link to existing PDF file - c:\program files\nuance\pdf professional 6\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\nuance\pdf professional 6\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\nuance\pdf professional 6\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\nuance\pdf professional 6\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\nuance\pdf professional 6\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\nuance\pdf professional 6\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open with Nuance PDF Converter 6.0 - c:\program files\nuance\pdf professional 6\cnvres_eng.dll /100
IE: Open with PDF Professional 6 - c:\program files\nuance\pdf professional 6\bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll
Trusted Zone: amazon.com
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: {00000130-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/ACELPACM.CAB
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1257715735531
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271972578406
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271972198625
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://govconsys.webex.com/client/T27LB/webex/ieatgpc.cab
TCP: {B2548AAB-7820-4190-AF5B-0483761C0B52} = 208.67.222.222,208.67.220.220
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - c:\novell\messenger\nmcg32.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2010-05-10 08:47 23 a--sh--- c:\windows\system32\edacded0.dat

============= FINISH: 23:00:35.01 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2009-09-29 18:12:00
System Uptime: 2010-10-29 22:45:33 (1 hours ago)

Motherboard: Hewlett-Packard | | 30DB
Processor: Intel® Core™2 Duo CPU P8700 @ 2.53GHz | Intel® Genuine processor | 2527/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 232 GiB total, 83.791 GiB free.
D: is FIXED (FAT32) - 1 GiB total, 0.971 GiB free.
K: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 2010-08-30 15:36:20 - Installed HiJackThis
RP2: 2010-08-30 15:39:28 - Before uninstalling HiJackThis
RP3: 2010-08-30 15:39:34 - Removed HiJackThis
RP4: 2010-08-30 15:41:55 - Before uninstalling Malwarebytes' Anti-Malware
RP5: 2010-08-30 15:43:42 - Before uninstalling RSDownloader 2.3
RP6: 2010-08-30 15:43:48 - Removed RSDownloader 2.3
RP7: 2010-08-30 15:46:58 - Installed HiJackThis
RP8: 2010-08-30 17:10:33 - SLOW-PCfighter Backup
RP9: 2010-08-30 17:11:57 - SLOW-PCfighter Backup
RP10: 2010-08-30 17:18:33 - Before uninstalling HiJackThis
RP11: 2010-08-30 17:18:53 - Removed HiJackThis
RP12: 2010-08-30 19:13:51 - Installed HiJackThis
RP13: 2010-08-30 19:44:53 - MalAware Cleaning
RP14: 2010-08-31 06:01:41 - Cleaned registry with Windows Live OneCare safety scanner
RP15: 2010-08-31 07:34:39 - Before uninstalling HiJackThis
RP16: 2010-08-31 07:34:49 - Removed HiJackThis
RP17: 2010-08-31 07:39:41 - Installed HiJackThis
RP18: 2010-08-31 13:27:21 - SLOW-PCfighter Backup
RP19: 2010-09-01 09:31:27 - SLOW-PCfighter Backup
RP20: 2010-09-01 11:53:50 - SLOW-PCfighter Backup
RP21: 2010-09-01 12:13:33 - SLOW-PCfighter Backup
RP22: 2010-09-02 13:48:35 - System Checkpoint
RP23: 2010-09-07 07:43:11 - System Checkpoint
RP24: 2010-09-07 10:19:07 - Installed Windows XP KB2286198.
RP25: 2010-09-07 20:02:01 - Before uninstalling HiJackThis
RP26: 2010-09-07 20:02:09 - Removed HiJackThis
RP27: 2010-09-08 23:11:00 - System Checkpoint
RP28: 2010-09-10 11:45:29 - System Checkpoint
RP29: 2010-09-13 09:56:12 - System Checkpoint
RP30: 2010-09-15 08:10:52 - Before uninstalling Anti-Twin (Installation 2010-09-08)
RP31: 2010-09-15 08:12:47 - Before uninstalling Duplicate Cleaner 1.4.7
RP32: 2010-09-15 08:16:16 - Before uninstalling Duplicate File Detective 3
RP33: 2010-09-15 08:23:08 - Before uninstalling Visual Similarity Duplicate Image Finder 3.8.0.1
RP34: 2010-09-15 08:29:24 - SLOW-PCfighter Backup
RP35: 2010-09-15 12:54:41 - Before uninstalling COMODO System - Cleaner
RP36: 2010-09-15 12:54:48 - [ErrorText_1717]
RP37: 2010-09-16 07:38:30 - Before uninstalling Gage InSite Enterprise for MSSQL
RP38: 2010-09-16 07:56:57 - SLOW-PCfighter Backup
RP39: 2010-09-17 08:54:31 - System Checkpoint
RP40: 2010-09-20 09:20:29 - System Checkpoint
RP41: 2010-09-20 12:03:47 - Installed Windows Media Player KB975558.
RP42: 2010-09-20 12:04:21 - Installed Windows XP KB2259922.
RP43: 2010-09-20 12:04:35 - Installed Windows Media Player KB975558.
RP44: 2010-09-20 12:04:52 - Installed Windows XP KB2290570.
RP45: 2010-09-20 12:05:12 - Installed Windows XP KB2124261.
RP46: 2010-09-21 11:54:09 - SPTD setup V1.62
RP47: 2010-09-21 12:11:39 - SLOW-PCfighter Backup
RP48: 2010-09-21 18:26:04 - SPTD setup V1.74
RP49: 2010-09-21 18:44:33 - Installed HP System Diagnostics UEFI
RP50: 2010-09-21 18:46:43 - Installed HP System Diagnostics UEFI
RP51: 2010-09-21 22:47:22 - Software Distribution Service 3.0
RP52: 2010-09-21 23:14:59 - Software Distribution Service 3.0
RP53: 2010-09-23 00:06:34 - System Checkpoint
RP54: 2010-09-23 06:12:28 - Cleaned registry with Windows Live OneCare safety scanner
RP55: 2010-09-24 17:55:02 - System Checkpoint
RP56: 2010-09-25 18:09:45 - System Checkpoint
RP57: 2010-09-26 18:14:12 - System Checkpoint
RP58: 2010-09-27 19:10:23 - System Checkpoint
RP59: 2010-09-28 19:39:38 - System Checkpoint
RP60: 2010-09-29 17:51:20 - Installed SOS Servlink OPC Server
RP61: 2010-10-04 11:47:55 - System Checkpoint
RP62: 2010-10-05 11:49:41 - System Checkpoint
RP63: 2010-10-05 12:23:59 - Before uninstalling EASEUS Partition Recovery 5.0.1
RP64: 2010-10-05 14:04:42 - Installed Control Assistant 4
RP65: 2010-10-06 12:34:45 - SLOW-PCfighter Backup
RP66: 2010-10-06 20:14:10 - Before uninstalling VMware Player
RP67: 2010-10-06 20:18:34 - SLOW-PCfighter Backup
RP68: 2010-10-06 20:32:55 - Before uninstalling Sandboxie 3.48
RP69: 2010-10-06 21:04:31 - SLOW-PCfighter Backup
RP70: 2010-10-07 07:47:34 - Before uninstalling AVG Anti-Rootkit Free
RP71: 2010-10-07 09:21:53 - Installed RSLogix Emulate 5000 16.00.29 (CPR 7)
RP72: 2010-10-07 09:23:09 - Installed RSLogix Emulate 500.
RP73: 2010-10-07 09:37:47 - Removed RSLinx
RP74: 2010-10-07 09:41:13 - Installed FactoryTalk Services Platform 2.30 (CPR 9 SR 3).
RP75: 2010-10-07 09:43:51 - Installed Redundancy Module Config Tool
RP76: 2010-10-07 09:44:13 - Installed RSLinx Classic 2.57.00 CPR 9 SR 3.
RP77: 2010-10-07 10:18:14 - Removed FactoryTalk Activation Client 3.01 (CPR 9 SR 1).
RP78: 2010-10-07 12:09:22 - Installed RSLogix 500 English 8.00.00 (CPR 9)
RP79: 2010-10-07 12:39:33 - Installed Translate PLC-5_SLC 2.0
RP80: 2010-10-07 13:12:15 - SLOW-PCfighter Backup
RP81: 2010-10-08 08:54:21 - Before uninstalling Babylon
RP82: 2010-10-08 09:00:06 - Before uninstalling Babylon toolbar
RP83: 2010-10-08 09:32:19 - SLOW-PCfighter Backup
RP84: 2010-10-08 09:45:35 - SLOW-PCfighter Backup
RP85: 2010-10-08 13:26:33 - SLOW-PCfighter Backup
RP86: 2010-10-09 11:01:48 - Installed ZoneOS ZoneScreen1.0.10.0
RP87: 2010-10-09 14:17:56 - Installed Nokia Connectivity Cable Driver
RP88: 2010-10-09 14:21:51 - Installed Windows XP Wdf01009.
RP89: 2010-10-09 16:41:12 - Before uninstalling Babylon
RP90: 2010-10-09 17:15:02 - SLOW-PCfighter Backup
RP91: 2010-10-09 18:48:46 - SLOW-PCfighter Backup
RP92: 2010-10-09 18:49:46 - SLOW-PCfighter Backup
RP93: 2010-10-10 14:37:16 - SLOW-PCfighter Backup
RP94: 2010-10-10 17:06:20 - Installed HP Quick Launch Buttons
RP95: 2010-10-10 18:39:18 - Installed HP Quick Launch Buttons
RP96: 2010-10-10 19:14:29 - SLOW-PCfighter Backup
RP97: 2010-10-10 19:22:14 - SLOW-PCfighter Backup
RP98: 2010-10-10 22:42:33 - SLOW-PCfighter Backup
RP99: 2010-10-11 23:03:20 - System Checkpoint
RP100: 2010-10-12 21:03:59 - Installed RSLogix Emulate 5
RP101: 2010-10-13 07:53:37 - Installed U3Launcher
RP102: 2010-10-13 07:58:02 - Removed U3Launcher
RP103: 2010-10-13 07:58:37 - Installed U3Launcher
RP104: 2010-10-13 10:51:00 - Before uninstalling U3Launcher
RP105: 2010-10-13 10:51:25 - Removed U3Launcher
RP106: 2010-10-13 11:00:25 - SLOW-PCfighter Backup
RP107: 2010-10-13 11:17:21 - Removed U3Launcher
RP108: 2010-10-13 11:18:27 - Installed U3Launcher
RP109: 2010-10-13 11:19:11 - Removed U3Launcher
RP110: 2010-10-13 11:23:06 - Installed U3Launcher
RP111: 2010-10-13 13:42:23 - Installed U3Launcher
RP112: 2010-10-13 13:44:29 - Before uninstalling U3Launcher
RP113: 2010-10-13 13:44:36 - Removed U3Launcher
RP114: 2010-10-14 07:56:54 - Before uninstalling System Protect
RP115: 2010-10-14 10:24:54 - SLOW-PCfighter Backup
RP116: 2010-10-15 10:28:41 - System Checkpoint
RP117: 2010-10-18 05:56:38 - Before uninstalling Sandboxie 3.48
RP118: 2010-10-18 19:41:22 - SLOW-PCfighter Backup
RP119: 2010-10-18 20:13:59 - Before uninstalling Emsisoft Anti-Malware 5.0
RP120: 2010-10-18 20:33:31 - Before uninstalling Sophos Anti-Rootkit 1.5.4
RP121: 2010-10-19 07:56:03 - SLOW-PCfighter Backup
RP122: 2010-10-19 12:16:48 - Removed BIOS Configuration for HP ProtectTools
RP123: 2010-10-19 12:28:07 - SLOW-PCfighter Backup
RP124: 2010-10-19 17:48:34 - SLOW-PCfighter Backup
RP125: 2010-10-19 17:51:32 - Before uninstalling Sentinel Protection Installer 7.4.0
RP126: 2010-10-19 17:51:50 - Removed Sentinel Protection Installer 7.4.0
RP127: 2010-10-19 18:01:43 - SLOW-PCfighter Backup
RP128: 2010-10-20 08:27:21 - Unsigned driver install
RP129: 2010-10-20 08:42:13 - Unsigned driver install
RP130: 2010-10-20 08:44:14 - Unsigned driver install
RP131: 2010-10-21 09:51:40 - System Checkpoint
RP132: 2010-10-22 07:30:19 - SLOW-PCfighter Backup
RP133: 2010-10-22 11:49:19 - Installed Windows XP KB2360131.
RP134: 2010-10-22 11:50:04 - Installed Windows XP KB981957.
RP135: 2010-10-22 11:51:03 - Installed Windows XP KB982132.
RP136: 2010-10-22 11:51:25 - Installed Windows Media Player KB2378111.
RP137: 2010-10-22 11:55:12 - Installed Windows XP KB2360937.
RP138: 2010-10-22 11:55:36 - Installed Windows XP KB2279986.
RP139: 2010-10-22 11:56:04 - Installed Windows XP KB979687.
RP140: 2010-10-22 11:56:35 - Installed Windows XP KB2387149.
RP141: 2010-10-22 20:36:09 - Before uninstalling Webroot Software
RP142: 2010-10-22 20:52:58 - SLOW-PCfighter Backup
RP143: 2010-10-22 21:27:26 - SLOW-PCfighter Backup
RP144: 2010-10-22 21:28:32 - SLOW-PCfighter Backup
RP145: 2010-10-22 21:42:18 - SLOW-PCfighter Backup
RP146: 2010-10-22 22:05:57 - SLOW-PCfighter Backup
RP147: 2010-10-22 22:09:41 - SLOW-PCfighter Backup
RP148: 2010-10-23 06:41:48 - Before uninstalling Webroot AntiVirus with Spy Sweeper
RP149: 2010-10-23 07:03:25 - SLOW-PCfighter Backup
RP150: 2010-10-23 07:42:45 - SLOW-PCfighter Backup
RP151: 2010-10-23 07:54:37 - SLOW-PCfighter Backup
RP152: 2010-10-23 19:49:35 - SLOW-PCfighter Backup
RP153: 2010-10-23 22:58:44 - Installed Windows XP Service Pack 3.
RP154: 2010-10-23 23:00:55 - Installed Windows XP KB949764.
RP155: 2010-10-23 23:14:22 - Software Distribution Service 3.0
RP156: 2010-10-23 23:47:15 - Software Distribution Service 3.0
RP157: 2010-10-24 07:54:53 - Software Distribution Service 3.0
RP158: 2010-10-25 10:03:18 - System Checkpoint
RP159: 2010-10-26 07:37:50 - SLOW-PCfighter Backup
RP160: 2010-10-27 07:53:02 - System Checkpoint
RP161: 2010-10-27 21:54:13 - Before uninstalling Malwarebytes' Anti-Malware
RP162: 2010-10-29 13:41:07 - SLOW-PCfighter Backup

==== Installed Programs ======================


==== Event Viewer Messages From Past Week ========


==== End Of File ===========================

EDIT: Posts merged ~BP

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-30 07:51:18
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\zirkaiva\LOCALS~1\Temp\kgldqpob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwAllocateVirtualMemory [0xA3432750]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xA3432880]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xA20466D0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwWriteVirtualMemory [0xA34329B0]

---- Kernel code sections - GMER 1.0.15 ----

? nwfilter.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA23D1400, 0x87EE2, 0xE8000020]
.protect’’’’ C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect’’’’" section [0xA2475620]
.protect’’’’ C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA2475400, 0x5126, 0xE0000020]
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\Novell\XTAgent.exe[172] ntdll.dll!LdrQueryImageFileExecutionOptions 7C91CCA3 5 Bytes JMP 7FFA0000
.text C:\WINDOWS\system32\svchost.exe[224] ntdll.dll!LdrQueryImageFileExecutionOptions 7C91CCA3 5 Bytes JMP 7FFA0000
.text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!LdrQueryImageFileExecutionOptions 7C91CCA3 5 Bytes JMP 7FFA0000
.text C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe[376] ntdll.dll!LdrQueryImageFileExecutionOptions 7C91CCA3 5 Bytes JMP 7FFA0000
.text C:\WINDOWS\System32\svchost.exe[392] ntdll.dll!LdrQueryImageFileExecutionOptions 7C91CCA3 5 Bytes JMP 7FFA0000
.text ...
.text C:\WINDOWS\system32\services.exe[1868] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 7FF90000
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2092] ntdll.dll!LdrQueryImageFileExecutionOptions 7C91CCA3 5 Bytes JMP 7FFA0000
.text C:\Program Files\Novell\ZENworks\nalntsrv.exe[2132] ntdll.dll!LdrQueryImageFileExecutionOptions 7C91CCA3 5 Bytes JMP 7FFA0000
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[2164] ntdll.dll!LdrQueryImageFileExecutionOptions 7C91CCA3 5 Bytes JMP 7FFA0000
.text C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe[2184] ntdll.dll!LdrQueryImageFileExecutionOptions 7C91CCA3 5 Bytes JMP 7FFA0000
.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[2212] ntdll.dll!LdrQueryImageFileExecutionOptions 7C91CCA3 5 Bytes JMP 7FFA0000
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs CtxSbx.sys (Citrix Application Isolation Environment Driver/Citrix Systems, Inc.)

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 KbdBlock2.SYS (Keyboard Block Driver/ILLC)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBB 0x1A 0x58 0x6D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xF5 0x54 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x66 0x9D 0x3C 0x70 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x72 0x62 0x55 0x6C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE2 0xBA 0xA1 0xC8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBB 0x1A 0x58 0x6D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xF5 0x54 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x66 0x9D 0x3C 0x70 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x72 0x62 0x55 0x6C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE2 0xBA 0xA1 0xC8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBB 0x1A 0x58 0x6D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x22 0x27 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x66 0x9D 0x3C 0x70 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x72 0x62 0x55 0x6C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x19 0xCD 0x57 0xA5 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\986E9DEAD2D55B145AFAE1F050883AC4\Usage@iFolder_Files 1029516518
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 43
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesSuccessful 41
Reg HKLM\SOFTWARE\Classes\CLSID\{76B00B36-EA8B-45f3-8B1D-549948097456}
Reg HKLM\SOFTWARE\Classes\CLSID\{76B00B36-EA8B-45f3-8B1D-549948097456}@EVM16 1855EACCE0BAA18B33F212B9B27ACAB6

---- Files - GMER 1.0.15 ----

File C:\Manuals\TSP's Scanned\TSP 2092, Sheets 5, 6, 8 and 14\TSP 2092 sheet 14.tif 71860 bytes
File C:\Manuals\TSP's Scanned\TSP 2092, Sheets 5, 6, 8 and 14\TSP 2092 sheet 5.tif 68494 bytes
File C:\Manuals\TSP's Scanned\TSP 2092, Sheets 5, 6, 8 and 14\TSP 2092 sheet 6.tif 44908 bytes
File C:\Manuals\TSP's Scanned\TSP 2092, Sheets 5, 6, 8 and 14\TSP 2092 sheet 8.tif 49988 bytes
File C:\Manuals\TSP's Scanned\TSP 2405, Sheets 4, 5 and 6\2405-456.doc 39424 bytes
File C:\Manuals\TSP's Scanned\TSP 2406, Sheet 123\TSP 2406, Sheet 123.TIF 134164 bytes
File C:\Manuals\TSP's Scanned\TSP 2406, Sheets 118 & 118A\TSP 2406, Sheets 118 & 118A.pdf 26776 bytes
File C:\Manuals\TSP's Scanned\TSP 2406, Sheets 119 & 119A\TSP 2406, Sheets 119 & 119A.pdf 44693 bytes
File C:\Manuals\TSP's Scanned\TSP 2406, Sheets 121 & 121A\TSP 2406, Sheets 121 & 121A.pdf 43801 bytes
File C:\Manuals\TSP's Scanned\TSP 14504\TSP-14504_NEW[1].docx 22559 bytes
File C:\Manuals\TSP's Scanned\TSP 14505\TSP-14505_NEW[1].docx 24500 bytes
File C:\Manuals\TSP's Scanned\TSP 14506\TSP-14506_NEW[1].docx 24065 bytes
File C:\Manuals\TSP's Scanned\TSP 14507\TSP-14507_NEW[1].docx 22606 bytes
File C:\Manuals\TSP's Scanned\TSP 152, Sheet 5 & 5A\HPPDEVX.DLL.log 172 bytes
File C:\Manuals\TSP's Scanned\TSP 152, Sheet 5 & 5A\TSP 152, Sheet 5 and 5A.pdf 230467 bytes
File C:\Manuals\TSP's Scanned\TSP 13850\TSP-13850_NEW[1].doc 30720 bytes
File C:\Manuals\TSP's Scanned\TSP 13876, Sheets 1 thru 5\Scan001.PDF 139776 bytes
File C:\Manuals\TSP's Scanned\TSP 13876, Sheets 1 thru 5\TSP 13876.pdf 268677 bytes
File C:\Manuals\TSP's Scanned\TSP 139, Sheet 10\Scan0089.tif 112964 bytes
File C:\Manuals\TSP's Scanned\TSP 139, Sheet 11\Scan0090.tif 126276 bytes
File C:\Manuals\TSP's Scanned\TSP 139, Sheet 12\Scan0091.tif 123788 bytes
File C:\Manuals\TSP's Scanned\TSP 139, Sheet 13\Scan0092.tif 120280 bytes
File C:\Manuals\TSP's Scanned\TSP 139, Sheet 14\Scan0093.tif 87196 bytes
File C:\Manuals\TSP's Scanned\TSP 139, Sheet 15\Scan0094.tif 84944 bytes
File C:\Manuals\TSP's Scanned\TSP 139, Sheet 16\Scan0095.tif 72288 bytes
File C:\Manuals\TSP's Scanned\TSP 139, Sheet 17\Scan0096.tif 89324 bytes
File C:\Manuals\TSP's Scanned\TSP 139, Sheet 18\Scan0097.tif 68544 bytes
File C:\Manuals\TSP's Scanned\TSP 139, Sheet 19\Scan0098.tif 75744 bytes
File C:\Manuals\TSP's Scanned\TSP 139, Sheet 20\Scan0099.tif 85736 bytes
File C:\Manuals\TSP's Scanned\TSP 139, Sheet 21\Scan0100.tif 59600 bytes
File C:\Manuals\TSP's Scanned\TSP 139, Sheet 21\TSP-139_21.tif 16197 bytes
File C:\Manuals\TSP's Scanned\TSP 139, Sheet 22\TSP-139_22.tif 24917 bytes
File C:\Manuals\TSP's Scanned\TSP 13000, Sheets 1, 2 and 3\TSP-13000.doc 27648 bytes
File C:\Manuals\TSP's Scanned\TSP 13152, Sheet 1-2-3\TSP-13152_B[1].doc 90624 bytes
File C:\Manuals\TSP's Scanned\TSP 13417, Sheets 1 - 1B\HPPDEVX.DLL.log 172 bytes
File C:\Manuals\TSP's Scanned\TSP 13417, Sheets 1 - 1B\TSP 13417, Sheets 1 - 1B.pdf 91516 bytes
File C:\Manuals\TSP's Scanned\TSP 13658\TSP 13658.pdf 86513 bytes
File C:\Manuals\TSP's Scanned\TSP 13673\TSP-13673_NEW[1] Cullette.doc 82432 bytes
File C:\Manuals\TSP's Scanned\TSP 13691\TSP-13691_A[1]GCS.doc 574976 bytes
File C:\Manuals\TSP's Scanned\TSP 138, 1 to 6A\TSP 138, 1 to 6A.pdf 3751831 bytes
File C:\Manuals\TSP's Scanned\TSP 138, Sheet 1 to 9\TSP 138, Sheet 1 to 9.pdf 518171 bytes
File C:\Manuals\TSP's Scanned\TSP 138, Sheet 57\TSP 138, Sheet 57.pdf 47082 bytes
File C:\Manuals\TSP's Scanned\TSP 138, Sheets 128 & A-B-C\TSP 138, Sheet 128.pdf 288506 bytes
File C:\Manuals\TSP's Scanned\TSP 138, Sheets 128 & A-B-C\TSP 138, Sheets 128A-B-C.pdf 772827 bytes
File C:\Manuals\TSP's Scanned\TSP 1381, Sheet 10\TSP 1381, Sheet 10.pdf 351034 bytes
File C:\Manuals\TSP's Scanned\TSP 1381, Sheet 4\TSP 1381, Sheet 4.pdf 300811 bytes
File C:\Manuals\TSP's Scanned\TSP 1381, Sheet 8\TSP 1381, Sheet 8.pdf 342201 bytes
File C:\Manuals\TSP's Scanned\TSP 11829, Sheets 1, 2 and 3\Scan001.PDF 84397 bytes
File C:\Manuals\TSP's Scanned\TSP 11833, Sheets 1, 2 and 3\TSP-11833.doc 40448 bytes
File C:\Manuals\TSP's Scanned\TSP 11836, Sheets 1, 2 and 3\TSP-11836.doc 41472 bytes
File C:\Manuals\TSP's Scanned\TSP 11837\TSP 11837.pdf 1859155 bytes
File C:\Manuals\TSP's Scanned\TSP 11837\TSP-11837_C.pdf 32666 bytes
File C:\Manuals\TSP's Scanned\TSP 11846, Sheets 1, 2 and 3\TSP-11846_NEW[1].DOC 35328 bytes
File C:\Manuals\TSP's Scanned\TSP 1190, Sheet 5\TSP 1190, Sheet 5.pdf 288891 bytes
File C:\Manuals\TSP's Scanned\TSP 1190, Sheets 1-6\TSP 1190, Sheets 1-6.pdf 2176559 bytes
File C:\Manuals\TSP's Scanned\TSP 11979, Sheets 1 and 2\TSP-11979_E[1].pdf 96906 bytes
File C:\Manuals\TSP's Scanned\TSP 12151, Sheets 1 thru 7\TSP 12151, Sheet 1 thru 7.doc 640512 bytes
File C:\Manuals\TSP's Scanned\TSP 1247, Sheets 1 thru 17\TSP-1247_L8[1].doc 1272320 bytes
File C:\Manuals\TSP's Scanned\TSP 12666\TSP-12666_NEW.DOC 32256 bytes
File C:\Manuals\TSP's Scanned\TSP 12668, Sheet 1\HPPDEVX.DLL.log 172 bytes
File C:\Manuals\TSP's Scanned\TSP 12668, Sheet 1\TSP-12668.doc 21504 bytes
File C:\Manuals\TSP's Scanned\TSP 12680, Sheets 1 thru 3\DOC.tif 117336 bytes
File C:\Manuals\TSP's Scanned\TSP 1179, Sheet 11\TSP 1179, Sheet 11.pdf 45130 bytes
File C:\Manuals\TSP's Scanned\TSP 1179, Sheet 12\TSP 1179, Sheet 12pdf.pdf 49326 bytes
File C:\Manuals\TSP's Scanned\TSP 1179, Sheet 13\TSP 1179, Sheet 13.pdf 60818 bytes
File C:\Manuals\TSP's Scanned\TSP 1179, Sheet 14\TSP 1179, Sheet 14.pdf 52931 bytes
File C:\Manuals\TSP's Scanned\TSP 1179, Sheet 15\TSP 1179, Sheet 15.pdf 53721 bytes
File C:\Manuals\TSP's Scanned\TSP 1179, Sheet 16\TSP 1179, Sheet 16.pdf 41575 bytes
File C:\Manuals\TSP's Scanned\TSP 1179, Sheet 17\TSP 1179, Sheet 17.pdf 64468 bytes
File C:\Manuals\TSP's Scanned\TSP 1179, Sheet 18\TSP 1179, Sheet 18.pdf 52409 bytes
File C:\Manuals\TSP's Scanned\TSP 1179, Sheet 19\TSP 1179, Sheet 19.pdf 65295 bytes
File C:\Manuals\TSP's Scanned\TSP 1179, Sheet 20\TSP 1179, Sheet 20.pdf 25433 bytes
File C:\Manuals\TSP's Scanned\TSP 1179, Sheet 21\TSP 1179, Sheet 21.pdf 40146 bytes
File C:\Manuals\TSP's Scanned\TSP 1179, Sheet 22\TSP 1179, Sheet 22.pdf 42193 bytes
File C:\Manuals\TSP's Scanned\TSP 1179, sheet 6\TSP 1179, Sheet 6.pdf 59541 bytes
File C:\Manuals\TSP's Scanned\TSP 1179, Sheet 7\TSP 1179, Sheet 7.pdf 41281 bytes

---- EOF - GMER 1.0.15 ----

The "memory could not be read" was most probably related to: KB2418241. I uninstalled it and so far there are no errors. See this topic:
http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/ebf5e0b9-3bc5-4f2e-983f-e32c12654419

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 05 November 2010 - 02:25 PM.
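A triage pass over GMER output like the report above, as an added example that is not part of the original post and not GMER's own code: it parses the System (SSDT), Kernel code sections, User code sections and Devices lines into records, then flags what a responder should attribute first. The sample is a handful of lines copied from the report; `parse_gmer`, `triage`, `hook_groups` and the field names are the example's own. On this input it singles out uphcleanhlp.sys (hooks ZwUnloadKey and is reported missing on disk; the name matches the helper driver of the UPHClean service, and c:\program files\UPHClean appears in the ComboFix log later in the thread, so verify that before treating it as a rootkit), nwfilter.sys (referenced but absent), the identical ntdll hook jump shared across processes (one system-wide injector to attribute, rather than per-process malware), and the filter drivers sitting on the keyboard class device.

```python
"""Triage helper for GMER rootkit-scan text output (added example).

Parses the System, Kernel code sections, User code sections and Devices
sections of a pasted GMER report into records, then lists the entries to
attribute first. GMER has no API; this works on the text only, and every
function and field name here is the example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the GMER report in the post above,
# trimmed to a few per section so each parser branch is exercised.
SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwAllocateVirtualMemory [0xA3432750]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xA20466D0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwWriteVirtualMemory [0xA34329B0]

---- Kernel code sections - GMER 1.0.15 ----

? nwfilter.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA23D1400, 0x87EE2, 0xE8000020]
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[224] ntdll.dll!LdrQueryImageFileExecutionOptions 7C91CCA3 5 Bytes JMP 7FFA0000
.text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!LdrQueryImageFileExecutionOptions 7C91CCA3 5 Bytes JMP 7FFA0000
.text C:\WINDOWS\system32\services.exe[1868] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 7FF90000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs CtxSbx.sys (Citrix Application Isolation Environment Driver/Citrix Systems, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 KbdBlock2.SYS (Keyboard Block Driver/ILLC)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
# "SSDT <path> (<description/vendor>)? Zw<Func> [0xADDR]"; vendor is optional
SSDT_RE = re.compile(r"^SSDT\s+(\S+)(?:\s+\(([^)]*)\))?\s+(Zw\w+)\s+\[(0x[0-9A-Fa-f]+)\]")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified")
# ".text <process>[pid] dll!export ADDR N Bytes JMP TARGET"; process path may contain spaces
USERHOOK_RE = re.compile(r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+!\S+)\s+[0-9A-Fa-f]+\s+\d+ Bytes\s+JMP\s+([0-9A-Fa-f]+)")
DEVICE_RE = re.compile(r"^(AttachedDevice|Device)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\(([^)]*)\))?")


@dataclass
class SsdtHook:
    path: str
    vendor: Optional[str]
    function: str
    address: str


@dataclass
class UserHook:
    process: str
    pid: int
    target: str      # dll!export that was patched
    jump_to: str     # address the 5-byte JMP lands on


@dataclass
class DeviceEntry:
    kind: str
    driver_object: str
    device: str
    driver_file: str
    vendor: Optional[str]


@dataclass
class GmerReport:
    ssdt: List[SsdtHook]
    missing: List[str]          # lower-case basenames GMER could not find on disk
    user_hooks: List[UserHook]
    devices: List[DeviceEntry]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text: str) -> GmerReport:
    """Walk the report line by line, switching parser on the section header."""
    rep = GmerReport([], [], [], [])
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "System" and (m := SSDT_RE.match(line)):
            rep.ssdt.append(SsdtHook(m[1], m[2], m[3], m[4]))
        elif section == "Kernel code sections" and (m := MISSING_RE.match(line)):
            rep.missing.append(basename(m[1]))
        elif section == "User code sections" and (m := USERHOOK_RE.match(line)):
            rep.user_hooks.append(UserHook(m[1], int(m[2]), m[3], m[4]))
        elif section == "Devices" and (m := DEVICE_RE.match(line)):
            rep.devices.append(DeviceEntry(m[1], m[2], m[3], m[4], m[5]))
    return rep


def hook_groups(rep: GmerReport) -> Dict[Tuple[str, str], int]:
    """Processes per (patched export, jump target): one target shared by many
    processes is one system-wide injector to attribute, not per-process malware."""
    return Counter((h.target, h.jump_to) for h in rep.user_hooks)


def triage(rep: GmerReport) -> List[str]:
    """Order of attention: SSDT hooks by drivers missing on disk, then by drivers
    with no vendor string, then other missing drivers, shared user-mode hooks,
    and anything filtering the keyboard class device."""
    findings: List[str] = []
    missing = set(rep.missing)
    for h in rep.ssdt:
        name = basename(h.path)
        if name in missing:
            findings.append(f"SSDT {h.function} hooked by {name}, which GMER could not find on disk: attribute first")
        elif not h.vendor:
            findings.append(f"SSDT {h.function} hooked by {name} with no vendor string: check publisher/signature")
    for name in sorted(missing - {basename(h.path) for h in rep.ssdt}):
        findings.append(f"{name} referenced but not found on disk: stale service entry or hidden file")
    for (target, jump), n in sorted(hook_groups(rep).items()):
        if n > 1:
            findings.append(f"{target} -> {jump} in {n} processes: one system-wide injector")
    for d in rep.devices:
        if "keyboard" in d.device.lower():
            findings.append(f"filter on {d.device}: {d.driver_file} ({d.vendor or 'no vendor'})")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_gmer(SAMPLE)):
        print(finding)
```

Feed it the full pasted report instead of `SAMPLE` and the same four classes of finding come out; the per-process hook lines GMER prints carry no vendor, so attribution of a shared jump target still means identifying the module mapped at that address in one of the listed processes.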



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:30 PM

Posted 07 November 2010 - 04:39 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok,

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

In your next post I need the following

1.logs from DDS
2.log from RKUnHooker
3.let me know of any problems you may have had
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 zirkaiva

zirkaiva
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 08 November 2010 - 09:28 PM

Thank you for your reply. Please find attached the requested scans. I thought I found the reason for the "memory could not be read": I blamed it on KB2418241, KB2416473, KB976576, KB982524, the updates for the .NET Framework, but I had them uninstalled and the error is still there. It is absolutely inconsistent and not related to any particular application. As far as the blue screens go, I have found some buggy keyboard drivers. The bug was confirmed by the developer of these drivers. I still need more time to test the new drivers I have replaced them with. I did a Windows repair a while ago hoping to restore affected system drivers. Also I had all .NET Framework versions and updates uninstalled and installed again as standalone versions. As I write I still occasionally experience the "memory could not be read" error.

Attached Files



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:30 PM

Posted 08 November 2010 - 09:56 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#5 zirkaiva

zirkaiva
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 09 November 2010 - 10:31 PM

Earlier today I had a BSOD 0x7e but there was no crash log because I shut it down prematurely. I believe it was something related to USB-to-serial converter drivers since I was using that converter at that time. I had a BSOD on restart after the scan and attached is the crash dump log file. It is pointing to the igxpdv32.DLL driver. Here is the log:

ComboFix 10-11-09.01 - zirkaiva 2010-11-09 21:54:02.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2936.1761 [GMT -5:00]
Running from: c:\documents and settings\zirkaiva\My Documents\Downloads\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Install.exe
c:\windows\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2010-10-10 to 2010-11-10 )))))))))))))))))))))))))))))))
.

2010-11-09 02:07 . 2010-11-09 02:07 -------- d-----w- C:\RkUnhooker
2010-11-09 01:04 . 2010-11-09 01:04 -------- d-----w- c:\documents and settings\zirkaiva\Application Data\DivX
2010-11-09 00:55 . 2010-11-09 00:55 -------- d-----w- c:\program files\Common Files\Skype
2010-11-08 05:10 . 2010-11-08 05:11 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-11-07 23:54 . 2010-11-08 05:11 -------- d-----w- c:\program files\DivX
2010-11-07 23:42 . 2010-11-08 05:11 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-11-07 19:16 . 2010-11-07 19:16 -------- d-----w- c:\documents and settings\zirkaiva\Application Data\ElevatedDiagnostics
2010-11-06 16:42 . 2010-11-06 16:42 -------- d-----w- c:\documents and settings\zirkaiva\NetgearVPN-Tunnel
2010-11-06 14:13 . 2010-11-06 14:13 -------- d-----w- c:\documents and settings\zirkaiva\Application Data\Microsoft Corporation
2010-11-06 13:44 . 2010-11-06 13:44 102944 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2010-11-06 13:43 . 2010-11-06 13:43 -------- d-----w- C:\Documents
2010-11-06 13:39 . 2010-11-06 20:14 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-11-06 13:39 . 2010-11-06 13:39 -------- d-----w- c:\program files\IIS
2010-11-06 13:37 . 2009-07-23 03:08 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2010-11-06 13:37 . 2009-07-23 03:08 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2010-11-06 13:36 . 2010-11-06 13:36 -------- d-----w- c:\windows\system32\RsFx
2010-11-06 13:31 . 2010-11-06 13:36 -------- d-----w- c:\program files\Microsoft SQL Server
2010-11-06 13:27 . 2010-11-06 13:27 -------- d-----w- c:\program files\Microsoft Help Viewer
2010-11-06 13:11 . 2010-11-06 13:11 -------- d-----w- c:\program files\Common Files\Microsoft KitSetup
2010-11-06 13:05 . 2010-11-06 13:05 -------- d-----w- c:\program files\dsf
2010-11-06 13:05 . 2010-11-06 13:05 -------- d-----w- C:\WinDDK
2010-11-06 13:01 . 2010-11-06 13:01 -------- d-----w- c:\program files\DAEMON Tools Pro
2010-11-06 12:32 . 2010-11-06 12:32 -------- d-----w- c:\program files\Universal Extractor
2010-11-06 02:15 . 2010-11-06 02:15 -------- d-----w- c:\windows\system32\XPSViewer
2010-11-06 02:10 . 2010-11-06 02:10 -------- d-----w- c:\windows\system32\URTTemp
2010-11-05 21:21 . 2010-11-05 21:22 -------- d-----w- C:\Training
2010-11-04 23:07 . 2010-11-04 23:07 -------- d-----w- c:\program files\CodeStuff
2010-11-04 22:15 . 2010-11-04 22:15 39424 ----a-w- c:\windows\zipinst.exe
2010-11-04 22:15 . 2010-11-04 23:49 -------- d-----w- c:\program files\WinUpdatesList
2010-11-04 16:20 . 2001-07-10 10:02 4480 ----a-w- c:\windows\system32\drivers\blankscreen.sys
2010-11-04 16:20 . 2003-03-17 17:16 98304 ----a-w- c:\windows\system32\loc32vc.dll
2010-11-04 16:20 . 2001-07-10 10:02 5600 ----a-w- c:\windows\system32\drivers\kbstuff.sys
2010-11-04 14:47 . 2010-04-28 11:44 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2010-11-04 14:47 . 2010-11-04 14:47 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-11-04 14:46 . 2010-11-04 14:47 -------- d-----w- c:\program files\Microsoft
2010-11-04 14:46 . 2010-11-04 14:46 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-11-04 14:45 . 2010-11-04 14:47 -------- d-----w- c:\program files\Windows Live
2010-11-04 14:27 . 2010-11-04 14:27 -------- d-----w- c:\program files\Common Files\Windows Live
2010-11-04 12:52 . 2010-09-09 13:38 468480 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-11-04 12:52 . 2010-09-09 13:38 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-11-04 12:52 . 2010-09-09 13:38 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-11-04 12:52 . 2010-09-09 13:38 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-11-04 12:52 . 2010-09-09 13:38 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-11-04 12:52 . 2010-08-31 12:09 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-11-04 12:52 . 2010-02-22 22:04 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-11-04 12:52 . 2010-09-09 13:38 6075904 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-11-04 12:00 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-11-04 11:57 . 2010-04-27 13:59 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-11-04 11:57 . 2010-04-28 02:25 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-11-04 11:55 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-11-04 11:52 . 2009-08-07 00:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-11-03 22:16 . 2008-04-14 12:00 30208 -c--a-w- c:\windows\system32\dllcache\sm87w.dll
2010-11-03 22:15 . 2008-04-14 12:00 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-11-03 22:14 . 2003-03-24 20:52 20540 -c--a-w- c:\windows\system32\dllcache\admin.dll
2010-11-03 22:10 . 2008-04-14 12:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-11-03 21:48 . 2008-04-14 09:42 20992 ----a-w- c:\windows\system32\dshowext.ax
2010-11-03 21:35 . 2008-04-14 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-11-03 21:35 . 2008-04-14 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-11-03 21:35 . 2008-04-14 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-11-03 21:35 . 2008-04-14 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-11-03 21:34 . 2008-04-14 12:00 16535 ----a-r- c:\windows\SET106.tmp
2010-11-03 21:34 . 2008-04-14 12:00 1088840 ----a-r- c:\windows\SETFA.tmp
2010-11-03 21:34 . 2008-04-14 12:00 1296669 ----a-r- c:\windows\SETF7.tmp
2010-11-03 21:02 . 2001-06-15 12:01 3779 ----a-w- c:\windows\system32\drivers\mouslock.sys
2010-11-03 21:02 . 2001-06-15 12:01 3742 ----a-w- c:\windows\system32\drivers\kblock.sys
2010-11-03 20:58 . 2001-08-08 12:47 27968 ----a-w- c:\windows\system32\wmutil.dll
2010-11-03 20:57 . 2010-11-03 21:00 -------- d-----w- C:\CLIENT
2010-11-03 17:23 . 2008-04-14 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-11-03 17:23 . 2008-04-14 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2010-11-03 17:19 . 2008-04-14 12:00 8192 -c--a-w- c:\windows\system32\dllcache\httpmb51.dll
2010-11-03 17:19 . 2008-04-14 12:00 61440 -c--a-w- c:\windows\system32\dllcache\httpod51.dll
2010-11-03 17:19 . 2008-04-14 12:00 46592 -c--a-w- c:\windows\system32\dllcache\sspifilt.dll
2010-11-03 17:19 . 2008-04-14 12:00 364032 -c--a-w- c:\windows\system32\dllcache\w3svc.dll
2010-11-03 17:08 . 2008-08-27 16:25 245842 ----a-r- c:\windows\system32\SET22A.tmp
2010-11-03 17:08 . 2007-05-08 12:51 61440 ----a-r- c:\windows\system32\SET21C.tmp
2010-11-03 17:08 . 2007-05-08 12:50 217088 ----a-r- c:\windows\system32\SET21F.tmp
2010-11-03 17:08 . 2007-05-08 12:48 208896 ----a-r- c:\windows\system32\SET21A.tmp
2010-11-03 17:08 . 2007-05-08 12:45 212992 ----a-r- c:\windows\system32\SET21E.tmp
2010-11-03 17:08 . 2007-05-08 12:45 86016 ----a-r- c:\windows\system32\SET21B.tmp
2010-11-03 17:08 . 2008-08-27 16:23 262227 ----a-r- c:\windows\system32\SET218.tmp
2010-11-03 17:08 . 2007-05-08 12:51 73728 ----a-r- c:\windows\system32\SET219.tmp
2010-11-03 17:08 . 2008-02-07 20:11 233554 ----a-r- c:\windows\system32\SET211.tmp
2010-11-03 17:08 . 2008-08-27 16:26 536658 ----a-r- c:\windows\system32\SET20B.tmp
2010-11-03 17:08 . 2007-05-08 12:42 143360 ----a-r- c:\windows\system32\SET206.tmp
2010-11-03 17:08 . 2006-03-27 17:08 40960 ----a-r- c:\windows\system32\SET207.tmp
2010-11-03 16:39 . 2008-04-14 12:00 16535 ----a-r- c:\windows\SET1B2.tmp
2010-11-03 16:39 . 2008-04-14 12:00 1088840 ----a-r- c:\windows\SET1A6.tmp
2010-11-03 16:39 . 2008-04-14 12:00 1296669 ----a-r- c:\windows\SET1A3.tmp
2010-11-03 15:22 . 2010-11-03 15:15 5556616 ----a-w- c:\temp\MDAC_TYP.EXE
2010-11-03 15:17 . 2010-11-03 15:17 -------- d-----w- C:\CompChecker
2010-11-03 14:24 . 2010-11-03 14:24 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-11-03 14:24 . 2010-11-04 14:45 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-11-03 14:24 . 2010-11-03 14:24 187808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2010-11-03 14:23 . 2010-11-03 14:23 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2010-11-03 14:21 . 2010-11-03 14:24 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-11-03 14:20 . 2010-11-06 13:39 -------- d-----w- c:\program files\Microsoft SDKs
2010-11-03 12:09 . 2010-11-03 12:08 1384 ----a-w- c:\windows\whichvers.bat
2010-11-03 11:23 . 2010-11-03 11:23 -------- d-----w- c:\program files\HashCalc
2010-11-03 03:03 . 2010-11-03 03:03 39 ---ha-w- c:\windows\system32\spfid.bin
2010-11-03 03:03 . 2010-11-03 03:03 39 ---ha-w- c:\windows\spfid.bin
2010-11-03 00:55 . 2010-11-03 00:55 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-11-02 19:32 . 2010-11-02 19:46 -------- d-----w- c:\program files\Advantech eAutomation
2010-11-02 17:32 . 2010-11-03 00:02 -------- d-----w- c:\documents and settings\zirkaiva\Application Data\GetRightToGo
2010-11-02 16:45 . 2010-11-02 16:45 -------- d-----w- c:\documents and settings\zirkaiva\Local Settings\Application Data\WinZip
2010-11-02 16:44 . 2010-11-02 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-11-02 14:20 . 2010-11-02 14:39 -------- d-----w- c:\program files\jv16 PowerTools 2010
2010-11-02 13:41 . 2010-11-02 13:41 -------- d-----w- c:\program files\UPHClean
2010-11-01 16:09 . 2010-11-01 17:12 -------- d-----w- c:\program files\Any PDF to DWG Converter
2010-11-01 13:54 . 2010-11-01 13:54 103424 ----a-w- c:\windows\system32\GAPLib_nat.dll
2010-11-01 10:34 . 2010-11-01 10:34 -------- d-----w- c:\program files\Fighters
2010-10-31 04:35 . 2010-10-31 04:35 -------- d-----w- c:\program files\ESET
2010-10-31 04:26 . 2010-11-02 23:11 -------- d-----w- c:\documents and settings\zirkaiva\Application Data\QuickScan
2010-10-30 18:50 . 2006-11-02 14:09 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2010-10-30 18:50 . 2010-02-25 19:19 16768 ----a-w- c:\windows\system32\drivers\HpqKbFiltr.sys
2010-10-28 01:57 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-28 01:57 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-25 16:49 . 2010-10-25 16:48 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-25 16:49 . 2010-10-25 16:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-25 16:49 . 2010-10-25 16:48 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-24 03:49 . 2010-10-24 03:49 -------- d-----w- c:\windows\system32\winrm
2010-10-24 03:49 . 2010-10-24 03:49 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-10-24 02:59 . 2007-04-03 04:12 1327320 ------w- c:\program files\MSN\MSNCoreFiles\Install\msnsusii.exe
2010-10-24 02:59 . 2007-04-03 04:04 884712 ------w- c:\program files\MSN\MSNCoreFiles\Install\MSN9Components\digcore.exe
2010-10-24 02:59 . 2007-04-03 04:09 11053008 ------w- c:\program files\MSN\MSNCoreFiles\Install\MSN9Components\msncli.exe
2010-10-24 02:59 . 2008-04-14 09:40 966656 ------w- c:\program files\MSN\MSNCoreFiles\OOBE\obemetal.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-07 17:51 . 2010-04-05 18:07 27872 ----a-w- c:\windows\UninstallVTPassage.exe
2010-11-07 17:51 . 2010-04-05 18:07 18656 ----a-w- c:\windows\ssldrv.sys
2010-11-06 03:23 . 2010-01-24 16:31 436792 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-10-09 15:01 . 2010-10-09 15:01 46272 ----a-r- c:\documents and settings\zirkaiva\Application Data\Microsoft\Installer\{E1FC7666-8BFC-11DD-8CC0-6FB956D89593}\zsserver.exe
2010-10-05 18:09 . 2010-10-05 18:09 103424 ----a-w- c:\windows\system32\LicenseAuthorization_nat.dll
2010-10-05 18:09 . 2010-10-05 18:09 103424 ----a-w- c:\windows\system32\Encryption_nat.dll
2010-09-24 21:21 . 2010-09-24 21:21 36472 ----a-w- c:\windows\system32\LINXVDD.DLL
2010-09-24 20:55 . 2010-09-24 20:55 401408 ----a-w- c:\windows\system32\DTL32.DLL
2010-09-24 19:38 . 2010-09-24 19:38 7449 ----a-w- c:\windows\system32\drivers\SDDHP.BIN
2010-09-24 19:38 . 2010-09-24 19:38 6400 ----a-w- c:\windows\system32\drivers\slcnewkt.bin
2010-09-24 19:38 . 2010-09-24 19:38 5433 ----a-w- c:\windows\system32\drivers\SDDH.BIN
2010-09-24 19:38 . 2010-09-24 19:38 39067 ----a-w- c:\windows\system32\RSIKT.SYS
2010-09-24 19:38 . 2010-09-24 19:38 1824 ----a-w- c:\windows\system32\drivers\PCMKST3.BIN
2010-09-24 19:38 . 2010-09-24 19:38 1800 ----a-w- c:\windows\system32\drivers\PCMKST1.BIN
2010-09-24 19:38 . 2010-09-24 19:38 11 ----a-w- c:\windows\system32\drivers\PCMKST2.BIN
2010-09-24 19:38 . 2010-09-24 19:38 9282 ----a-w- c:\windows\system32\drivers\PCMKPCL.BIN
2010-09-24 19:38 . 2010-09-24 19:38 9139 ----a-w- c:\windows\system32\drivers\KTXPCL.BIN
2010-09-24 19:38 . 2010-09-24 19:38 301 ----a-w- c:\windows\system32\drivers\PCMKST0.BIN
2010-09-24 19:38 . 2010-09-24 19:38 301 ----a-w- c:\windows\system32\drivers\KTXST0.BIN
2010-09-24 19:38 . 2010-09-24 19:38 1800 ----a-w- c:\windows\system32\drivers\KTXST1.BIN
2010-09-24 19:38 . 2010-09-24 19:38 15664 ----a-w- c:\windows\system32\drivers\PCMK485.BIN
2010-09-24 19:38 . 2010-09-24 19:38 15557 ----a-w- c:\windows\system32\drivers\KTX485.BIN
2010-09-24 19:38 . 2010-09-24 19:38 7575 ----a-w- c:\windows\system32\drivers\KLPCL.BIN
2010-09-24 19:38 . 2010-09-24 19:38 262144 ----a-w- c:\windows\system32\drivers\KTC.BIN
2010-09-24 19:38 . 2010-09-24 19:38 248 ----a-w- c:\windows\system32\drivers\KLST0.BIN
2010-09-24 19:38 . 2010-09-24 19:38 1825 ----a-w- c:\windows\system32\drivers\KT2ST2.BIN
2010-09-24 19:38 . 2010-09-24 19:38 1824 ----a-w- c:\windows\system32\drivers\KLST2.BIN
2010-09-24 19:38 . 2010-09-24 19:38 1801 ----a-w- c:\windows\system32\drivers\KT2ST1.BIN
2010-09-24 19:38 . 2010-09-24 19:38 1800 ----a-w- c:\windows\system32\drivers\KLST1.BIN
2010-09-24 19:38 . 2010-09-24 19:38 177 ----a-w- c:\windows\system32\drivers\KT2ST0.BIN
2010-09-24 19:38 . 2010-09-24 19:38 97740 ----a-w- c:\windows\system32\drivers\abpcic.sys
2010-09-24 19:38 . 2010-09-24 19:38 71448 ----a-w- c:\windows\system32\drivers\abktcx.sys
2010-09-24 19:38 . 2010-09-24 19:38 69132 ----a-w- c:\windows\system32\drivers\abpcics.sys
2010-09-18 17:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-11 03:32 . 2010-01-28 13:02 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-09-09 13:38 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2008-04-14 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-01 11:51 . 2008-04-14 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38 . 2008-04-14 12:00 1861888 ----a-w- c:\windows\system32\win32k.sys.old
2010-08-31 13:38 . 2008-04-14 12:00 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 12:10 . 2008-04-14 12:00 389120 ----a-w- c:\windows\system32\html.iec
2010-08-30 13:22 . 2010-08-30 13:23 389120 ----a-w- c:\windows\system32\CF1989.exe
2010-08-27 08:02 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-04-14 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-04-14 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-09-29 16:49 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-14 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-19 12:01 . 2010-08-19 12:01 45056 ----a-r- c:\documents and settings\zirkaiva\Application Data\Microsoft\Installer\{10C2D3CD-8F3C-4824-AD6A-5231A420D056}\NewShortcut11_D7525CD868F742D0B0E330A331389110.exe
2010-08-19 12:01 . 2010-08-19 12:01 45056 ----a-r- c:\documents and settings\zirkaiva\Application Data\Microsoft\Installer\{10C2D3CD-8F3C-4824-AD6A-5231A420D056}\NewShortcut1_D7525CD868F742D0B0E330A331389110.exe
2010-08-19 12:01 . 2010-08-19 12:01 45056 ----a-r- c:\documents and settings\zirkaiva\Application Data\Microsoft\Installer\{10C2D3CD-8F3C-4824-AD6A-5231A420D056}\ARPPRODUCTICON.exe
2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2008-04-14 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\iFolder0]
@="{AA81D830-3B41-497c-B508-E9D02F8DF421}"
[HKEY_CLASSES_ROOT\CLSID\{AA81D830-3B41-497c-B508-E9D02F8DF421}]
2009-07-30 21:56 98304 ----a-w- c:\program files\iFolder\iFolderShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\iFolder1]
@="{AA81D831-3B41-497c-B508-E9D02F8DF421}"
[HKEY_CLASSES_ROOT\CLSID\{AA81D831-3B41-497c-B508-E9D02F8DF421}]
2009-07-30 21:56 98304 ----a-w- c:\program files\iFolder\iFolderShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-06 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2010-02-25 287800]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
"iFolder"="c:\program files\iFolder\iFolderApp.exe" [2009-07-30 1536000]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-08 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-08 174616]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-08 145432]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-11-27 298536]
"ZENRC Tray Icon"="zentray.exe" [2005-05-18 40960]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]

c:\documents and settings\zirkaiva\Start Menu\Programs\Startup\
FastStone Capture.lnk - c:\documents and settings\zirkaiva\My Documents\Downloads\fscapture\FSCapture.exe [2010-1-11 1111552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - c:\program files\Novell\ZENworks\NalView.exe [2006-6-13 35840]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-5-12 576104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogoff"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogoff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-06-28 446464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-11-27 22:41 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-11-27 22:40 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-02 13:17 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\prwntdrv]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\iFolder\\lib\\simias\\web\\bin\\Simias.exe"=
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\zirkaiva\\My Documents\\Downloads\\Utorr\\uTorrentPortable\\App\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v17\\Bin\\RS5000.Exe"=
"c:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RdcyHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\NmspHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\EventServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\DaClient.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\VStudio.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\FTSPVStudio.exe"=
"c:\\WINDOWS\\system32\\OpcEnum.exe"=
"c:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"=
"c:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Program Files\\Novell\\GroupWise\\notify.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"49152:TCP"= 49152:TCP:49152
"135:TCP"= 135:TCP:Port 135 TCP
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 DSFKSVCS;Kernel Services for DSF;c:\windows\system32\drivers\dsfksvcs.sys [2010-02-08 479992]
R0 dsfroot;root enumerated bus driver;c:\windows\system32\drivers\dsfroot.sys [2010-02-08 31608]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-10-23 28552]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-03-28 24064]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010-01-24 436792]
R1 cdfdrv;cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [2010-01-19 31280]
R1 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [2010-02-19 60464]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2009-10-05 34592]
R1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\VirtualBackplane.sys [2007-02-02 63512]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2007-11-27 185896]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-05-23 6899]
R2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [2010-02-19 200752]
R2 DisplayLinkService;DisplayLink Service;c:\program files\DisplayLink Core Software\DisplayLinkService.exe [2009-03-10 447848]
R2 Kblock;Kblock;c:\windows\system32\drivers\kblock.sys [2010-11-03 3742]
R2 ManageEngine AssetExplorer Agent;ManageEngine AssetExplorer Agent;c:\program files\ManageEngine\AssetExplorer\bin\agentmonitor.exe [2010-06-17 274432]
R2 Mouslock;Mouslock;c:\windows\system32\drivers\mouslock.sys [2010-11-03 3779]
R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe [2010-10-23 126904]
R2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 6\PDFProFiltSrv.exe [2009-06-30 134944]
R2 Peakcan;Peakcan;c:\windows\system32\drivers\Peakcan.sys [2010-03-07 170288]
R2 Proteq;Proteq;c:\windows\system32\drivers\proteq.sys [2009-10-08 7598]
R2 RadeHlprSvc;Citrix Streaming Helper Service;c:\program files\Citrix\Streaming Client\RadeHlprSvc.exe [2010-03-10 120144]
R2 RadeSvc;Citrix Streaming Service;c:\program files\Citrix\Streaming Client\RadeSvc.exe [2010-03-10 873800]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2006-05-09 167936]
R2 TPPORT;TPPORT;c:\windows\system32\drivers\TPPORT.SYS [2009-10-07 5024]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-09-29 2058776]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [2010-04-09 20480]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2006-05-02 61440]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-05-23 2773]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-09-26 239760]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-10-18 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-04-04 44800]
R3 KbdBlock2;KbdBlock2;c:\windows\system32\drivers\kbdblock2.sys [2009-10-08 4608]
R3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [2009-12-02 45608]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2008-09-26 49152]
R3 SSLDrv;Virtual Passage SSLDrv Adapter;c:\windows\system32\drivers\SSLDrv.sys [2010-04-05 18656]
R3 zonescreen;zonescreen;c:\windows\system32\drivers\zsport.sys [2009-03-29 8256]
S2 BlankScreen;HBDevice;c:\windows\system32\drivers\blankscreen.sys [2010-11-04 4480]
S3 1784-PCIDS DeviceNet;1784-PCIDS DeviceNet;c:\program files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe [2007-02-02 102400]
S3 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-05-15 1176824]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-05-15 475520]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-11-20 113152]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-12-20 23888]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-09-26 227896]
S3 DBGMSG;DBGMSG;c:\windows\system32\drivers\DbgMsg.sys [2010-02-04 18240]
S3 EmuLogix 5868 Slot1;EmuLogix 5868 Slot1;c:\program files\Rockwell Software\RSLogix Emulate 5000\V16\EmuLogix5868.exe [2007-02-02 1716224]
S3 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [2010-08-20 250728]
S3 HRMACPI;DSF ACPI Redirection Module;c:\windows\system32\DRIVERS\HRMACPI.SYS --> c:\windows\system32\DRIVERS\HRMACPI.SYS [?]
S3 HRMCFGSPC;DSF General Configuration Space Redirection Module;c:\windows\system32\drivers\hrmcfgspc.sys [2010-02-08 92664]
S3 HRMINTS;DSF Interrupt Redirection Module;c:\windows\system32\drivers\hrmints.sys [2010-02-08 89976]
S3 HRMPORTS;DSF IO Port Redirection Module;c:\windows\system32\drivers\hrmports.sys [2010-02-08 103160]
S3 ManageEngine AssetExplorer RemoteControl;ManageEngine AssetExplorer RemoteControl;c:\program files\ManageEngine\AssetExplorer\RemoteControl\Service.exe [2010-06-17 241664]
S3 mosuport;USB Serial/Parallel Ports;c:\windows\system32\drivers\mosuport.sys [2010-02-04 900736]
S3 NmspHost;Rockwell Namespace Services;c:\program files\Common Files\Rockwell\NmspHost.exe [2010-08-20 224104]
S3 RdcyHost;Rockwell Redundancy Services;c:\program files\Common Files\Rockwell\RdcyHost.exe [2010-08-20 224104]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-08 1112560]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [2010-09-24 39067]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [2004-01-12 155440]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2010-04-09 587392]
S3 SimModuleService;1789-SIM Simulator Module;c:\program files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe [2007-02-02 98304]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\smcinst.exe [2010-01-28 669000]
S3 SOFTHIDUSBK;USB HID Layer;c:\windows\system32\DRIVERS\SOFTHIDUSBK.SYS --> c:\windows\system32\DRIVERS\SOFTHIDUSBK.SYS [?]
S3 SOFTUSBK;Generic USB device;c:\windows\system32\DRIVERS\SOFTUSBK.SYS --> c:\windows\system32\DRIVERS\SOFTUSBK.SYS [?]
S3 SOFTUSBTESTHUB;Generic USB Test Hub;c:\windows\system32\DRIVERS\SOFTUSBTESTHUB.SYS --> c:\windows\system32\DRIVERS\SOFTUSBTESTHUB.SYS [?]
S3 SOFTWADP;Wireless adapter devices;c:\windows\system32\DRIVERS\SOFTWADP.SYS --> c:\windows\system32\DRIVERS\SOFTWADP.SYS [?]
S3 Svk2pl;Gigaware USB to Serial Cable;c:\windows\system32\drivers\Svk2pl.sys [2010-04-01 51200]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [2008-08-20 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [2008-08-20 142976]
S3 TetherBerry;TetherBerry;c:\program files\TetherBerry\TBService.exe [2009-12-02 49056]
S3 WefiEngSvc;WeFi Engine Service;c:\program files\WeFi\WefiEngSvc.exe [2010-03-16 133976]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-04-14 14336]
S3 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-648UB\WLSVC.exe [2010-04-09 167936]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0; [x]
S3 WSOFTUSBK;Generic wireless USB device;c:\windows\system32\DRIVERS\WSOFTUSBK.SYS --> c:\windows\system32\DRIVERS\WSOFTUSBK.SYS [?]
S3 Xat20cd6;CANdy/CANdy lite kernel driver;c:\windows\system32\drivers\Xat20cd6.sys [2003-10-02 39616]
S3 XATucp03;Device driver (USB-to-CAN compact);c:\windows\system32\drivers\XatUcp03.sys [2003-10-02 48640]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-07-22 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-03-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 14:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ncr
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Open with Nuance PDF Converter 6.0 - c:\program files\Nuance\PDF Professional 6\cnvres_eng.dll /100
IE: Open with PDF Professional 6 - c:\program files\Nuance\PDF Professional 6\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: amazon.com
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {B2548AAB-7820-4190-AF5B-0483761C0B52} = 208.67.222.222,208.67.220.220
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: {19DFFB5D-E30A-4E3B-8524-0AD8F4D88D32} - hxxps://wormhole.mshs.com/XTunnel.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\zirkaiva\Application Data\Mozilla\Firefox\Profiles\ya73eoro.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ncr
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_1.0.1.8\coFFNST\components\coFFNST.dll
FF - component: c:\documents and settings\zirkaiva\Application Data\Mozilla\Firefox\Profiles\ya73eoro.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\zirkaiva\Application Data\Mozilla\Firefox\Profiles\ya73eoro.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\documents and settings\zirkaiva\Application Data\Mozilla\Firefox\Profiles\ya73eoro.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\zirkaiva\Application Data\Mozilla\Firefox\Profiles\ya73eoro.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npProductDetectPlugin.dll
FF - plugin: c:\documents and settings\zirkaiva\Application Data\Mozilla\Firefox\Profiles\ya73eoro.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\zirkaiva\Application Data\Mozilla\Firefox\Profiles\ya73eoro.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\zirkaiva\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\zirkaiva\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\Citrix\Streaming Client\nprade.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Nuance\PDF Professional 6\Bin\nppdf.dll
FF - plugin: c:\program files\Nuance\PDF Professional 6\bin\nppdf.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.scr=ScriptDebugEngine.7
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\DSFKSVCS\MofImagePath]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\LocalService\Software\Microsoft\Windows Script\Settings]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-20\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-20\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{76B00B36-EA8B-45f3-8B1D-549948097456}*FC29F34D]
"EVM16"="1855EACCE0BAA18B33F212B9B27ACAB6"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\WBEM\PROVIDERS\Logging\NTEVT]
@DACL=(02 0000)
"File"="c:\\WINDOWS\\system32\\WBEM\\Logs\\NTEVT.log"

[HKEY_LOCAL_MACHINE\software\Microsoft\WBEM\PROVIDERS\Logging\WBEMSNMP]
@DACL=(02 0000)
"Level"=dword:00000000
"File"="c:\\WINDOWS\\system32\\WBEM\\Logs\\\\WBEMSNMP.log"
"MaxFileSize"=dword:0000ffff
"Type"="File"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(252)
c:\windows\system32\NETWIN32.DLL
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\msi.dll
c:\windows\system32\ZenMup.dll
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\accrypto.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\windows\system32\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

- - - - - - - > 'lsass.exe'(320)
c:\program files\Citrix\system32\ctxsbxhook.dll
c:\program files\Citrix\system32\RADEAPHOOK.dll
c:\windows\system32\msi.dll
c:\windows\system32\Novell\NCredMgr.dll
c:\windows\system32\NETWIN32.DLL

- - - - - - - > 'Explorer.exe'(5628)
c:\windows\system32\WININET.dll
c:\program files\Citrix\system32\ctxsbxhook.dll
c:\program files\Citrix\system32\RADEAPHOOK.dll
c:\windows\system32\msi.dll
c:\windows\system32\AcSignIcon.dll
c:\program files\iFolder\iFolderShell.dll
c:\windows\system32\btmmhook.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\ieframe.dll
c:\program files\iFolder\iFolderComponent.dll
c:\program files\iFolder\Novell.iFolder.dll
c:\program files\iFolder\SimiasClient.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\msdtc.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Citrix\System32\CdfSvc.exe
c:\windows\system32\crypserv.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Novell\ZENworks\nalntsrv.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\PatchLink\Update Agent\GravitixService.exe
c:\program files\Raxco\PerfectDisk10\PDAgent.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Novell\ZENworks\wm.exe
c:\windows\system32\mqsvc.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\DisplayLink Core Software\DisplayLinkManager.exe
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\program files\DisplayLink Core Software\DisplayLinkUI.exe
c:\windows\system32\wscntfy.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\NWTRAY.EXE
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Novell\ZENworks\NalAgent.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2010-11-09 22:10:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-10 03:10

Pre-Run: 83,657,035,776 bytes free
Post-Run: 83,517,186,048 bytes free

Current=9 Default=9 Failed=7 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - 08B82325BD04386686B4368377F98855
Thanks and regards

Attached File: Memory dump.txt (4.76KB)

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:30 PM

Posted 10 November 2010 - 06:10 AM

Hello

I would like to see a report that ComboFix makes.

Extra ComboFix report

  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box:
    C:\Qoobox\Add-Remove Programs.txt
  • click OK

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 zirkaiva

  • Topic Starter
  • Members
  • 10 posts
  • Local time:04:30 PM

Posted 10 November 2010 - 08:41 AM

Here you have it:


2007 Microsoft Office Suite Service Pack 2 (SP2)
3500 Rack Configuration Software
ABLS 3.21
ABLS 4.00 -12
ABLS 4.00 -13
Activation Assistant for the 2007 Microsoft Office suites
ActivClient 6.1 x86
Add-ons
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
Advantech Studio v6.0
Advantech Studio v6.1 + Service Pack 4
Agere Systems HDA Modem
Annotations
Annotations Help
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AT&T Communication Manager
audiosamples
AuthenTec Fingerprint System
AutoCAD LT 2011 - English
AutoCAD LT 2011 Language Pack - English
Autodesk Material Library 2011
AviSynth 2.5
avstreamsamples
avstreamtools_ia64fre
avstreamtools_x64fre
avstreamtools_x86fre
BESTCOMS-DECS200
BESTCOMS-DECS300
BESTCOMS for DECS-100
BESTwave
biometricsamples
biometrictools_x64fre
biometrictools_x86fre
BlackBerry Desktop Software 5.0.1
BlackBerry® Media Sync
Block Diagrams
Block Diagrams Samples
bluetoothsamples
bluetoothtools_ia64fre
bluetoothtools_x64fre
bluetoothtools_x86fre
Bonjour
Borders and Backgrounds
Building Architecture
Building Architecture Help
Building Architecture Samples
Building Services
Building Services Help
Building Services Samples
buildsamples
buildtools_ia64fre
buildtools_x64fre
buildtools_x86fre
Bulgarian Keyboards XP V3.0 by Injinera
bussamples
CAD Drawing Converter
CAD Drawing Converter Help
CAD Drawing Converter Samples
CAD Drawing Display
CAD Drawing Display Samples
Callouts and Connectors
Callouts and Connectors Help
cancelsample
CCleaner
CDBurnerXP
cGPSmapper Personal 0100a with Routing support
chkinftool_x86fre
Citrix ICA Client
Citrix offline plug-in
Clip Art and Symbols
Clip Art and Symbols Help
CodeStuff Starter
Collins English Dictionary
Compatibility Pack for the 2007 Office system
Component Checker
Content Transfer
Control Assistant
Control Assistant 3.10
Control Assistant 3.8
Control Assistant 3.9
Control Assistant 4
ControlFLASH
ConvertHelper 2.2
Cscape 8.8
Cscape 9.10
Custom Patterns
Custom Properties Editor
CutePDF Writer 2.7
Database Wizard
Database Wizard Samples
DcDesk 2000 Version 5.15
debugfiles_win7
Debugging Tools for Windows (x86)
Developing Visio Solutions
Developing Visio Solutions Help
Device Simulation Framework 1.0.1
dfx_ia64fre
dfx_x64fre
dfx_x86fre
Directmedia
DisplayLink Core Software
displaysamples
DivX Setup
drvtools_ia64fre
drvtools_x64fre
drvtools_x86fre
DSF-KitSetup
dsfsamples
DVDFab 6.2.0.5 (11/11/2009)
DWG TrueView 2010
Electrical Engineering
Electrical Engineering Help
Electrical Engineering Samples
EnerVista 489 Setup
Equipment Selector
Equipment Selector Furniture Database
Equipment Selector Help
ESET Online Scanner v3
eventsample
evntdrvsample
Facilities Management
Facilities Management Help
FactoryTalk Services Platform 2.30 (CPR 9 SR 3)
fireflysample
Flowcharts
Flowcharts Samples
Fluid Power
Fluid Power Help
Fluid Power Samples
FlukeView Forms
FlukeView ScopeMeter 3.0 English
Forms and Charts
Forms and Charts Samples
Foundation technical
Free IP Switcher
Gap 2.11 Upgrade
Gap 2.14
Gap 2.14A
Gap 2.15 Upgrade
Gap 2.16 Upgrade
Gap 2.17 Upgrade
Gap 2.18
Gap 2.18A
GAP Editor
Gap Programmer version 2.10-0
Gap Programmer version 3.08-2
Gap Programmer version 4.00-1
Gap Programmer version 4.05-0
Gap Programmer version 4.06-1
Gap Programmer version 5.00-2
Gap Programmer version 5.01-0
Gap version 2.12
Gap version 2.13
GAP3
Garmin City Navigator North America NT 2010.40
Garmin MapInstall
Garmin MapSource
Garmin USB Drivers
generalsamples
generaltools_ia64fre
generaltools_x64fre
generaltools_x86fre
GmapTool 0.4.8
Google Chrome
Google Earth Plug-in
Google Toolbar for Internet Explorer
Google Update Helper
Graphics Filters
GroupWise
GroupWise Messenger
HashCalc 2.02
headers
Help for Visio 2000 (HTML Help)
Help_Technical
hid_inputsamples
hidsampleinput
hidsamples
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP 3D DriveGuard
HP BatteryCheck 2.10 A2
HP Doc Viewer
HP Drive Key Boot Utility
HP Help and Support
HP Integrated Module with Bluetooth wireless technology
HP Product Detection
HP Quick Launch Buttons
HP QuickLook 2
HP Software Setup 5.00.A.7
HP Update
HP USB Docking Video
HP User Guide Bluetooth Addendum 0062
HP User Guides 0098
HP Wallpaper
HP Webcam
HP Webcam Application
HP Wireless Assistant
HSyCon System Configurator
iFolder 3 Client
ifssamples
IIS 6.0 Resource Kit Tools
IIS6 Manager
imagingtools_ia64fre
imagingtools_x64fre
imagingtools_x86fre
infsample_ia64fre
infsample_x64fre
infsample_x86fre
installhelp
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Interface
Intel® Network Connections Drivers
Intel® Active Management Technology
Intel® Matrix Storage Manager
InterVideo DVD Check
InterVideo Register Manager
InterVideo WinDVD
ioctlsample
irsamples
iTunes
IXXAT VCI 2.16 for Windows 9x/ME/NT/2000/XP
J2SE Runtime Environment 5.0 Update 12
Java Auto Updater
Java™ 6 Update 22
JDownloader
jv16 PowerTools 2009
jv16 PowerTools 2010
LC Control
LeoPC1
libs_ia64fre
libs_x64fre
libs_x86fre
LightScribe System Software 1.14.17.1
LiveUpdate 3.3 (Symantec Corporation)
Magic ISO Maker v5.5 (build 0281)
Malwarebytes' Anti-Malware
ManageEngine AssetExplorer Agent
Maps
Maps Samples
Marathon Electric DVR2000E
Mechanical Engineering
Mechanical Engineering Help
Mechanical Engineering Samples
Media Manager for WALKMAN 1.2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft ASP.NET ValidatePath Module
Microsoft Baseline Security Analyzer 2.1
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Help Viewer 1.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Integration
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Repository
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Silverlight 4 SDK
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server System CLR Types
Microsoft SQL Server VSS Writer
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Team Foundation Server 2010 Object Model - ENU
Microsoft Visual Basic 2008 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
Microsoft Visual C++ 6.0 Standard Edition
Microsoft Visual Studio Service Pack 3
Microsoft Windows Driver Kit 7.1.0.7600
Microsoft Windows Driver Kit Documentation 7600.091201
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32
Microsoft WSE 3.0 Runtime
modemtools
Mozilla Firefox (3.6.12)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6.0 Parser (KB927977)
MultiView 2000
MyDefrag v4.2.3
Network Diagrams
Network Diagrams Samples
networklibraries_ia64fre
networklibraries_x64fre
networklibraries_x86fre
networksamples
NICI (Shared) U.S./Worldwide (128 bit) (2.7.4-1)
NMAS Challenge Response Method
NMAS Client
Nokia Connectivity Cable Driver
Norton Safe Web Lite
Novell Client for Windows
Novell iPrint Client v05.12.00
Nuance PDF Professional 6
oacr_x86fre
Office Layout
Office Layout Help
Office Layout Samples
offreg_ia64fre
offreg_x64fre
offreg_x86fre
OGA Notifier 2.0.0048.0
Online Documentation
OPC Core Components Redistributable
OPTIview 1.4
Orbit Downloader
Organization Charts
Organization Charts Samples
Page Layout Wizard
Panda ActiveScan 2.0
PanelBuilder32
Parker Isysnet Analog Module Profiles
Parker Isysnet ASCII Module Profile
Parker Isysnet Discrete Module Profiles
Parker Isysnet Discrete Module Profiles 2
Parker Isysnet Discrete Module Profiles 3
pcidrvsample
PeakHMI MB RLL Version 2.2.0.3
PeakHMI Slave Simulators
PerfectDisk 10 Professional
pfd_ia64fre
pfd_x64fre
pfd_x86fre
pnpportssample
pnptools_ia64fre
pnptools_x64fre
pnptools_x86fre
portiosample
powermanagement_ia64fre
powermanagement_x64fre
powermanagement_x86fre
Presto! BizCard 5
Print ShapeSheet
printsamples
printtools_ia64fre
printtools_x64fre
printtools_x86fre
Process Engineering
Process Engineering Help
Process Engineering Samples
Program Files
Program Files Help
Program Files Technical
Project Schedules
Project Schedules Samples
Property Reporting Wizard
QLBCASL
QuickTime
readme
Redundancy Module Config Tool
Release Notes Technical
RICOH Media Driver
RICOH R5C853 Media Driver Ver.1.02.00.06b
Rockwell Automation 1732 Discrete Module Profiles
Rockwell Automation 1734 Analog Module Profiles
Rockwell Automation 1734 ASCII Module Profiles
Rockwell Automation 1734 Discrete Module Profiles
Rockwell Automation 1734 Discrete Module Profiles 2
Rockwell Automation 1734 Specialty Module Profiles
Rockwell Automation 1738 Analog Module Profiles
Rockwell Automation 1738 ASCII Module Profiles
Rockwell Automation 1738 Discrete Module Profiles
Rockwell Automation 1738 Discrete Module Profiles 2
Rockwell Automation 1738 Discrete Module Profiles 3
Rockwell Automation 1738 Specialty Module Profiles
Rockwell Automation 1756 CNet Comms Module Profiles
Rockwell Automation 1756 ENet Comms Module Profiles
Rockwell Automation 1756 HART Module Profiles
Rockwell Automation 1769 Analog Module Profiles
Rockwell Automation 1769 ASCII Module Profiles
Rockwell Automation 1769 Boolean Module Profiles
Rockwell Automation 1769 Controller Module Profiles
Rockwell Automation 1769 Discrete Module Profiles
Rockwell Automation 1769 Embedded Module Profiles
Rockwell Automation 1769 Specialty Module Profiles
Rockwell Automation 1791DS Discrete Module Profiles
Rockwell Automation Drives PowerFlex 4 Module Profiles
Rockwell Automation Drives PowerFlex 7 2 Module Profiles
Rockwell Automation Drives PowerFlex 7 Module Profiles
Rockwell Automation Drives SCANport Module Profiles
Rockwell Automation Generic Safety Module Profiles
Rockwell Automation USB CIP Driver Package
Rockwell Windows Firewall Configuration Utility 1.00.05
Rootkit Unhooker Uninstall
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Business
Roxio Creator Business v10
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Media Manager
Roxio MyDVD
RSLinx Classic 2.57.00 CPR 9 SR 3
RSLogix 5 English 7.40.00 (CPR 9)
RSLogix 500 English 8.00.00 (CPR 9)
RSLogix 5000 Module Profile Core
RSLogix 5000 Module Profile Setup Utility
RSLogix 5000 Online Books v17.00.00
RSLogix 5000 Setup Installer
RSLogix 5000 Start Page Media v17.00.05
RSLogix 5000 System Updates
RSLogix 5000 v17.00.00 (CPR 9 SR 1)
RSLogix Emulate 5
RSLogix Emulate 500 6.00.00 (CPR 9)
RSLogix Emulate 5000 16.00.29 (CPR 7)
RSTrainer 2000 for RSLogix 5
SA Dictionary 2005 T2
Safari
Sample Drawings
Save as HTML
Scansoft PDF Professional
sdv
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows XP (KB923789)
Segoe UI
sensorsamples
Service Pack 1 for SQL Server 2008 (KB968369)
setupsamples
setuptools_ia64fre
setuptools_x64fre
setuptools_x86fre
Shape Explorer
Shape Explorer Help
sideshowsamples
Skype™ 5.0
SLOW-PCfighter
smartcardsamples
SmartShape Wizard
Solutions
Sonic CinePlayer Decoder Pack
SOS Servlink OPC Server
Spelling Dictionaries Support For Adobe Reader 9
Sql Server Customer Experience Improvement Program
Stencil Report Wizard
storagesamples
streammediasamples
swtuner
Symantec Endpoint Protection
Synaptics Pointing Device Driver
System Requirements Lab for Intel
TetherBerry 1.0.11
TimeClock Plus 6.0
toastermetadatapackagesample
toastersample
toolindex
tools_ia64fre
tools_x64fre
tools_x86fre
tracingtool_ia64fre
tracingtool_x64fre
tracingtool_x86fre
Translate PLC-5_SLC 2.0
Trend Tool
TRENDnet TEW-648UB Wireless N USB Adapter
umdfsamples
Universal Extractor 1.6.1
Universal PST v3.02
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb2410711)
USB Compound Device
usbsamples
User Profile Hive Cleanup Service
VBA
VC80CRTRedist - 8.0.50727.4053
Viking Vision 3.0
Virtual Account Numbers
Visio
Visio Core Files
Visio Technical Core Files
vistalibs_ia64fre
vistalibs_x64fre
vistalibs_x86fre
VLC media player 1.0.2
Watch Window Professional
Watch Window Standard
WCF RIA Services V1.0 for Visual Studio 2010
wcoinstallers
wdftools_ia64fre
wdftools_x64fre
wdftools_x86fre
wdtfbinaries_ia64fre
wdtfbinaries_x64fre
wdtfbinaries_x86fre
Web Deployment Tool
WebEx
WebFldrs XP
WeFi 3.9.3.1
WinDjView-0.4.3
Windows Driver Package - FTDI CDM Driver Package (03/13/2008 2.04.06)
Windows Driver Package - FTDI CDM Driver Package (10/22/2009 2.06.00)
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live OneCare safety scanner
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows NT Messaging
Windows PowerShell™ 1.0
WinImage
WinRAR archiver
WinUpdatesList
WinZip 14.5
wmisamples
wnetlibs_ia64fre
wnetlibs_x64fre
wnetlibs_x86fre
Woodward L-Series Service Tool 2.5.0.16
Woodward ProAct ISC Service Tool 1.6.0.2
Woodward SPC Service Tool 1.5.0.5
Woodward ToolKit
Woodward Watch Window 1.04
wpdsamples
wpdtools_ia64fre
wpdtools_x64fre
wpdtools_x86fre
wsdtool_ia64fre
wsdtool_x64fre
wsdtool_x86fre
wxplibs_x86fre
Yahoo! BrowserPlus 2.9.8
Your Uninstaller! 2010
ZENworks Desktop Management Agent
ZENworks Patch Management Agent
ZoneOS ZoneScreen1.0.10.0
ZTE Mobile Connection Manager

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:30 PM

Posted 10 November 2010 - 09:30 AM

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC (Temp File Cleaner):

  • Please download TFC to your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:

  • I would like you to rerun MBAM
  • Double-click the MBAM icon
  • go to the Update tab at the top
  • click on Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Information and logs

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#9 zirkaiva

  • Topic Starter
  • Members
  • 10 posts
  • Local time:04:30 PM

Posted 10 November 2010 - 05:28 PM

When I run HijackThis from Trend Micro I get "An unexpected error has occurred at procedure: modMain_StartScan()
Error #5 - Invalid procedure call or argument"
Here is the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:23, on 2010-11-10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msdtc.exe
c:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\ManageEngine\AssetExplorer\bin\agentmonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\Nuance\PDF Professional 6\PDFProFiltSrv.exe
C:\Program Files\Citrix\Streaming Client\RadeHlprSvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Citrix\Streaming Client\RadeSvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Documents and Settings\zirkaiva\My Documents\Downloads\fscapture\FSCapture.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Virtual Account Numbers Helper - {17424104-1444-4810-85D7-B4DA413C5A9A} - C:\Program Files\Virtual Account Numbers\CitiVANHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: PlusIEEventHelper Class - {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files\Nuance\PDF Professional 6\Bin\PlusIEContextMenu.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: ZeonIEEventHelper Class - {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - C:\Program Files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Norton Safe Web Lite BHO - {F0DA78E9-6B60-42fb-BC26-EF2CFB8C8FF3} - C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\coIEPlg.dll
O3 - Toolbar: Norton Safe Web Lite - {30CEEEA2-3742-40e4-85DD-812BF1CBB83D} - C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\coIEPlg.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QlbCtrl.exe] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [iFolder] "C:\Program Files\iFolder\iFolderApp.exe" -checkautorun
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [accrdsub] "c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: FastStone Capture.lnk = Downloads\fscapture\FSCapture.exe
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Append the content of the link to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Append the content of the selected links to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
O8 - Extra context menu item: Append to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Create PDF file - res://C:\Program Files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF file from the content of the link - res://C:\Program Files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF files from the selected links - res://C:\Program Files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O8 - Extra context menu item: Open with Nuance PDF Converter 6.0 - res://C:\Program Files\Nuance\PDF Professional 6\cnvres_eng.dll /100
O8 - Extra context menu item: Open with PDF Professional 6 - res://C:\Program Files\Nuance\PDF Professional 6\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.amazon.com
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {19DFFB5D-E30A-4E3B-8524-0AD8F4D88D32} (VPLaunch Class) - https://wormhole.mshs.com/XTunnel.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1257715735531
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271972578406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271972198625
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.13.0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} (RIM AxLoader) - http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://govconsys.webex.com/client/T27LB/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2548AAB-7820-4190-AF5B-0483761C0B52}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ackpbsc - c:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - c:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: 1784-PCIDS DeviceNet - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - c:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Program Files\Fingerprint Sensor\AtService.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - SmithMicro Inc. - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Citrix Diagnostic Facility COM Server (CdfSvc) - Citrix Systems, Inc. - C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DisplayLink Service (DisplayLinkService) - DisplayLink Corp. - C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe
O23 - Service: dnWhoDisp - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: EmuLogix 5868 Slot1 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\\V16\EmuLogix5868.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Harmony - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: ManageEngine AssetExplorer Agent - Unknown owner - C:\Program Files\ManageEngine\AssetExplorer\bin\agentmonitor.exe

--
End of file - 19513 bytes


MBAM log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5089

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2010-11-10 14:12:26
mbam-log-2010-11-10 (14-12-26).txt

Scan type: Quick scan
Objects scanned: 199319
Time elapsed: 8 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I still get the "memory could not be read" error. No BSOD so far.

Thanks

#10 gringo_pr
Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:30 PM

Posted 10 November 2010 - 06:42 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of them from its icon (or from the Control Panel) when you need it. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
      O4 - HKLM\..\Run: [iFolder] "C:\Program Files\iFolder\iFolderApp.exe" -checkautorun
      O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
      O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
      O4 - Startup: FastStone Capture.lnk = Downloads\fscapture\FSCapture.exe
      O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE: You can research each of those lines here and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space, for example:
    O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan; on Vista and Windows 7, right-click the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 zirkaiva
Topic Starter

  • Members
  • 10 posts
  • Local time:04:30 PM

Posted 11 November 2010 - 07:50 AM

Here is the ESET log file. Only false positives:
C:\Documents and Settings\Ivelin\My Documents\Downloads\slow-pcfighter_Web.exe a variant of Win32/SlowPCfighter application
C:\Documents and Settings\Ivelin\My Documents\Downloads\H.BCD.11.0.RE\H.BCD.11.0.RE\H.BCD.11.0.RE\Hiren's.BootCD.11.0 RE.iso Win32/PSWTool.KonBoot.A application
C:\Program Files\Fighters\SLOW-PCfighter\SLOW-PCfighter.exe a variant of Win32/SlowPCfighter application
Thanks

#12 gringo_pr
Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:30 PM

Posted 11 November 2010 - 12:02 PM

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use; I would keep this and use it before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:clear system restore points:

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • choose your root drive (normally C:)
  • after it calculates how much space you will save it will open up a new window
  • Select the More options tab at the top of the window
  • Choose the option to clean up system restore and OK it.
  • go back to the disk clean up tab
  • put a checkmark in all - except compress old files (leave this unchecked)
  • click Ok then click yes
This will remove all restore points except the new one you just created and clean unneeded files


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

Please visit this page, which explains how to make Firefox more secure: How to Secure Firefox


:Make sure your applications have all of their updates:

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector.


:Turn On Automatic Updates:

1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select "Automatic (recommended): Automatically download recommended updates for my computer and install them".

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Please read this great article by miekiemoes: How to prevent Malware

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM


Gringo

#13 zirkaiva
Topic Starter

  • Members
  • 10 posts
  • Local time:04:30 PM

Posted 13 November 2010 - 02:01 PM

Thank you very much for your time and support. I still have some "memory could not be read failures" and BSOD, but I found out that the hard drive has some problems by running hardware test from the BIOS. It will be replaced by the manufacturer.
Thanks again

#14 gringo_pr
Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:30 PM

Posted 13 November 2010 - 02:41 PM

Hello

Very good!!

Thank you and you are most welcome.


Gringo

#15 gringo_pr
Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:30 PM

Posted 16 November 2010 - 12:35 AM

Since the issue is resolved, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo



