System Restore and Google redirect infection


20 replies to this topic

#1 jumhoefer


Posted 02 November 2011 - 09:20 PM

This started out with some fake "disk error" warnings. I attempted to follow procedures listed here for similar-looking infections. However, I could never get TDSSkiller to run. I used several of the tools listed in those procedures, but always ran into a dead end. I have started over and am following the Preparation Guide (topic34773).

Most recently, I had the "System Restore" virus take over the machine. Also, Internet Explorer kept appearing on task manager, but no session of IE was visible. Occasionally one would show up, which seemed to visit random webpages. I also repeatedly got an error stating that IE had an error and needed to close. I never use IE for any reason on this machine.

I had previously put Rkill on a USB drive, and ran it on the infected machine (XP Pro, everything updated, in safe mode with networking). I left it in this condition (did not restart), then I ran DDS (log below). When I tried to run GMER, it gave me the error "...local~1\Temp\kwiapoc.sys Cannot create a stable subkey under a volatile parent key." I continued to run GMER. All options on the right side were greyed out except Services, Registry, Files, and ADS. I ran it with those four (and C:\) checked.

Thanks for the help!

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Run by jumhoefer at 18:14:05 on 2011-11-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1575 [GMT -7:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [iiovsVgraP.exe] c:\documents and settings\all users\application data\iiovsVgraP.exe
mRun: [MgKPyEORiQUvGj.exe] c:\documents and settings\all users\application data\MgKPyEORiQUvGj.exe
uPolicies-explorer: NoSMMyPictures = 01000000
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263263650749
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263326333875
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn.stellartec.com/dana-cached/sc/JuniperSetupClient.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jumhoefer\application data\mozilla\firefox\profiles\4nj270fc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npEModelPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-14 64512]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2011-10-26 27632]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-31 442200]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-21 320856]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-21 20568]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-21 44768]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-6-20 2152152]
S3 C751BUS;CASIO C751 USB Composite Device Driver;c:\windows\system32\drivers\C751BUS.sys [2011-10-13 56280]
S3 C751Mdm;CASIO C751 CDMA USB Modem;c:\windows\system32\drivers\C751Mdm.sys [2011-10-13 161112]
S3 C751Vsp;CASIO C751 USB Virtual Serial Port;c:\windows\system32\drivers\C751Vsp.sys [2011-10-13 161112]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\solidworks\swscheduler\DTSCoordinatorService.exe [2010-5-8 87336]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-6-20 15232]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2010-8-19 14848]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2007-9-27 79232]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
.
=============== Created Last 30 ================
.
2011-11-02 22:19:34 312816 ---ha-w- c:\documents and settings\all users\application data\6DSS92c31Apgjk.exe
2011-11-02 22:19:14 400368 ---ha-w- c:\documents and settings\all users\application data\MgKPyEORiQUvGj.exe
2011-11-02 01:45:02 -------- d--h--w- c:\program files\ESET
2011-11-01 22:08:29 -------- d--h--w- C:\13456
2011-11-01 19:20:19 -------- d--h--w- c:\documents and settings\jumhoefer\application data\SUPERAntiSpyware.com
2011-11-01 19:19:08 -------- d--h--w- c:\program files\SUPERAntiSpyware
2011-11-01 19:19:08 -------- d--h--w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-10-31 23:43:41 -------- d-sha-r- C:\cmdcons
2011-10-31 23:34:48 98816 ---ha-w- c:\windows\sed.exe
2011-10-31 23:34:48 518144 ---ha-w- c:\windows\SWREG.exe
2011-10-31 23:34:48 256000 ---ha-w- c:\windows\PEV.exe
2011-10-31 23:34:48 208896 ---ha-w- c:\windows\MBR.exe
2011-10-31 22:26:58 -------- d--h--w- c:\documents and settings\jumhoefer\application data\Malwarebytes
2011-10-31 22:26:32 -------- d--h--w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-31 22:26:23 22216 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-10-31 22:26:21 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2011-10-26 19:32:09 27632 ---ha-w- c:\windows\system32\drivers\seehcri.sys
2011-10-26 19:22:09 -------- d--h--w- c:\program files\Compiled Driver Disc (Full)
2011-10-26 19:04:49 -------- d--h--w- c:\documents and settings\jumhoefer\application data\MOBILedit
2011-10-26 19:04:34 -------- d--h--w- c:\program files\COMPELSON Labs
2011-10-26 19:03:42 -------- d--h--w- c:\program files\MOBILedit!
2011-10-25 01:48:31 65536 ---ha-r- c:\documents and settings\jumhoefer\application data\microsoft\installer\{a27ec9fd-6bf7-4726-8d87-32ba44b41feb}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2011-10-22 01:37:00 65536 ---ha-r- c:\documents and settings\jumhoefer\application data\microsoft\installer\{f4c4b4ba-6b74-41a7-88d5-e5b0c96bdad2}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2011-10-22 01:37:00 45056 ---ha-r- c:\documents and settings\jumhoefer\application data\microsoft\installer\{f4c4b4ba-6b74-41a7-88d5-e5b0c96bdad2}\DPFrame.exe_0BBE7BA409C14ABCB18FB15BA367F3B6.exe
2011-10-22 01:36:54 -------- d--h--w- C:\CHMC
2011-10-14 22:56:18 -------- d--h--w- c:\program files\BitPim
2011-10-14 02:25:12 -------- d--h--w- c:\documents and settings\jumhoefer\local settings\application data\Help
2011-10-14 02:08:20 -------- d--h--w- c:\program files\Qualcomm
2011-10-13 19:52:42 161112 ---ha-w- c:\windows\system32\drivers\C751Vsp.sys
2011-10-13 19:52:41 161112 ---ha-w- c:\windows\system32\drivers\C751Mdm.sys
2011-10-13 19:52:40 56280 ---ha-w- c:\windows\system32\drivers\C751BUS.sys
2011-10-13 19:52:07 319456 ---ha-w- c:\windows\system32\DIFxAPI.dll
2011-10-13 19:52:06 -------- d--h--w- c:\program files\common files\VerizonWireless
2011-10-13 19:51:48 53248 ---ha-r- c:\documents and settings\jumhoefer\application data\microsoft\installer\{eb03fe2f-e043-4ef8-8c2a-d018a1e28291}\ARPPRODUCTICON.exe
2011-10-08 02:17:59 -------- d--h--w- c:\documents and settings\jumhoefer\application data\DVDVideoSoft
2011-10-08 02:17:54 -------- d--h--w- c:\program files\common files\DVDVideoSoft
2011-10-08 02:15:30 -------- d--h--w- c:\program files\Windows Media Connect 2
2011-10-08 02:12:12 -------- d--h--w- c:\windows\system32\LogFiles
.
==================== Find3M ====================
.
2011-10-12 17:19:03 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 18:41:20 611328 ---ha-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ---ha-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ---ha-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ---ha-w- c:\windows\system32\crypt32.dll
2011-09-06 20:45:29 41184 ---ha-w- c:\windows\avastSS.scr
2011-09-06 20:38:05 442200 ---ha-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 13:20:51 1858944 ---ha-w- c:\windows\system32\win32k.sys
2011-08-22 23:48:55 916480 ---ha-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ---h--w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ---ha-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ---ha-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 18:20:00.21 ===============
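The DDS report above already shows the pattern this rogue leaves behind: Run entries for random-named executables dropped straight into All Users\Application Data, a hidden-attribute binary created the same day, and DisableTaskMgr set. The script below is an added example (not part of the original post, and not the DDS or OTL tool itself) that parses lines in this DDS format and flags those three indicators; the sample lines are copied from the log above, and the "dropped directly into a data directory" rule and the lockdown-key list are the author's own assumptions.

```python
"""Triage helper for DDS-style log lines (added example, not DDS/OTL code)."""
import re
from typing import List, NamedTuple

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [iiovsVgraP.exe] c:\documents and settings\all users\application data\iiovsVgraP.exe
mRun: [MgKPyEORiQUvGj.exe] c:\documents and settings\all users\application data\MgKPyEORiQUvGj.exe
uPolicies-explorer: NoSMMyPictures = 01000000
mPolicies-system: DisableTaskMgr = 1 (0x1)
2011-11-02 22:19:34 312816 ---ha-w- c:\documents and settings\all users\application data\6DSS92c31Apgjk.exe
2011-11-01 19:19:08 -------- d--h--w- c:\program files\SUPERAntiSpyware
2011-10-31 22:26:23 22216 ---ha-w- c:\windows\system32\drivers\mbam.sys
"""

RUN_RE = re.compile(r"^(?P<hive>[um]Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
POLICY_RE = re.compile(
    r"^(?P<hive>[um])Policies-(?P<scope>\w+): (?P<key>\w+) = (?P<value>\S+)")
CREATED_RE = re.compile(
    r"^\d{4}-\d{1,2}-\d{1,2} \d{2}:\d{2}:\d{2} (?:\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")

# Assumption: a payload dropped straight into one of these roots (no vendor
# subfolder) is worth a look; legitimate software almost always uses a subfolder.
DATA_ROOTS = (
    "\\all users\\application data\\",
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\windows\\temp\\",
)
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".pif")
# Assumption: policy values a rogue sets to keep the user from fighting back.
LOCKDOWN_KEYS = {"DisableTaskMgr", "DisableRegistryTools", "NoDesktop",
                 "NoFolderOptions", "NoRun", "NoViewContextMenu"}


class Finding(NamedTuple):
    kind: str
    detail: str


def first_executable(cmd: str) -> str:
    """Program part of a Run value: the quoted path, else text up to the first
    executable extension (DDS does not quote unquoted paths containing spaces)."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|dll|com|scr|bat|pif|cpl))(?:\s|,|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def dropped_in_data_root(path: str) -> bool:
    """True when an executable sits directly inside one of DATA_ROOTS."""
    p = path.lower().strip('"')
    if not p.endswith(EXEC_EXT):
        return False
    for root in DATA_ROOTS:
        idx = p.rfind(root)
        if idx != -1:
            return "\\" not in p[idx + len(root):]
    return False


def nonzero(value: str) -> bool:
    """DDS prints DWORDs as '1 (0x1)' and binary values as '01000000'."""
    return any(ch not in "0x" for ch in value.lower())


def triage(log_text: str) -> List[Finding]:
    """Scan DDS lines and return the indicators found, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            exe = first_executable(m.group("cmd"))
            if dropped_in_data_root(exe):
                findings.append(Finding(
                    "autorun-from-data-dir", f"{m.group('hive')} [{m.group('name')}] -> {exe}"))
            continue
        m = POLICY_RE.match(line)
        if m:
            if m.group("key") in LOCKDOWN_KEYS and nonzero(m.group("value")):
                findings.append(Finding(
                    "lockdown-policy", f"{m.group('scope')}\\{m.group('key')} = {m.group('value')}"))
            continue
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # On this machine every file shows 'h' because the rogue hid everything,
            # so the location rule, not the attribute alone, does the discriminating.
            if "h" in attrs and "d" not in attrs and dropped_in_data_root(path):
                findings.append(Finding("hidden-recent-binary", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.detail}")
```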

#2 gringo_pr

  • Malware Response Team

Posted 05 November 2011 - 08:23 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and will make the cleaning process faster.


The first thing I would like you to do is run this for me: http://download.bleepingcomputer.com/grinler/unhide.exe

After it is complete, restart the computer and continue with these steps.


Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in

    %TEMP%\smtmp\*.* /s

  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened; this is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.


Information and logs:

  • In your next post I need the following:
  • logs from OTL
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Proud Graduate Of Malware Removal University

#3 jumhoefer


Posted 06 November 2011 - 07:07 PM

Hi Gringo,

Thank you very much for the help. I know you are doing this pro bono and I appreciate it!

I ran unhide, which unhid all the files except items in the Start menu. I could not bring up task manager to kill any remaining antivirus program which might have been blocking that from being fixed.

I rebooted, and on reboot all files were hidden again. I had downloaded the programs you requested onto a USB drive, so I was still able to access that and run OTL. Log is below. Nothing else, other than that the "System Restore" is still popping up, plus a fake dialog box indicating that "Files indexation process failed" and about two dozen recurring error boxes indicating "Windows - Delayed Write Failed."


OTL logfile created on: 11/6/2011 3:46:33 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = H:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.54 Gb Available Physical Memory | 76.99% Memory free
3.85 Gb Paging File | 3.55 Gb Available in Paging File | 92.20% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48.83 Gb Total Space | 26.47 Gb Free Space | 54.20% Space Free | Partition Type: NTFS
Drive D: | 25.70 Gb Total Space | 17.52 Gb Free Space | 68.16% Space Free | Partition Type: NTFS
Drive H: | 7.44 Gb Total Space | 7.44 Gb Free Space | 99.94% Space Free | Partition Type: FAT32

Computer Name: UMHOEFER | User Name: jumhoefer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - H:\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe ()
PRC - C:\Documents and Settings\All Users\Application Data\MgKPyEORiQUvGj.exe ()
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\HP\HP UT\bin\hppusg.exe (Hewlett-Packard Company)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\attrib.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe ()
MOD - C:\Documents and Settings\All Users\Application Data\MgKPyEORiQUvGj.exe ()
MOD - C:\Program Files\Alwil Software\Avast5\defs\11110102\algo.dll ()
MOD - C:\Program Files\Alwil Software\Avast5\defs\11110102\aswRep.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\24331b719aa25ac2b21099e32232840c\Microsoft.VisualBasic.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\81096bfe85eb0da5f05e8a127ffa43b2\System.Runtime.Serialization.Formatters.Soap.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\36bf3d5f05a40c9e3cadca5789c8a469\System.Runtime.Remoting.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\bce0720436dc6cb76006377f295ea365\System.Configuration.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\70cacc44f0b4257f6037eda7a59a0aeb\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\71a2ae9ad561a62181cbd9fb11e9de7a\System.Windows.Forms.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c10bea3c4bb7ef654651141bf9419090\System.Drawing.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll ()
MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\WINDOWS\system32\qedit.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()
MOD - C:\WINDOWS\system32\cpwmon2k.dll ()
MOD - C:\WINDOWS\system32\HPBHEALR.DLL ()


========== Win32 Services (SafeList) ==========

SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)
SRV - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (CoordinatorServiceHost) -- C:\Program Files\SolidWorks\swScheduler\DTSCoordinatorService.exe (Dassault Systèmes SolidWorks Corp.)
SRV - (SolidWorks Licensing Service) -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe (SolidWorks)
SRV - (NMSAccessU) -- C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
SRV - (msvsmon80) -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (aswSnx) -- C:\WINDOWS\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys ()
DRV - (seehcri) -- C:\WINDOWS\system32\drivers\seehcri.sys (Sony Ericsson Mobile Communications)
DRV - (SIUSBXP) -- C:\WINDOWS\system32\drivers\SiUSBXp.sys (Silicon Laboratories)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (C751Mdm) -- C:\WINDOWS\system32\drivers\C751Mdm.sys (DEVGURU Co., LTD.(www.devguru.co.kr))
DRV - (C751BUS) -- C:\WINDOWS\system32\drivers\C751BUS.sys (DEVGURU Co., LTD.)
DRV - (C751Vsp) -- C:\WINDOWS\system32\drivers\C751Vsp.sys (DEVGURU Co., LTD.(www.devguru.co.kr))
DRV - (StarOpen) -- C:\WINDOWS\System32\drivers\StarOpen.sys ()
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (BANTExt) -- C:\WINDOWS\System32\Drivers\BANTExt.sys ()
DRV - (sxuptp) -- C:\WINDOWS\system32\drivers\sxuptp.sys (silex technology, Inc.)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
DRV - (rimsptsk) -- C:\WINDOWS\system32\drivers\rimsptsk.sys (REDC)
DRV - (rismxdp) -- C:\WINDOWS\system32\drivers\rixdptsk.sys (REDC)
DRV - (USBCCID) -- C:\WINDOWS\system32\drivers\usbccid.sys (Microsoft Corporation)
DRV - (tosporte) -- C:\WINDOWS\system32\drivers\tosporte.sys (TOSHIBA Corporation)
DRV - (Tosrfbd) -- C:\WINDOWS\system32\drivers\TosRfbd.sys (TOSHIBA CORPORATION)
DRV - (Tosrfusb) -- C:\WINDOWS\system32\drivers\tosrfusb.sys (TOSHIBA CORPORATION)
DRV - (Tosrfhid) -- C:\WINDOWS\system32\drivers\TosRfhid.sys (TOSHIBA Corporation.)
DRV - (Tosrfbnp) -- C:\WINDOWS\system32\drivers\tosrfbnp.sys (TOSHIBA Corporation)
DRV - (TosRfSnd) Bluetooth Audio Device (WDM) -- C:\WINDOWS\system32\drivers\TosRfSnd.sys (TOSHIBA Corporation)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (BCOREUSB) -- C:\WINDOWS\system32\drivers\BCOREUSB.sys (CSR)
DRV - (Tosrfcom) -- C:\WINDOWS\system32\drivers\tosrfcom.sys (TOSHIBA Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (toshidpt) -- C:\WINDOWS\system32\drivers\toshidpt.sys (TOSHIBA Corporation.)
DRV - (tosrfnds) -- C:\WINDOWS\system32\drivers\tosrfnds.sys (TOSHIBA Corporation.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1659004503-764733703-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1659004503-764733703-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.67
FF - prefs.js..extensions.enabledItems: firefox@ghostery.com:2.5.3
FF - prefs.js..extensions.enabledItems: john@velvetcache.org:1.3.6

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.448: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/07 17:43:57 | 000,000,000 | -H-D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/08/23 16:44:27 | 000,000,000 | -H-D | M]

[2010/01/12 15:30:53 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\jumhoefer\Application Data\Mozilla\Extensions
[2011/09/07 12:44:14 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\jumhoefer\Application Data\Mozilla\Firefox\Profiles\4nj270fc.default\extensions
[2010/04/28 08:36:48 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\jumhoefer\Application Data\Mozilla\Firefox\Profiles\4nj270fc.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/08/22 09:44:39 | 000,000,000 | -H-D | M] ("BetterPrivacy") -- C:\Documents and Settings\jumhoefer\Application Data\Mozilla\Firefox\Profiles\4nj270fc.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2011/09/06 09:21:53 | 000,000,000 | -H-D | M] (Ghostery) -- C:\Documents and Settings\jumhoefer\Application Data\Mozilla\Firefox\Profiles\4nj270fc.default\extensions\firefox@ghostery.com
[2011/08/23 16:44:30 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\JUMHOEFER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\4NJ270FC.DEFAULT\EXTENSIONS\JOHN@VELVETCACHE.ORG.XPI
[2011/10/07 17:43:57 | 000,134,104 | -H-- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2009/10/14 16:21:24 | 000,155,648 | -H-- | M] (Dassault Systèmes SolidWorks Corp.) -- C:\Program Files\mozilla firefox\plugins\npEModelPlugin.dll
[2010/07/24 09:48:10 | 000,075,208 | -H-- | M] (Foxit Software Company) -- C:\Program Files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
[2011/08/11 19:16:35 | 000,002,252 | -H-- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/11/01 14:50:55 | 000,000,027 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [HPUsageTracking] C:\Program Files\HP\HP UT\bin\hppusg.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [iiovsVgraP.exe] C:\Documents and Settings\All Users\Application Data\iiovsVgraP.exe File not found
O4 - HKLM..\Run: [MgKPyEORiQUvGj.exe] C:\Documents and Settings\All Users\Application Data\MgKPyEORiQUvGj.exe ()
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKU\S-1-5-21-1659004503-764733703-839522115-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1659004503-764733703-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1659004503-764733703-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-1659004503-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 327
O7 - HKU\S-1-5-21-1659004503-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1659004503-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1659004503-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1659004503-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 1
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263263650749 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263326333875 (MUWebControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://vpn.stellartec.com/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/11 16:37:58 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/11/02 17:28:34 | 000,000,000 | ---D | M] - H:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/06 15:52:50 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\jumhoefer\Recent
[2011/11/02 14:19:43 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\jumhoefer\Start Menu\Programs\System Restore
[2011/11/02 09:56:20 | 009,852,544 | -H-- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\jumhoefer\Desktop\mbam-setup-1.51.2.1300.exe
[2011/11/01 17:31:31 | 001,564,464 | -H-- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\jumhoefer\Desktop\bkfffk.com
[2011/11/01 15:12:49 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/11/01 15:08:11 | 000,000,000 | -H-D | C] -- C:\WINDOWS\temp
[2011/11/01 14:08:29 | 000,000,000 | -H-D | C] -- C:\13456
[2011/11/01 14:01:32 | 004,280,887 | RH-- | C] (Swearware) -- C:\Documents and Settings\jumhoefer\Desktop\13456.exe
[2011/11/01 13:55:34 | 001,564,464 | -H-- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\jumhoefer\Desktop\random.exe
[2011/11/01 11:20:19 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\jumhoefer\Application Data\SUPERAntiSpyware.com
[2011/11/01 11:19:11 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/11/01 11:19:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/11/01 11:19:08 | 000,000,000 | -H-D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/11/01 09:52:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\jumhoefer\Desktop\PhoneCrap
[2011/10/31 16:06:29 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/10/31 15:43:41 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/10/31 15:34:48 | 000,518,144 | -H-- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/10/31 15:34:48 | 000,406,528 | -H-- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/10/31 15:34:48 | 000,212,480 | -H-- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/10/31 15:34:48 | 000,060,416 | -H-- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/10/31 15:33:26 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ERDNT
[2011/10/31 15:31:17 | 000,000,000 | -H-D | C] -- C:\Qoobox
[2011/10/31 14:26:58 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\jumhoefer\Application Data\Malwarebytes
[2011/10/31 14:26:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/10/31 14:26:23 | 000,022,216 | -H-- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/10/31 14:26:21 | 000,000,000 | -H-D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/10/26 11:32:09 | 000,027,632 | -H-- | C] (Sony Ericsson Mobile Communications) -- C:\WINDOWS\System32\drivers\seehcri.sys
[2011/10/26 11:22:09 | 000,000,000 | -H-D | C] -- C:\Program Files\Compiled Driver Disc (Full)
[2011/10/26 11:04:49 | 000,000,000 | -H-D | C] -- D:\My Documents\MOBILedit!
[2011/10/26 11:04:49 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\jumhoefer\Application Data\MOBILedit
[2011/10/26 11:04:34 | 000,000,000 | -H-D | C] -- C:\Program Files\COMPELSON Labs
[2011/10/26 11:04:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Phone Applications
[2011/10/26 11:04:21 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\MobilEdit!
[2011/10/26 11:03:42 | 000,000,000 | -H-D | C] -- C:\Program Files\MOBILedit!
[2011/10/21 17:37:02 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2011/10/21 17:36:57 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\jumhoefer\Start Menu\Programs\Phone Applications
[2011/10/21 17:36:54 | 000,000,000 | -H-D | C] -- C:\CHMC
[2011/10/20 14:27:29 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\jumhoefer\Desktop\New Folder
[2011/10/14 14:56:42 | 000,000,000 | -H-D | C] -- D:\My Documents\bitpim
[2011/10/14 14:56:18 | 000,000,000 | -H-D | C] -- C:\Program Files\BitPim
[2011/10/13 18:25:12 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\jumhoefer\Local Settings\Application Data\Help
[2011/10/13 18:25:12 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\jumhoefer\Application Data\Help
[2011/10/13 18:23:13 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\jumhoefer\Desktop\QPST download
[2011/10/13 18:08:20 | 000,000,000 | -H-D | C] -- C:\Program Files\Qualcomm
[2011/10/13 11:52:42 | 000,161,112 | -H-- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\WINDOWS\System32\drivers\C751Vsp.sys
[2011/10/13 11:52:41 | 000,161,112 | -H-- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\WINDOWS\System32\drivers\C751Mdm.sys
[2011/10/13 11:52:40 | 000,056,280 | -H-- | C] (DEVGURU Co., LTD.) -- C:\WINDOWS\System32\drivers\C751BUS.sys
[2011/10/13 11:52:07 | 000,319,456 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\DIFxAPI.dll
[2011/10/13 11:52:06 | 000,000,000 | -H-D | C] -- C:\Program Files\Common Files\VerizonWireless
[2011/10/08 06:48:26 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\jumhoefer\Application Data\ImgBurn
[2011/10/08 06:43:11 | 000,000,000 | -H-D | C] -- C:\Program Files\ImgBurn
[2011/10/07 18:26:41 | 000,000,000 | RH-D | C] -- D:\My Documents\My Videos
[2011/10/07 18:17:59 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\jumhoefer\Application Data\DVDVideoSoft
[2011/10/07 18:17:54 | 000,000,000 | -H-D | C] -- D:\My Documents\DVDVideoSoft
[2011/10/07 18:17:54 | 000,000,000 | -H-D | C] -- C:\Program Files\Common Files\DVDVideoSoft
[2011/10/07 18:16:29 | 000,017,272 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2011/10/07 18:15:30 | 000,000,000 | -H-D | C] -- C:\Program Files\Windows Media Connect 2
[2011/10/07 18:12:12 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2011/10/07 18:12:12 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\LogFiles
[2011/10/07 18:01:19 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\jumhoefer\Desktop\Mark

========== Files - Modified Within 30 Days ==========

[2011/11/06 15:44:37 | 000,007,680 | -H-- | M] () -- C:\Documents and Settings\jumhoefer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/11/06 15:43:05 | 000,000,064 | -H-- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/11/06 15:43:05 | 000,000,044 | -H-- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/11/06 15:42:54 | 000,000,296 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
[2011/11/06 15:41:43 | 000,000,486 | -H-- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/11/06 15:41:41 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/11/06 15:41:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/11/06 15:41:03 | 2145,533,952 | -HS- | M] () -- C:\hiberfil.sys
[2011/11/02 14:21:28 | 000,000,448 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
[2011/11/02 14:19:44 | 000,000,200 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
[2011/11/02 14:19:43 | 000,000,867 | -H-- | M] () -- C:\Documents and Settings\jumhoefer\Application Data\Microsoft\Internet Explorer\Quick Launch\System Restore.lnk
[2011/11/02 14:19:43 | 000,000,849 | -H-- | M] () -- C:\Documents and Settings\jumhoefer\Desktop\System Restore.lnk
[2011/11/02 14:19:34 | 000,312,816 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
[2011/11/02 14:19:13 | 000,400,368 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\MgKPyEORiQUvGj.exe
[2011/11/02 14:19:04 | 000,000,664 | -H-- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/02 12:23:28 | 000,302,592 | -H-- | M] () -- C:\Documents and Settings\jumhoefer\Desktop\lngtu4gv.exe
[2011/11/02 09:56:35 | 009,852,544 | -H-- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\jumhoefer\Desktop\mbam-setup-1.51.2.1300.exe
[2011/11/02 09:52:56 | 000,380,805 | -H-- | M] () -- C:\Documents and Settings\jumhoefer\Desktop\MiniToolBox.exe
[2011/11/02 09:42:34 | 000,869,194 | -H-- | M] () -- C:\Documents and Settings\jumhoefer\Desktop\SecurityCheck.exe
[2011/11/01 17:31:32 | 001,564,464 | -H-- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\jumhoefer\Desktop\bkfffk.com
[2011/11/01 15:33:26 | 000,436,590 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/01 15:33:26 | 000,069,128 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/01 14:50:55 | 000,000,027 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/11/01 14:01:30 | 004,280,887 | RH-- | M] (Swearware) -- C:\Documents and Settings\jumhoefer\Desktop\13456.exe
[2011/11/01 13:55:33 | 001,564,464 | -H-- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\jumhoefer\Desktop\random.exe
[2011/11/01 09:52:38 | 000,068,847 | -H-- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/10/31 15:43:58 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/10/31 15:05:49 | 000,187,235 | -H-- | M] () -- C:\Documents and Settings\jumhoefer\Local Settings\Application Data\census.cache
[2011/10/31 15:04:39 | 000,152,246 | -H-- | M] () -- C:\Documents and Settings\jumhoefer\Local Settings\Application Data\ars.cache
[2011/10/31 09:43:07 | 000,013,106 | -H-- | M] () -- D:\My Documents\opera6.adr
[2011/10/28 13:23:14 | 001,424,152 | -H-- | M] () -- C:\Documents and Settings\jumhoefer\Desktop\oetiker_194_stepless.pdf
[2011/10/28 11:24:05 | 001,789,612 | -H-- | M] () -- C:\Documents and Settings\jumhoefer\Desktop\oetiker_168_stepless.pdf
[2011/10/26 11:53:57 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\Msft_User_WpdMtpDr_01_00_00.Wdf
[2011/10/24 17:24:44 | 000,757,159 | -H-- | M] () -- D:\My Documents\1023111348.jpg
[2011/10/14 11:48:42 | 595,534,848 | -H-- | M] () -- D:\My Documents\outlook1.ost
[2011/10/13 10:50:37 | 000,273,376 | -H-- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/10/12 13:23:18 | 000,001,393 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[2011/10/12 09:19:03 | 000,414,368 | -H-- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/10/09 20:45:36 | 000,049,463 | -H-- | M] () -- D:\My Documents\IMG952011100995114553.jpg
[2011/10/07 18:16:11 | 000,023,392 | -H-- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/10/07 18:16:11 | 000,016,832 | -H-- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/10/07 18:12:15 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf

========== Files Created - No Company Name ==========

[2011/11/06 14:38:40 | 000,001,562 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\CDBurnerXP.lnk
[2011/11/06 14:38:40 | 000,001,540 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\ImgBurn.lnk
[2011/11/06 14:38:40 | 000,001,498 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Opera.lnk
[2011/11/06 14:38:40 | 000,001,469 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\PowerToy Calculator.lnk
[2011/11/06 14:38:40 | 000,000,895 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Foxit Reader.lnk
[2011/11/06 14:38:40 | 000,000,745 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\PhotoFiltre.lnk
[2011/11/06 14:38:40 | 000,000,730 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/11/06 14:38:40 | 000,000,647 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\IrfanView 4.25.lnk
[2011/11/02 17:56:37 | 000,000,867 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Application Data\Microsoft\Internet Explorer\Quick Launch\System Restore.lnk
[2011/11/02 17:54:33 | 2145,533,952 | -HS- | C] () -- C:\hiberfil.sys
[2011/11/02 14:19:44 | 000,000,296 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
[2011/11/02 14:19:44 | 000,000,200 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
[2011/11/02 14:19:43 | 000,000,849 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Desktop\System Restore.lnk
[2011/11/02 14:19:39 | 000,000,448 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
[2011/11/02 14:19:34 | 000,312,816 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
[2011/11/02 14:19:14 | 000,400,368 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\MgKPyEORiQUvGj.exe
[2011/11/02 14:19:04 | 000,000,664 | -H-- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/02 12:23:29 | 000,302,592 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Desktop\lngtu4gv.exe
[2011/11/02 09:52:57 | 000,380,805 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Desktop\MiniToolBox.exe
[2011/11/02 09:42:33 | 000,869,194 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Desktop\SecurityCheck.exe
[2011/10/31 15:43:56 | 000,000,211 | -H-- | C] () -- C:\Boot.bak
[2011/10/31 15:43:44 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/10/31 15:34:48 | 000,256,000 | -H-- | C] () -- C:\WINDOWS\PEV.exe
[2011/10/31 15:34:48 | 000,208,896 | -H-- | C] () -- C:\WINDOWS\MBR.exe
[2011/10/31 15:34:48 | 000,098,816 | -H-- | C] () -- C:\WINDOWS\sed.exe
[2011/10/31 15:34:48 | 000,080,412 | -H-- | C] () -- C:\WINDOWS\grep.exe
[2011/10/31 15:34:48 | 000,068,096 | -H-- | C] () -- C:\WINDOWS\zip.exe
[2011/10/31 15:05:49 | 000,187,235 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Local Settings\Application Data\census.cache
[2011/10/31 15:04:39 | 000,152,246 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Local Settings\Application Data\ars.cache
[2011/10/31 09:43:04 | 000,013,106 | -H-- | C] () -- D:\My Documents\opera6.adr
[2011/10/28 13:25:27 | 001,424,152 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Desktop\oetiker_194_stepless.pdf
[2011/10/28 11:24:39 | 001,789,612 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Desktop\oetiker_168_stepless.pdf
[2011/10/26 11:53:57 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\Msft_User_WpdMtpDr_01_00_00.Wdf
[2011/10/24 17:24:44 | 000,757,159 | -H-- | C] () -- D:\My Documents\1023111348.jpg
[2011/10/09 20:45:36 | 000,049,463 | -H-- | C] () -- D:\My Documents\IMG952011100995114553.jpg
[2011/10/07 18:15:55 | 000,000,788 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Start Menu\Programs\Windows Media Player.lnk
[2011/10/07 18:12:15 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2011/07/05 14:08:30 | 000,000,608 | -HS- | C] () -- C:\WINDOWS\System32\winzvprt5.sys
[2011/07/05 14:00:33 | 000,000,665 | -H-- | C] () -- C:\WINDOWS\System32\hppapr12.dat
[2011/07/05 13:59:40 | 000,000,171 | -H-- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2011/07/05 13:58:58 | 000,000,779 | -H-- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2011/07/05 13:47:04 | 000,177,426 | -H-- | C] () -- C:\WINDOWS\hppins12.dat
[2011/07/05 13:47:01 | 000,007,855 | -H-- | C] () -- C:\WINDOWS\hppmdl12.dat
[2011/07/05 13:35:00 | 000,131,072 | -H-- | C] () -- C:\WINDOWS\System32\hpsfs.dll
[2011/06/23 12:51:05 | 000,000,064 | -H-- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/06/23 12:51:05 | 000,000,044 | -H-- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/03/07 18:56:39 | 000,038,480 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Application Data\Comma Separated Values (Windows).ADR
[2011/03/07 18:55:17 | 000,038,471 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Application Data\Microsoft Excel 97-2003.ADR
[2011/03/07 18:54:14 | 000,009,361 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Application Data\Microsoft Excel 97-2003.EML
[2011/03/07 18:53:41 | 000,000,028 | -H-- | C] () -- C:\WINDOWS\ODBC.INI
[2010/08/06 17:34:38 | 000,389,552 | -H-- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/04/15 16:55:07 | 000,003,840 | -H-- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2010/04/14 13:37:33 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\eDrawingOfficeAutomator.INI
[2010/04/14 12:39:25 | 000,008,704 | -H-- | C] () -- C:\WINDOWS\System32\ibfs32.dll
[2010/02/27 10:31:18 | 000,000,192 | -H-- | C] () -- C:\WINDOWS\wininit.ini
[2010/02/27 10:06:30 | 000,000,437 | -H-- | C] () -- C:\WINDOWS\SIERRA.INI
[2010/02/05 17:28:34 | 000,007,680 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/26 10:49:18 | 000,000,036 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Local Settings\Application Data\housecall.guid.cache
[2010/01/19 15:54:17 | 000,007,168 | -H-- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2010/01/14 18:16:07 | 000,000,272 | -H-- | C] () -- C:\WINDOWS\ReadIris.ini
[2010/01/14 18:13:01 | 000,087,552 | -H-- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2010/01/14 18:11:45 | 000,000,331 | -H-- | C] () -- C:\WINDOWS\FMTMSAM.INI
[2010/01/14 18:11:34 | 000,000,177 | -H-- | C] () -- C:\WINDOWS\hpbafd.ini
[2010/01/14 18:11:13 | 000,023,040 | -H-- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2010/01/14 18:11:09 | 000,116,736 | -H-- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2010/01/14 18:11:09 | 000,000,033 | -H-- | C] () -- C:\WINDOWS\hppLangChoice.ini
[2010/01/14 18:11:08 | 000,343,040 | -H-- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2010/01/14 18:10:54 | 000,049,152 | -H-- | C] () -- C:\WINDOWS\System32\usbinst32.dll
[2010/01/14 18:07:46 | 000,094,274 | -H-- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2010/01/12 15:30:50 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\nsreg.dat
[2010/01/11 18:22:10 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\tosOBEX.INI
[2010/01/11 18:18:35 | 000,143,360 | -H-- | C] () -- C:\WINDOWS\System32\preflib.dll
[2010/01/11 18:18:34 | 000,757,760 | -H-- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2010/01/11 18:18:34 | 000,025,088 | -H-- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2010/01/11 18:16:03 | 000,016,480 | -H-- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2010/01/11 18:00:26 | 000,068,847 | -H-- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2010/01/11 17:59:12 | 001,703,936 | -H-- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2010/01/11 17:59:12 | 001,626,112 | -H-- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2010/01/11 17:59:12 | 001,019,904 | -H-- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2010/01/11 17:59:11 | 000,466,944 | -H-- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2010/01/11 17:59:10 | 001,474,560 | -H-- | C] () -- C:\WINDOWS\System32\nview.dll
[2010/01/11 17:59:10 | 001,339,392 | -H-- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2010/01/11 17:59:08 | 000,442,368 | -H-- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2010/01/11 17:59:07 | 000,425,984 | -H-- | C] () -- C:\WINDOWS\System32\keystone.exe
[2010/01/11 16:41:09 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/01/11 16:34:48 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/01/11 08:24:39 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/01/11 08:23:18 | 000,273,376 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/03 15:07:42 | 000,403,816 | -H-- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | -H-- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2008/04/09 16:00:30 | 000,053,478 | -H-- | C] () -- C:\WINDOWS\mvtcpui.ini
[2008/02/07 09:05:18 | 000,163,840 | -H-- | C] () -- C:\WINDOWS\System32\hppatusg01.dll
[2007/08/21 19:46:34 | 000,059,160 | -H-- | C] () -- C:\WINDOWS\System32\zlib.dll
[2007/03/16 16:00:00 | 000,003,403 | -H-- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2005/03/21 15:48:05 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/21 15:48:05 | 000,004,627 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 02:00:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 02:00:00 | 000,436,590 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 02:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 02:00:00 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 02:00:00 | 000,069,128 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 02:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 02:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 02:00:00 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 02:00:00 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 02:00:00 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/03/19 17:30:00 | 000,216,576 | -H-- | C] () -- C:\WINDOWS\System32\PowerCalc.exe

========== Custom Scans ==========


< %TEMP%\smtmp\*.* /s >
[2010/01/19 15:54:17 | 000,001,562 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\CDBurnerXP.lnk
[2010/01/12 17:20:48 | 000,000,895 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Foxit Reader.lnk
[2011/10/08 06:43:13 | 000,001,540 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\ImgBurn.lnk
[2010/01/13 17:52:40 | 000,000,647 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\IrfanView 4.25.lnk
[2011/08/23 16:44:34 | 000,000,730 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Mozilla Firefox.lnk
[2011/02/08 10:51:02 | 000,001,498 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Opera.lnk
[2010/10/04 10:45:52 | 000,000,745 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\PhotoFiltre.lnk
[2010/01/14 10:40:35 | 000,001,469 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\PowerToy Calculator.lnk
[2010/01/11 16:34:49 | 000,001,498 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Calculator.lnk
[2010/01/11 16:38:01 | 000,001,555 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Command Prompt.lnk
[2010/05/17 17:25:13 | 000,001,519 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Notepad.lnk
[2010/01/11 16:34:49 | 000,001,515 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Paint.lnk
[2011/08/25 16:27:24 | 000,000,710 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Scanner and Camera Wizard.lnk
[2010/01/11 16:36:53 | 000,001,487 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Windows Explorer.lnk
[2010/01/11 16:34:49 | 000,000,879 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\WordPad.lnk
[2010/01/11 16:34:49 | 000,001,520 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Accessibility\Accessibility Wizard.lnk
[2010/01/14 10:21:13 | 000,001,517 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Communications\Bluetooth File Transfer Wizard.lnk
[2010/01/11 16:34:49 | 000,000,786 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Communications\HyperTerminal.lnk
[2010/01/11 16:32:37 | 000,001,757 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Communications\Network Connections.lnk
[2010/01/11 16:36:50 | 000,001,640 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Communications\Network Setup Wizard.lnk
[2010/01/11 16:32:37 | 000,001,646 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Communications\New Connection Wizard.lnk
[2010/01/11 19:10:46 | 000,001,656 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Communications\Wireless Network Setup Wizard.lnk
[2010/01/11 16:34:49 | 000,001,528 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Entertainment\Sound Recorder.lnk
[2010/01/11 16:34:49 | 000,001,528 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Entertainment\Volume Control.lnk
[2010/01/11 16:38:01 | 000,001,532 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\Backup.lnk
[2010/01/11 16:34:49 | 000,001,521 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\Character Map.lnk
[2010/06/21 16:45:56 | 000,001,532 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\Disk Cleanup.lnk
[2010/01/11 16:36:51 | 000,001,572 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\Disk Defragmenter.lnk
[2010/01/11 16:38:01 | 000,001,591 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk
[2010/01/12 11:04:57 | 000,000,833 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
[2010/01/11 16:36:53 | 000,001,753 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\Scheduled Tasks.lnk
[2010/01/11 16:36:51 | 000,001,070 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\System Information.lnk
[2010/01/11 16:36:53 | 000,001,616 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\System Restore.lnk
[2010/01/11 16:34:37 | 000,001,582 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Component Services.lnk
[2010/01/11 16:38:01 | 000,001,602 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Computer Management.lnk
[2010/01/11 16:38:01 | 000,001,596 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Data Sources (ODBC).lnk
[2010/01/11 16:38:01 | 000,001,592 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Event Viewer.lnk
[2010/01/11 16:38:01 | 000,001,590 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Local Security Policy.lnk
[2010/09/07 14:13:07 | 000,001,214 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Microsoft .NET Framework 2.0 Configuration.lnk
[2010/01/11 16:38:01 | 000,001,591 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Performance.lnk
[2010/01/11 16:38:01 | 000,001,602 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\Services.lnk
[2010/01/11 16:34:49 | 000,001,522 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Games\Freecell.lnk
[2010/01/11 16:34:49 | 000,001,520 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Games\Hearts.lnk
[2010/01/13 18:18:31 | 000,000,913 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Games\Internet Backgammon.lnk
[2010/01/13 18:18:31 | 000,000,913 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Games\Internet Checkers.lnk
[2010/01/13 18:18:31 | 000,000,913 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Games\Internet Hearts.lnk
[2010/01/13 18:18:31 | 000,000,913 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Games\Internet Reversi.lnk
[2010/01/13 18:18:31 | 000,000,913 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Games\Internet Spades.lnk
[2010/01/11 16:34:49 | 000,001,515 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Games\Minesweeper.lnk
[2010/01/11 16:34:49 | 000,000,885 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Games\Pinball.lnk
[2010/01/11 16:34:49 | 000,001,491 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Games\Solitaire.lnk
[2010/01/11 16:34:49 | 000,001,502 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Games\Spider Solitaire.lnk
[2011/11/02 09:57:04 | 000,000,806 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Malwarebytes' Anti-Malware\Malwarebytes' Anti-Malware Help.lnk
[2011/11/02 09:57:04 | 000,000,806 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Malwarebytes' Anti-Malware\Malwarebytes' Anti-Malware.lnk
[2011/11/02 09:57:04 | 000,000,830 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Malwarebytes' Anti-Malware\Uninstall Malwarebytes' Anti-Malware.lnk
[2011/10/14 15:50:15 | 000,002,485 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Excel 2007.lnk
[2010/01/20 17:35:56 | 000,002,599 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Outlook 2007.lnk
[2010/01/20 17:35:56 | 000,002,551 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office PowerPoint 2007.lnk
[2010/01/12 11:49:06 | 000,002,517 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Publisher 2007.lnk
[2011/10/20 14:25:27 | 000,002,527 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Word 2007.lnk
[2010/01/20 17:35:56 | 000,002,553 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools\Digital Certificate for VBA Projects.lnk
[2010/01/20 17:35:56 | 000,002,533 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools\Microsoft Clip Organizer.lnk
[2010/01/20 17:35:56 | 000,002,433 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools\Microsoft Office 2007 Language Settings.lnk
[2010/01/20 17:35:56 | 000,002,531 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools\Microsoft Office Diagnostics.lnk
[2010/01/20 17:35:56 | 000,002,691 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools\Microsoft Office Document Imaging.lnk
[2010/01/20 17:35:56 | 000,002,693 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools\Microsoft Office Document Scanning.lnk
[2010/01/20 17:35:56 | 000,002,511 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools\Microsoft Office Picture Manager.lnk
[2010/10/22 13:39:55 | 000,001,630 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\MS Project\GanttProject\GanttProject.lnk
[2010/10/22 13:39:55 | 000,001,665 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\MS Project\GanttProject\HouseBuildingSample.lnk
[2010/10/22 13:39:55 | 000,001,603 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\MS Project\GanttProject\Uninstall.lnk
[2010/10/21 14:44:52 | 000,001,690 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\MS Project\KaDonk\LiveProject Online.lnk
[2010/10/21 14:44:52 | 000,000,835 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\MS Project\KaDonk\LiveProject.lnk
[2010/10/21 14:44:52 | 000,001,712 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\MS Project\KaDonk\Online Help.lnk
[2010/10/21 14:44:52 | 000,001,695 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\MS Project\KaDonk\Online Support.lnk
[2011/08/19 13:18:18 | 000,000,933 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\MS Project\OpenProj\OpenProj.lnk
[2011/10/26 11:04:23 | 000,000,668 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Phone Applications\MOBILedit!\MOBILedit!.lnk
[2011/10/26 11:04:25 | 000,000,730 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Phone Applications\MOBILedit!\Uninstall MOBILedit!.lnk
[2010/01/14 17:34:49 | 000,001,012 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\Belkin Network USB Hub Control Center.lnk
[2010/01/19 15:31:52 | 000,001,711 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\MP Navigator 3.0.lnk
[2011/07/05 14:05:30 | 000,000,863 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\HP Color LaserJet CM2320 MFP Series\HP Fax Setup Wizard.lnk
[2011/07/05 14:06:08 | 000,000,798 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\HP Color LaserJet CM2320 MFP Series\Scan.lnk
[2011/07/05 14:08:03 | 000,001,884 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\HP Color LaserJet CM2320 MFP Series\Send Fax.lnk
[2011/07/05 14:07:17 | 000,001,139 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\HP Color LaserJet CM2320 MFP Series\Uninstall.lnk
[2011/07/05 14:07:17 | 000,001,156 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\HP Color LaserJet CM2320 MFP Series\User Guide.lnk
[2010/01/14 18:11:53 | 000,000,786 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\hp LaserJet 3330\hp LaserJet Copier.lnk
[2010/01/14 18:11:53 | 000,000,787 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\hp LaserJet 3330\hp LaserJet Device Configuration.lnk
[2010/01/14 18:11:53 | 000,000,808 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\hp LaserJet 3330\hp LaserJet Director.lnk
[2010/01/14 18:11:53 | 000,000,808 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\hp LaserJet 3330\hp LaserJet Document Manager.lnk
[2010/01/14 18:11:54 | 000,000,823 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\hp LaserJet 3330\hp LaserJet Photo Center.lnk
[2010/01/14 18:11:54 | 000,000,786 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\hp LaserJet 3330\hp LaserJet Scan Control Viewer.lnk
[2010/01/14 18:11:54 | 000,000,922 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\hp LaserJet 3330\Software Configuration Page.lnk
[2010/01/14 18:11:54 | 000,000,883 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\hp LaserJet 3330\Readiris OCR\I.R.I.S. OCR Registration.lnk
[2010/01/14 18:11:54 | 000,000,890 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\hp LaserJet 3330\Readiris OCR\Readiris Help.lnk
[2010/01/14 18:11:54 | 000,000,890 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\hp LaserJet 3330\Readiris OCR\Readiris User's Guide.lnk
[2010/01/14 18:11:54 | 000,000,890 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Print & Scan\hp LaserJet 3330\Readiris OCR\Readiris.lnk
[2010/09/07 14:33:31 | 000,002,679 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SolidWorks 2010\DWGeditor 2010.lnk
[2011/06/07 22:02:09 | 000,002,299 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SolidWorks 2010\SolidWorks 2010.lnk
[2010/09/07 14:40:20 | 000,001,831 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SolidWorks 2010\SolidWorks eDrawings 2010.lnk
[2010/09/07 14:40:20 | 000,002,569 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SolidWorks 2010\SolidWorks Explorer 2010.lnk
[2010/09/07 15:07:13 | 000,002,487 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SolidWorks 2010\SolidWorks Tools\Copy Settings Wizard.lnk
[2010/09/07 15:07:13 | 000,002,687 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SolidWorks 2010\SolidWorks Tools\Property Tab Builder.lnk
[2010/09/07 15:07:13 | 000,002,503 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SolidWorks 2010\SolidWorks Tools\SolidNetWork License Manager.lnk
[2010/09/07 15:07:13 | 000,002,687 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SolidWorks 2010\SolidWorks Tools\SolidWorks Network Monitor.lnk
[2010/09/07 15:07:13 | 000,002,473 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SolidWorks 2010\SolidWorks Tools\SolidWorks Rx.lnk
[2010/09/07 15:07:13 | 000,002,481 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SolidWorks 2010\SolidWorks Tools\SolidWorks Task Scheduler.lnk
[2010/09/07 15:07:13 | 000,002,703 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SolidWorks 2010\SolidWorks Tools\Toolbox Settings.lnk
[2011/11/01 11:19:11 | 000,001,644 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SUPERAntiSpyware\BootSafe.lnk
[2011/11/01 11:19:11 | 000,001,628 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SUPERAntiSpyware\SUPERAntiSpyware Alternate Start.lnk
[2011/11/01 11:19:11 | 000,001,700 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SUPERAntiSpyware\SUPERAntiSpyware Free Edition.lnk
[2011/11/01 11:19:11 | 000,000,802 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SUPERAntiSpyware\SUPERAntiSpyware Help.lnk
[2011/11/01 11:19:11 | 000,001,722 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\SUPERAntiSpyware\SUPERAntiSpyware Registration-Activation.lnk
[2010/01/13 17:52:05 | 000,000,645 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Utilities\7-Zip File Manager.lnk
[2010/04/14 10:54:43 | 000,000,885 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Utilities\Ad-Aware.lnk
[2010/10/21 11:25:12 | 000,001,712 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Utilities\avast! Free Antivirus.lnk
[2010/04/15 16:55:09 | 000,001,754 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Utilities\Belarc Advisor.lnk
[2010/01/12 14:36:11 | 000,000,751 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Utilities\Command Prompt.lnk
[2010/01/14 11:08:02 | 000,000,745 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Utilities\DAEMON Tools Lite.lnk
[2010/04/29 14:00:46 | 000,001,542 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Utilities\Eraser.lnk
[2010/01/14 10:40:13 | 000,000,501 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Utilities\Tweak UI.lnk
[2011/02/23 14:56:09 | 000,001,589 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Video\DVD Flick.lnk
[2010/01/14 11:07:23 | 000,000,943 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Video\Media Player Classic.lnk
[2010/01/15 16:38:55 | 000,000,731 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Video\VLC media player.lnk
[2010/01/14 10:49:13 | 000,000,666 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Video\Winamp.lnk
[2010/01/12 10:37:45 | 000,000,804 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Video\Windows Media Player.lnk
[2010/01/11 16:36:55 | 000,000,786 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\1\Programs\Video\Windows Movie Maker.lnk
[2011/11/02 14:19:43 | 000,000,867 | -H-- | M] () -- C:\DOCUME~1\JUMHOE~1\LOCALS~1\Temp\smtmp\2\System Restore.lnk

< End of report >

#4 gringo_pr (Malware Response Team)

Posted 06 November 2011 - 08:47 PM

Open Notepad.
Copy all text from the following code box and paste it into Notepad window:

@echo off
REM Save this as plain text (Notepad, "Save as type: All Files"), not RTF: an RTF save turns the /s switch into "/s\par".
REM The rogue moved the real shortcuts into %TEMP%\smtmp and set them hidden, so xcopy needs /h; /s recurses, /i treats the target as a folder.
set SRC=%USERPROFILE%\Local Settings\Temp\smtmp
xcopy "%SRC%\1\*" "%ALLUSERSPROFILE%\Start Menu\" /s /h /i
xcopy "%SRC%\2\*" "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\" /s /h /i
xcopy "%SRC%\3\*" "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\" /s /h /i
xcopy "%SRC%\4\*" "%ALLUSERSPROFILE%\Desktop\" /s /h /i
REM Clear the hidden attribute on the copies, or they stay invisible in the Start Menu and on the Desktop.
attrib -h "%ALLUSERSPROFILE%\Start Menu\*" /s /d
attrib -h "%ALLUSERSPROFILE%\Desktop\*" /s /d
exit

Save the file as fix.bat.

Double click fix.bat to run it.
A pop-up window will open and you'll see number of files being copied.
The window will close, when all copying is done.

I want you to run this custom OTL script for me and then let me know how things are after you finish.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
    :OTL
    PRC - C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe ()
    PRC - C:\Documents and Settings\All Users\Application Data\MgKPyEORiQUvGj.exe ()
    MOD - C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe ()
    MOD - C:\Documents and Settings\All Users\Application Data\MgKPyEORiQUvGj.exe ()
    O2 - BHO: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
    O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
    [2011/11/02 14:21:28 | 000,000,448 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
    [2011/11/02 14:19:44 | 000,000,200 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
    [2011/11/02 14:19:43 | 000,000,867 | -H-- | M] () -- C:\Documents and Settings\jumhoefer\Application Data\Microsoft\Internet Explorer\Quick Launch\System Restore.lnk
    [2011/11/02 14:19:43 | 000,000,849 | -H-- | M] () -- C:\Documents and Settings\jumhoefer\Desktop\System Restore.lnk
    [2011/11/02 14:19:34 | 000,312,816 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
    [2011/11/02 14:19:13 | 000,400,368 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\MgKPyEORiQUvGj.exe
    [2011/11/02 12:23:28 | 000,302,592 | -H-- | M] () -- C:\Documents and Settings\jumhoefer\Desktop\lngtu4gv.exe
    [2011/11/02 14:19:44 | 000,000,296 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
    [2011/11/02 14:19:44 | 000,000,200 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
    [2011/11/02 14:19:43 | 000,000,849 | -H-- | C] () -- C:\Documents and Settings\jumhoefer\Desktop\System Restore.lnk
    [2011/11/02 14:19:39 | 000,000,448 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
    [2011/11/02 14:19:34 | 000,312,816 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
    [2011/11/02 14:19:14 | 000,400,368 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\MgKPyEORiQUvGj.exe
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY] 
    [emptyjava]
    [EMPTYFLASH]
    [RESETHOSTS] 
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 jumhoefer (Topic Starter)

Posted 06 November 2011 - 10:01 PM

When I ran fix.bat, it gave me the following error (0 files copied)

invalid parameter - /s\par

#6 gringo_pr (Malware Response Team)

Posted 07 November 2011 - 02:21 AM

1. Copy the entire content of this folder:
C:\Documents and Settings\robert\Local Settings\Temp\smtmp\1
and paste it to this folder:
C:\Documents and Settings\All Users\Start Menu

2. Copy the entire content of this folder:
C:\Documents and Settings\robert\Local Settings\Temp\smtmp\2
and paste it to this folder:
C:\Documents and Settings\robert\Application Data\Microsoft\Internet Explorer\Quick Launch

3. Copy the entire content of this folder:
C:\Documents and Settings\robert\Local Settings\Temp\smtmp\3
and paste it to this folder:
C:\Documents and Settings\robert\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

4. Copy the entire content of this folder:
C:\Documents and Settings\robert\Local Settings\Temp\smtmp\4
and paste it to this folder:
C:\Documents and Settings\All Users\Desktop

#7 jumhoefer (Topic Starter)

Posted 07 November 2011 - 02:01 PM

Okay. I accessed the files by going into Folder Options and re-enabling "Show Hidden".

I copied the Start Menu files back, but they are still hidden.

The only item in folder "2" is a shortcut to the fake System Restore program, so I left that.

Folder "3" is not there.

Folder 4 is empty. All of my Desktop items are still present in the localuser\Desktop folder, they are just hidden.

I ran OTL per your instructions above, pasting the custom scans/fixes text into the box, and changing no other settings from their default values. It did not ask me to reboot. Log below:

========== OTL ==========
No active process named 6DSS92c31Apgjk.exe was found!
No active process named MgKPyEORiQUvGj.exe was found!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk moved successfully.
C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr moved successfully.
C:\Documents and Settings\jumhoefer\Application Data\Microsoft\Internet Explorer\Quick Launch\System Restore.lnk moved successfully.
C:\Documents and Settings\jumhoefer\Desktop\System Restore.lnk moved successfully.
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe moved successfully.
File C:\Documents and Settings\All Users\Application Data\MgKPyEORiQUvGj.exe not found.
C:\Documents and Settings\jumhoefer\Desktop\lngtu4gv.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk moved successfully.
File C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr not found.
File C:\Documents and Settings\jumhoefer\Desktop\System Restore.lnk not found.
File C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk not found.
File C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe not found.
File C:\Documents and Settings\All Users\Application Data\MgKPyEORiQUvGj.exe not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\cmd.bat deleted successfully.
C:\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: jumhoefer
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: jumhoefer
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.31.0 log created on 11072011_105733

#8 gringo_pr (Malware Response Team)

Posted 07 November 2011 - 02:44 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#9 jumhoefer (Topic Starter)

Posted 07 November 2011 - 05:59 PM

I had problems trying to disable Ad-Aware. Following the instructions given in the link above, many of the commands/settings were different when I went into the various Ad-Aware menus. I set it so that Ad Watch Live appeared to be off, with all settings available to me set to off or disabled. I then shut down Ad-Aware, and no AAW related processes that I recognized (i.e. with "AAW" or "AdAware" in their name) were running under task manager.

I disabled Avast per the instructions, but left the program running. It acknowledged that it was disabled.

When I ran Combofix, it gave an error that Ad-Aware was still running. I allowed Combofix to continue anyway.

Then, helpfully, during the Combofix run, Avast decided to start a system scan. I stopped Avast, and just let Combofix finish.

Below is the CF log. If this is junk and I need to redo something, I apologize.

Presently, all desktop and start menu items appear to be normal. There are no more fake errors or warning dialog boxes. There are no weird processes running in task manager. However, iexplore.exe keeps reopening in task manager, even though there is no IE window open that I can see, and I never use IE and have not opened it.

I will leave the machine on, and make no changes or reboot it until you tell me what to do next. Thanks!



ComboFix 11-11-07.03 - jumhoefer 11/07/2011 13:20:10.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1458 [GMT -8:00]
Running from: C:\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\jumhoefer\Start Menu\Programs\System Restore
c:\documents and settings\jumhoefer\Start Menu\Programs\System Restore\System Restore.lnk
c:\documents and settings\jumhoefer\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
c:\documents and settings\jumhoefer\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-10-07 to 2011-11-07 )))))))))))))))))))))))))))))))
.
.
2011-11-07 18:57 . 2011-11-07 18:57 -------- d-----w- C:\_OTL
2011-11-07 18:55 . 2011-11-07 18:55 584192 ----a-w- C:\OTL.exe
2011-11-07 18:40 . 2011-11-07 20:56 515778 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-11-07 03:00 . 2011-11-07 02:58 868 ----a-w- C:\fix.bat
2011-11-01 22:08 . 2011-11-01 23:08 -------- d-----w- C:\13456
2011-11-01 19:20 . 2011-11-01 19:20 -------- d--h--w- c:\documents and settings\jumhoefer\Application Data\SUPERAntiSpyware.com
2011-11-01 19:19 . 2011-11-01 19:20 -------- d--h--w- c:\program files\SUPERAntiSpyware
2011-11-01 19:19 . 2011-11-01 19:19 -------- d--h--w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-10-31 22:26 . 2011-10-31 22:26 -------- d--h--w- c:\documents and settings\jumhoefer\Application Data\Malwarebytes
2011-10-31 22:26 . 2011-10-31 22:26 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-31 22:26 . 2011-09-01 00:00 22216 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-10-31 22:26 . 2011-11-02 17:57 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2011-10-26 19:32 . 2010-12-10 00:03 27632 ---ha-w- c:\windows\system32\drivers\seehcri.sys
2011-10-26 19:22 . 2011-10-26 19:23 -------- d--h--w- c:\program files\Compiled Driver Disc (Full)
2011-10-26 19:04 . 2011-10-26 20:15 -------- d--h--w- c:\documents and settings\jumhoefer\Application Data\MOBILedit
2011-10-26 19:04 . 2011-10-26 19:04 -------- d--h--w- c:\program files\COMPELSON Labs
2011-10-26 19:03 . 2011-10-26 19:04 -------- d--h--w- c:\program files\MOBILedit!
2011-10-25 01:48 . 2011-10-25 01:48 65536 ---ha-r- c:\documents and settings\jumhoefer\Application Data\Microsoft\Installer\{A27EC9FD-6BF7-4726-8D87-32BA44B41FEB}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2011-10-22 01:37 . 2011-10-22 01:37 -------- d--h--w- c:\documents and settings\All Users\Application Data\InstallShield
2011-10-22 01:37 . 2011-10-22 01:37 65536 ---ha-r- c:\documents and settings\jumhoefer\Application Data\Microsoft\Installer\{F4C4B4BA-6B74-41A7-88D5-E5B0C96BDAD2}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2011-10-22 01:37 . 2011-10-22 01:37 45056 ---ha-r- c:\documents and settings\jumhoefer\Application Data\Microsoft\Installer\{F4C4B4BA-6B74-41A7-88D5-E5B0C96BDAD2}\DPFrame.exe_0BBE7BA409C14ABCB18FB15BA367F3B6.exe
2011-10-22 01:36 . 2011-10-22 01:36 -------- d-----w- C:\CHMC
2011-10-14 22:56 . 2011-10-14 22:59 -------- d--h--w- c:\program files\BitPim
2011-10-14 02:25 . 2011-10-14 02:25 -------- d--h--w- c:\documents and settings\jumhoefer\Local Settings\Application Data\Help
2011-10-14 02:08 . 2011-10-14 02:08 -------- d--h--w- c:\program files\Qualcomm
2011-10-13 19:52 . 2010-01-14 14:07 161112 ---ha-w- c:\windows\system32\drivers\C751Vsp.sys
2011-10-13 19:52 . 2010-01-14 14:07 161112 ---ha-w- c:\windows\system32\drivers\C751Mdm.sys
2011-10-13 19:52 . 2010-01-14 14:07 56280 ---ha-w- c:\windows\system32\drivers\C751BUS.sys
2011-10-13 19:52 . 2010-06-28 06:08 319456 ---ha-w- c:\windows\system32\DIFxAPI.dll
2011-10-13 19:52 . 2011-10-13 19:52 -------- d--h--w- c:\program files\Common Files\VerizonWireless
2011-10-13 19:51 . 2011-10-13 19:51 53248 ---ha-r- c:\documents and settings\jumhoefer\Application Data\Microsoft\Installer\{EB03FE2F-E043-4EF8-8C2A-D018A1E28291}\ARPPRODUCTICON.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-12 17:19 . 2011-06-06 18:41 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 18:41 . 2008-07-30 03:59 611328 ---ha-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-04 10:00 220160 ---ha-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-04 10:00 20480 ---ha-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-04 10:00 599040 ---ha-w- c:\windows\system32\crypt32.dll
2011-09-06 20:45 . 2010-10-21 19:24 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:45 . 2010-10-21 19:24 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-06 20:38 . 2011-03-31 19:52 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:37 . 2010-10-21 19:25 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-06 20:36 . 2010-10-21 19:25 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-06 20:36 . 2010-10-21 19:25 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-06 20:36 . 2010-10-21 19:25 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-09-06 20:36 . 2010-10-21 19:25 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-09-06 20:36 . 2010-10-21 19:25 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-06 20:33 . 2010-10-21 19:25 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-09-06 13:20 . 2004-08-04 10:00 1858944 ---ha-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2006-03-04 03:33 916480 ---ha-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 10:00 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 10:00 1469440 ---h--w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 10:00 385024 ---ha-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 10:00 138496 ---ha-w- c:\windows\system32\drivers\afd.sys
2011-10-08 01:43 . 2011-08-24 00:44 134104 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-01_00.27.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 10:00 . 2011-11-01 23:33 69128 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2011-11-01 23:33 436590 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-17 4615552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2009-05-11 24576]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"iiovsVgraP.exe"="c:\documents and settings\All Users\Application Data\iiovsVgraP.exe" [BU]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ---ha-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2010-04-10 15:45 979344 ---ha-w- c:\progra~1\Eraser\Eraser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP AutoIndexer]
2002-04-22 20:57 90112 ---ha-w- c:\program files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP SchedIndexer]
2002-04-22 20:56 94208 ---ha-w- c:\program files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-11-17 11:03 8495104 ---ha-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-11-17 11:03 81920 ---ha-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-11-17 11:03 1626112 ---ha-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 18:22 405504 ---ha-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-19 23:34 149280 ---ha-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wltrysvc"=2 (0x2)
"UPS"=3 (0x3)
"TapiSrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"mnmsrvc"=3 (0x3)
"idsvc"=3 (0x3)
"NMSAccessU"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Belkin\\Network USB Hub Control Center\\Connect.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\HP\\HP LaserJet P2030 Series\\HPMSetup.exe"=
"\\\\192.168.1.100\\videos\\SOFTWARE\\Printers\\Color LaserJet CM2320 MFP\\PC\\HP_CM2320_MFP\\setup\\hppniprint01.exe"=
"\\\\192.168.1.100\\videos\\SOFTWARE\\Printers\\Color LaserJet CM2320 MFP\\PC\\HP_CM2320_MFP\\setup\\hppniprint64.exe"=
"\\\\192.168.1.100\\videos\\SOFTWARE\\Printers\\Color LaserJet CM2320 MFP\\PC\\HP_CM2320_MFP\\setup\\hppnicifs01.exe"=
"\\\\192.168.1.100\\videos\\SOFTWARE\\Printers\\Color LaserJet CM2320 MFP\\PC\\HP_CM2320_MFP\\setup\\customprndnld\\hppcstpg.exe"=
"\\\\192.168.1.100\\videos\\SOFTWARE\\Printers\\Color LaserJet CM2320 MFP\\PC\\HP_CM2320_MFP\\setup\\hpbtpg.exe"=
"\\\\192.168.1.100\\videos\\SOFTWARE\\Printers\\Color LaserJet CM2320 MFP\\PC\\HP_CM2320_MFP\\setup\\launchapp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19540:UDP"= 19540:UDP:SXUPTP
"9100:TCP"= 9100:TCP:Printer
"427:UDP"= 427:UDP:SLP
"161:TCP"= 161:TCP:SNMP
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/14/2010 11:04 AM 64512]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/14/2010 11:08 AM 691696]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/31/2011 11:52 AM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/21/2010 11:25 AM 320856]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 8:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 1:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 3:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/21/2010 11:25 AM 20568]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [10/26/2011 11:32 AM 27632]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [9/27/2007 3:53 AM 79232]
S3 C751BUS;CASIO C751 USB Composite Device Driver;c:\windows\system32\drivers\C751BUS.sys [10/13/2011 11:52 AM 56280]
S3 C751Mdm;CASIO C751 CDMA USB Modem;c:\windows\system32\drivers\C751Mdm.sys [10/13/2011 11:52 AM 161112]
S3 C751Vsp;CASIO C751 USB Virtual Serial Port;c:\windows\system32\drivers\C751Vsp.sys [10/13/2011 11:52 AM 161112]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks\swScheduler\DTSCoordinatorService.exe [5/8/2010 12:45 AM 87336]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [6/20/2011 9:31 AM 2152152]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [6/20/2011 9:31 AM 15232]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [8/19/2010 9:01 AM 14848]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 6:01 AM 2799808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-06-20 07:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1 192.168.1.100
FF - ProfilePath - c:\documents and settings\jumhoefer\Application Data\Mozilla\Firefox\Profiles\4nj270fc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
Supplementary scan did not complete!
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-07 14:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(976)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-11-07 14:43:43
ComboFix-quarantined-files.txt 2011-11-07 22:43
.
Pre-Run: 28,000,583,680 bytes free
Post-Run: 28,103,229,440 bytes free
.
- - End Of File - - BE07AD89061CF9275D3EBEC25CDBD6CB

#10 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
Posted 07 November 2011 - 06:16 PM

Greetings

I want you to run this first for me - http://download.bleepingcomputer.com/grinler/unhide.exe


Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 jumhoefer

jumhoefer
  • Topic Starter
  • Members
  • 10 posts

Posted 07 November 2011 - 08:33 PM

I ran Unhide.

I ran Combofix with the extra script, and again it indicated an error due to Ad-Aware being active. I allowed Combofix to continue anyway. AAW does not show up in the task manager still. I have not rebooted it yet.

After all of this, the machine seems normal, except it is still reopening an iexplore.exe process, with no visible IE window. I end the process in task manager, and it reappears a minute later. It doesn't draw much CPU usage (usually about zero) and uses 50-100MB of memory.



ComboFix 11-11-07.03 - jumhoefer 11/07/2011 16:11:36.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1367 [GMT -8:00]
Running from: c:\documents and settings\jumhoefer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jumhoefer\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-08 to 2011-11-08 )))))))))))))))))))))))))))))))
.
.
2011-11-07 18:57 . 2011-11-07 18:57 -------- d-----w- C:\_OTL
2011-11-07 18:55 . 2011-11-07 18:55 584192 ----a-w- C:\OTL.exe
2011-11-07 18:40 . 2011-11-07 20:56 515778 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-11-07 03:00 . 2011-11-07 02:58 868 ----a-w- C:\fix.bat
2011-11-01 22:08 . 2011-11-01 23:08 -------- d-----w- C:\13456
2011-11-01 19:20 . 2011-11-01 19:20 -------- d-----w- c:\documents and settings\jumhoefer\Application Data\SUPERAntiSpyware.com
2011-11-01 19:19 . 2011-11-01 19:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-01 19:19 . 2011-11-01 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-10-31 22:26 . 2011-10-31 22:26 -------- d-----w- c:\documents and settings\jumhoefer\Application Data\Malwarebytes
2011-10-31 22:26 . 2011-10-31 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-31 22:26 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-31 22:26 . 2011-11-02 17:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-26 19:32 . 2010-12-10 00:03 27632 ----a-w- c:\windows\system32\drivers\seehcri.sys
2011-10-26 19:22 . 2011-10-26 19:23 -------- d-----w- c:\program files\Compiled Driver Disc (Full)
2011-10-26 19:04 . 2011-10-26 20:15 -------- d-----w- c:\documents and settings\jumhoefer\Application Data\MOBILedit
2011-10-26 19:04 . 2011-10-26 19:04 -------- d-----w- c:\program files\COMPELSON Labs
2011-10-26 19:03 . 2011-10-26 19:04 -------- d-----w- c:\program files\MOBILedit!
2011-10-25 01:48 . 2011-10-25 01:48 65536 ----a-r- c:\documents and settings\jumhoefer\Application Data\Microsoft\Installer\{A27EC9FD-6BF7-4726-8D87-32BA44B41FEB}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2011-10-22 01:37 . 2011-10-22 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2011-10-22 01:37 . 2011-10-22 01:37 65536 ----a-r- c:\documents and settings\jumhoefer\Application Data\Microsoft\Installer\{F4C4B4BA-6B74-41A7-88D5-E5B0C96BDAD2}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2011-10-22 01:37 . 2011-10-22 01:37 45056 ----a-r- c:\documents and settings\jumhoefer\Application Data\Microsoft\Installer\{F4C4B4BA-6B74-41A7-88D5-E5B0C96BDAD2}\DPFrame.exe_0BBE7BA409C14ABCB18FB15BA367F3B6.exe
2011-10-22 01:36 . 2011-10-22 01:36 -------- d-----w- C:\CHMC
2011-10-14 22:56 . 2011-10-14 22:59 -------- d-----w- c:\program files\BitPim
2011-10-14 02:25 . 2011-10-14 02:25 -------- d-----w- c:\documents and settings\jumhoefer\Local Settings\Application Data\Help
2011-10-14 02:08 . 2011-10-14 02:08 -------- d-----w- c:\program files\Qualcomm
2011-10-13 19:52 . 2010-01-14 14:07 161112 ----a-w- c:\windows\system32\drivers\C751Vsp.sys
2011-10-13 19:52 . 2010-01-14 14:07 161112 ----a-w- c:\windows\system32\drivers\C751Mdm.sys
2011-10-13 19:52 . 2010-01-14 14:07 56280 ----a-w- c:\windows\system32\drivers\C751BUS.sys
2011-10-13 19:52 . 2010-06-28 06:08 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2011-10-13 19:52 . 2011-10-13 19:52 -------- d-----w- c:\program files\Common Files\VerizonWireless
2011-10-13 19:51 . 2011-10-13 19:51 53248 ----a-r- c:\documents and settings\jumhoefer\Application Data\Microsoft\Installer\{EB03FE2F-E043-4EF8-8C2A-D018A1E28291}\ARPPRODUCTICON.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-12 17:19 . 2011-06-06 18:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 18:41 . 2008-07-30 03:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 20:45 . 2010-10-21 19:24 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:45 . 2010-10-21 19:24 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-06 20:38 . 2011-03-31 19:52 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:37 . 2010-10-21 19:25 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-06 20:36 . 2010-10-21 19:25 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-06 20:36 . 2010-10-21 19:25 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-06 20:36 . 2010-10-21 19:25 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-09-06 20:36 . 2010-10-21 19:25 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-09-06 20:36 . 2010-10-21 19:25 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-06 20:33 . 2010-10-21 19:25 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-09-06 13:20 . 2004-08-04 10:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-08 01:43 . 2011-08-24 00:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-01_00.27.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 10:00 . 2011-11-01 23:33 69128 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2011-11-01 23:33 436590 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-17 4615552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2009-05-11 24576]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"iiovsVgraP.exe"="c:\documents and settings\All Users\Application Data\iiovsVgraP.exe" [BU]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2010-04-10 15:45 979344 ----a-w- c:\progra~1\Eraser\Eraser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP AutoIndexer]
2002-04-22 20:57 90112 ----a-w- c:\program files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP SchedIndexer]
2002-04-22 20:56 94208 ----a-w- c:\program files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-11-17 11:03 8495104 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-11-17 11:03 81920 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-11-17 11:03 1626112 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 18:22 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-19 23:34 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wltrysvc"=2 (0x2)
"UPS"=3 (0x3)
"TapiSrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"mnmsrvc"=3 (0x3)
"idsvc"=3 (0x3)
"NMSAccessU"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Belkin\\Network USB Hub Control Center\\Connect.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\HP\\HP LaserJet P2030 Series\\HPMSetup.exe"=
"\\\\192.168.1.100\\videos\\SOFTWARE\\Printers\\Color LaserJet CM2320 MFP\\PC\\HP_CM2320_MFP\\setup\\hppniprint01.exe"=
"\\\\192.168.1.100\\videos\\SOFTWARE\\Printers\\Color LaserJet CM2320 MFP\\PC\\HP_CM2320_MFP\\setup\\hppniprint64.exe"=
"\\\\192.168.1.100\\videos\\SOFTWARE\\Printers\\Color LaserJet CM2320 MFP\\PC\\HP_CM2320_MFP\\setup\\hppnicifs01.exe"=
"\\\\192.168.1.100\\videos\\SOFTWARE\\Printers\\Color LaserJet CM2320 MFP\\PC\\HP_CM2320_MFP\\setup\\customprndnld\\hppcstpg.exe"=
"\\\\192.168.1.100\\videos\\SOFTWARE\\Printers\\Color LaserJet CM2320 MFP\\PC\\HP_CM2320_MFP\\setup\\hpbtpg.exe"=
"\\\\192.168.1.100\\videos\\SOFTWARE\\Printers\\Color LaserJet CM2320 MFP\\PC\\HP_CM2320_MFP\\setup\\launchapp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19540:UDP"= 19540:UDP:SXUPTP
"9100:TCP"= 9100:TCP:Printer
"427:UDP"= 427:UDP:SLP
"161:TCP"= 161:TCP:SNMP
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/14/2010 11:04 AM 64512]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/14/2010 11:08 AM 691696]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/31/2011 11:52 AM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/21/2010 11:25 AM 320856]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 8:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 1:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 3:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/21/2010 11:25 AM 20568]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [10/26/2011 11:32 AM 27632]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [9/27/2007 3:53 AM 79232]
S3 C751BUS;CASIO C751 USB Composite Device Driver;c:\windows\system32\drivers\C751BUS.sys [10/13/2011 11:52 AM 56280]
S3 C751Mdm;CASIO C751 CDMA USB Modem;c:\windows\system32\drivers\C751Mdm.sys [10/13/2011 11:52 AM 161112]
S3 C751Vsp;CASIO C751 USB Virtual Serial Port;c:\windows\system32\drivers\C751Vsp.sys [10/13/2011 11:52 AM 161112]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks\swScheduler\DTSCoordinatorService.exe [5/8/2010 12:45 AM 87336]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [6/20/2011 9:31 AM 2152152]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [6/20/2011 9:31 AM 15232]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [8/19/2010 9:01 AM 14848]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 6:01 AM 2799808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-06-20 07:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1 192.168.1.100
FF - ProfilePath - c:\documents and settings\jumhoefer\Application Data\Mozilla\Firefox\Profiles\4nj270fc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-07 16:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(976)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3584)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-11-07 17:21:10
ComboFix-quarantined-files.txt 2011-11-08 01:20
ComboFix2.txt 2011-11-07 22:44
.
Pre-Run: 28,124,004,352 bytes free
Post-Run: 27,998,560,256 bytes free
.
- - End Of File - - C313EDAE6E558D0A95BA9282519AB14E
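The ComboFix "Reg Loading Points" section above lists the HKLM Run key, where the `iiovsVgraP.exe` value starts directly from `All Users\Application Data` and shows `[BU]` in place of the date/size stamp that every other entry carries; it is the same value MBAM reports later in the thread as Rogue.Agent.SA. As an added example that is not part of this thread and is neither ComboFix's nor MBAM's own logic, the Python script below parses a Run block in that layout and flags entries on those two signals. The sample block is constructed here from a subset of the page's entries, and the list of user-writable directories and the stamp heuristic are this example's own assumptions, not anything ComboFix documents.

```python
import re

# Constructed sample in the ComboFix "Reg Loading Points" layout, modelled on
# the HKLM Run key shown in the log above (a subset of its entries).
SAMPLE_RUN_BLOCK = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"iiovsVgraP.exe"="c:\documents and settings\All Users\Application Data\iiovsVgraP.exe" [BU]
"""

# A registry-key header line, e.g. [HKEY_LOCAL_MACHINE\...\Run]
KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# A value line: "name"="image path" [stamp]
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]\s*$')
# The stamp shape every other entry in the page's log carries: YYYY-MM-DD size
STAMP_OK = re.compile(r'^\d{4}-\d{2}-\d{2} \d+$')

# Data directories on XP that any logged-on user can write to (assumed list);
# a Run image sitting directly in one of them is an unusual install location.
USER_WRITABLE_DIRS = (
    "\\all users\\application data\\",
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)


def parse_run_entries(text):
    """Return the value entries listed under any *\\Run key in a ComboFix block."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = RUN_LINE.match(line)
        if m and key and key.lower().endswith("\\run"):
            entries.append({"key": key, **m.groupdict()})
    return entries


def parent_dir(path):
    """Lower-cased directory part of a Windows path, with trailing backslash."""
    head, sep, _ = path.lower().rpartition("\\")
    return head + sep if sep else ""


def assess(entry):
    """Heuristic reasons an autostart entry deserves a closer look (may be empty)."""
    reasons = []
    if not STAMP_OK.match(entry["stamp"]):
        reasons.append("no date/size stamp (shows [%s]) where every other entry has one"
                       % entry["stamp"])
    if any(parent_dir(entry["path"]).endswith(d) for d in USER_WRITABLE_DIRS):
        reasons.append("image starts directly from a user-writable data directory")
    return reasons


def scan_run_block(text):
    """Parse a block and return only the entries that have at least one reason."""
    findings = []
    for entry in parse_run_entries(text):
        reasons = assess(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_run_block(SAMPLE_RUN_BLOCK):
        print("%s -> %s" % (f["name"], f["path"]))
        for r in f["reasons"]:
            print("    - " + r)
```

Run against the constructed block, only the `iiovsVgraP.exe` entry is returned, with both reasons; the three vendor entries carry a normal stamp and live under Program Files or the system directory, so they pass. The heuristics are a triage aid for reading such logs, not a verdict: a flagged entry still needs the file itself checked, as the helpers in this thread do with their scanners.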

#12 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
Posted 07 November 2011 - 08:50 PM

Hello

This is the tool I would like you to try and run next.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Gringo

#13 jumhoefer

jumhoefer
  • Topic Starter
  • Members
  • 10 posts

Posted 07 November 2011 - 09:01 PM

When I double click on aswMBR.exe, it appears to begin to run, and then nothing happens. I repeated it a couple times while watching task manager, and sometimes a new entry briefly appears, and then disappears after less than a second.

#14 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
Posted 07 November 2011 - 09:13 PM

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.



Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Edited by gringo_pr, 07 November 2011 - 09:16 PM.


#15 jumhoefer

jumhoefer
  • Topic Starter
  • Members
  • 10 posts

Posted 07 November 2011 - 10:59 PM

All four items executed successfully, with no apparent issues.

The recurrent iexplore.exe is still popping up. There are a few more processes running, most of which I can identify (e.g. due to Java) and seem legit.

I still have a Google redirect issue happening.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:53:29 PM, on 11/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263263650749
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263326333875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://vpn.stellartec.com/dana-cached/sc/JuniperSetupClient.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sph.umich.edu,umich.edu,itd.umich.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sph.umich.edu,umich.edu,itd.umich.edu
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program Files\SolidWorks\swScheduler\DTSCoordinatorService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 5439 bytes


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8111

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/7/2011 7:50:55 PM
mbam-log-2011-11-07 (19-50-55).txt

Scan type: Quick scan
Objects scanned: 176350
Time elapsed: 4 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iiovsVgraP.exe (Rogue.Agent.SA) -> Value: iiovsVgraP.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
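As an added worked example (not part of this thread, nor of HijackThis or Malwarebytes), the script below does by code what a helper does by eye on a HijackThis log like the one above: it parses the O4, O17, O20 and O23 lines and flags a Run entry that launches from a user profile or Temp directory, a service with no vendor string, and a DNS suffix search list entry that does not belong to the expected organisation. The sample lines are copied from the log posted above, except the O4 line for iiovsVgraP.exe: Malwarebytes only reports the value name, so the path on that line is an assumption made for illustration, and the expected DNS suffix is likewise an assumption.

```python
"""Triage of HijackThis autostart/service lines (O4, O17, O20, O23).

Added example; not code from the forum post, HijackThis or Malwarebytes.
The rules are the simple heuristics a responder applies by eye.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log in the thread, plus one
# ASSUMED O4 line for iiovsVgraP.exe (only the value name appears on the page, in
# the Malwarebytes log; the path here is an assumption for illustration).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Run: [iiovsVgraP.exe] C:\Documents and Settings\user\Local Settings\Application Data\iiovsVgraP.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sph.umich.edu,umich.edu,itd.umich.edu
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""


@dataclass
class Entry:
    section: str                 # "O4", "O17", "O20" or "O23"
    name: str                    # value name, registry key, notify package or service name
    path: Optional[str]          # executable/DLL path where the line carries one
    extra: List[str] = field(default_factory=list)  # hive (O4), domains (O17), vendor (O23)


# Directories a properly installed autostart entry rarely launches from.
SUSPECT_DIR_MARKERS = ("\\documents and settings\\", "\\application data\\",
                       "\\local settings\\", "\\temp\\", "\\recycler\\", "\\users\\")

_O4 = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[([^\]]+)\] (.*)$")
_O17 = re.compile(r"^O17 - (\S+): SearchList = (.*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
_O23 = re.compile(r"^O23 - Service: (.*)$")
# Either a quoted path, or an unquoted one cut at the first executable extension.
_EXE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|scr|cmd|bat|com))(?:\s|$)', re.IGNORECASE)


def _exe_path(command: str) -> Optional[str]:
    m = _EXE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else None


def parse(log_text: str) -> List[Entry]:
    """Turn the supported HijackThis line types into Entry records."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _O4.match(line):
            hive, name, cmd = m.groups()
            entries.append(Entry("O4", name, _exe_path(cmd), [hive]))
        elif m := _O17.match(line):
            key, domains = m.groups()
            entries.append(Entry("O17", key, None, [d.strip() for d in domains.split(",") if d.strip()]))
        elif m := _O20.match(line):
            entries.append(Entry("O20", m.group(1), m.group(2)))
        elif m := _O23.match(line):
            # "<display name> - <vendor> - <path>": take the path from the right so a
            # vendor or name containing " - " does not swallow it.
            head, _, path = m.group(1).rpartition(" - ")
            name, _, vendor = head.partition(" - ")
            entries.append(Entry("O23", name, path, [vendor]))
    return entries


def triage(log_text: str, expected_dns_suffixes: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Return (section, name, reason) for every entry worth a closer look."""
    suffixes = tuple(expected_dns_suffixes)
    findings: List[Tuple[str, str, str]] = []
    for e in parse(log_text):
        if e.section in ("O4", "O20") and e.path:
            low = e.path.lower()
            if any(marker in low for marker in SUSPECT_DIR_MARKERS):
                findings.append((e.section, e.name, f"launches from a user-writable location: {e.path}"))
        elif e.section == "O23":
            vendor = e.extra[0]
            if not vendor or vendor == "Unknown owner":   # HijackThis prints "Unknown owner" when no company info is present
                findings.append((e.section, e.name, f"service carries no vendor string: {e.path}"))
        elif e.section == "O17" and suffixes:
            for d in e.extra:
                if not any(d == s or d.endswith("." + s) for s in suffixes):
                    findings.append((e.section, e.name, f"unexpected DNS search suffix: {d}"))
    return findings


if __name__ == "__main__":
    # "umich.edu" is assumed to be the organisation this machine belongs to.
    for section, name, reason in triage(SAMPLE_LOG, expected_dns_suffixes=("umich.edu",)):
        print(f"{section:4} {name:20} {reason}")
```

Run it as-is and only the assumed iiovsVgraP.exe Run entry is reported; change the expected suffix and every O17 search domain is reported instead. A hit here is a prompt to look, not a verdict: a legitimate program can live under a user profile, and a vendor string is trivially forged, so the next step is still the file's signature, hash and behaviour.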
