bmdtech

-------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Monday, December 14, 2009 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Friday, December 11, 2009 22:02:37 Records in database: 3360436 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: A:\ C:\ D:\ Scan statistics: Objects scanned: 59317 Threats found: 5 Infected objects found: 4 Suspicious objects found: 2 Scan duration: 02:40:03 File name / Threat / Threats count C:\4.js Suspicious: Trojan-Downloader.JS.gen 1 C:\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1 C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1 C:\Program Files\SAAZOD\ProcessedScripts\produkey.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.ap 1 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_dnonajax_.sys.zip Infected: Trojan.Win32.BHO.ext 1 C:\_OTL\MovedFiles\12102009_091950\C_\2.js Suspicious: Trojan-Downloader.JS.gen 1 Selected area has been scanned.

ComboFix 09-12-11.01 - avcc 12/11/2009 11:45:37.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.156 [GMT -8:00] Running from: c:\documents and settings\avcc\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\cleanup.exe c:\documents and settings\NetworkService\Application Data\PC c:\recycler\S-1-5-21-1844237615-1547161642-839522115-500 c:\windows\system32\_000006_.tmp.dll c:\windows\system32\_000124_.tmp.dll c:\windows\system32\_000125_.tmp.dll c:\windows\system32\drivers\dnonajax.sys c:\windows\system32\drivers\fad.sys c:\windows\system32\drivers\wmgdefmt.sys c:\windows\system32\dumphive.exe c:\windows\system32\eyiiprx.dll c:\windows\system32\gdwosyaj.dll c:\windows\system32\hvfpnxk.dll c:\windows\system32\Process.exe c:\windows\system32\SrchSTS.exe c:\windows\system32\tmp.reg . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_DNONAJAX -------\Legacy_XYSYZCFZ -------\Service_dnonajax -------\Service_xysyzcfz ((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 ))))))))))))))))))))))))))))))) . 2009-12-11 17:28 . 2009-12-11 17:28 -------- d-----w- c:\program files\ESET 2009-12-10 17:19 . 2009-12-10 17:19 -------- d-----w- C:\_OTL 2009-12-10 17:12 . 2009-12-10 17:12 0 ----a-w- c:\windows\system32\SBRC.dat 2009-12-08 23:16 . 2009-12-08 23:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6} 2009-12-08 23:06 . 2009-12-08 23:06 -------- d-----w- c:\program files\CCleaner 2009-12-08 18:47 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll 2009-12-08 18:08 . 2005-03-28 18:19 220992 ----a-w- c:\windows\system32\drivers\smwdm.sys 2009-12-08 18:08 . 2004-12-09 01:16 49152 ----a-w- c:\windows\system32\DSndUp.exe 2009-12-08 18:08 . 2002-04-17 23:05 45056 ------w- c:\windows\system32\CleanUp.exe 2009-12-08 17:34 . 2005-04-05 22:18 135168 ----a-w- c:\windows\system32\igfxres.dll 2009-12-08 17:13 . 2009-12-08 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage 2009-12-08 16:18 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll 2009-12-07 22:52 . 2009-12-07 22:52 -------- d-----w- c:\windows\system32\XPSViewer 2009-12-07 22:52 . 2009-12-07 22:52 -------- d-----w- c:\program files\MSBuild 2009-12-07 22:52 . 2009-12-07 22:52 -------- d-----w- c:\program files\Reference Assemblies 2009-12-07 22:52 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll 2009-12-07 22:51 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll 2009-12-07 22:51 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll 2009-12-07 22:51 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe 2009-12-07 22:51 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2009-12-07 22:51 . 2009-12-07 22:52 -------- d-----w- C:\09c5265571c41cac313b 2009-12-07 22:51 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll 2009-12-07 22:51 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll 2009-12-07 22:51 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll 2009-12-07 22:51 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll 2009-12-07 18:30 . 2009-12-07 18:30 -------- d-----w- C:\IBMTOOLS 2009-11-19 08:19 . 2009-07-17 16:22 1435648 ------w- c:\windows\system32\dllcache\query.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-12-11 19:58 . 2008-06-05 05:36 -------- d-----w- c:\program files\SAAZOD 2009-12-11 16:08 . 2009-01-12 16:29 -------- d-----w- c:\program files\LogMeIn 2009-12-08 23:27 . 2009-06-23 17:53 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe 2009-12-08 23:27 . 2009-06-23 17:53 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll 2009-12-08 23:27 . 2009-05-26 17:53 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe 2009-12-08 23:27 . 2009-06-23 17:53 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll 2009-12-08 23:27 . 2009-12-08 23:27 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll 2009-12-08 23:27 . 2009-06-23 17:53 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll 2009-12-08 23:27 . 2009-05-26 17:53 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll 2009-12-08 23:27 . 2009-06-23 17:53 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll 2009-12-08 23:26 . 2009-06-23 17:53 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll 2009-12-08 23:26 . 2009-05-26 17:53 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll 2009-12-08 23:26 . 2009-05-26 17:53 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll 2009-12-08 23:26 . 2009-06-23 17:53 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll 2009-12-08 23:25 . 2009-09-21 17:53 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe 2009-12-08 23:25 . 2009-06-23 17:53 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe 2009-12-08 23:25 . 2009-06-23 17:53 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe 2009-12-08 23:25 . 2009-06-23 17:53 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe 2009-12-08 23:25 . 2009-06-23 17:53 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe 2009-12-08 23:25 . 2009-06-23 17:53 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe 2009-12-08 18:08 . 2008-12-31 21:49 -------- d-----w- c:\program files\Analog Devices 2009-12-08 18:07 . 2004-01-14 19:25 -------- d-----w- c:\program files\Common Files\InstallShield 2009-12-08 17:12 . 2008-02-02 09:32 -------- d-----w- c:\program files\Microsoft Silverlight 2009-12-07 18:57 . 2009-09-11 22:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-12-07 18:56 . 2009-12-07 18:56 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-12-07 18:27 . 2009-11-06 09:05 1100 ----a-w- c:\windows\system32\d3d8caps.dat 2009-12-04 16:49 . 2002-08-29 09:41 74752 ----a-w- c:\windows\system32\storprop.dll 2009-12-04 16:49 . 2002-08-29 11:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys 2009-12-04 00:14 . 2009-09-11 22:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-04 00:13 . 2009-09-11 22:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-21 15:51 . 2002-08-29 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll 2009-11-11 15:59 . 2009-11-11 15:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\TeamViewer 2009-11-10 21:18 . 2009-11-10 21:18 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\TeamViewer 2009-11-10 21:18 . 2009-11-10 21:18 -------- d-----w- c:\program files\TeamViewer 2009-11-01 21:48 . 2009-11-01 21:48 -------- d-----w- c:\documents and settings\NetworkService\Application Data\mnnkkola 2009-10-31 20:24 . 2009-10-31 20:24 -------- d-----w- c:\documents and settings\avcc\Application Data\mnnkkola 2009-10-29 07:46 . 2004-08-24 03:32 832512 ----a-w- c:\windows\system32\wininet.dll 2009-10-29 07:46 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-10-29 07:46 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll 2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys 2009-10-13 10:30 . 2002-08-29 11:00 270336 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:38 . 2002-08-29 11:00 149504 ----a-w- c:\windows\system32\rastls.dll 2009-10-12 13:38 . 2002-08-29 11:00 79872 ----a-w- c:\windows\system32\raschap.dll 2009-10-03 08:15 . 2009-12-08 23:16 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe 2009-10-01 15:03 . 2008-06-06 10:17 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll 2009-10-01 15:03 . 2008-06-06 10:17 28984 ----a-w- c:\windows\system32\LMIport.dll 2009-10-01 15:03 . 2008-06-06 10:16 87352 ----a-w- c:\windows\system32\LMIinit.dll 2009-09-23 12:55 . 2009-04-07 17:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys 2009-09-21 17:53 . 2009-09-21 17:53 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll 2009-09-21 17:53 . 2009-09-21 17:53 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys 2009-09-21 17:53 . 2009-09-21 17:53 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe 2009-09-21 17:53 . 2009-06-23 17:53 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X] "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageServer\TrueImageMonitor.exe" [2007-05-10 1129176] "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageServer\TimounterMonitor.exe" [2007-05-10 1866376] "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-05-10 140832] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048] "Kaseya Agent Service Helper"="c:\program files\Kaseya\Agent\KaUsrTsk.exe" [2007-06-05 192512] "Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688] "SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-09-07 959784] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824] [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au] "NoAutoUpdate"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2009-10-01 15:03 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0stera\0lsdelete [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk backup=c:\windows\pss\Windows Search.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DL32] DL32 [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRpdA] c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch] 2009-12-08 23:25 788880 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 12:42 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2005-04-05 22:19 77824 ----a-w- c:\windows\SYSTEM32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] 2005-04-05 22:22 94208 ----a-w- c:\windows\SYSTEM32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] 2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ] 2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP] 2007-03-16 15:06 868352 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient 2.6] 2004-02-27 17:29 61440 ----a-w- c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup 2.5] 2004-05-20 16:40 188416 ----a-w- c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] 2006-03-30 23:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=3 (0x3) "Pml Driver HPZ12"=3 (0x3) "IDriverT"=3 (0x3) "Iap"=2 (0x2) "Lavasoft Ad-Aware Service"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\NetMeeting\\conf.exe"= "c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"= "c:\\WINDOWS\\SYSTEM32\\ftp.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedul2.exe"= "c:\\Program Files\\SAAZOD\\DMPHelpDesk.exe"= "c:\\Program Files\\LogMeIn\\x86\\LogMeIn.exe"= "c:\\Program Files\\SAAZOD\\SAAZRemoteSupport.exe"= "c:\\WINDOWS\\SYSTEM32\\cmd.exe"= "c:\\Program Files\\SAAZOD\\RMHLPDSK.exe"= "c:\\Program Files\\Sunbelt Software\\VIPRE\\SBAMTray.exe"= "c:\\Program Files\\Windows Media Player\\wmplayer.exe"= "c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"= "c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"= "c:\\Program Files\\SAAZOD\\BaseComponents\\XSpy\\zCSS.exe"= "c:\\Program Files\\Acronis\\TrueImageServer\\TrueImageMonitor.exe"= "c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"= "c:\\Program Files\\NetworkViewer\\DMNetworkViewer.exe"= "c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3306:TCP"= 3306:TCP:MySQL R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [4/7/2009 9:53 AM 64288] R1 sbaphd;sbaphd;c:\windows\SYSTEM32\DRIVERS\sbaphd.sys [9/11/2009 2:24 PM 13360] R1 sbtis;sbtis;c:\windows\SYSTEM32\DRIVERS\sbtis.sys [4/6/2009 1:31 PM 202928] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 3:09 PM 12856] R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\SYSTEM32\DRIVERS\LMIRfsDriver.sys [1/12/2009 8:29 AM 47640] R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\SAAZOD\SAAZDPMACTL.EXE [1/12/2009 8:45 AM 81920] R2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\SAAZOD\SAAZRemoteSupport.exe [1/12/2009 8:45 AM 73728] R2 SAAZScheduler;SAAZScheduler;c:\progra~1\SAAZOD\SAAZScheduler.exe [1/12/2009 8:45 AM 77824] R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\SAAZOD\SAAZServerPlus.exe [11/21/2006 2:18 PM 77824] R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\\SAAZWatchDog --> c:\progra~1\SAAZOD\\SAAZWatchDog [?] R2 sbapifs;sbapifs;c:\windows\SYSTEM32\DRIVERS\sbapifs.sys [9/11/2009 2:26 PM 69936] R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [10/7/2009 4:50 AM 185640] R4 KAPFA;KAPFA;c:\windows\SYSTEM32\DRIVERS\KaPFA.sys [12/31/2008 2:05 PM 13696] S2 KaseyaAgent;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [12/31/2008 2:05 PM 520192] S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1184912] S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [9/7/2009 1:02 PM 1012040] S3 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [8/5/2009 2:58 PM 93872] S4 LMIRfsClientNP;LMIRfsClientNP; [x] --- Other Services/Drivers In Memory --- *NewlyCreated* - KAPFA . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ DPF: {00A7BD45-3D5C-11D4-BDA7-00C0F02C56AB} - hxxp://192.168.0.10/webpages/DMWebX.ocx DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} - hxxp://66.172.99.233/common/NPRemvu.cab FF - ProfilePath - c:\documents and settings\avcc\Application Data\Mozilla\Firefox\Profiles\u62jnw47.default\ FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHANS REMOVED - - - - BHO-{382A48C6-4454-40B6-B0D6-DEFA4B788E0f} - c:\windows\system32\gdwosyaj.dll MSConfigStartUp-54481ddc - c:\windows\system32\rurisugo.dll MSConfigStartUp-Ccokanomo - c:\windows\uxinosesoxikayi.dll MSConfigStartUp-CPM577b2e40 - c:\windows\system32\wenifalo.dll MSConfigStartUp-GetModule23 - c:\program files\GetModule\GetModule23.exe MSConfigStartUp-HP Software Update - c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe MSConfigStartUp-hugozobeta - c:\windows\system32\dazajatu.dll MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe MSConfigStartUp-Propel Accelerator - c:\program files\EarthLink TotalAccess\Accelerator\PropelAC.exe MSConfigStartUp-SoundMAX - c:\program files\Analog Devices\SoundMAX\Smax4.exe MSConfigStartUp-VnrBlock20 - c:\program files\VnrBlock\VnrBlock20.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-12-11 11:54 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAAZWatchDog] "ImagePath"="c:\progra~1\SAAZOD\\SAAZWatchDog" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ymdecwkidivrcjp] "imagepath"="\??\c:\windows\TEMP\192.tmp" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(536) c:\windows\system32\LMIinit.dll c:\windows\system32\LMIRfsClientNP.dll - - - - - - - > 'lsass.exe'(592) c:\windows\system32\relog_ap.dll - - - - - - - > 'explorer.exe'(1692) c:\windows\system32\WININET.dll c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\msi.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Acronis\Schedule2\schedul2.exe c:\program files\LogMeIn\x86\RaMaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\LogMeIn\x86\LMIGuardian.exe c:\progra~1\SAAZOD\RMHLPDSK.exe c:\progra~1\SAAZOD\SAAZWatchDog.exe c:\windows\System32\tlntsvr.exe c:\windows\System32\wbem\unsecapp.exe c:\program files\LogMeIn\x86\LMIGuardian.exe . ************************************************************************** . Completion time: 2009-12-11 11:59:45 - machine was rebooted ComboFix-quarantined-files.txt 2009-12-11 19:59 Pre-Run: 24,641,445,888 bytes free Post-Run: 24,599,543,808 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn - - End Of File - - FD6E55B66F880B9EC4DB5B48567C5396

Upon reboot from OTL scan/fix I get an error stateing Access violation at address 0059421A in module 'OTL.exe'. Read of address 00000000. ESET results below C:\WINDOWS\SYSTEM32\gdwosyaj.dll a variant of Win32/Kryptik.BDF trojan cleaned by deleting (after the next restart) - quarantined C:\WINDOWS\SYSTEM32\jjkmp.bak1 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined C:\WINDOWS\SYSTEM32\jjkmp.bak2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined C:\_OTL\MovedFiles\12102009_091950\C_WINDOWS\SYSTEM32\ankfdelc.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined C:\_OTL\MovedFiles\12102009_091950\C_WINDOWS\SYSTEM32\ISrtvvut.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined C:\_OTL\MovedFiles\12102009_091950\C_WINDOWS\SYSTEM32\ISrtvvut.ini2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined C:\_OTL\MovedFiles\12102009_091950\C_WINDOWS\SYSTEM32\jjkmp.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined C:\_OTL\MovedFiles\12102009_091950\C_WINDOWS\SYSTEM32\jjkmp.ini2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined C:\_OTL\MovedFiles\12102009_091950\C_WINDOWS\SYSTEM32\nwpraqwl.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined C:\_OTL\MovedFiles\12102009_091950\C_WINDOWS\SYSTEM32\tBdKlkkj.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined C:\_OTL\MovedFiles\12102009_091950\C_WINDOWS\SYSTEM32\tBdKlkkj.ini2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined Operating memory a variant of Win32/Kryptik.BDF trojan contained infected files

GMER 1.0.15.15273 - http://www.gmer.net Rootkit scan 2009-12-09 16:22:11 Windows 5.1.2600 Service Pack 3 Running: bo6l8nc2.exe; Driver: C:\DOCUME~1\avcc\LOCALS~1\Temp\pxtdqpow.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xF8B6E4D0] SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xF8B6E520] ---- Kernel code sections - GMER 1.0.15 ---- PAGE ntoskrnl.exe!ExAcquireRundownProtection + 1AF 80570279 7 Bytes JMP 82F956D0 ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software) AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis) AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software) AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software) AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) ---- EOF - GMER 1.0.15 ---- OTL logfile created on: 12/9/2009 2:30:55 PM - Run 1 OTL by OldTimer - Version 3.1.12.0 Folder = C:\Documents and Settings\avcc\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.13) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 502.98 Mb Total Physical Memory | 60.67 Mb Available Physical Memory | 12.06% Memory free 1.21 Gb Paging File | 0.89 Gb Available in Paging File | 73.44% Paging File free Paging file location(s): C:\pagefile.sys 768 1536 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 34.93 Gb Total Space | 23.03 Gb Free Space | 65.93% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: CF1259 Current User Name: avcc Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Processes (SafeList) ========== PRC - C:\Documents and Settings\avcc\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft) PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft) PRC - C:\Program Files\TeamViewer\Version4\TeamViewer.exe (TeamViewer GmbH) PRC - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe (TeamViewer GmbH) PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.) PRC - C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc.) PRC - C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe (Sunbelt Software) PRC - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe (Sunbelt Software) PRC - C:\Program Files\SAAZOD\RMHLPDSK.exe (Zenith Infotech Ltd) PRC - C:\Program Files\SAAZOD\SAAZWatchDog.exe (Zenith Infotech Ltd) PRC - C:\Program Files\SAAZOD\SAAZDPMACTL.exe (Zenith Infotech Ltd) PRC - C:\Program Files\SAAZOD\SAAZRemoteSupport.exe (Zenith Infotech Ltd) PRC - C:\Program Files\SAAZOD\SAAZScheduler.exe (Zenith Infotech Ltd) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.) PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.) PRC - C:\Program Files\Kaseya\Agent\KaUsrTsk.exe (Kaseya) PRC - C:\Program Files\Kaseya\Agent\AgentMon.exe (Kaseya) PRC - C:\Program Files\Acronis\TrueImageServer\TimounterMonitor.exe (Acronis) PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis) PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis) PRC - C:\Program Files\Acronis\TrueImageServer\TrueImageMonitor.exe (Acronis) PRC - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (RealVNC Ltd.) PRC - C:\Program Files\SAAZOD\SAAZServerPlus.exe (Zenith Infotech Ltd) PRC - C:\WINDOWS\SYSTEM32\igfxpers.exe (Intel Corporation) PRC - C:\WINDOWS\SYSTEM32\igfxtray.exe (Intel Corporation) PRC - C:\WINDOWS\SYSTEM32\hkcmd.exe (Intel Corporation) PRC - C:\WINDOWS\SYSTEM32\WBEM\UNSECAPP.EXE (Microsoft Corporation) ========== Modules (SafeList) ========== MOD - C:\Documents and Settings\avcc\Desktop\OTL.exe (OldTimer Tools) ========== Win32 Services (SafeList) ========== SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft) SRV - (TeamViewer4) -- C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe (TeamViewer GmbH) SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.) SRV - (SBAMSvc) -- C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe (Sunbelt Software) SRV - (SAAZWatchDog) -- C:\Program Files\SAAZOD\SAAZWatchDog.exe (Zenith Infotech Ltd) SRV - (SAAZDPMACTL) -- C:\PROGRA~1\SAAZOD\\SAAZDPMACTL.EXE () SRV - (SAAZRemoteSupport) -- C:\PROGRA~1\SAAZOD\\SAAZRemoteSupport.exe () SRV - (SAAZScheduler) -- C:\Program Files\SAAZOD\SAAZScheduler.exe (Zenith Infotech Ltd) SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.) SRV - (KaseyaAgent) -- C:\Program Files\Kaseya\Agent\AgentMon.exe (Kaseya) SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis) SRV - (WinVNC4) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe (RealVNC Ltd.) SRV - (SAAZServerPlus) -- C:\PROGRA~1\SAAZOD\\SAAZServerPlus.exe () SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation) SRV - (Pml Driver HPZ12) -- C:\WINDOWS\SYSTEM32\HPZipm12.exe (HP) SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation) SRV - (xysyzcfz) -- C:\WINDOWS\SYSTEM32\hvfpnxk.dll (U.S. Robotics Corporation) SRV - (Iap) -- C:\Program Files\Dell\OpenManage\Client\Iap.exe (Dell Computer Corporation) ========== Driver Services (SafeList) ========== DRV - (LMIRfsClientNP) -- C:\WINDOWS\SYSTEM32\LMIRfsClientNP.dll (LogMeIn, Inc.) DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB) DRV - (sbapifs) -- C:\WINDOWS\SYSTEM32\DRIVERS\sbapifs.sys (Sunbelt Software) DRV - (SBRE) -- C:\WINDOWS\SYSTEM32\DRIVERS\SBREDrv.sys (Sunbelt Software) DRV - (sbaphd) -- C:\WINDOWS\SYSTEM32\DRIVERS\sbaphd.sys (Sunbelt Software) DRV - (tmcomm) -- C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys (Trend Micro Inc.) DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.) DRV - (LMIRfsDriver) -- C:\WINDOWS\SYSTEM32\DRIVERS\LMIRfsDriver.sys (LogMeIn, Inc.) DRV - (sbtis) -- C:\WINDOWS\SYSTEM32\DRIVERS\sbtis.sys (Sunbelt Software) DRV - (amdagp) -- C:\WINDOWS\System32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.) DRV - (sisagp) -- C:\WINDOWS\System32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation) DRV - (HDAudBus) -- C:\WINDOWS\SYSTEM32\DRIVERS\hdaudbus.sys (Windows ® Server 2003 DDK provider) DRV - (ADIHdAudAddService) -- C:\WINDOWS\SYSTEM32\DRIVERS\ADIHdAud.sys (Analog Devices, Inc.) DRV - (Secdrv) -- C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) DRV - (timounter) -- C:\WINDOWS\system32\DRIVERS\timntr.sys (Acronis) DRV - (tifsfilter) -- C:\WINDOWS\SYSTEM32\DRIVERS\tifsfilt.sys (Acronis) DRV - (snapman) -- C:\WINDOWS\system32\DRIVERS\snapman.sys (Acronis) DRV - (lmimirr) -- C:\WINDOWS\SYSTEM32\DRIVERS\lmimirr.sys (LogMeIn, Inc.) DRV - (KAPFA) -- C:\WINDOWS\SYSTEM32\DRIVERS\KaPFA.sys (Kaseya) DRV - (b57w2k) -- C:\WINDOWS\SYSTEM32\DRIVERS\b57xp32.sys (Broadcom Corporation) DRV - (ialm) -- C:\WINDOWS\SYSTEM32\DRIVERS\ialmnt5.sys (Intel Corporation) DRV - (smwdm) -- C:\WINDOWS\SYSTEM32\DRIVERS\smwdm.sys (Analog Devices, Inc.) DRV - (nv) -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys (NVIDIA Corporation) DRV - (iAimFP4) -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys (Intel® Corporation) DRV - (iAimFP3) -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys (Intel® Corporation) DRV - (iAimTV4) -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys (Intel® Corporation) DRV - (iAimTV3) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys (Intel® Corporation) DRV - (iAimTV1) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys (Intel® Corporation) DRV - (iAimTV0) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys (Intel® Corporation) DRV - (iAimFP0) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys (Intel® Corporation) DRV - (iAimFP1) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys (Intel® Corporation) DRV - (iAimFP2) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys (Intel® Corporation) DRV - (i81x) -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys (Intel® Corporation) DRV - (bcm4sbxp) -- C:\WINDOWS\SYSTEM32\DRIVERS\bcm4sbxp.sys (Broadcom Corporation) DRV - ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel® Graphics Platform (SoftBIOS) -- C:\WINDOWS\SYSTEM32\DRIVERS\ialmsbw.sys (Intel Corporation) DRV - ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel® Graphics Chipset (KCH) -- C:\WINDOWS\SYSTEM32\DRIVERS\ialmkchw.sys (Intel Corporation) DRV - (E100B) Intel® -- C:\WINDOWS\SYSTEM32\DRIVERS\e100b325.sys (Intel Corporation) DRV - (omci) -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys (Dell Computer Corporation) DRV - (dnonajax) -- C:\WINDOWS\system32\drivers\dnonajax.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) DRV - (Ptilink) -- C:\WINDOWS\SYSTEM32\DRIVERS\PTILINK.SYS (Parallel Technologies, Inc.) DRV - (USRpdA) -- C:\WINDOWS\SYSTEM32\DRIVERS\USRpdA.sys (U.S. Robotics Corporation) DRV - (Sparrow) -- C:\WINDOWS\System32\DRIVERS\sparrow.sys (Adaptec, Inc.) DRV - (sym_u3) -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys (LSI Logic) DRV - (sym_hi) -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys (LSI Logic) DRV - (symc8xx) -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys (LSI Logic) DRV - (symc810) -- C:\WINDOWS\System32\DRIVERS\symc810.sys (Symbios Logic Inc.) DRV - (ultra) -- C:\WINDOWS\System32\DRIVERS\ultra.sys (Promise Technology, Inc.) DRV - (ql12160) -- C:\WINDOWS\System32\DRIVERS\ql12160.sys (QLogic Corporation) DRV - (ql1080) -- C:\WINDOWS\System32\DRIVERS\ql1080.sys (QLogic Corporation) DRV - (ql1280) -- C:\WINDOWS\System32\DRIVERS\ql1280.sys (QLogic Corporation) DRV - (dac2w2k) -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys (Mylex Corporation) DRV - (mraid35x) -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys (American Megatrends Inc.) DRV - (asc) -- C:\WINDOWS\System32\DRIVERS\asc.sys (Advanced System Products, Inc.) DRV - (asc3550) -- C:\WINDOWS\System32\DRIVERS\asc3550.sys (Advanced System Products, Inc.) DRV - (AliIde) -- C:\WINDOWS\System32\DRIVERS\aliide.sys (Acer Laboratories Inc.) DRV - (CmdIde) -- C:\WINDOWS\System32\DRIVERS\cmdide.sys (CMD Technology, Inc.) DRV - (EL90XBC) -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS (3Com Corporation) ========== Standard Registry (All) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/ IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default = 4F 25 70 3C E6 0A 00 4A 85 BA D0 09 09 B7 14 E7 [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = C6 48 2A 38 54 44 B6 40 B0 D6 DE FA 4B 78 8E 0F [binary data] IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\SYSTEM32\ieframe.dll (Microsoft Corporation) IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1 ========== FireFox ========== FF - prefs.js..extensions.enabledItems: {955ba191-df52-4708-ae34-538500724082}:1.0 FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10 FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/12/08 08:32:21 | 00,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/05/01 11:29:48 | 00,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/05/05 08:32:54 | 00,000,000 | ---D | M] [2009/05/01 11:29:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\avcc\Application Data\Mozilla\Extensions [2009/05/01 11:29:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\avcc\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2009/09/22 14:06:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\avcc\Application Data\Mozilla\Firefox\Profiles\u62jnw47.default\extensions [2009/12/09 14:29:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\avcc\Application Data\Mozilla\Firefox\Profiles\u62jnw47.default\extensions\{955ba191-df52-4708-ae34-538500724082} [2009/05/01 11:29:39 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2009/05/01 11:29:39 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2009/04/23 20:38:30 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll [2009/04/23 20:38:32 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll [2009/04/23 20:38:33 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll [2007/03/22 19:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL [2009/04/23 16:39:08 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml [2009/04/23 16:39:08 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml [2009/04/23 16:39:08 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml [2009/04/23 16:39:08 | 00,002,343 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml [2009/04/23 16:39:08 | 00,001,706 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml [2009/04/23 16:39:08 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml [2009/04/23 16:39:08 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml O1 HOSTS File: (21 bytes) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (no name) - {382A48C6-4454-40B6-B0D6-DEFA4B788E0f} - C:\WINDOWS\SYSTEM32\gdwosyaj.dll () O2 - BHO: (no name) - {F696F7C6-DA54-42E5-AB28-A4B11DDC976D} - C:\WINDOWS\SYSTEM32\hvfpnxk.dll (U.S. Robotics Corporation) O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\SYSTEM32\browseui.dll (Microsoft Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\SYSTEM32\browseui.dll (Microsoft Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\SYSTEM32\shell32.dll (Microsoft Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\SYSTEM32\ieframe.dll (Microsoft Corporation) O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis) O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageServer\TimounterMonitor.exe (Acronis) O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM32\hkcmd.exe (Intel Corporation) O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\SYSTEM32\igfxtray.exe (Intel Corporation) O4 - HKLM..\Run: [Kaseya Agent Service Helper] C:\Program Files\Kaseya\Agent\KaUsrTsk.exe (Kaseya) O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.) O4 - HKLM..\Run: [Persistence] C:\WINDOWS\SYSTEM32\igfxpers.exe (Intel Corporation) O4 - HKLM..\Run: [sBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe (Sunbelt Software) O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageServer\TrueImageMonitor.exe (Acronis) O4 - HKLM..\Run: [userFaultCheck] File not found O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\SYSTEM32\ctfmon.exe (Microsoft Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\SYSTEM32\winrnr.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\SYSTEM32\rsvpsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\SYSTEM32\rsvpsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\SYSTEM32\mswsock.dll (Microsoft Corporation) O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone. O16 - DPF: {00A7BD45-3D5C-11D4-BDA7-00C0F02C56AB} http://192.168.0.10/webpages/DMWebX.ocx (DMSrvPushX Control) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool) O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.com/pc/support/acpir.cab (IASRunner Class) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1260223075859 (WUWebControl Class) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1260223592453 (MUWebControl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2) O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} http://ks.clearfocus.net/inc/kaxRemote.dll (kasRmtHlp Class) O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine) O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2) O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} http://66.172.99.233/common/NPRemvu.cab (NPRemvuPluginControl) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/shock...ash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.10.10.10 O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\SYSTEM32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\SYSTEM32\msvidctl.dll (Microsoft Corporation) O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ipp - No CLSID value found O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\SYSTEM32\itss.dll (Microsoft Corporation) O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\SYSTEM32\inetcomm.dll (Microsoft Corporation) O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp - No CLSID value found O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\SYSTEM32\itss.dll (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\SYSTEM32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\SYSTEM32\msvidctl.dll (Microsoft Corporation) O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\SYSTEM32\wiascr.dll (Microsoft Corporation) O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\SYSTEM32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SYSTEM32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SYSTEM32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\SYSTEM32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\SYSTEM32\shell32.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\SYSTEM32\Userinit.exe) - C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation) O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation) O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation) O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation) O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\SYSTEM32\dimsntfy.dll (Microsoft Corporation) O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation) O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.) O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation) O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation) O20 - Winlogon\Notify\wiheitbm: DllName - hvfpnxk.dll - C:\WINDOWS\System32\hvfpnxk.dll (U.S. Robotics Corporation) O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\SYSTEM32\shell32.dll (Microsoft Corporation) O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\SYSTEM32\shell32.dll (Microsoft Corporation) O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\SYSTEM32\stobject.dll (Microsoft Corporation) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\SYSTEM32\webcheck.dll (Microsoft Corporation) O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\SYSTEM32\WPDShServiceObj.dll (Microsoft Corporation) O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\SYSTEM32\browseui.dll (Microsoft Corporation) O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\SYSTEM32\browseui.dll (Microsoft Corporation) O24 - Desktop Components:0 (My Current Home Page) - About:Home O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation) O28 - HKLM ShellExecuteHooks: {D7336D32-62F7-43B5-8B8C-3963C72CA498} - Reg Error: Key error. File not found O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation) O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation) O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis) O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\tuvvtrSI) - File not found O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation) O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation) O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation) O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation) O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2002/09/03 11:36:02 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O33 - MountPoints2\{478d4d29-4cea-11db-8269-000d565e5e67}\Shell - "" = AutoRun O33 - MountPoints2\{478d4d29-4cea-11db-8269-000d565e5e67}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{478d4d29-4cea-11db-8269-000d565e5e67}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found O34 - HKLM BootExecute: (autocheck autochk *) - File not found O34 - HKLM BootExecute: (stera) - File not found O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe () O35 - comfile [open] -- "%1" %* O35 - exefile [open] -- "%1" %* CREATERESTOREPOINT Error starting restore point: System Restore is disabled. Error closing restore point: System Restore is disabled. ========== Files/Folders - Created Within 30 Days ========== [2009/12/09 14:06:33 | 00,537,088 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\avcc\Desktop\OTL.exe [2009/12/08 15:16:55 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6} [2009/12/08 15:13:52 | 77,086,488 | ---- | C] (Lavasoft ) -- C:\Documents and Settings\avcc\Desktop\Ad-AwareInstallation.exe [2009/12/08 15:07:04 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\avcc\Recent [2009/12/08 15:06:29 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner [2009/12/08 10:47:44 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll [2009/12/08 10:08:07 | 00,220,992 | ---- | C] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\smwdm.sys [2009/12/08 10:08:07 | 00,049,152 | ---- | C] (Analog Devices Inc.) -- C:\WINDOWS\System32\DSndUp.exe [2009/12/08 10:08:07 | 00,045,056 | ---- | C] (adi) -- C:\WINDOWS\System32\CleanUp.exe [2009/12/08 09:34:02 | 00,135,168 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll [2009/12/08 09:28:33 | 04,203,744 | ---- | C] (Lenovo Group Limited ) -- C:\Documents and Settings\avcc\Desktop\e49z86usa.exe [2009/12/08 09:13:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK [2009/12/08 08:32:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA [2009/12/07 14:52:33 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer [2009/12/07 14:52:29 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild [2009/12/07 14:52:21 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies [2009/12/07 14:51:43 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe [2009/12/07 14:51:43 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll [2009/12/07 14:51:43 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll [2009/12/07 14:51:42 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll [2009/12/07 14:51:42 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll [2009/12/07 14:51:42 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll [2009/12/07 14:51:42 | 00,000,000 | ---D | C] -- C:\09c5265571c41cac313b [2009/12/07 10:30:04 | 00,000,000 | ---D | C] -- C:\IBMTOOLS [2009/12/02 12:39:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\avcc\My Documents\EXPRESS LOANS [2009/11/19 00:19:04 | 01,435,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\query.dll [2009/11/18 11:37:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\avcc\My Documents\2008 DAILY'S & NUMBERS [2009/11/10 13:24:26 | 00,048,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\forfiles.exe [2009/11/10 13:18:15 | 00,000,000 | ---D | C] -- C:\Program Files\TeamViewer [49 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [4 C:\*.tmp files -> C:\*.tmp -> ] [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2009/12/09 14:29:18 | 00,012,540 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL [2009/12/09 14:29:00 | 00,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job [2009/12/09 14:18:05 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At14.job [2009/12/09 14:18:05 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At13.job [2009/12/09 14:18:05 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At12.job [2009/12/09 14:18:05 | 00,000,308 | ---- | M] () -- C:\WINDOWS\tasks\djqmezwx.job [2009/12/09 14:18:05 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2009/12/09 14:18:04 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At11.job [2009/12/09 14:18:01 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT [2009/12/09 14:06:34 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\avcc\Desktop\OTL.exe [2009/12/09 10:36:41 | 00,292,864 | ---- | M] () -- C:\Documents and Settings\avcc\Desktop\bo6l8nc2.exe [2009/12/09 10:26:30 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At10.job [2009/12/09 10:25:34 | 04,456,448 | ---- | M] () -- C:\Documents and Settings\avcc\NTUSER.DAT [2009/12/09 10:25:34 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\avcc\NTUSER.INI [2009/12/09 09:17:15 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At9.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At8.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At7.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At6.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At5.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At4.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At3.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At24.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At23.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At22.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At21.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At20.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At2.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At19.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At18.job [2009/12/09 08:31:17 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At17.job [2009/12/09 08:31:17 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At16.job [2009/12/09 08:31:17 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At1.job [2009/12/08 15:29:20 | 00,000,458 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job [2009/12/08 15:27:58 | 05,853,018 | -H-- | M] () -- C:\Documents and Settings\avcc\Local Settings\Application Data\IconCache.db [2009/12/08 15:16:54 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk [2009/12/08 15:13:58 | 77,086,488 | ---- | M] (Lavasoft ) -- C:\Documents and Settings\avcc\Desktop\Ad-AwareInstallation.exe [2009/12/08 15:06:30 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\avcc\Desktop\CCleaner.lnk [2009/12/08 14:54:56 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\At15.job [2009/12/08 11:07:20 | 00,503,932 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2009/12/08 11:07:20 | 00,428,974 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT [2009/12/08 11:07:20 | 00,065,924 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT [2009/12/08 09:28:34 | 04,203,744 | ---- | M] (Lenovo Group Limited ) -- C:\Documents and Settings\avcc\Desktop\e49z86usa.exe [2009/12/08 09:12:31 | 00,251,880 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2009/12/08 09:03:44 | 00,000,613 | ---- | M] () -- C:\WINDOWS\WIN.INI [2009/12/07 14:06:18 | 00,012,540 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak [2009/12/07 10:27:35 | 00,001,100 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat [2009/12/04 08:49:32 | 00,074,752 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\storprop.dll [2009/12/04 08:49:32 | 00,074,752 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\storprop.dll [2009/12/04 08:49:13 | 00,134,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\hal.dll [2009/12/04 08:48:49 | 00,000,211 | ---- | M] () -- C:\boot.ini [2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2009/12/02 20:03:26 | 00,521,728 | ---- | M] () -- C:\Documents and Settings\avcc\Desktop\DECEMBER DAILY'S & NUMBERS.xls [2009/12/02 16:37:08 | 00,689,664 | ---- | M] () -- C:\Documents and Settings\avcc\Desktop\NOVEMBER DAILY'S & NUMBERS.xls [2009/12/02 13:17:45 | 00,521,728 | ---- | M] () -- C:\Documents and Settings\avcc\Desktop\DO NOT USE OR DELETE DAILY'S & NUMBERS.xls [2009/12/02 11:36:10 | 00,002,497 | ---- | M] () -- C:\Documents and Settings\avcc\Desktop\Microsoft Office Word 2003.lnk [2009/12/02 08:40:02 | 00,000,434 | ---- | M] () -- C:\2.js [2009/12/01 17:56:32 | 00,032,768 | ---- | M] () -- C:\Documents and Settings\avcc\Desktop\CATHERINE T.C..xls [2009/11/30 16:12:49 | 00,031,232 | ---- | M] () -- C:\Documents and Settings\avcc\Desktop\NICOLE,T.C..xls [2009/11/24 15:37:30 | 00,002,495 | ---- | M] () -- C:\Documents and Settings\avcc\Desktop\Microsoft Office Excel 2003.lnk [2009/11/21 07:51:42 | 01,206,508 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb [2009/11/21 07:51:04 | 00,471,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll [2009/11/20 11:17:54 | 00,033,280 | ---- | M] () -- C:\Documents and Settings\avcc\Desktop\BANK INFO SHEET.xls [2009/11/16 12:04:45 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\avcc\My Documents\ATTENTION.doc [2009/11/12 12:20:32 | 00,025,600 | ---- | M] () -- C:\Documents and Settings\avcc\My Documents\OFFICE SUPPLIES.doc [2009/11/11 17:58:32 | 00,001,485 | ---- | M] () -- C:\Documents and Settings\avcc\Desktop\Remote Desktop Connection.lnk [49 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [4 C:\*.tmp files -> C:\*.tmp -> ] [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2099/01/01 12:00:00 | 00,011,168 | -H-- | C] () -- C:\WINDOWS\System32\jorosuzu [2009/12/09 10:36:41 | 00,292,864 | ---- | C] () -- C:\Documents and Settings\avcc\Desktop\bo6l8nc2.exe [2009/12/08 15:16:54 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk [2009/12/08 15:06:30 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\avcc\Desktop\CCleaner.lnk [2009/12/08 08:32:48 | 00,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job [2009/12/04 08:48:49 | 00,000,211 | ---- | C] () -- C:\boot.ini [2009/12/01 13:52:04 | 00,521,728 | ---- | C] () -- C:\Documents and Settings\avcc\Desktop\DECEMBER DAILY'S & NUMBERS.xls [2009/11/09 15:57:15 | 00,026,112 | ---- | C] () -- C:\Documents and Settings\avcc\My Documents\ATTENTION.doc [2009/08/03 15:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll [2009/04/30 07:48:49 | 00,004,326 | ---- | C] () -- C:\Documents and Settings\avcc\Local Settings\Application Data\F696F7C6-DA54-42E5-AB28-A4B11DDC976D.txt [2008/12/31 14:29:15 | 00,650,608 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll [2008/12/31 14:29:15 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4764.dll [2008/12/20 14:27:24 | 00,874,694 | -HS- | C] () -- C:\WINDOWS\System32\ISrtvvut.ini2 [2008/12/20 14:27:23 | 00,000,290 | -HS- | C] () -- C:\WINDOWS\System32\ISrtvvut.ini [2008/11/09 13:51:18 | 00,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI [2008/09/15 07:17:23 | 01,169,534 | -HS- | C] () -- C:\WINDOWS\System32\ankfdelc.ini [2008/09/13 13:42:47 | 01,117,487 | -HS- | C] () -- C:\WINDOWS\System32\nwpraqwl.ini [2008/09/13 13:41:08 | 00,861,090 | -HS- | C] () -- C:\WINDOWS\System32\tBdKlkkj.ini2 [2008/09/13 13:41:07 | 00,002,826 | -HS- | C] () -- C:\WINDOWS\System32\tBdKlkkj.ini [2006/07/28 12:38:27 | 00,908,741 | -HS- | C] () -- C:\WINDOWS\System32\jjkmp.ini2 [2006/05/15 07:07:02 | 00,004,975 | ---- | C] () -- C:\Documents and Settings\avcc\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log [2006/05/15 07:07:02 | 00,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini [2006/04/13 10:57:19 | 00,074,752 | ---- | C] () -- C:\WINDOWS\System32\jst.dll [2006/04/13 10:57:19 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\PMLJNI.dll [2006/04/13 10:54:26 | 00,192,512 | R--- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL [2006/04/13 10:53:24 | 00,012,696 | ---- | C] () -- C:\WINDOWS\hplj1320.ini [2006/04/05 09:52:58 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2006/03/27 14:31:32 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI [2006/03/04 08:25:46 | 00,541,292 | -HS- | C] () -- C:\WINDOWS\System32\jjkmp.ini [2005/10/25 12:38:34 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini [2005/06/02 18:27:33 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\avcc\Application Data\usb.dat.bin [2005/03/21 15:59:08 | 00,000,748 | ---- | C] () -- C:\WINDOWS\LMAAL2DD.ini [2004/07/27 15:28:52 | 00,000,000 | ---- | C] () -- C:\WINDOWS\WinInit.Ini [2004/05/18 19:03:46 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll [2004/04/19 11:11:45 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\BarracudaAddin.dll [2004/02/19 10:36:11 | 00,000,034 | ---- | C] () -- C:\WINDOWS\AuthMgr.INI [2004/02/05 15:12:21 | 00,008,340 | ---- | C] () -- C:\WINDOWS\hplj1300.ini [2004/02/05 15:10:20 | 00,000,375 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini [2004/02/05 15:10:18 | 00,000,783 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini [2004/02/05 15:10:13 | 00,196,608 | R--- | C] () -- C:\WINDOWS\System32\HPBVNSTP.DLL [2004/01/14 11:32:36 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2004/01/14 11:25:30 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini [2004/01/14 11:09:50 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll [2004/01/14 11:00:40 | 00,000,546 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI [2003/05/22 06:29:17 | 00,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL [2003/02/03 05:26:18 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll [2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI [2002/08/29 03:00:00 | 00,147,968 | ---- | C] () -- C:\WINDOWS\System32\gdwosyaj.dll ========== LOP Check ========== [2008/06/19 02:19:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn [2006/08/14 09:23:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla! [2009/01/12 08:46:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\VSoft [2009/12/08 15:16:59 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6} [2009/10/31 12:24:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\avcc\Application Data\mnnkkola [2009/05/05 08:40:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\avcc\Application Data\OfficeUpdate12 [2006/08/10 08:50:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\avcc\Application Data\STOPzilla! [2009/10/01 10:13:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\avcc\Application Data\TeamViewer [2006/03/31 08:52:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\avcc\Application Data\Walgreens [2008/09/14 09:21:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\avcc\Application Data\Windows Search [2009/12/08 15:29:20 | 00,000,458 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job [2009/12/09 08:31:17 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job [2009/12/09 10:26:30 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job [2009/12/09 14:18:04 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job [2009/12/09 14:18:05 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job [2009/12/09 14:18:05 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job [2009/12/09 14:18:05 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job [2009/12/08 14:54:56 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job [2009/12/09 08:31:17 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job [2009/12/09 08:31:17 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job [2009/12/09 08:31:18 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job [2009/12/09 09:17:15 | 00,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job [2009/12/09 14:18:05 | 00,000,308 | ---- | M] () -- C:\WINDOWS\Tasks\djqmezwx.job [2009/12/09 14:29:00 | 00,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.exe > [2008/04/16 06:27:22 | 00,028,672 | ---- | M] () -- C:\cleanup.exe [2009/05/01 11:28:42 | 07,526,856 | ---- | M] (Mozilla) -- C:\Firefox Setup 3.0.10.exe [2008/11/11 08:57:31 | 15,452,536 | ---- | M] (Microsoft Corporation) -- C:\IE7-WindowsXP-x86-enu.exe [2007/07/23 08:45:40 | 00,111,104 | ---- | M] (Angryziber Software) -- C:\ipscan.exe [2006/07/26 08:59:47 | 00,546,785 | ---- | M] () -- C:\PB.exe [2006/08/10 08:28:51 | 00,066,984 | ---- | M] (International Software Systems Solutions) -- C:\STOPzilla_Setup.exe [2009/03/04 10:50:42 | 73,313,504 | ---- | M] (Sunbelt Software ) -- C:\VIPRE-standalone.exe [2009/04/06 11:01:33 | 73,313,504 | ---- | M] (Sunbelt Software ) -- C:\VIPRE.exe [2009/05/01 11:34:06 | 00,359,656 | ---- | M] (Microsoft Corporation) -- C:\windowscleanuputility.exe [4 C:\*.tmp files -> C:\*.tmp -> ] < MD5 for: AGP440.SYS > [2008/04/13 23:06:40 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys [2008/04/13 23:06:40 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys [2004/08/03 22:07:41 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys [2001/08/17 11:58:00 | 00,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\I386\AGP440.SYS < MD5 for: ATAPI.SYS > [2002/08/28 23:27:50 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys [2008/04/13 23:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys [2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\DLLCACHE\atapi.sys [2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys [2008/12/30 06:08:42 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\i386\atapi.sys [2009/12/04 08:49:28 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0020\DriverFiles\i386\atapi.sys [2004/08/03 21:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys [2003/04/23 07:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\I386\atapi.sys < MD5 for: EVENTLOG.DLL > [2008/04/14 04:41:54 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll [2008/04/14 04:41:54 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SYSTEM32\eventlog.dll [2004/08/03 23:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll [2002/08/29 03:00:00 | 00,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\I386\EVENTLOG.DLL < MD5 for: NETLOGON.DLL > [2008/04/14 04:42:02 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll [2008/04/14 04:42:02 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SYSTEM32\netlogon.dll [2002/08/29 03:00:00 | 00,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\I386\NETLOGON.DLL [2004/08/03 23:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll < MD5 for: SCECLI.DLL > [2004/08/03 23:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll [2002/08/29 03:00:00 | 00,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\I386\SCECLI.DLL [2008/04/14 04:42:06 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll [2008/04/14 04:42:06 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SYSTEM32\scecli.dll < End of report > OTL Extras logfile created on: 12/9/2009 2:30:55 PM - Run 1 OTL by OldTimer - Version 3.1.12.0 Folder = C:\Documents and Settings\avcc\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.13) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 502.98 Mb Total Physical Memory | 60.67 Mb Available Physical Memory | 12.06% Memory free 1.21 Gb Paging File | 0.89 Gb Available in Paging File | 73.44% Paging File free Paging file location(s): C:\pagefile.sys 768 1536 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 34.93 Gb Total Space | 23.03 Gb Free Space | 65.93% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: CF1259 Current User Name: avcc Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation) htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation) htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation) htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation) http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation) https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation) CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "AntiVirusOverride" = 1 "FirewallOverride" = 1 "UpdatesDisableNotify" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DoNotAllowExceptions" = 0 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 "3306:TCP" = 3306:TCP:*:Enabled:MySQL "80:TCP" = 80:TCP:*:Enabled:DL32 "7171:TCP" = 7171:TCP:*:Enabled:DL32 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation) "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation) "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Disabled:TaskPanl -- File not found "C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe" = C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe:*:Disabled:javaw -- File not found "C:\Program Files\NetMeeting\conf.exe" = C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows

Everytime I reboot the system to complete the removal process I rerun the scan and find the same viruses in the same locations. Below is my HJT log. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:34:41 AM, on 12/9/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16945) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe C:\Program Files\Kaseya\Agent\AgentMon.exe C:\Program Files\LogMeIn\x86\RaMaint.exe C:\Program Files\LogMeIn\x86\LogMeIn.exe C:\Program Files\LogMeIn\x86\LMIGuardian.exe C:\PROGRA~1\SAAZOD\SAAZDPMACTL.EXE C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe C:\PROGRA~1\SAAZOD\SAAZScheduler.exe C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe C:\PROGRA~1\SAAZOD\RMHLPDSK.exe C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe C:\WINDOWS\System32\tlntsvr.exe C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\Program Files\TeamViewer\Version4\TeamViewer.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\System32\wbem\unsecapp.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Acronis\TrueImageServer\TrueImageMonitor.exe C:\Program Files\Acronis\TrueImageServer\TimounterMonitor.exe C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\Kaseya\Agent\KaUsrTsk.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\LogMeIn\x86\LMIGuardian.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe O2 - BHO: (no name) - {382A48C6-4454-40B6-B0D6-DEFA4B788E0f} - C:\WINDOWS\system32\gdwosyaj.dll O2 - BHO: (no name) - {F696F7C6-DA54-42E5-AB28-A4B11DDC976D} - c:\windows\system32\hvfpnxk.dll O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageServer\TrueImageMonitor.exe O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageServer\TimounterMonitor.exe O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" O4 - HKLM\..\Run: [Kaseya Agent Service Helper] C:\Program Files\Kaseya\Agent\KaUsrTsk.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [sBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00A7BD45-3D5C-11D4-BDA7-00C0F02C56AB} (DMSrvPushX Control) - http://192.168.0.10/webpages/DMWebX.ocx O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1260223075859 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1260223592453 O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://ks.clearfocus.net/inc/kaxRemote.dll O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} (NPRemvuPluginControl) - http://66.172.99.233/common/NPRemvu.cab O20 - Winlogon Notify: wiheitbm - C:\WINDOWS\SYSTEM32\hvfpnxk.dll O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe O23 - Service: SAAZDPMACTL - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\\SAAZDPMACTL.EXE O23 - Service: SAAZRemoteSupport - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\\SAAZRemoteSupport.exe O23 - Service: SAAZScheduler - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZScheduler.exe O23 - Service: SAAZServerPlus - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\\SAAZServerPlus.exe O23 - Service: SAAZWatchDog - Unknown owner - C:\PROGRA~1\SAAZOD\\SAAZWatchDog (file missing) O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- End of file - 5972 bytes

I was able to run MWB 2 times through on full scan with no threats. Thank you for your help.

Second results ComboFix 09-09-14.02 - production 09/15/2009 12:49.3.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.493 [GMT -7:00] Running from: c:\documents and settings\production\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\production\Desktop\CFScript.txt AV: AVG Anti-Virus Network Edition *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C} FILE :: "c:\documents and settings\production\gkccuo.exe" "c:\documents and settings\production\PRFYXU.bat" "c:\documents and settings\production\WDTTNH.exe" "C:\mpro.exe" "c:\windows\svchasts.exe" "c:\windows\system32\drivers\smss.exe_" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\production\PRFYXU.bat C:\mpro.exe . ((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 ))))))))))))))))))))))))))))))) . 2009-09-15 16:48 . 2009-09-15 16:48 -------- d-----w- c:\documents and settings\production\Application Data\AVG8 2009-09-15 16:17 . 2009-09-15 16:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-09-15 16:15 . 2009-09-15 16:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LogMeIn 2009-09-15 16:15 . 2009-09-15 16:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt 2009-09-15 16:15 . 2009-09-15 16:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\DellFaxCtr 2009-09-14 22:43 . 2009-09-15 17:31 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-09-11 03:00 . 2009-09-11 03:02 0 ----a-w- c:\windows\system32\SBRC.dat 2009-09-10 18:36 . 2009-09-10 18:36 46080 ----a-w- C:\Win32kDiag.exe 2009-09-10 18:16 . 2009-09-10 18:16 75 ----a-w- C:\FixExe.reg 2009-09-10 18:04 . 2009-09-10 18:04 -------- d-----w- c:\documents and settings\production\Application Data\Malwarebytes 2009-09-10 18:04 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-10 18:04 . 2009-09-15 16:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-09-10 18:04 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-09-10 18:04 . 2009-09-10 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-09-10 13:49 . 2009-09-10 13:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS 2009-09-02 14:09 . 2009-03-27 04:20 200704 ----a-w- c:\windows\system32\ssleay32.dll 2009-09-02 14:09 . 2009-03-27 04:20 200704 ----a-w- c:\windows\system32\libssl32.dll 2009-09-02 14:09 . 2009-03-27 04:20 1017344 ----a-w- c:\windows\system32\libeay32.dll 2009-09-02 14:09 . 2009-09-02 14:09 -------- d-----w- C:\OpenSSL 2009-08-28 21:46 . 2009-08-28 21:46 -------- d-----w- c:\documents and settings\LocalService\Application Data\Automise3 2009-08-18 14:03 . 2009-09-11 21:40 -------- d-----w- C:\Weight Optimizer . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-09-15 19:33 . 2009-01-22 18:05 -------- d-----w- c:\program files\SAAZOD 2009-09-15 17:31 . 2008-03-05 17:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-09-15 16:58 . 2008-10-20 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-09-15 15:53 . 2009-01-24 19:36 -------- d-----w- c:\program files\LogMeIn 2009-09-14 15:34 . 2008-03-19 18:34 55292 ----a-w- c:\documents and settings\production\Application Data\wklnhst.dat 2009-09-11 06:29 . 2008-10-15 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-09-10 16:38 . 2008-04-18 00:56 104 --sh--r- c:\windows\system32\E9B42D69D1.sys 2009-09-10 16:38 . 2008-04-18 00:56 6216 --sha-w- c:\windows\system32\KGyGaAvL.sys 2009-09-10 13:47 . 2009-01-24 19:36 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll 2009-09-10 13:47 . 2009-01-24 19:36 28984 ----a-w- c:\windows\system32\LMIport.dll 2009-09-10 13:47 . 2007-11-16 02:46 11552 ----a-w- c:\windows\system32\lmimirr2.dll 2009-09-10 13:47 . 2009-01-24 19:36 87352 ----a-w- c:\windows\system32\LMIinit.dll 2009-09-10 13:47 . 2007-11-16 02:46 25248 ----a-w- c:\windows\system32\lmimirr.dll 2009-09-02 13:53 . 2009-01-23 14:40 -------- d-----w- c:\program files\SetupLogs 2009-09-02 13:42 . 2009-01-23 14:41 -------- d-----w- c:\program files\Common Files\VSoft 2009-08-26 14:41 . 2008-03-05 17:34 -------- d-----w- c:\program files\Common Files\InstallShield 2009-08-26 14:41 . 2008-03-05 17:32 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-08-18 14:06 . 2008-04-07 15:34 -------- d-----w- c:\program files\Dl_cats 2009-07-31 16:34 . 2008-10-20 23:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-07-31 16:34 . 2008-10-20 23:51 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-07-31 16:34 . 2008-10-20 23:51 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-07-29 01:01 . 2008-03-18 15:53 -------- d-----w- c:\documents and settings\production\Application Data\U3 2009-07-29 00:22 . 2009-07-29 00:22 -------- d-----w- c:\documents and settings\production\Application Data\Optical Measuring Systems 2009-07-24 06:18 . 2008-03-05 17:37 -------- d-----w- c:\program files\Microsoft Works . ((((((((((((((((((((((((((((( SnapShot@2009-09-15_15.53.54 ))))))))))))))))))))))))))))))))))))))))) . + 2008-04-07 15:33 . 2009-09-15 16:15 65536 c:\windows\Installer\{1A15507A-8551-4626-915D-3D5FA095CC1B}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe - 2008-04-07 15:33 . 2008-04-07 15:33 65536 c:\windows\Installer\{1A15507A-8551-4626-915D-3D5FA095CC1B}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe + 2008-04-07 15:33 . 2009-09-15 16:15 22486 c:\windows\Installer\{1A15507A-8551-4626-915D-3D5FA095CC1B}\ARPPRODUCTICON.exe - 2008-04-07 15:33 . 2008-04-07 15:33 22486 c:\windows\Installer\{1A15507A-8551-4626-915D-3D5FA095CC1B}\ARPPRODUCTICON.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008] "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920] "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920] "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-05 1838592] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336] "MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008] "FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200] "DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-12 2007832] "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152] "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472] "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 188416] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792] "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageServer\TrueImageMonitor.exe" [2007-05-10 1129176] "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageServer\TimounterMonitor.exe" [2007-05-10 1866376] "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-05-10 140832] "SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2009-06-10 668968] "Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-06-14 16132608] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-3-5 7168] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-07-31 16:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2009-09-10 13:47 87352 ----a-w- c:\windows\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\dlcxcoms.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol "10426:UDP"= 10426:UDP:SingleClick ICC R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/20/2008 4:51 PM 12552] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/20/2008 4:51 PM 335240] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/20/2008 4:51 PM 108552] R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [6/12/2009 6:52 AM 202928] R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [8/23/2007 5:29 PM 5376] R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856] R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [1/24/2009 12:36 PM 47640] R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\SAAZOD\SAAZDPMACTL.EXE [9/2/2009 6:41 AM 81920] R2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\SAAZOD\SAAZRemoteSupport.exe [9/2/2009 6:41 AM 73728] R2 SAAZScheduler;SAAZScheduler;c:\progra~1\SAAZOD\SAAZScheduler.exe [9/2/2009 6:41 AM 77824] R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\SAAZOD\SAAZServerPlus.exe [11/21/2006 3:18 PM 77824] R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\\SAAZWatchDog --> c:\progra~1\SAAZOD\\SAAZWatchDog [?] S2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [6/10/2009 6:00 AM 980264] S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/30/2009 1:56 PM 93360] S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/12/2009 10:09 AM 297752] S4 LMIRfsClientNP;LMIRfsClientNP; [x] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.gocurrency.com/v2/dorate.php?inV=1&from=USD&to=MXN&Calculate=Convert IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-15 12:52 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAAZWatchDog] "ImagePath"="c:\progra~1\SAAZOD\\SAAZWatchDog" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(836) c:\windows\system32\LMIinit.dll c:\windows\system32\LMIRfsClientNP.dll c:\windows\system32\igfxdev.dll - - - - - - - > 'lsass.exe'(892) c:\windows\system32\relog_ap.dll . Completion time: 2009-09-15 12:54 ComboFix-quarantined-files.txt 2009-09-15 19:54 ComboFix2.txt 2009-09-15 18:37 ComboFix3.txt 2009-09-15 15:56 Pre-Run: 146,619,932,672 bytes free Post-Run: 146,598,719,488 bytes free 183 --- E O F --- 2009-05-20 14:07

Here is the log ComboFix 09-09-14.02 - Administrator 09/15/2009 8:46.1.2 - NTFSx86 NETWORK Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.690 [GMT -7:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe AV: AVG Anti-Virus Network Edition *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\docume~1\ADMINI~1\LOCALS~1\Temp\csrss.exe c:\docume~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe c:\documents and settings\All Users\Application Data\16620154 c:\documents and settings\All Users\Application Data\16620154\16620154 c:\documents and settings\All Users\Application Data\16620154\16620154.exe c:\documents and settings\All Users\Application Data\16620154\pc16620154ins c:\documents and settings\production\DFRLKH.exe c:\documents and settings\production\feilor.exe c:\documents and settings\production\xouuz.exe c:\program files\Windows Police Pro c:\program files\Windows Police Pro\msvcm80.dll c:\program files\Windows Police Pro\msvcp80.dll c:\program files\Windows Police Pro\msvcr80.dll c:\program files\Windows Police Pro\tmp\dbsinit.exe c:\program files\Windows Police Pro\tmp\images\i1.gif c:\program files\Windows Police Pro\tmp\images\i2.gif c:\program files\Windows Police Pro\tmp\images\i3.gif c:\program files\Windows Police Pro\tmp\images\j1.gif c:\program files\Windows Police Pro\tmp\images\j2.gif c:\program files\Windows Police Pro\tmp\images\j3.gif c:\program files\Windows Police Pro\tmp\images\jj1.gif c:\program files\Windows Police Pro\tmp\images\jj2.gif c:\program files\Windows Police Pro\tmp\images\jj3.gif c:\program files\Windows Police Pro\tmp\images\l1.gif c:\program files\Windows Police Pro\tmp\images\l2.gif c:\program files\Windows Police Pro\tmp\images\l3.gif c:\program files\Windows Police Pro\tmp\images\pix.gif c:\program files\Windows Police Pro\tmp\images\t1.gif c:\program files\Windows Police Pro\tmp\images\t2.gif c:\program files\Windows Police Pro\tmp\images\up1.gif c:\program files\Windows Police Pro\tmp\images\up2.gif c:\program files\Windows Police Pro\tmp\images\w1.gif c:\program files\Windows Police Pro\tmp\images\w11.gif c:\program files\Windows Police Pro\tmp\images\w2.gif c:\program files\Windows Police Pro\tmp\images\w3.gif c:\program files\Windows Police Pro\tmp\images\w3.jpg c:\program files\Windows Police Pro\tmp\images\wt1.gif c:\program files\Windows Police Pro\tmp\images\wt2.gif c:\program files\Windows Police Pro\tmp\images\wt3.gif c:\program files\Windows Police Pro\tmp\wispex.html c:\program files\Windows Police Pro\windows Police Pro.exe c:\windows\msa.exe c:\windows\msb.exe c:\windows\ppp3.dat c:\windows\ppp4.dat c:\windows\system32\11478.exe c:\windows\system32\15724.exe c:\windows\system32\18467.exe c:\windows\system32\19169.exe c:\windows\system32\24464.exe c:\windows\system32\26500.exe c:\windows\system32\26962.exe c:\windows\system32\29358.exe c:\windows\system32\41.exe c:\windows\system32\5705.exe c:\windows\system32\6334.exe c:\windows\system32\AVR09.exe c:\windows\system32\bennuar.old c:\windows\system32\bincd32.dat c:\windows\system32\config\systemprofile\Desktop\Total Security 2009.lnk c:\windows\system32\config\systemprofile\Start Menu\Programs\Total Security c:\windows\system32\config\systemprofile\Start Menu\Programs\Total Security\Total Security 2009.lnk c:\windows\system32\dddesot.dll c:\windows\system32\desote.exe c:\windows\system32\drivers\rotscxpgwmdipy.sys c:\windows\system32\drivers\smss.exe c:\windows\system32\onhelp.htm c:\windows\system32\rotscxbxnsenvs.dll c:\windows\system32\rotscxlkytlemp.dll c:\windows\system32\rotscxltargila.dat c:\windows\system32\rotscxrviycwxb.dll c:\windows\system32\rotscxtikosscv.dat c:\windows\system32\sonhelp.htm c:\windows\system32\sysnet.dat c:\windows\system32\tajf83ikdmf.dll c:\windows\system32\winhelper.dll c:\windows\system32\winupdate.exe E:\install.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_ANTIPPRO2009_100 -------\Legacy_rotscxsnppmbcj -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED} -------\Service_AntipPro2009_100 -------\Service_rotscxsnppmbcj ((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 ))))))))))))))))))))))))))))))) . 2009-09-14 22:43 . 2009-09-14 22:43 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-09-11 03:00 . 2009-09-11 03:02 0 ----a-w- c:\windows\system32\SBRC.dat 2009-09-10 18:36 . 2009-09-10 18:36 46080 ----a-w- C:\Win32kDiag.exe 2009-09-10 18:16 . 2009-09-10 18:16 75 ----a-w- C:\FixExe.reg 2009-09-10 18:04 . 2009-09-10 18:04 -------- d-----w- c:\documents and settings\production\Application Data\Malwarebytes 2009-09-10 18:04 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-10 18:04 . 2009-09-10 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-09-10 18:04 . 2009-09-10 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-09-10 18:04 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-09-10 17:59 . 2009-09-10 17:59 3942048 ----a-w- C:\mpro.exe 2009-09-10 16:52 . 2009-09-10 16:52 163840 ----a-w- c:\windows\svchasts.exe 2009-09-10 16:38 . 2009-09-10 16:38 91648 ----a-w- c:\documents and settings\production\gkccuo.exe 2009-09-10 13:49 . 2009-09-10 13:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS 2009-09-02 14:09 . 2009-03-27 04:20 200704 ----a-w- c:\windows\system32\ssleay32.dll 2009-09-02 14:09 . 2009-03-27 04:20 200704 ----a-w- c:\windows\system32\libssl32.dll 2009-09-02 14:09 . 2009-03-27 04:20 1017344 ----a-w- c:\windows\system32\libeay32.dll 2009-09-02 14:09 . 2009-09-02 14:09 -------- d-----w- C:\OpenSSL 2009-08-28 21:46 . 2009-08-28 21:46 -------- d-----w- c:\documents and settings\LocalService\Application Data\Automise3 2009-08-20 15:38 . 2009-08-20 15:38 93696 ----a-w- c:\documents and settings\production\WDTTNH.exe 2009-08-20 15:30 . 2009-08-20 15:30 311 ----a-w- c:\documents and settings\production\PRFYXU.bat 2009-08-18 14:03 . 2009-09-11 21:40 -------- d-----w- C:\Weight Optimizer . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-09-15 15:53 . 2009-01-24 19:36 -------- d-----w- c:\program files\LogMeIn 2009-09-15 15:44 . 2008-10-20 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-09-14 21:50 . 2009-01-22 18:05 -------- d-----w- c:\program files\SAAZOD 2009-09-14 15:34 . 2008-03-19 18:34 55292 ----a-w- c:\documents and settings\production\Application Data\wklnhst.dat 2009-09-14 13:41 . 2009-09-14 13:42 42496 ----a-w- c:\windows\system32\drivers\smss.exe_ 2009-09-11 06:29 . 2008-10-15 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-09-10 16:41 . 2008-03-05 17:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-09-10 16:38 . 2008-04-18 00:56 104 --sh--r- c:\windows\system32\E9B42D69D1.sys 2009-09-10 16:38 . 2008-04-18 00:56 6216 --sha-w- c:\windows\system32\KGyGaAvL.sys 2009-09-10 13:47 . 2009-01-24 19:36 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll 2009-09-10 13:47 . 2009-01-24 19:36 28984 ----a-w- c:\windows\system32\LMIport.dll 2009-09-10 13:47 . 2007-11-16 02:46 11552 ----a-w- c:\windows\system32\lmimirr2.dll 2009-09-10 13:47 . 2009-01-24 19:36 87352 ----a-w- c:\windows\system32\LMIinit.dll 2009-09-10 13:47 . 2007-11-16 02:46 25248 ----a-w- c:\windows\system32\lmimirr.dll 2009-09-02 13:53 . 2009-01-23 14:40 -------- d-----w- c:\program files\SetupLogs 2009-09-02 13:42 . 2009-01-23 14:41 -------- d-----w- c:\program files\Common Files\VSoft 2009-08-26 14:41 . 2008-03-05 17:34 -------- d-----w- c:\program files\Common Files\InstallShield 2009-08-26 14:41 . 2008-03-05 17:32 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-08-18 14:06 . 2008-04-07 15:34 -------- d-----w- c:\program files\Dl_cats 2009-07-31 16:34 . 2008-10-20 23:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-07-31 16:34 . 2008-10-20 23:51 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-07-31 16:34 . 2008-10-20 23:51 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-07-29 01:01 . 2008-03-18 15:53 -------- d-----w- c:\documents and settings\production\Application Data\U3 2009-07-29 00:22 . 2009-07-29 00:22 -------- d-----w- c:\documents and settings\production\Application Data\Optical Measuring Systems 2009-07-24 06:18 . 2008-03-05 17:37 -------- d-----w- c:\program files\Microsoft Works . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008] "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920] "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920] "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-05 1838592] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336] "MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008] "FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200] "Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496] "DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-12 2007832] "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152] "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472] "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 188416] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792] "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageServer\TrueImageMonitor.exe" [2007-05-10 1129176] "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageServer\TimounterMonitor.exe" [2007-05-10 1866376] "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-05-10 140832] "SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2009-06-10 668968] "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-06-14 16132608] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-3-5 7168] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) "NoActiveDesktopChanges"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-07-31 16:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2009-09-10 13:47 87352 ----a-w- c:\windows\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\dlcxcoms.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol "10426:UDP"= 10426:UDP:SingleClick ICC "135:TCP"= 135:TCP:TCP Port 135 "5000:TCP"= 5000:TCP:TCP Port 5000 "5001:TCP"= 5001:TCP:TCP Port 5001 "5002:TCP"= 5002:TCP:TCP Port 5002 "5003:TCP"= 5003:TCP:TCP Port 5003 "5004:TCP"= 5004:TCP:TCP Port 5004 "5005:TCP"= 5005:TCP:TCP Port 5005 "5006:TCP"= 5006:TCP:TCP Port 5006 "5007:TCP"= 5007:TCP:TCP Port 5007 "5008:TCP"= 5008:TCP:TCP Port 5008 "5009:TCP"= 5009:TCP:TCP Port 5009 "5010:TCP"= 5010:TCP:TCP Port 5010 "5011:TCP"= 5011:TCP:TCP Port 5011 "5012:TCP"= 5012:TCP:TCP Port 5012 "5013:TCP"= 5013:TCP:TCP Port 5013 "5014:TCP"= 5014:TCP:TCP Port 5014 "5015:TCP"= 5015:TCP:TCP Port 5015 "5016:TCP"= 5016:TCP:TCP Port 5016 "5017:TCP"= 5017:TCP:TCP Port 5017 "5018:TCP"= 5018:TCP:TCP Port 5018 "5019:TCP"= 5019:TCP:TCP Port 5019 "5020:TCP"= 5020:TCP:TCP Port 5020 R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/20/2008 4:51 PM 12552] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/20/2008 4:51 PM 335240] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/20/2008 4:51 PM 108552] R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [6/12/2009 6:52 AM 202928] R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [8/23/2007 5:29 PM 5376] R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856] R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [1/24/2009 12:36 PM 47640] R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\SAAZOD\SAAZDPMACTL.EXE [9/2/2009 6:41 AM 81920] R2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\SAAZOD\SAAZRemoteSupport.exe [9/2/2009 6:41 AM 73728] R2 SAAZScheduler;SAAZScheduler;c:\progra~1\SAAZOD\SAAZScheduler.exe [9/2/2009 6:41 AM 77824] R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\SAAZOD\SAAZServerPlus.exe [11/21/2006 3:18 PM 77824] R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\\SAAZWatchDog --> c:\progra~1\SAAZOD\\SAAZWatchDog [?] S2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [6/10/2009 6:00 AM 980264] S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/30/2009 1:56 PM 93360] S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/12/2009 10:09 AM 297752] S4 LMIRfsClientNP;LMIRfsClientNP; [x] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3af5e2e6-5783-11de-a39b-001d0988001c}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL dIana.ExE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f366060-04b7-11dd-b3ea-001d0988001c}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL XouuZ.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c95ad2d2-f500-11dc-b3e1-001d0988001c}] \Shell\AutoRun\command - F:\LaunchU3.exe -a . Contents of the 'Scheduled Tasks' folder . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.gocurrency.com/v2/dorate.php?inV=1&from=USD&to=MXN&Calculate=Convert IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 . - - - - ORPHANS REMOVED - - - - HKCU-Run-production - c:\documents and settings\production\production.exe HKCU-Run-feilor - c:\documents and settings\production\feilor.exe HKCU-Run-PopRock - c:\docume~1\PRODUC~1\LOCALS~1\Temp\a.exe HKCU-Run-xouuz - c:\documents and settings\production\xouuz.exe HKLM-Run-16620154 - c:\documents and settings\All Users\Application Data\16620154\16620154.exe AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-15 08:53 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAAZWatchDog] "ImagePath"="c:\progra~1\SAAZOD\\SAAZWatchDog" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(836) c:\windows\system32\LMIinit.dll c:\windows\system32\LMIRfsClientNP.dll - - - - - - - > 'lsass.exe'(892) c:\windows\system32\relog_ap.dll - - - - - - - > 'explorer.exe'(3316) c:\windows\system32\mshtml.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\Roxio\Drag-to-Disc\Shellex.dll c:\windows\system32\DLAAPI_W.DLL c:\windows\system32\CDRTC.DLL c:\program files\Roxio\Drag-to-Disc\ShellRes.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\progra~1\AVG\AVG8\avgrsx.exe c:\program files\Common Files\Acronis\Schedule2\schedul2.exe c:\windows\system32\dlcxcoms.exe c:\program files\Dell Network Assistant\hnm_svc.exe c:\program files\LogMeIn\x86\ramaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\LogMeIn\x86\LMIGuardian.exe c:\progra~1\SAAZOD\RMHLPDSK.exe c:\progra~1\SAAZOD\SAAZWatchDog.exe c:\program files\RealVNC\VNC4\WinVNC4.exe c:\windows\system32\igfxsrvc.exe c:\program files\LogMeIn\x86\LMIGuardian.exe c:\program files\Dell Network Assistant\ezi_hnm2.exe . ************************************************************************** . Completion time: 2009-09-15 8:56 - machine was rebooted [production] ComboFix-quarantined-files.txt 2009-09-15 15:56 Pre-Run: 147,531,337,728 bytes free Post-Run: 146,722,418,688 bytes free 321 --- E O F --- 2009-05-20 14:07

I can get Malwarebytes to start from a fresh install by renaming the .exe file. When the program is installed I select to update and run MWB. The scan will run for about 2 seconds, then close. If I try to run MWB from then application once it has been installed I get the following errors. Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item. This computer has the Windows Police Pro malware on it. I have killed the processes, deleted the folder in program files and rebooted in safe mode. Still not able to finish a MWB scan.