
Backdoor.Agent.RS Infection?


10 replies to this topic

#1 LA Freddy

  • Members
  • 21 posts

Posted 26 February 2013 - 01:35 PM

I fear that I've infected my computer with Backdoor.Agent.RS. I don't know what that is exactly but an internet search makes it sound pretty malicious.

 

WHAT HAPPENED?

* I got a call from friend who is not tech savvy. I occasionally help with problems, so I used Teamviewer to access his computer and see what he was doing.

* He was using Outlook Web Access over Firefox. He received an email with an attachment named "payment receipt.zip" and had tried to open it several times. The file was listed in his "Downloads" box in Firefox but not present in his Downloads folder in his My Documents. The email looked like a typical spam message (money transferred or some such thing) and I feared he had a virus.

* I right-clicked and saved the attachment to his desktop. I then unzipped it and inside was a file named "payment receipt.exe".

* I then copied the file from his machine to mine (Stupid!) to take a quick look at it so he could continue working. After transferring the file, I accidentally hit the Enter key which ran the executable. Oh, no.

* I copied the file over again from his machine and scanned it with Malwarebytes' Anti-Malware and Virustotal.com and it does appear to be a virus. Malwarebytes describes it as Backdoor.Agent.RS and Virustotal.com returns detections on 23 of the 46 Antivirus programs.

 

 

This happened last night, and since then I haven't noticed any unusual behavior on the computer, but my internet search on the virus name makes me fear that my online usernames and passwords have been stolen. How can I tell if I have been infected?

 

Thank you so much for any help you can provide.
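An added example, not from the original post and not from any tool named in this thread: a Python check that lists the entries of a zip attachment like the one described above without extracting or running anything, flagging each entry by executable extension, by a document-style extension hidden in front of the real one, and by the "MZ" header that marks a Windows executable whatever the file is called. The archive it inspects is constructed in memory with a placeholder payload; the extension sets and the second lure name are this example's own assumptions.

```python
import io
import zipfile

# Assumed extension sets (this example's own, not from the thread): what Windows runs
# on double-click, and what a lure name pretends to be ('receipt.pdf.exe').
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def inspect_zip(data: bytes):
    """List every file in the archive with the reasons it looks like a lure, without extracting."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1].lower()
            pieces = basename.split(".")
            ext = "." + pieces[-1] if len(pieces) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            if len(pieces) > 2 and "." + pieces[-2] in DOCUMENT_EXTS:
                reasons.append("document extension hidden before the real one")
            # Read only the first two bytes: Windows executables begin with 'MZ'
            # regardless of the name they were given.
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":
                reasons.append("PE header (MZ)")
            findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def is_suspicious(findings):
    """True if any entry in the archive carries at least one flag."""
    return any(f["reasons"] for f in findings)


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the 'payment receipt.zip' from the post. The payloads are
    two 'MZ' bytes plus zero padding, not real programs, so nothing here can execute.
    'invoice.pdf.scr' is a constructed second lure to exercise the double-extension check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payment receipt.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice.pdf.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text, nothing to run\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_attachment()):
        status = "; ".join(f["reasons"]) or "no flags"
        print(f"{f['name']} ({f['size']} bytes): {status}")
```

The point of reading the magic bytes rather than trusting the name is that the extension check and the header check fail independently: a renamed executable defeats the first, a script file defeats the second, and an entry that trips either one should never be double-clicked on a working machine.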




#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender: Male
  • Location: India

Posted 26 February 2013 - 01:43 PM

As a safety precaution, change your online banking username and passwords.

 

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters




  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example).
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now




  • Click Start Scan and allow the scan process to run

  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue




  • Click Reboot computer
  • Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically c:\), in your reply


===================================================


aswMBR

--------------------

  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.



  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.



  • Please post the contents of the log in your next reply.

NOTE: aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


===================================================


ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the   button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:

    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply.   Note:  If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • TDSSKiller log
  • aswMBR log
  • ESET results



#3 LA Freddy

  • Topic Starter
  • Members
  • 21 posts

Posted 26 February 2013 - 10:41 PM

Thank you so much for your quick and thorough reply.
 
You are correct that the scans took a while to complete. Below are the results for aswMBR and ESET. When I try to post the results of the TDSSKiller log, I'm getting a message "Your post was too long. Please go back and shorten it a little." Should I attach the log file instead? Or would you like me to post it in parts? Or am I doing something wrong?

 

 

 

 

 

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-26 14:28:34
-----------------------------
14:28:34.953    OS Version: Windows 5.1.2600 Service Pack 3
14:28:34.953    Number of processors: 2 586 0xE0C
14:28:34.953    ComputerName: MJOLLNIR  UserName: Mxyzptlk
14:28:35.265    Initialize success
14:30:51.796    AVAST engine defs: 13022600
14:31:47.906    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:31:47.906    Disk 0 Vendor: SAMSUNG_HN-M500MBB 2AR10001 Size: 476940MB BusType: 3
14:31:47.921    Disk 0 MBR read successfully
14:31:47.921    Disk 0 MBR scan
14:31:47.968    Disk 0 unknown MBR code
14:31:47.968    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        57187 MB offset 63
14:31:47.968    Disk 0 Partition - 00     05     Extended            419743 MB offset 117133312
14:31:48.000    Disk 0 Partition 2 00     BC              BOOTWIZ0       36 MB offset 117135360
14:31:48.015    Disk 0 Partition - 00     05     Extended            412676 MB offset 117211136
14:31:48.031    Disk 0 scanning sectors +976766976
14:31:48.109    Disk 0 scanning C:\WINDOWS\system32\drivers
14:32:06.125    Service scanning
14:32:25.484    Modules scanning
14:32:29.328    Module: C:\WINDOWS\System32\DLA\DLADResN.SYS  **SUSPICIOUS**
14:32:30.156    Disk 0 trace - called modules:
14:32:30.156    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
14:32:30.156    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b186ab8]
14:32:30.156    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000091[0x8b2135c8]
14:32:30.156    5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8b2504c0]
14:32:30.468    AVAST engine scan C:\WINDOWS
14:32:34.328    AVAST engine scan C:\WINDOWS\system32
14:35:33.671    AVAST engine scan C:\WINDOWS\system32\drivers
14:35:54.500    AVAST engine scan C:\Documents and Settings\Mxyzptlk
14:37:18.656    AVAST engine scan C:\Documents and Settings\All Users
14:40:28.328    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mxyzptlk\Desktop\2013-02-26 Malware\MBR.dat"
14:40:28.328    The log file has been saved successfully to "C:\Documents and Settings\Mxyzptlk\Desktop\2013-02-26 Malware\aswMBR.txt"

 

 

 

 

----------------

ESET results

----------------

 

C:\Documents and Settings\All Users\Local Settings\Temp\msykxjr.com    Win32/TrojanDownloader.Wauchos.A trojan    cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Mxyzptlk\Desktop\payment receipt\payment receipt.exe    Win32/TrojanDownloader.Wauchos.A trojan    cleaned by deleting - quarantined
D:\Dropbox\Technology\MsOfficeAndWindowsSettings\OtherApps\Install_ExcelWatermark.exe    probably a variant of Win32/VB.GLGVTUD trojan    cleaned by deleting - quarantined
D:\Dropbox\Technology\ProgramsToInstall-OtherComputerTools\SetupImgBurn_2.5.5.0.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
D:\PersonalFiles\! ToFile\! ! FromTheComputer2012-02-13\Desktop\CuteWriter.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
D:\PersonalFiles\! ToFile\! ! FromTheComputer2012-02-13\techTools\winXPKey\ShowXPKey.exe    Win32/PSWTool.RAS.A application    deleted - quarantined
D:\PersonalFiles\! ToFile\! ! FromTheDesktop 2012-04-18\Tech--ToFile\RegardingXpActivation\KeyFindingSoftwares\ShowXPKey.exe    Win32/PSWTool.RAS.A application    deleted - quarantined
D:\PersonalFiles\! ToFile\! ! FromTheDesktop 2012-06-13\UBCD\ubcd511.iso    Win32/PSWTool.KonBoot.A application    deleted - quarantined
D:\PersonalFiles\Technology\Computer\Software\BootDiscsSystemTools\UBCD4WinBuilder.iso    Win32/PrcView application    deleted - quarantined
D:\PersonalFiles\Technology\Computer\Software\ToInstall\zz_ObsoletePrograms\SetupImgBurn_2.5.5.0.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
D:\PersonalFiles\Technology\Computer\Software\ToInstall\z_OtherApps\ExcelWatermark\Install_ExcelWatermark.exe    probably a variant of Win32/VB.GLGVTUD trojan    cleaned by deleting - quarantined
D:\PersonalFiles\Technology\Computer\Software\ToInstall\z_OtherApps\z_ForPortAppsPartition\StandaloneApps\wirelesskeyview.zip.bak    a variant of Win32/WirelessKeyView.A application    deleted - quarantined
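An added example, not part of the thread: a Python triage of the ESET result lines above. It separates the two detection classes ESET reports here ("trojan" versus "application", the latter being tools such as key viewers and boot discs that the scanner treats as potentially unsafe applications rather than infections), tallies the trojan families, and singles out the entry that could only be removed after a restart, which is the one sitting in a Temp directory. The input is the twelve lines from the post, embedded verbatim as the sample; the parsing rule (three columns separated by runs of whitespace) is an assumption about how the forum rendered the log.

```python
import re
from collections import Counter

# Sample input: the twelve ESET result lines from the post above, copied verbatim.
# Each line is path, detection name, action, separated by runs of spaces.
ESET_RESULTS = r"""
C:\Documents and Settings\All Users\Local Settings\Temp\msykxjr.com    Win32/TrojanDownloader.Wauchos.A trojan    cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Mxyzptlk\Desktop\payment receipt\payment receipt.exe    Win32/TrojanDownloader.Wauchos.A trojan    cleaned by deleting - quarantined
D:\Dropbox\Technology\MsOfficeAndWindowsSettings\OtherApps\Install_ExcelWatermark.exe    probably a variant of Win32/VB.GLGVTUD trojan    cleaned by deleting - quarantined
D:\Dropbox\Technology\ProgramsToInstall-OtherComputerTools\SetupImgBurn_2.5.5.0.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
D:\PersonalFiles\! ToFile\! ! FromTheComputer2012-02-13\Desktop\CuteWriter.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
D:\PersonalFiles\! ToFile\! ! FromTheComputer2012-02-13\techTools\winXPKey\ShowXPKey.exe    Win32/PSWTool.RAS.A application    deleted - quarantined
D:\PersonalFiles\! ToFile\! ! FromTheDesktop 2012-04-18\Tech--ToFile\RegardingXpActivation\KeyFindingSoftwares\ShowXPKey.exe    Win32/PSWTool.RAS.A application    deleted - quarantined
D:\PersonalFiles\! ToFile\! ! FromTheDesktop 2012-06-13\UBCD\ubcd511.iso    Win32/PSWTool.KonBoot.A application    deleted - quarantined
D:\PersonalFiles\Technology\Computer\Software\BootDiscsSystemTools\UBCD4WinBuilder.iso    Win32/PrcView application    deleted - quarantined
D:\PersonalFiles\Technology\Computer\Software\ToInstall\zz_ObsoletePrograms\SetupImgBurn_2.5.5.0.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
D:\PersonalFiles\Technology\Computer\Software\ToInstall\z_OtherApps\ExcelWatermark\Install_ExcelWatermark.exe    probably a variant of Win32/VB.GLGVTUD trojan    cleaned by deleting - quarantined
D:\PersonalFiles\Technology\Computer\Software\ToInstall\z_OtherApps\z_ForPortAppsPartition\StandaloneApps\wirelesskeyview.zip.bak    a variant of Win32/WirelessKeyView.A application    deleted - quarantined
"""


def parse_eset_line(line):
    """Split one ESET result line into its three columns, or return None if it is not one."""
    parts = re.split(r"\s{2,}", line.strip())
    if len(parts) != 3:
        return None
    path, detection, action = parts
    # 'probably a variant of Win32/VB.GLGVTUD trojan' -> family 'Win32/VB.GLGVTUD'
    family = re.search(r"\S+/\S+", detection)
    return {
        "path": path,
        "detection": detection,
        "family": family.group(0) if family else detection,
        # the last word is ESET's class: 'trojan' (malware) or 'application' (unsafe/unwanted tool)
        "category": detection.rsplit(" ", 1)[-1].lower(),
        "action": action,
        # a file that could only be deleted after a restart was open or locked while the scan ran
        "locked": "after the next restart" in action.lower(),
        "in_temp": "\\temp\\" in path.lower(),
    }


def triage(text):
    """Group the detections the way a responder reads them: real malware first,
    then the potentially unsafe tools, then anything that was live or hiding in Temp."""
    findings = [f for f in map(parse_eset_line, text.strip().splitlines()) if f]
    return {
        "malware": [f for f in findings if f["category"] == "trojan"],
        "pua": [f for f in findings if f["category"] == "application"],
        "locked": [f["path"] for f in findings if f["locked"]],
        "temp": [f["path"] for f in findings if f["in_temp"]],
        "families": Counter(f["family"] for f in findings if f["category"] == "trojan"),
    }


def report(text):
    """Human-readable summary of triage()."""
    r = triage(text)
    lines = [f"{len(r['malware'])} malware detection(s), {len(r['pua'])} application (PUA) detection(s)"]
    for fam, n in r["families"].most_common():
        lines.append(f"  {fam}: {n} file(s)")
    for p in r["locked"]:
        lines.append(f"locked at scan time (needed a restart): {p}")
    for p in r["temp"]:
        lines.append(f"located in a Temp directory: {p}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ESET_RESULTS))
```

Run against the posted lines, this yields four "trojan" hits (the two Wauchos files and two copies of the same VB.GLGVTUD installer) against eight "application" hits on the user's own archived tools, and the only locked entry is the .com file under All Users\Local Settings\Temp, which is the component worth following up on in the later logs.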
 



#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender: Male
  • Location: India

Posted 26 February 2013 - 10:44 PM

Malwarebytes

--------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.  If you already have it installed launch the program and update the database.

  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.  You can also right click on the link and select Save Link As

Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings except to uncheck any offer for a free Pro trial version
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


===================================================


Farbar's MiniToolBox

--------------------

  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the icon to launch the program
  • Make sure the following options are checked:

    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Installed Programs
    • List Devices
    • List Users, Partitions and Memory size.
  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply


===================================================


Farbar's Service Scanner

--------------------

Please download Farbar Service Scanner, save it to your desktop, and run it.

  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.


===================================================


AdwCleaner by Xplode - Search for Adware

-------------------

  • Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on DELETE
  • A logfile will automatically open after the scan has finished
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[R1].txt as well


===================================================


Junkware Removal Tool by thisisu

-------------------

  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply


===================================================


Rkill

-------------------

Please download Rkill by Grinler from one of the 4 links below (if one of them does not work try another...) and save it to your desktop:


  • In order for Rkill to run properly you must disable your anti-malware software.  Please refer to this page if you are not sure how.
  • Double-click on Rkill. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
    • Note:  You may have to run Rkill a few times before it is successful.  You may also have to download Rkill from a different link which will save it as a different file name.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear.  Please copy and paste the contents in your reply (file also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as the malware programs will start again.  If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.


===================================================


Autoruns

--------------------

  • Please download AutoRuns and save it to your desktop
  • Double click the AutoRuns.zip folder
  • Double click autoruns.exe (not autorunsc.exe), select Run, then Run again and allow the information to populate
  • Select File, Save, Desktop (in the left hand pane), then Save filename as Autoruns.txt and change Save as type to  Text(*.txt).
  • Double click on the text file, copy and paste the contents in your reply


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Malwarebytes log
  • MiniToolBox log
  • Farbar's Service Scanner log
  • AdwCleaner log
  • Junkware Removal Tool log
  • Rkill log
  • Autoruns log

 



#5 LA Freddy

  • Topic Starter
  • Members
  • 21 posts

Posted 27 February 2013 - 01:38 PM

----------------------

MALWAREBYTES

----------------------

 

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.27.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Mxyzptlk :: MJOLLNIR [administrator]

2/27/2013 10:14:03 AM
mbam-log-2013-02-27 (10-14-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 254997
Time elapsed: 6 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|46868 (Trojan.Agent) -> Data: C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msykxjr.com -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

-------------------

MINITOOLBOX

-------------------

 

MiniToolBox by Farbar  Version:10-01-2013
Ran by Mxyzptlk (administrator) on 27-02-2013 at 12:34:49
Running from "D:\PersonalFiles\Technology\Computer\MalwarePreventionRemoval\2013-02-26 MalwareIncident\4 MiniToolbox"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================


::1  localhost

127.0.0.1  localhost
127.0.0.1  fr.a2dfp.net
127.0.0.1  m.fr.a2dfp.net
127.0.0.1  ad.a8.net
127.0.0.1  asy.a8ww.net
127.0.0.1  abcstats.com
127.0.0.1  a.abv.bg
127.0.0.1  adserver.abv.bg
127.0.0.1  adv.abv.bg
127.0.0.1  bimg.abv.bg
127.0.0.1  ca.abv.bg
127.0.0.1  www2.a-counter.kiev.ua
127.0.0.1  track.acclaimnetwork.com
127.0.0.1  accuserveadsystem.com
127.0.0.1  www.accuserveadsystem.com
127.0.0.1  achmedia.com
127.0.0.1  aconti.net
127.0.0.1  secure.aconti.net
127.0.0.1  www.aconti.net
127.0.0.1  am1.activemeter.com

There are 12775 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

Intel® PRO/1000 PL Network Connection = Local Area Connection (Connected)
Intel® PRO/Wireless 3945ABG Network Connection = WiFi Wireless (Media disconnected)


# ----------------------------------
# Interface IP Configuration         
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "WiFi Wireless"

set address name="WiFi Wireless" source=dhcp
set dns name="WiFi Wireless" source=dhcp register=PRIMARY
set wins name="WiFi Wireless" source=dhcp

# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



        Host Name . . . . . . . . . . . . : Mjollnir

        Primary Dns Suffix  . . . . . . . :

        Node Type . . . . . . . . . . . . : Hybrid

        IP Routing Enabled. . . . . . . . : No

        WINS Proxy Enabled. . . . . . . . : No

        DNS Suffix Search List. . . . . . : home



Ethernet adapter WiFi Wireless:



        Media State . . . . . . . . . . . : Media disconnected

        Description . . . . . . . . . . . : Intel® PRO/Wireless 3945ABG Network Connection

        Physical Address. . . . . . . . . : 00-1B-77-7D-19-B8



Ethernet adapter Local Area Connection:



        Connection-specific DNS Suffix  . : home

        Description . . . . . . . . . . . : Intel® PRO/1000 PL Network Connection

        Physical Address. . . . . . . . . : 00-15-58-C5-E6-98

        Dhcp Enabled. . . . . . . . . . . : Yes

        Autoconfiguration Enabled . . . . : Yes

        IP Address. . . . . . . . . . . . : 192.168.1.3

        Subnet Mask . . . . . . . . . . . : 255.255.255.0

        Default Gateway . . . . . . . . . : 192.168.1.1

        DHCP Server . . . . . . . . . . . : 192.168.1.1

        DNS Servers . . . . . . . . . . . : 192.168.1.1

        Lease Obtained. . . . . . . . . . : Wednesday, February 27, 2013 12:29:43 PM

        Lease Expires . . . . . . . . . . : Thursday, February 28, 2013 12:29:43 PM

Server:  Wireless_Broadband_Router.home
Address:  192.168.1.1

Name:    google.com
Addresses:  74.125.226.200, 74.125.226.193, 74.125.226.194, 74.125.226.197
      74.125.226.198, 74.125.226.195, 74.125.226.206, 74.125.226.192, 74.125.226.199
      74.125.226.196, 74.125.226.201



Pinging google.com [173.194.43.14] with 32 bytes of data:



Reply from 173.194.43.14: bytes=32 time=15ms TTL=252

Reply from 173.194.43.14: bytes=32 time=18ms TTL=252



Ping statistics for 173.194.43.14:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 15ms, Maximum = 18ms, Average = 16ms

Server:  Wireless_Broadband_Router.home
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  98.139.183.24, 206.190.36.45, 98.138.253.109



Pinging yahoo.com [206.190.36.45] with 32 bytes of data:



Reply from 206.190.36.45: bytes=32 time=867ms TTL=250

Reply from 206.190.36.45: bytes=32 time=874ms TTL=250



Ping statistics for 206.190.36.45:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 867ms, Maximum = 874ms, Average = 870ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1b 77 7d 19 b8 ...... Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
0x3 ...00 15 58 c5 e6 98 ...... Intel® PRO/1000 PL Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.3      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      169.254.0.0      255.255.0.0      192.168.1.3     192.168.1.3      20
      192.168.1.0    255.255.255.0      192.168.1.3     192.168.1.3      20
      192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255      192.168.1.3     192.168.1.3      20
        224.0.0.0        240.0.0.0      192.168.1.3     192.168.1.3      20
  255.255.255.255  255.255.255.255      192.168.1.3     192.168.1.3      1
  255.255.255.255  255.255.255.255      192.168.1.3               2      1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (02/26/2013 00:32:39 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (02/26/2013 00:32:39 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (02/15/2013 05:06:56 PM) (Source: Application Error) (User: )
Description: Faulting application vidalia.exe, version 0.2.21.0, faulting module qtcore4.dll, version 4.8.1.0, fault address 0x00249022.
Processing media-specific event for [vidalia.exe!ws!]

Error: (02/12/2013 10:10:19 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15657

Error: (02/12/2013 10:10:19 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15657

Error: (02/12/2013 10:10:19 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (02/06/2013 10:23:31 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 9134469

Error: (02/06/2013 10:23:31 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 9134469

Error: (02/06/2013 10:23:30 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/28/2013 02:01:48 PM) (Source: Application Error) (User: )
Description: Faulting application vidalia.exe, version 0.2.21.0, faulting module qtcore4.dll, version 4.8.1.0, fault address 0x00249022.
Processing media-specific event for [vidalia.exe!ws!]


System errors:
=============
Error: (02/27/2013 09:06:02 AM) (Source: PlugPlayManager) (User: )
Description: The device 'Intel® PRO/1000 PL Network Connection' (PCI\VEN_8086&DEV_109A&SUBSYS_200117AA&REV_00\4&192ac53f&0&00E0) disappeared from the system without first being prepared for removal.

Error: (02/26/2013 01:53:00 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
iaStor

Error: (02/25/2013 01:09:22 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.

Error: (02/25/2013 11:26:50 AM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.3 for the Network Card with network address 001B777D19B8 has been
denied by the DHCP server 192.168.5.1 (The DHCP Server sent a DHCPNACK message).

Error: (02/25/2013 11:25:17 AM) (Source: PlugPlayManager) (User: )
Description: The device 'Intel® PRO/1000 PL Network Connection' (PCI\VEN_8086&DEV_109A&SUBSYS_200117AA&REV_00\4&192ac53f&0&00E0) disappeared from the system without first being prepared for removal.

Error: (02/25/2013 11:25:00 AM) (Source: 0) (User: )
Description: C:

Error: (02/21/2013 03:13:04 PM) (Source: Windows Update Agent) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Error: (02/21/2013 03:12:54 PM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.10.58 on the
Network Card with network address 001B777D19B8.

Error: (02/21/2013 00:01:34 PM) (Source: Service Control Manager) (User: )
Description: The Intuit Update Service v4 service hung on starting.

Error: (02/21/2013 11:58:24 AM) (Source: PlugPlayManager) (User: )
Description: The device 'Intel® PRO/1000 PL Network Connection' (PCI\VEN_8086&DEV_109A&SUBSYS_200117AA&REV_00\4&192ac53f&0&00E0) disappeared from the system without first being prepared for removal.


Microsoft Office Sessions:
=========================
Error: (02/26/2013 00:32:39 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (02/26/2013 00:32:39 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (02/15/2013 05:06:56 PM) (Source: Application Error)(User: )
Description: vidalia.exe0.2.21.0qtcore4.dll4.8.1.000249022

Error: (02/12/2013 10:10:19 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15657

Error: (02/12/2013 10:10:19 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15657

Error: (02/12/2013 10:10:19 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (02/06/2013 10:23:31 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 9134469

Error: (02/06/2013 10:23:31 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 9134469

Error: (02/06/2013 10:23:30 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/28/2013 02:01:48 PM) (Source: Application Error)(User: )
Description: vidalia.exe0.2.21.0qtcore4.dll4.8.1.000249022


=========================== Installed Programs ============================

Acronis AlignTool - Samsung Edition (Version: 1.0.117)
Adobe Acrobat 9 Pro - English, Français, Deutsch (Version: 9.5.4)
Adobe Acrobat 9.5.4 - CPSID_83708
Adobe Flash Player 11 ActiveX (Version: 11.5.502.149)
Adobe Flash Player 11 Plugin (Version: 11.5.502.149)
Advanced PDF Password Recovery (Version: 4.11)
Amazon Kindle
AnswerWorks 5.0 English Runtime (Version: 5.0.7)
Apple Application Support (Version: 2.1.6)
Apple Mobile Device Support (Version: 4.0.0.97)
Apple Software Update (Version: 2.1.3.127)
ATI - Software Uninstall Utility (Version: 6.14.10.1014)
ATI Catalyst Control Center (Version: 1.2.2447.13670)
ATI Display Driver (Version: 8.293.1-060913a-036475C-Lenovo)
Bonjour (Version: 3.0.0.10)
Canon Camera Access Library (Version: 8.5.0.2)
Canon DIGITAL CAMERA Solution Disk Software Guide (Version: 1.6.0.1)
CANON iMAGE GATEWAY MyCamera Download Plugin (Version: 3.1.1.2)
Canon MOV Decoder (Version: 1.9.0.8)
Canon PowerShot S100 Camera User Guide (Version: 1.0.0.1)
Canon Utilities CameraWindow DC 8 (Version: 8.6.0.11)
Canon Utilities CameraWindow Launcher (Version: 7.6.0.1)
Canon Utilities MyCamera (Version: 7.5.0.1)
Canon Utilities PhotoStitch (Version: 3.1.22.46)
Carbonite (Version: 5.1.1 build 1022 (Feb-03-2012))
CCleaner (Version: 3.21)
CmdHere Powertoy For Windows XP (Version: 1.00.0001)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Dropbox (Version: 1.6.16)
ESET Online Scanner v3
Garmin BaseCamp (Version: 3.3.3)
Google Chrome (Version: 25.0.1364.97)
Google Talk Plugin (Version: 3.13.2.11592)
Help Center (Version: 1.03)
High Definition Audio Driver Package - KB888111 (Version: 20040219.000000)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software (Version: 10.1.1.3 API)
InterVideo WinDVD (Version: 5.0-B11.311)
iSEEK AnswerWorks English Runtime (Version: 010.000.0101)
iTunes (Version: 10.5.3.3)
KeyScrambler (Version: 2.9.2.0)
LastPass (uninstall only)
Magic ISO Maker v5.5 (build 0273)
MagicDisc 2.7.106
Malwarebytes Anti-Malware version 1.70.0.1100 (Version: 1.70.0.1100)
McAfee AntiSpyware Enterprise Module (Version: 8.5.0.163)
McAfee VirusScan Enterprise (Version: 8.6.0)
mCore (Version: 5.73.0000)
mDriver (Version: 5.73.0000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
mMHouse (Version: 5.73.0000)
mPfMgr (Version: 5.73.0000)
mProSafe (Version: 9.00.0000)
MSXML 4.0 SP2 (KB925672) (Version: 4.20.9839.0)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
mWlsSafe (Version: 9.00.0000)
mXML (Version: 5.73.0000)
PC-Doctor 5 for Windows (Version: 5.00.3371.03)
Productivity Center Supplement for ThinkPad (Version: 2.00)
Quicken 2011 (Version: 20.1.8.6)
RecordNow Audio (Version: 2.0.4)
RecordNow Copy (Version: 2.0.4)
RecordNow Data (Version: 2.0.4)
Rescue and Recovery - Client Security Solution (Version: 3.01.0037.00)
Rosetta Stone Version 3 (Version: 3.4.5.0)
Scroll Lock Indicator Utility (Version: 1.07)
Software Installer (Version: 4.01.0615)
Sonic DLA (Version: 5.1.0)
Sonic Express Labeler (Version: 2.1.0)
Sonic Update Manager (Version: 3.0.0)
SoundMAX (Version: 5.10.01.4326)
SpywareBlaster 4.6 (Version: 4.6.0)
System Migration Assistant (Version: 5.02.0014)
System Update (Version: 3.00.0028)
Target Context Menu (Remove Only)
TCPEye 1.0
ThinkPad Bluetooth with Enhanced Data Rate Software (Version: 5.1.0.2100)
ThinkPad Configuration (Version: 1.55)
ThinkPad EasyEject Utility  (Version: 2.30)
ThinkPad FullScreen Magnifier (Version: 1.17)
ThinkPad Keyboard Customizer Utility (Version: 1.3.42.0)
ThinkPad Modem (Version: 7.62.00)
ThinkPad PC Card Power Policy (Version: 1.02)
ThinkPad Power Management Driver (Version: 1.43)
ThinkPad Power Manager (Version: 1.14)
ThinkPad Presentation Director (Version: 2.56)
ThinkPad UltraNav Driver (Version: 15.0.18.0)
ThinkPad UltraNav Wizard (Version: 3.05)
ThinkVantage Active Protection System (Version: 1.51)
ThinkVantage Away Manager (Version: 2.0.8.0)
ThinkVantage Fingerprint Software 5.6 (Version: 5.6.0.3307)
ThinkVantage Productivity Center (Version: 2.01a)
ThinkVantage Technologies Welcome Message (Version: 1.12)
TrackPoint Accessibility Features (Version: 1.11.0.0)
TurboTax 2011
TurboTax 2011 WinPerFedFormset (Version: 011.000.3351)
TurboTax 2011 WinPerReleaseEngine (Version: 011.000.0496)
TurboTax 2011 WinPerTaxSupport (Version: 011.000.0222)
TurboTax 2011 wnyiper (Version: 011.000.1628)
TurboTax 2011 wrapper (Version: 011.000.0121)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568) (Version: 1)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows Internet Explorer 8 (KB2632503) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2492386) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
User Profile Hive Cleanup Service (Version: 1.5.21)
Wallpapers (Version: 2.0)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20061107.210142)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows Rights Management Client Backwards Compatibility SP2 (Version: 5.2.95)
Windows Rights Management Client with Service Pack 2 (Version: 5.2.95)
Windows XP Service Pack 3 (Version: 20080414.031525)
WinRAR archiver
Xirrus Wi-Fi Inspector (Version: 1.2.1.4)
XML Paper Specification Shared Components Pack 1.0
XP Themes (Version: 1.00.0000)

========================= Devices: ================================

Name: ThinkPad Modem
Description: ThinkPad Modem
Class Guid: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Manufacturer: CXT
Service: Modem
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: IBM ThinkPad Fast Infrared Port
Description: IBM ThinkPad Fast Infrared Port
Class Guid: {6BDD1FC5-810F-11D0-BEC7-08002BE2092F}
Manufacturer: IBM
Service: NSCIRDA
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


========================= Memory info: ===================================

Percentage of memory in use: 33%
Total physical RAM: 3070.36 MB
Available physical RAM: 2033.23 MB
Total Pagefile: 3665.11 MB
Available Pagefile: 2762.89 MB
Total Virtual: 2047.88 MB
Available Virtual: 1966.81 MB

========================= Partitions: =====================================

1 Drive c: (IBM_PRELOAD) (Fixed) (Total:55.85 GB) (Free:30.92 GB) NTFS
2 Drive d: (Data) (Fixed) (Total:403 GB) (Free:206.24 GB) NTFS
4 Drive f: (PortApps) (Fixed) (Total:6.86 GB) (Free:5.75 GB) NTFS

========================= Users: ========================================

User accounts for \\MJOLLNIR

Administrator            ASPNET                   Guest                    
HelpAssistant            Mxyzptlk                 SUPPORT_388945a0         


**** End of log ****

------------------------------

Farbar Service Scanner

------------------------------

Farbar Service Scanner Version: 20-02-2013
Ran by Mxyzptlk (administrator) on 27-02-2013 at 12:42:51
Running from "D:\PersonalFiles\Technology\Computer\MalwarePreventionRemoval\2013-02-26 MalwareIncident\5 FarbarServiceScanner"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".

sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".


System Restore Disabled Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll
[2004-08-09 12:52] - [2008-04-13 19:12] - 0006656 ____A (Microsoft Corporation) 35321FB577CDC98CE3EB3A3EB9E4610A

C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe
[1980-01-01 02:00] - [2009-02-06 06:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315


Extra List:
=======
AegisP(14) DNE(15) Gpc(6) IPSec(4) irda(13) mfetdik(11) NetBT(5) PSched(7) s24trans(9) Tcpip(3)
0x0F000000040000000100000002000000030000000B00000005000000060000000700000008000000090000000A0000000C0000000D0000000E0000000F000000
IpSec Tag value is correct.

**** End of log ****

---------------

AdwCleaner

---------------

# AdwCleaner v2.113 - Logfile created 02/27/2013 at 12:45:32
# Updated 23/02/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Mxyzptlk - MJOLLNIR
# Boot Mode : Normal
# Running from : D:\PersonalFiles\Technology\Computer\MalwarePreventionRemoval\2013-02-26 MalwareIncident\6 AdwCleaner\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v [Unable to get version]

File : C:\Documents and Settings\Mxyzptlk\Application Data\Mozilla\Firefox\Profiles\r9mwn9h2.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bkkt5qn4.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.97

File : C:\Documents and Settings\Mxyzptlk\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1234 octets] - [27/02/2013 12:45:32]

########## EOF - C:\AdwCleaner[S1].txt - [1294 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.5 (02.18.2013:1)
OS: Microsoft Windows XP x86
Ran by Mxyzptlk on Wed 02/27/2013 at 13:02:31.92
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 02/27/2013 at 13:07:43.71
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------

Rkill

------

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/27/2013 01:09:55 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\system32\IPSSVC.EXE (PID: 520) [WD-HEUR]
 * C:\WINDOWS\system32\HPZipm12.exe (PID: 652) [WD-HEUR]
 * C:\WINDOWS\system32\TpKmpSVC.exe (PID: 2540) [WD-HEUR]
 * C:\WINDOWS\System32\DLA\DLACTRLW.EXE (PID: 3596) [WD-HEUR]
 * C:\WINDOWS\system32\TpScrLk.exe (PID: 3732) [WD-HEUR]

5 proccesses terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * System Restore Disabled

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
   "DisableSR" = dword:00000001

Checking Windows Service Integrity:

 * System Restore Service (srservice) is not Running.
   Startup Type set to: Automatic

 * System Restore Filter Driver (sr) is not Running.
   Startup Type set to: Disabled

Searching for Missing Digital Signatures:

 * C:\WINDOWS\System32\drivers\mqac.sys [NoSig]
 +-> C:\WINDOWS\$hf_mig$\KB971032\SP2QFE\mqac.sys : 91,776 : 06/22/2009 00:30 AM : 9229e191fe206628be17d1e67a5faed9 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\mqac.sys : 92,544 : 04/13/2008 02:39 PM : 70c14f5cca5cf73f8a645c73a01d8726 [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\mqac.sys : 91,776 : 06/22/2009 02:48 AM : eee50bf24caeedb515a8f3b22756d3bb [Pos Repl]

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1  localhost
  ::1  localhost #[IPv6]
  127.0.0.1  fr.a2dfp.net
  127.0.0.1  m.fr.a2dfp.net
  127.0.0.1  ad.a8.net
  127.0.0.1  asy.a8ww.net
  127.0.0.1  abcstats.com
  127.0.0.1  a.abv.bg
  127.0.0.1  adserver.abv.bg
  127.0.0.1  adv.abv.bg
  127.0.0.1  bimg.abv.bg
  127.0.0.1  ca.abv.bg
  127.0.0.1  www2.a-counter.kiev.ua
  127.0.0.1  track.acclaimnetwork.com
  127.0.0.1  accuserveadsystem.com
  127.0.0.1  www.accuserveadsystem.com
  127.0.0.1  achmedia.com
  127.0.0.1  aconti.net
  127.0.0.1  secure.aconti.net
  127.0.0.1  www.aconti.net #[Dialer.Aconti]

  20 out of 14575 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 02/27/2013 01:10:55 PM
Execution time: 0 hours(s), 0 minute(s), and 59 seconds(s)

------------

Autoruns

------------

"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"    ""    ""    ""
+ "Acrobat Assistant 8.0"    "AcroTray"    "Adobe Systems Inc."    "c:\program files\adobe\acrobat 9.0\acrobat\acrotray.exe"
+ "Adobe Acrobat Speed Launcher"    "Adobe Acrobat SpeedLauncher"    "Adobe Systems Incorporated"    "c:\program files\adobe\acrobat 9.0\acrobat\acrobat_sl.exe"
+ "Adobe ARM"    "Adobe Reader and Acrobat Manager"    "Adobe Systems Incorporated"    "c:\program files\common files\adobe\arm\1.0\adobearm.exe"
+ "APSDaemon"    "Apple Push"    "Apple Inc."    "c:\program files\common files\apple\apple application support\apsdaemon.exe"
+ "ATICCC"    ""    ""    "c:\program files\ati technologies\ati.ace\clistart.exe"
+ "AwaySch"    "Away Scheduler"    "Lenovo Group Limited"    "c:\program files\lenovo\awaytask\awaysch.exe"
+ "BLOG"    ""    ""    "c:\program files\thinkpad\utilities\batlogex.dll"
+ "Carbonite Backup"    "Carbonite User Interface"    "Carbonite, Inc."    "c:\program files\carbonite\carbonite backup\carboniteui.exe"
+ "cssauth"    "cssauth"    "Lenovo Group Limited"    "c:\program files\ibm thinkvantage\client security solution\cssauth.exe"
+ "DLA"    "Drive Letter Access Component"    "Sonic Solutions"    "c:\windows\system32\dla\dlactrlw.exe"
+ "EZEJMNAP"    "ThinkPad EasyEject Support Application"    "Lenovo Group Limited"    "c:\program files\thinkpad\utilities\ezejmnap.exe"
+ "HotKeysCmds"    "hkcmd Module"    "Intel Corporation"    "c:\windows\system32\hkcmd.exe"
+ "IgfxTray"    "igfxTray Module"    "Intel Corporation"    "c:\windows\system32\igfxtray.exe"
+ "iTunesHelper"    "iTunesHelper"    "Apple Inc."    "c:\program files\itunes\ituneshelper.exe"
+ "LPManager"    "ThinkVantage Productivity Center Manager"    "Lenovo Group Limited"    "c:\program files\thinkvantage\prdctr\lpmgr.exe"
+ "McAfeeUpdaterUI"    "Common User Interface"    "McAfee, Inc."    "c:\program files\mcafee\common framework\udaterui.exe"
+ "PDService.exe"    "PrivateDisk Service"    "Utimaco Safeware AG"    "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
+ "Persistence"    "persistence Module"    "Intel Corporation"    "c:\windows\system32\igfxpers.exe"
+ "PWRMGRTR"    "ThinkPad Power Manager Background Monitor and Tray Battery Gauge"    "Lenovo Group Limited"    "c:\program files\thinkpad\utilities\pwrmgrtr.dll"
+ "ShStatEXE"    "VirusScan tray icon"    "McAfee, Inc."    "c:\program files\mcafee\virusscan enterprise\shstat.exe"
+ "SoundMAX"    "Audio Control Panel"    "Analog Devices, Inc."    "c:\program files\analog devices\soundmax\smax4.exe"
+ "SoundMAXPnP"    "SMax4PNP"    "Analog Devices, Inc."    "c:\program files\analog devices\core\smax4pnp.exe"
+ "SynTPEnh"    "Synaptics TouchPad Enhancements"    "Synaptics Incorporated"    "c:\program files\synaptics\syntp\syntpenh.exe"
+ "SynTPLpr"    "TouchPad Driver Helper Application"    "Synaptics Incorporated"    "c:\program files\synaptics\syntp\syntplpr.exe"
+ "TP4EX"    "TrackPoint Accessibility Features"    "Lenovo Group Limited"    "c:\windows\system32\tp4ex.exe"
+ "TPHOTKEY"    ""    ""    "c:\program files\lenovo\pkgmgr\hotkey\tphkmgr.exe"
+ "TPKBDLED"    ""    ""    "c:\windows\system32\tpscrlk.exe"
+ "TPKMAPHELPER"    "Keyboard Customizer"    "Lenovo"    "c:\program files\thinkpad\utilities\tpkmapap.exe"
+ "TpShocks"    "ThinkVantage Active Protection System"    "Lenovo."    "c:\windows\system32\tpshocks.exe"
+ "TVT Scheduler Proxy"    "scheduler_proxy Application"    "Lenovo Group Limited"    "c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe"
"C:\Documents and Settings\Mxyzptlk\Start Menu\Programs\Startup"    ""    ""    ""
+ "Dropbox.lnk"    "Dropbox"    "Dropbox, Inc."    "c:\documents and settings\mxyzptlk\application data\dropbox\bin\dropbox.exe"
"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"    ""    ""    ""
+ "Address Book 6"    "Outlook Express Setup Library"    "Microsoft Corporation"    "c:\program files\outlook express\setup50.exe"
+ "Microsoft Outlook Express 6"    "Outlook Express Setup Library"    "Microsoft Corporation"    "c:\program files\outlook express\setup50.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"    ""    ""    ""
+ "Google Update"    "Google Installer"    "Google Inc."    "c:\documents and settings\mxyzptlk\local settings\application data\google\update\googleupdate.exe"
+ "WMPNSCFG"    "Windows Media Player Network Sharing Service Configuration Application"    "Microsoft Corporation"    "c:\program files\windows media player\wmpnscfg.exe"
"HKLM\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect"    ""    ""    ""
+ "BTW Setup Wizard"    "BtWizard Module"    "Broadcom Corporation."    "c:\windows\system32\btwizard.dll"
"HKLM\SOFTWARE\Classes\Protocols\Filter"    ""    ""    ""
+ "text/xml"    "Microsoft Office XML MIME Filter"    "Microsoft Corporation"    "c:\program files\common files\microsoft shared\office11\msoxmlmf.dll"
"HKLM\SOFTWARE\Classes\Protocols\Handler"    ""    ""    ""
+ "ms-itss"    "Microsoft® InfoTech Storage System Library"    "Microsoft Corporation"    "c:\program files\common files\microsoft shared\information retrieval\msitss.dll"
+ "mso-offdap"    "Microsoft Office XP Web Components"    "Microsoft Corporation"    "c:\program files\common files\microsoft shared\web components\10\owc10.dll"
+ "mso-offdap11"    "Microsoft Office Web Components 2003"    "Microsoft Corporation"    "c:\program files\common files\microsoft shared\web components\11\owc11.dll"
"HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components"    ""    ""    ""
+ "0"    ""    ""    "File not found: About:Home"
"HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers"    ""    ""    ""
+ "DropboxExt"    "Dropbox Shell Extension"    "Dropbox, Inc."    "c:\documents and settings\mxyzptlk\application data\dropbox\bin\dropboxext.17.dll"
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers"    ""    ""    ""
+ "Carbonite"    "Carbonite Explorer Extensions"    "Carbonite, Inc."    "c:\program files\carbonite\carbonite backup\carbonitense.dll"
+ "MagicISO"    "MagicISO Shell Extension Module"    "MagicISO, Inc."    "c:\program files\magiciso\misosh.dll"
+ "SGPDMenu"    "SafeGuard PrivateDisk Shell Extension DLL"    "Utimaco Safeware AG"    "c:\program files\ibm thinkvantage\safeguard privatedisk\pdshell.dll"
+ "VirusScan"    "Shell Extension"    "McAfee, Inc."    "c:\program files\mcafee\virusscan enterprise\shext.dll"
+ "WinRAR"    ""    ""    "c:\program files\winrar\rarext.dll"
"HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers"    ""    ""    ""
+ "Carbonite"    "Carbonite Explorer Extensions"    "Carbonite, Inc."    "c:\program files\carbonite\carbonite backup\carbonitense.dll"
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers"    ""    ""    ""
+ "MBAMShlExt"    "Malwarebytes Anti-Malware"    "Malwarebytes Corporation"    "c:\program files\malwarebytes' anti-malware\mbamext.dll"
"HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers"    ""    ""    ""
+ "DropboxExt"    "Dropbox Shell Extension"    "Dropbox, Inc."    "c:\documents and settings\mxyzptlk\application data\dropbox\bin\dropboxext.17.dll"
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers"    ""    ""    ""
+ "Carbonite"    "Carbonite Explorer Extensions"    "Carbonite, Inc."    "c:\program files\carbonite\carbonite backup\carbonitense.dll"
+ "MagicISO"    "MagicISO Shell Extension Module"    "MagicISO, Inc."    "c:\program files\magiciso\misosh.dll"
+ "VirusScan"    "Shell Extension"    "McAfee, Inc."    "c:\program files\mcafee\virusscan enterprise\shext.dll"
+ "WinRAR"    ""    ""    "c:\program files\winrar\rarext.dll"
"HKLM\Software\Classes\Directory\Shellex\DragDropHandlers"    ""    ""    ""
+ "WinRAR"    ""    ""    "c:\program files\winrar\rarext.dll"
"HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers"    ""    ""    ""
+ "Monitor"    "BTNCopy Module"    "Broadcom Corporation."    "c:\windows\system32\btncopy.dll"
"HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers"    ""    ""    ""
+ "DropboxExt"    "Dropbox Shell Extension"    "Dropbox, Inc."    "c:\documents and settings\mxyzptlk\application data\dropbox\bin\dropboxext.17.dll"
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers"    ""    ""    ""
+ "ACE"    "ACE Context Menu"    ""    "c:\program files\ati technologies\ati.ace\atiacmxx.dll"
+ "igfxcui"    "igfxpph Module"    "Intel Corporation"    "c:\windows\system32\igfxpph.dll"
"HKLM\Software\Classes\Folder\Shellex\ColumnHandlers"    ""    ""    ""
+ "PDF Shell Extension"    "PDF Shell Extension"    "Adobe Systems, Inc."    "c:\program files\common files\adobe\acrobat\activex\pdfshell.dll"
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers"    ""    ""    ""
+ "MagicISO"    "MagicISO Shell Extension Module"    "MagicISO, Inc."    "c:\program files\magiciso\misosh.dll"
+ "MBAMShlExt"    "Malwarebytes Anti-Malware"    "Malwarebytes Corporation"    "c:\program files\malwarebytes' anti-malware\mbamext.dll"
+ "SGPDMenu"    "SafeGuard PrivateDisk Shell Extension DLL"    "Utimaco Safeware AG"    "c:\program files\ibm thinkvantage\safeguard privatedisk\pdshell.dll"
+ "VirusScan"    "Shell Extension"    "McAfee, Inc."    "c:\program files\mcafee\virusscan enterprise\shext.dll"
+ "WinRAR"    ""    ""    "c:\program files\winrar\rarext.dll"
"HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers"    ""    ""    ""
+ "WinRAR"    ""    ""    "c:\program files\winrar\rarext.dll"
"HKLM\Software\Classes\Folder\ShellEx\PropertySheetHandlers"    ""    ""    ""
+ "Carbonite"    "Carbonite Explorer Extensions"    "Carbonite, Inc."    "c:\program files\carbonite\carbonite backup\carbonitense.dll"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers"    ""    ""    ""
+ "Carbonite.Green"    "Carbonite Explorer Extensions"    "Carbonite, Inc."    "c:\program files\carbonite\carbonite backup\carbonitense.dll"
+ "Carbonite.Partial"    "Carbonite Explorer Extensions"    "Carbonite, Inc."    "c:\program files\carbonite\carbonite backup\carbonitense.dll"
+ "Carbonite.Yellow"    "Carbonite Explorer Extensions"    "Carbonite, Inc."    "c:\program files\carbonite\carbonite backup\carbonitense.dll"
+ "DropboxExt1"    "Dropbox Shell Extension"    "Dropbox, Inc."    "c:\documents and settings\mxyzptlk\application data\dropbox\bin\dropboxext.17.dll"
+ "DropboxExt2"    "Dropbox Shell Extension"    "Dropbox, Inc."    "c:\documents and settings\mxyzptlk\application data\dropbox\bin\dropboxext.17.dll"
+ "DropboxExt3"    "Dropbox Shell Extension"    "Dropbox, Inc."    "c:\documents and settings\mxyzptlk\application data\dropbox\bin\dropboxext.17.dll"
+ "DropboxExt4"    "Dropbox Shell Extension"    "Dropbox, Inc."    "c:\documents and settings\mxyzptlk\application data\dropbox\bin\dropboxext.17.dll"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"    ""    ""    ""
+ "Adobe PDF Conversion Toolbar Helper"    "Adobe PDF Toolbar for Internet Explorer"    "Adobe Systems Incorporated"    "c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll"
+ "Adobe PDF Link Helper"    "Adobe PDF Helper for Internet Explorer"    "Adobe Systems Incorporated"    "c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll"
+ "DriveLetterAccess"    "Drive Letter Access Component"    "Sonic Solutions"    "c:\windows\system32\dla\dlashx_w.dll"
+ "Java™ Plug-In 2 SSV Helper"    ""    ""    "File not found: C:\Program Files\Java\jre6\bin\jp2ssv.dll"
+ "KeyScramblerBHO Class"    "KeyScrambler Program DLL"    "QFX Software Corporation"    "c:\program files\keyscrambler\keyscramblerie.dll"
+ "LastPass Browser Helper Object"    "LastPass Toolbar"    "LastPass"    "c:\program files\lastpass\lpbar.dll"
+ "scriptproxy"    "VSCore Script Scanner"    "McAfee, Inc."    "c:\program files\mcafee\virusscan enterprise\scriptcl.dll"
+ "SmartSelect Class"    "Adobe PDF Toolbar for Internet Explorer"    "Adobe Systems Incorporated"    "c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll"
"HKLM\Software\Microsoft\Internet Explorer\Toolbar"    ""    ""    ""
+ "Adobe PDF"    "Adobe PDF Toolbar for Internet Explorer"    "Adobe Systems Incorporated"    "c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll"
+ "LastPass Toolbar"    "LastPass Toolbar"    "LastPass"    "c:\program files\lastpass\lpbar.dll"
"HKLM\Software\Microsoft\Internet Explorer\Extensions"    ""    ""    ""
+ "&KeyScrambler Options"    "KeyScrambler Program DLL"    "QFX Software Corporation"    "c:\program files\keyscrambler\keyscramblerie.dll"
+ "LastPass"    "LastPass Toolbar"    "LastPass"    "c:\program files\lastpass\lpbar.dll"
+ "Send to &Bluetooth Device..."    ""    ""    "c:\program files\thinkpad\bluetooth software\btsendto_ie.htm"
+ "Software Installer"    "Software Installer"    "Lenovo Group Limited"    "c:\program files\lenovo\pkgmgr\pkgmgr.exe"
+ "Windows Messenger"    "Windows Messenger"    "Microsoft Corporation"    "c:\program files\messenger\msmsgs.exe"
"Task Scheduler"    ""    ""    ""
+ "Adobe Flash Player Updater.job"    "Adobe® Flash® Player Update Service 11.5 r502"    "Adobe Systems Incorporated"    "c:\windows\system32\macromed\flash\flashplayerupdateservice.exe"
+ "GoogleUpdateTaskUserS-1-5-21-1294312225-2868959269-3574560375-1005Core.job"    "Google Installer"    "Google Inc."    "c:\documents and settings\mxyzptlk\local settings\application data\google\update\googleupdate.exe"
+ "GoogleUpdateTaskUserS-1-5-21-1294312225-2868959269-3574560375-1005UA.job"    "Google Installer"    "Google Inc."    "c:\documents and settings\mxyzptlk\local settings\application data\google\update\googleupdate.exe"
X "PMTask.job"    ""    ""    "c:\program files\thinkpad\utilities\pwmidtsk.exe"
"HKLM\System\CurrentControlSet\Services"    ""    ""    ""
+ "AdobeFlashPlayerUpdateSvc"    "This service keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes."    "Adobe Systems Incorporated"    "c:\windows\system32\macromed\flash\flashplayerupdateservice.exe"
+ "Apple Mobile Device"    "Provides the interface to Apple mobile devices."    "Apple Inc."    "c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe"
+ "Ati HotKey Poller"    "ATI External Event Utility EXE Module"    "ATI Technologies Inc."    "c:\windows\system32\ati2evxx.exe"
+ "Bonjour Service"    "Enables hardware devices and software services to automatically configure themselves on the network and advertise their presence."    "Apple Inc."    "c:\program files\bonjour\mdnsresponder.exe"
+ "btwdins"    "Handles installation and removal of Bluetooth devices."    "Broadcom Corporation."    "c:\program files\thinkpad\bluetooth software\bin\btwdins.exe"
+ "CarboniteService"    "Carbonite Backup Service"    "Carbonite, Inc. (www.carbonite.com)"    "c:\program files\carbonite\carbonite backup\carboniteservice.exe"
+ "CCALib8"    "Canon Camera Access Library 8"    "Canon Inc."    "c:\program files\canon\cal\calmain.exe"
+ "EvtEng"    "Manages the event trace messages for all the components of Intel® PROSet/Wireless software."    "Intel Corporation"    "c:\program files\intel\wireless\bin\evteng.exe"
+ "FLEXnet Licensing Service"    "This service performs licensing functions on behalf of FLEXnet enabled products."    "Acresso Software Inc."    "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe"
+ "IBMPMSVC"    "ThinkPad Power Management Service"    "Lenovo"    "c:\windows\system32\ibmpmsvc.exe"
+ "IDriverT"    "Provides support for the Running Object Table for InstallShield Drivers"    "Macrovision Corporation"    "c:\program files\common files\installshield\driver\1150\intel 32\idrivert.exe"
+ "IntuitUpdateServiceV4"    "Helps Intuit applications automatically update themselves."    "Intuit Inc."    "c:\program files\common files\intuit\update service v4\intuitupdateservice.exe"
+ "iPod Service"    "iPod hardware management services"    "Apple Inc."    "c:\program files\ipod\bin\ipodservice.exe"
+ "IPSSVC"    "IPS Core Service"    "Lenovo Group Limited"    "c:\windows\system32\ipssvc.exe"
+ "McAfeeFramework"    "Shared component framework for McAfee products"    "McAfee, Inc."    "c:\program files\mcafee\common framework\frameworkservice.exe"
+ "McShield"    "Provides McAfee On-Access scanning protection of your computer system."    "McAfee, Inc."    "c:\program files\mcafee\virusscan enterprise\mcshield.exe"
+ "McTaskManager"    "Allows scheduling of McAfee scanning and updating activities."    "McAfee, Inc."    "c:\program files\mcafee\virusscan enterprise\vstskmgr.exe"
+ "MDM"    "Supports local and remote debugging for Visual Studio and script debuggers. If this service is stopped, the debuggers will not function properly."    "Microsoft Corporation"    "c:\program files\common files\microsoft shared\vs7debug\mdm.exe"
+ "ose"    "Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports."    "Microsoft Corporation"    "c:\program files\common files\microsoft shared\source engine\ose.exe"
+ "Pml Driver HPZ12"    "PML Driver"    "HP"    "c:\windows\system32\hpzipm12.exe"
+ "PsaSrv"    ""    ""    "File not found: C:\WINDOWS\system32\PsaSrv.exe"
+ "RegSrvc"    "Intel® PROSet/Wireless Registry Service"    "Intel Corporation"    "c:\program files\intel\wireless\bin\regsrvc.exe"
+ "S24EventMonitor"    "Wireless Management Service for Intel® PROSet/Wireless"    "Intel Corporation "    "c:\program files\intel\wireless\bin\s24evmon.exe"
+ "SUService"    "ThinkVantage System Update Service"    "Lenovo Group Limited"    "c:\program files\lenovo\system update\suservice.exe"
+ "TPHDEXLGSVC"    "ThinkVantage Active Protection System - HDD Logger Module"    "Lenovo."    "c:\windows\system32\tphdexlg.exe"
+ "TpKmpSVC"    ""    ""    "c:\windows\system32\tpkmpsvc.exe"
+ "TSSCoreService"    "ibmtcsd Application"    "IBM"    "c:\program files\ibm thinkvantage\client security solution\ibmtcsd.exe"
+ "TVT Backup Service"    "rrservice Module"    ""    "c:\program files\ibm thinkvantage\rescue and recovery\rrservice.exe"
+ "TVT Scheduler"    "ThinkVantage Scheduler"    "Lenovo Group Limited"    "c:\program files\common files\lenovo\scheduler\tvtsched.exe"
+ "UPHClean"    "User Profile Hive Cleanup Service"    "Microsoft Corporation"    "c:\program files\uphclean\uphclean.exe"
+ "WMPNetworkSvc"    "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play"    "Microsoft Corporation"    "c:\program files\windows media player\wmpnetwk.exe"
"HKLM\System\CurrentControlSet\Services"    ""    ""    ""
+ "ac97intc"    "Intel® Integrated Controller Hub Audio Driver"    "Intel Corporation"    "c:\windows\system32\drivers\ac97intc.sys"
+ "ADIHdAudAddService"    "High Definition Audio Function Driver(Release Candidate 1)"    "Analog Devices, Inc."    "c:\windows\system32\drivers\adihdaud.sys"
+ "AEAudioService"    "Audio Noise Filtering Driver (32-bit)"    "Andrea Electronics Corporation"    "c:\windows\system32\drivers\aeaudio.sys"
+ "AegisP"    "AEGIS Protocol (IEEE 802.1x) v3.4.10.0"    "Meetinghouse Data Communications"    "c:\windows\system32\drivers\aegisp.sys"
+ "ati2mtag"    "ATI Radeon WindowsNT Miniport Driver"    "ATI Technologies Inc."    "c:\windows\system32\drivers\ati2mtag.sys"
+ "atmeltpm"    "Atmel TPM Driver"    "Atmel, Inc."    "c:\windows\system32\drivers\atmeltpm.sys"
+ "btaudio"    "Bluetooth Audio Device"    "Broadcom Corporation."    "c:\windows\system32\drivers\btaudio.sys"
+ "BTDriver"    "Bluetooth BTPORT Driver for Windows 2000"    "Broadcom Corporation."    "c:\windows\system32\drivers\btport.sys"
+ "BTKRNL"    "Bluetooth Bus Enumerator"    "Broadcom Corporation."    "c:\windows\system32\drivers\btkrnl.sys"
+ "BTWDNDIS"    "Bluetooth LAN Access Server Driver"    "Broadcom Corporation."    "c:\windows\system32\drivers\btwdndis.sys"
+ "BTWUSB"    "Driver for Bluetooth USB Devices"    "Broadcom Corporation."    "c:\windows\system32\drivers\btwusb.sys"
+ "Changer"    ""    ""    "File not found: C:\WINDOWS\System32\Drivers\Changer.sys"
+ "CmdIde"    "CMD PCI IDE Bus Driver"    "CMD Technology, Inc."    "c:\windows\system32\drivers\cmdide.sys"
+ "CVirtA"    "Cisco Systems VPN Adapter"    "Cisco Systems, Inc."    "c:\windows\system32\drivers\cvirta.sys"
+ "DLABOIOM"    "Drive Letter Access Component"    "Sonic Solutions"    "c:\windows\system32\dla\dlaboiom.sys"
+ "DLACDBHM"    "Shared Driver Component"    "Sonic Solutions"    "c:\windows\system32\drivers\dlacdbhm.sys"
+ "DLADResN"    "Drive Letter Access Component"    "Sonic Solutions"    "c:\windows\system32\dla\dladresn.sys"
+ "DLAIFS_M"    "Drive Letter Access Component"    "Sonic Solutions"    "c:\windows\system32\dla\dlaifs_m.sys"
+ "DLAOPIOM"    "Drive Letter Access Component"    "Sonic Solutions"    "c:\windows\system32\dla\dlaopiom.sys"
+ "DLAPoolM"    "Drive Letter Access Component"    "Sonic Solutions"    "c:\windows\system32\dla\dlapoolm.sys"
+ "DLARTL_N"    "Shared Driver Component"    "Sonic Solutions"    "c:\windows\system32\drivers\dlartl_n.sys"
+ "DLAUDF_M"    "Drive Letter Access Component"    "Sonic Solutions"    "c:\windows\system32\dla\dlaudf_m.sys"
+ "DLAUDFAM"    "Drive Letter Access Component"    "Sonic Solutions"    "c:\windows\system32\dla\dlaudfam.sys"
+ "DRVMCDB"    "Device Driver"    "Sonic Solutions"    "c:\windows\system32\drivers\drvmcdb.sys"
+ "DRVNDDM"    "Device Driver Manager"    "Sonic Solutions"    "c:\windows\system32\drivers\drvnddm.sys"
+ "E100B"    "NDIS 5 driver"    "Intel Corporation"    "c:\windows\system32\drivers\e100b325.sys"
+ "e1express"    "Intel® PRO/1000 Adapter NDIS 5.2 deserialized driver"    "Intel Corporation"    "c:\windows\system32\drivers\e1e5132.sys"
+ "EGATHDRV"    "IBM eGatherer Kernel Module"    "IBM Corporation"    "c:\windows\system32\egathdrv.sys"
+ "GEARAspiWDM"    "CD DVD Filter"    "GEAR Software Inc."    "c:\windows\system32\drivers\gearaspiwdm.sys"
+ "HDAudBus"    "High Definition Audio Bus Driver v1.0a"    "Windows ® Server 2003 DDK provider"    "c:\windows\system32\drivers\hdaudbus.sys"
+ "HPZius12"    "1284.4<->Usb Datalink Driver (Windows 2000)"    "HP"    "c:\windows\system32\drivers\hpzius12.sys"
+ "HSF_DPV"    "HSF_DP driver"    "Conexant Systems, Inc."    "c:\windows\system32\drivers\hsf_dpv.sys"
+ "HSFHWAZL"    "HSF_HWAZL WDM driver"    "Conexant Systems, Inc."    "c:\windows\system32\drivers\hsfhwazl.sys"
+ "HSXHWAZL"    "HSF_HWAZL WDM driver"    "Conexant Systems, Inc."    "c:\windows\system32\drivers\hsxhwazl.sys"
+ "ialm"    "Intel Graphics Miniport Driver"    "Intel Corporation"    "c:\windows\system32\drivers\igxpmp32.sys"
+ "iaStor"    "Intel Matrix Storage Manager driver"    "Intel Corporation"    "c:\windows\system32\drivers\iastor.sys"
+ "ibmfilter"    "IBM Rescue and Recovery filter driver"    "IBM"    "c:\windows\system32\drivers\ibmfilter.sys"
+ "IBMPMDRV"    "ThinkPad Power Management Driver"    "Lenovo."    "c:\windows\system32\drivers\ibmpmdrv.sys"
+ "ifcprusb"    "USB Projector Control Driver"    "InFocus AS"    "c:\windows\system32\drivers\ifcprusb.sys"
+ "KeyScrambler"    "KeyScrambler Keyboard Encryption Driver"    "QFX Software Corporation"    "c:\windows\system32\drivers\keyscrambler.sys"
+ "lbrtfdc"    ""    ""    "File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys"
+ "mcdbus"    "MagicISO SCSI Host Controller"    "MagicISO, Inc."    "c:\windows\system32\drivers\mcdbus.sys"
+ "mdmxsdk"    "Diagnostic Interface x86 Driver"    "Conexant"    "c:\windows\system32\drivers\mdmxsdk.sys"
+ "mfeapfk"    "Access Protection Filter Driver"    "McAfee, Inc."    "c:\windows\system32\drivers\mfeapfk.sys"
+ "mfeavfk"    "Anti-Virus File System Filter Driver"    "McAfee, Inc."    "c:\windows\system32\drivers\mfeavfk.sys"
+ "mfebopk"    "Buffer Overflow Protection Driver"    "McAfee, Inc."    "c:\windows\system32\drivers\mfebopk.sys"
+ "mfehidk"    "Host Intrusion Detection Link Driver"    "McAfee, Inc."    "c:\windows\system32\drivers\mfehidk.sys"
+ "mfetdik"    "Anti-Virus Mini-Firewall Driver"    "McAfee, Inc."    "c:\windows\system32\drivers\mfetdik.sys"
+ "NSCIRDA"    "NSC Fast Infrared Driver."    "National Semiconductor Corporation"    "c:\windows\system32\drivers\nscirda.sys"
+ "nv"    "NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 "    "NVIDIA Corporation"    "c:\windows\system32\drivers\nv4_mini.sys"
+ "PCIDump"    ""    ""    "File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys"
+ "PDCOMP"    ""    ""    "File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys"
+ "PDFRAME"    ""    ""    "File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys"
+ "PDRELI"    ""    ""    "File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys"
+ "PDRFRAME"    ""    ""    "File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys"
+ "PrivateDisk"    "SafeGuard® PrivateDisk Driver"    "Utimaco Safeware AG"    "c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys"
+ "PROCDD"    "IPS Helper Driver"    "Lenovo Group Limited"    "c:\windows\system32\drivers\procdd.sys"
+ "psadd"    "SMBIOS Driver"    "Lenovo (United States) Inc."    "c:\windows\system32\drivers\psadd.sys"
+ "Ptilink"    "Direct Parallel Link Driver"    "Parallel Technologies, Inc."    "c:\windows\system32\drivers\ptilink.sys"
+ "PxHelp20"    "Px Engine Device Driver for Windows 2000/XP"    "Sonic Solutions"    "c:\windows\system32\drivers\pxhelp20.sys"
+ "RimSerPort"    "RIM Virtual Serial Driver"    "Research in Motion Ltd"    "c:\windows\system32\drivers\rimserial.sys"
+ "s24trans"    "WLAN Transport"    "Intel Corporation"    "c:\windows\system32\drivers\s24trans.sys"
+ "Secdrv"    "SafeDisc driver"    "Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K."    "c:\windows\system32\drivers\secdrv.sys"
+ "Shockprf"    "Shockproof Disk Driver"    "Lenovo."    "c:\windows\system32\drivers\apsx86.sys"
+ "smi2"    "SMI BIOS driver"    "IBM Corp."    "c:\program files\smi2\smi2.sys"
+ "smihlp2"    "SMI helper driver"    "UPEK Inc."    "c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys"
+ "snapman"    "Acronis Snapshot API"    "Acronis"    "c:\windows\system32\drivers\snapman.sys"
+ "SynTP"    "Synaptics Touchpad Driver"    "Synaptics Incorporated"    "c:\windows\system32\drivers\syntp.sys"
+ "TcUsb"    "TouchChip USB Kernel Driver"    "UPEK Inc."    "c:\windows\system32\drivers\tcusb.sys"
+ "TDSMAPI"    ""    ""    "c:\windows\system32\drivers\tdsmapi.sys"
+ "TPDIGIMN"    "APS Digitizer Activity Monitor"    "Lenovo."    "c:\windows\system32\drivers\apshm86.sys"
+ "tpflhlp"    "SMI Driver for Lenovo system"    "Lenovo Group Limited"    "c:\drivers\79uj17us\tpflhlp.sys"
+ "TPHKDRV"    "ThinkPad Hotkey Driver"    "IBM Corporation"    "c:\windows\system32\drivers\tphkdrv.sys"
+ "TPPWRIF"    ""    ""    "c:\windows\system32\drivers\tppwrif.sys"
+ "TSMAPIP"    ""    ""    "c:\windows\system32\drivers\tsmapip.sys"
+ "USBAAPL"    "Apple Mobile Device USB Driver"    "Apple, Inc."    "c:\windows\system32\drivers\usbaapl.sys"
+ "vncdrv"    "Ultravnc Mirror Driver"    "RDV Soft"    "c:\windows\system32\drivers\vncdrv.sys"
+ "w39n51"    "Intel® Wireless LAN Driver"    "Intel® Corporation"    "c:\windows\system32\drivers\w39n51.sys"
+ "WDICA"    ""    ""    "File not found: C:\WINDOWS\System32\Drivers\WDICA.sys"
+ "winachsf"    "HSF_CNXT driver"    "Conexant Systems, Inc."    "c:\windows\system32\drivers\hsf_cnxt.sys"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32"    ""    ""    ""
+ "msacm.iac2"    "Indeo® audio software"    "Intel Corporation"    "c:\windows\system32\iac25_32.ax"
+ "msacm.l3acm"    "MPEG Layer-3 Audio Codec for MSACM"    "Fraunhofer Institut Integrierte Schaltungen IIS"    "c:\windows\system32\l3codeca.acm"
+ "msacm.sl_anet"    "Audio codec for MS ACM"    "Sipro Lab Telecom Inc."    "c:\windows\system32\sl_anet.acm"
+ "msacm.trspch"    "DSP Group TrueSpeech™ Audio Codec for MSACM V3.50"    "DSP GROUP, INC."    "c:\windows\system32\tssoft32.acm"
+ "vidc.cvid"    "Cinepak® Codec"    "Radius Inc."    "c:\windows\system32\iccvid.dll"
+ "vidc.iv31"    ""    ""    "c:\windows\system32\ir32_32.dll"
+ "vidc.iv32"    ""    ""    "c:\windows\system32\ir32_32.dll"
+ "vidc.iv41"    "Intel Indeo® Video 4.5"    "Intel Corporation"    "c:\windows\system32\ir41_32.ax"
+ "vidc.iv50"    "Intel Indeo® video 5.10"    "Intel Corporation"    "c:\windows\system32\ir50_32.dll"
"HKLM\Software\Classes\Filter"    ""    ""    ""
+ "Indeo® video 4.4 Compression Filter"    "Intel Indeo® Video 4.5"    "Intel Corporation"    "c:\windows\system32\ir41_32.ax"
+ "Indeo® video 4.4 Compression Filter"    "Intel Indeo® Video 4.5"    "Intel Corporation"    "c:\windows\system32\ir41_32.ax"
+ "Indeo® video 4.4 Decompression Filter"    "Intel Indeo® Video 4.5"    "Intel Corporation"    "c:\windows\system32\ir41_32.ax"
+ "Indeo® video 4.4 Decompression Filter"    "Intel Indeo® Video 4.5"    "Intel Corporation"    "c:\windows\system32\ir41_32.ax"
"HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance"    ""    ""    ""
+ "9x8Resize"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "ACELP.net Audio Decoder"    "ACELP.net Audio Decoder"    "Sipro Lab Telecom Inc."    "c:\windows\system32\acelpdec.ax"
+ "Allocator Fix"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "Bitmap"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "Canon H.264 Decode Filter"    "Canon H.264 Mov Filter"    "Canon Inc."    "c:\program files\canon\canon mov decoder\190\canonh264filter.ax"
+ "Canon Image Rotation Filter"    "Canon Image Rotation Filter "    "Canon Inc."    "c:\program files\canon\mdp\canonrotatefilter.dll"
+ "Canon MDP Motion-JPEG Decoder"    "Canon MDP Motion-JPEG Decoder Filter"    "Canon Inc."    "c:\program files\canon\mdp\canonmdpmjpegdecoder.ax"
+ "Canon Mov File Parser Filter"    "Canon H.264 Mov Filter"    "Canon Inc."    "c:\program files\canon\canon mov decoder\190\canonh264filter.ax"
+ "Canon Mov File Parser Filter2"    "Canon H.264 Mov Filter"    "Canon Inc."    "c:\program files\canon\canon mov decoder\190\canonh264filter.ax"
+ "Frame Eater"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "Indeo® audio software"    "Indeo® audio software"    "Intel Corporation"    "c:\windows\system32\iac25_32.ax"
+ "Indeo® video 5.10 Compression Filter"    "Intel Indeo® video 5.10"    "Intel Corporation"    "c:\windows\system32\ir50_32.dll"
+ "Indeo® video 5.10 Decompression Filter"    "Intel Indeo® video 5.10"    "Intel Corporation"    "c:\windows\system32\ir50_32.dll"
+ "InterVideo Audio Decoder"    "IVIAUDIO"    "InterVideo Inc."    "c:\program files\intervideo\common\bin\iviaudio.ax"
+ "InterVideo Audio Processor"    ""    ""    "c:\program files\intervideo\common\bin\iviaudioprocess.ax"
+ "InterVideo Navigator"    "IVINAV"    "InterVideo Inc."    "c:\program files\intervideo\common\bin\ivinav.ax"
+ "InterVideo Video Decoder"    "IVIVIDEO"    " InterVideo Inc."    "c:\program files\intervideo\common\bin\ivivideo.ax"
+ "MPEG Layer-3 Decoder"    "MPEG Layer-3 Audio Decoder"    "Fraunhofer Institut Integrierte Schaltungen IIS"    "c:\windows\system32\l3codecx.ax"
+ "psWav Dest"    "Canon Utilities Support Library"    "Canon Inc."    "c:\program files\canon\camerawindow\mycamera\pswavdes.ax"
+ "Record Queue"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "ShotDetect"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "Stetch"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WIA Stream Snapshot Filter"    "WIA Stream Snapshot Filter"    "MyCompanyName"    "c:\windows\system32\wiasf.ax"
+ "WM VIH2 Fix"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Audio Analyzer"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Black Frame Generator"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT DirectX Transform Wrapper"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT DV Extract Filter"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT FormatConversion"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Import Filter"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Interlacer"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Log Filter"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT MuxDeMux Filter"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Sample Info Filter"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Screen capture Filter"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Switch Filter"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Virtual Renderer"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Virtual Source"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Volume"    "Movie Maker Filters"    "Microsoft Corporation"    "c:\program files\movie maker\wmm2filt.dll"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL"    ""    ""    ""
+ "vrlogon.dll"    "GINA replacement"    "UPEK Inc."    "c:\windows\system32\vrlogon.dll"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"    ""    ""    ""
+ "AtiExtEvent"    "ATI External Event Utility DLL Module"    "ATI Technologies Inc."    "c:\windows\system32\ati2evxx.dll"
+ "AwayNotify"    "Away Manager notification package."    "Lenovo Group Limited"    "c:\program files\lenovo\awaytask\awaynotify.dll"
+ "igfxcui"    "igfxdev Module"    "Intel Corporation"    "c:\windows\system32\igfxdev.dll"
+ "psfus"    "Logon stub"    "UPEK Inc."    "c:\windows\system32\psqlpwd.dll"
+ "tpfnf2"    ""    ""    "c:\windows\system32\notifyf2.dll"
+ "tphotkey"    ""    ""    "c:\windows\system32\tphklock.dll"
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries"    ""    ""    ""
+ "mdnsNSP"    "Bonjour Namespace Provider"    "Apple Inc."    "c:\program files\bonjour\mdnsnsp.dll"
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors"    ""    ""    ""
+ "Adobe PDF Port Monitor"    "Adobe PDF Port  Monitor DLL"    "Adobe Systems Inc"    "c:\windows\system32\adobepdf.dll"
+ "Bluetooth Printer Port"    "bthcrp DLL"    "Broadcom Corporation."    "c:\windows\system32\bthcrp.dll"
+ "HP Master Monitor"    "Win32 Master Monitor"    "Hewlett-Packard"    "c:\windows\system32\hpbmmon.dll"
+ "HPLJ1020LM"    "Spooler Language Monitor for HP LaserJet Series 1020/2600"    "Zenographics, Inc."    "c:\windows\system32\zlhp1020.dll"
+ "OKI PSE Monitor"    "Oki pse monitor for Windows2000"    "Oki Data Corporation"    "c:\windows\system32\okpsemon.dll"
+ "PCL hpz3l054"    "LanguageMonitor"    "Hewlett-Packard Company"    "c:\windows\system32\hpz3l054.dll"
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages"    ""    ""    ""
+ "csspwntfy"    "Password change notification"    "Lenovo Group Limited"    "c:\program files\ibm thinkvantage\client security solution\csspwntfy.dll"
+ "psqlpwd"    "Logon stub"    "UPEK Inc."    "c:\windows\system32\psqlpwd.dll"
 

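The autoruns-style log above lists every load point on the machine, and nearly all of them are legitimate; the hard part of reading such a log is deciding which lines deserve a second look before comparing them with the scanner results. The Python script below is an added example, not a tool from this thread or from BleepingComputer. It parses the log's four-column records (name, description, publisher, path) under their section headers and flags entries that point at a missing file, carry no publisher, run from a user-writable path, or sit in a load point that winlogon.exe or lsass.exe loads with SYSTEM privileges. The embedded sample is a constructed subset of the lines posted above; the flag names and marker lists are my own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r'''
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"    ""    ""    ""
+ "Java™ Plug-In 2 SSV Helper"    ""    ""    "File not found: C:\Program Files\Java\jre6\bin\jp2ssv.dll"
+ "LastPass Browser Helper Object"    "LastPass Toolbar"    "LastPass"    "c:\program files\lastpass\lpbar.dll"
"Task Scheduler"    ""    ""    ""
+ "GoogleUpdateTaskUserS-1-5-21-1294312225-2868959269-3574560375-1005Core.job"    "Google Installer"    "Google Inc."    "c:\documents and settings\mxyzptlk\local settings\application data\google\update\googleupdate.exe"
X "PMTask.job"    ""    ""    "c:\program files\thinkpad\utilities\pwmidtsk.exe"
"HKLM\System\CurrentControlSet\Services"    ""    ""    ""
+ "Changer"    ""    ""    "File not found: C:\WINDOWS\System32\Drivers\Changer.sys"
+ "TpKmpSVC"    ""    ""    "c:\windows\system32\tpkmpsvc.exe"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL"    ""    ""    ""
+ "vrlogon.dll"    "GINA replacement"    "UPEK Inc."    "c:\windows\system32\vrlogon.dll"
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages"    ""    ""    ""
+ "psqlpwd"    "Logon stub"    "UPEK Inc."    "c:\windows\system32\psqlpwd.dll"
'''

FIELD_RE = re.compile(r'"([^"]*)"')

# Load points whose DLLs are loaded by winlogon.exe or lsass.exe, i.e. they run as
# SYSTEM before any user logs on. Genuine vendors use them too (fingerprint-reader
# GINAs, password filters), so this is a triage priority, not a verdict.
PRIVILEGED_LOAD_POINTS = (
    "winlogon\\ginadll",
    "winlogon\\notify",
    "lsa\\notification packages",
)

# Directories a non-admin process can write to on Windows XP; an autorun that
# points here deserves a look (the dropper in this thread lived in Temp).
USER_WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\", "\\users\\")


@dataclass
class Entry:
    section: str
    status: str            # the log's leading marker: "+" or "X" (kept, not interpreted)
    name: str
    description: str
    publisher: str
    path: str
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Split the log into entries, remembering which section header each one sits under."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = FIELD_RE.findall(line)
        if len(fields) != 4:
            continue                      # not one of the four-column records
        if line.startswith('"'):
            section = fields[0]           # section header: the key or location enumerated
            continue
        entries.append(Entry(section, line[0], *[f.strip() for f in fields]))
    return entries


def flag_entry(e: Entry) -> List[str]:
    flags: List[str] = []
    path_l, section_l = e.path.lower(), e.section.lower()
    if path_l.startswith("file not found:"):
        flags.append("orphan")            # registration points at a file that is gone
    elif not e.publisher:
        flags.append("no_publisher")      # file present but carries no company name
    if any(m in path_l for m in USER_WRITABLE_MARKERS):
        flags.append("user_writable_path")
    if any(section_l.endswith(p) for p in PRIVILEGED_LOAD_POINTS):
        flags.append("privileged_load_point")
    return flags


def triage(text: str) -> List[Entry]:
    """All entries, most-flagged first, then grouped by section for a readable report."""
    entries = parse_log(text)
    for e in entries:
        e.flags = flag_entry(e)
    return sorted(entries, key=lambda e: (-len(e.flags), e.section, e.name))


def suspicious(text: str) -> Dict[str, List[str]]:
    """Only the entries that picked up at least one flag, keyed by name."""
    return {e.name: e.flags for e in triage(text) if e.flags}


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{', '.join(e.flags) or '-'}] {e.section} :: {e.name} -> {e.path}")
```

None of the flags is a verdict. The two GinaDLL and LSA entries carry the publisher UPEK Inc., which also appears on the ThinkVantage fingerprint driver elsewhere in the log, and the "File not found" driver entries are the sort of leftover Windows XP installations commonly accumulate. The point is to reduce a few hundred lines to a short list that can be checked against the file detections from the scanners.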


#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:12:09 PM

Posted 27 February 2013 - 01:51 PM

Restart the PC, run Malwarebytes once again and post the new log.



#7 LA Freddy

LA Freddy
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:12:09 PM

Posted 27 February 2013 - 04:38 PM

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.27.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Mxyzptlk :: MJOLLNIR [administrator]

2/27/2013 3:30:21 PM
mbam-log-2013-02-27 (15-30-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 254778
Time elapsed: 6 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 



#8 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:12:09 PM

Posted 27 February 2013 - 04:50 PM

That looks good.

Remove temporary and junk files

Download

TFC

Launch it; it will close all running programs.

Click on START; it should ask for a reboot. If TFC locks up the system, run it in Safe Mode.


Create a new restore point

Follow this guide to turn off and turn on your restore points

XP - http://support.microsoft.com/kb/310405

Vista & Windows 7 - http://windows.microsoft.com/en-US/windows7/Turn-System-Restore-on-or-off

Turn off your System Restore; it deletes old infected restore points.

Turn on System Restore and create a new restore point.

Update Java and Flash Player

Uninstall the old version of Java from Control Panel - Add or Remove Programs. Download the latest version from here:

http://java.com/en/

Update your Flash Player.

Antivirus recommendations

Update your antivirus frequently. Two free antivirus programs that I would suggest are

Microsoft Security Essentials or Avast. You can select either one of them.

If you have a paid one, make sure to update it frequently. Do not use multiple security programs.

Informative guides that could prevent you from being infected again

How did I get infected?

http://www.bleepingcomputer.com/forums/topic2520.html

Best Practices for Safe Computing - Prevention of Malware Infection

http://www.bleepingcomputer.com/forums/topic407147.html

Simple and easy ways to keep your computer safe and secure on the Internet

http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

Safe surfing :)



#9 LA Freddy

LA Freddy
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:12:09 PM

Posted 27 February 2013 - 06:49 PM

Thank you so much for your help! Can I ask a couple of questions as a follow-up?

 

1) My friend is also infected with the same thing, I'm sure. He does have an Acronis True Image backup of his operating system partition, though; if I have him replace his operating system partition with a backup from before this incident, that should get rid of the virus on his machine, correct? (Or could it have affected his data partition, too?)

 

2) Was this a virus that would steal my personal information and transmit it to someone else? If so, how worried should I be about what happened before getting rid of the virus? (I did change online banking logins, but I have a password manager and am wondering if that was exposed, and so whether I need to change all logins to every store or web site, which would be a lot of work.)

 

3) Was the virus just these three items:


ESET results
* C:\Documents and Settings\All Users\Local Settings\Temp\msykxjr.com    Win32/TrojanDownloader.Wauchos.A trojan    cleaned by deleting (after the next restart) - quarantined
* C:\Documents and Settings\Mxyzptlk\Desktop\payment receipt\payment receipt.exe    Win32/TrojanDownloader.Wauchos.A trojan    cleaned by deleting - quarantined

MALWAREBYTES
Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|46868 (Trojan.Agent) -> Data: C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msykxjr.com -> Delete on reboot.

 

Or were some of the other items in the logs part of the virus, too?

 

 

Thank you again so much for taking the time to help me!!!

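Question 3 above asks which of the logged items were the infection. As an added example, not code from this thread or from either scanner's vendor, the Python below parses the two ESET lines and the Malwarebytes registry-value line quoted in the post and correlates them: it matches the file that the Run value points at against the files ESET removed. The match is made on the file name only, because Malwarebytes reports the directory in 8.3 short form (DOCUME~1\ALLUSE~1\LOCALS~1) while ESET reports the long form. The sample lines are constructed copies of the ones in the post; the field and role names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: copies of the scanner lines quoted in the post above.
ESET_LINES = [
    r"C:\Documents and Settings\All Users\Local Settings\Temp\msykxjr.com    Win32/TrojanDownloader.Wauchos.A trojan    cleaned by deleting (after the next restart) - quarantined",
    r"C:\Documents and Settings\Mxyzptlk\Desktop\payment receipt\payment receipt.exe    Win32/TrojanDownloader.Wauchos.A trojan    cleaned by deleting - quarantined",
]
MBAM_LINES = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|46868 (Trojan.Agent) -> Data: C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msykxjr.com -> Delete on reboot.",
]

# Malwarebytes "Registry Values Detected" record:
#   key|value (detection) -> Data: <value data> -> <action>
MBAM_VALUE_RE = re.compile(
    r"^(?P<key>[^|]+)\|(?P<value>\S+) \((?P<detection>[^)]+)\) -> Data: (?P<data>.+?) -> (?P<action>.+)$"
)


def parse_eset(line: str) -> Dict[str, str]:
    """ESET record: path, detection name and action, separated by four spaces."""
    path, detection, action = [p.strip() for p in line.split("    ")]
    return {"path": path, "detection": detection, "action": action}


def parse_mbam_value(line: str) -> Dict[str, str]:
    m = MBAM_VALUE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised Malwarebytes line: {line!r}")
    return m.groupdict()


def basename(path: str) -> str:
    # File name only: the directory part differs between the 8.3 form MBAM prints
    # and the long form ESET prints, so it cannot be compared directly.
    return path.rsplit("\\", 1)[-1].lower()


def correlate(eset_lines: List[str], mbam_lines: List[str]) -> List[Dict]:
    """For each detected file, list the registry values that auto-start it."""
    files = [parse_eset(l) for l in eset_lines]
    autoruns = [parse_mbam_value(l) for l in mbam_lines]
    report = []
    for f in files:
        refs = [a for a in autoruns if basename(a["data"]) == basename(f["path"])]
        report.append({
            "path": f["path"],
            "detection": f["detection"],
            "in_temp": "\\temp\\" in f["path"].lower(),
            "autorun_keys": [f'{a["key"]}|{a["value"]}' for a in refs],
            "role": "auto-started payload" if refs else "file on disk, not auto-started",
        })
    return report


def unmatched_autoruns(eset_lines: List[str], mbam_lines: List[str]) -> List[Dict[str, str]]:
    """Registry values whose target no file scanner reported: worth a manual look."""
    names = {basename(parse_eset(l)["path"]) for l in eset_lines}
    return [a for a in (parse_mbam_value(l) for l in mbam_lines) if basename(a["data"]) not in names]


if __name__ == "__main__":
    for item in correlate(ESET_LINES, MBAM_LINES):
        print(f"{item['role']}: {item['path']}  [{item['detection']}]")
        for key in item["autorun_keys"]:
            print(f"    started by {key}")
    print("autorun values with no matching file detection:",
          unmatched_autoruns(ESET_LINES, MBAM_LINES))
```

The output separates the two roles the logs show: the executable extracted from the attachment on the Desktop, which nothing starts automatically, and the copy dropped into the All Users Temp folder, which the value under Policies\Explorer\Run launches at logon. A cleanup that removes the file but not the registry value, or the other way round, is how an infection is left half removed, which is why the two scanners' results are worth reading together rather than one at a time.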


#10 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:12:09 PM

Posted 27 February 2013 - 07:11 PM

1) That should work.

 

2) Please change your online banking passwords. We do not know if any of your personal details were compromised.
 

3) Yes.



#11 4dude

4dude

  • Members
  • 578 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:09 PM

Posted 28 November 2013 - 11:09 PM

I just wanted to add to this thread...

For the last week I have been getting spam in one of my email accounts with this exact attachment.... However, the idiot sending this to me DID NOT ZIP IT RIGHT! (I was going to look at the exe file and see what the payload is (I was going to look at it with an editor)) and I can't unzip the file!!!! -- My UNZIP program says "Bad CRC in file: paymentreceipt.exe"

I DO THINK THIS IS A GOOD THING THAT WHOEVER IS SENDING THIS OUT THIS TIME MESSED UP THE ZIP FILE! (NO ONE CAN UNZIP IT)

I am sorry to see so many people having had problems from this....

Does anyone know what the payload of this exe file is?? (I mean exactly) -- I can't see the file so I don't know...... (I wasn't going to EXECUTE IT, I was going to look at it with an editor)


This person is desperate, I have gotten 10 or more emails in the last week with this garbage!!

Edited by 4dude, 28 November 2013 - 11:11 PM.




