JKREAM

Members: 12 posts, reputation 0 (Neutral)
  1. THANKS A LOT - I APPRECIATE ALL YOUR HELP
  2. Pstpassword.exe isn't an installer - I think it's a tool I used to recover a pst file with a lost pwd once. The PC seems fine - thanks - is there anything else I need to do?
  3. Kaspersky just scans, correct? It didn't seem to resolve anything it found:

     KASPERSKY ONLINE SCANNER 7.0: scan report
     Thursday, May 27, 2010
     Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
     Kaspersky Online Scanner version: 7.0.26.13
     Last database update: Thursday, May 27, 2010 11:44:39
     Records in database: 4188194

     Scan settings
       scan using the following database  extended
       Scan archives  yes
       Scan e-mail databases  yes

     Scan area  My Computer
       A:\
       C:\
       D:\
       E:\

     Scan statistics
       Objects scanned  84225
       Threats found  4
       Infected objects found  9
       Suspicious objects found  0
       Scan duration  03:11:38

     File name  Threat  Threats count
       C:\Documents and Settings\jokream\Desktop\PstPassword.exe  Infected: not-a-virus:PSWTool.Win32.WinPassViewer.m  1
       C:\Documents and Settings\jokream\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst  Infected: Trojan-Spy.Win32.Goldun.ayt  1
       C:\Documents and Settings\jokream\Local Settings\Application Data\Microsoft\Outlook\outlook2.pst  Infected: Trojan-Spy.Win32.Goldun.ayt  1
       C:\Program Files\LogMeIn\update\2-30-517.bak\ramaint.exe  Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a  1
       C:\Program Files\LogMeIn\update\2-30-537.bak\LogMeIn.exe  Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.i  1
       C:\Program Files\LogMeIn\update\2-30-537.bak\ramaint.exe  Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a  1
       C:\Program Files\LogMeIn\update\2-30-547.bak\LMIinit.dll  Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a  1
       C:\Program Files\LogMeIn\update\2-30-547.bak\LogMeIn.exe  Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a  1
       C:\Program Files\LogMeIn\update\2-30-547.bak\ramaint.exe  Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a  1

     Selected area has been scanned.

     Here is the new DDS:

     DDS (Ver_10-03-17.01) - NTFSx86
     Run by jokream at 14:28:24.20 on Thu 05/27/2010
     Internet Explorer: 6.0.2900.5512  BrowserJavaVersion: 1.6.0_20
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2288 [GMT -4:00]

     AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
     AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

     ============== Running Processes ===============

     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k eapsvcs
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k dot3svc
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
     C:\Program Files\LogMeIn\x86\RaMaint.exe
     C:\Program Files\LogMeIn\x86\LogMeIn.exe
     C:\Program Files\LogMeIn\x86\LMIGuardian.exe
     C:\WINDOWS\system32\nvsvc32.exe
     C:\WINDOWS\System32\svchost.exe -k imgsvc
     C:\Program Files\UPHClean\uphclean.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
     C:\Program Files\Microsoft Security Essentials\msseces.exe
     C:\WINDOWS\system32\NWTRAY.EXE
     C:\WINDOWS\system32\rundll32.exe
     C:\Program Files\LogMeIn\x86\LMIGuardian.exe
     C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     C:\Program Files\Cactus Spam Filter 3.00\cactusspamfilter.exe
     C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
     C:\HP Universal Print Driver v5.0.3 for Windows - PCL 6\hpmup094.bin
     C:\WINDOWS\System32\svchost.exe -k HPZ12
     C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
     C:\IMASTER\FVIEW32.EXE
     C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\Program Files\Java\jre6\bin\java.exe
     C:\Documents and Settings\jokream\Local Settings\temp\jkos-jokream\binaries\ScanningProcess.exe
     C:\Documents and Settings\jokream\Local Settings\temp\jkos-jokream\binaries\ScanningProcess.exe
     C:\Documents and Settings\jokream\Local Settings\temp\jkos-jokream\binaries\ScanningProcess.exe
     C:\Documents and Settings\jokream\Local Settings\temp\jkos-jokream\binaries\ScanningProcess.exe
     C:\Documents and Settings\jokream\Desktop\UNI\dds.scr

     ============== Pseudo HJT Report ===============

     uStart Page = about:blank
     uDefault_Search_URL = hxxp://www.google.com/ie
     uInternet Settings,ProxyOverride = <local>
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
     BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
     BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
     EB: {32004B8A-44A9-43E7-84E9-808838809519} - No File
     EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
     uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
     uRun: [com.codeode.cactusspamfilter] "c:\program files\cactus spam filter 3.00\cactusspamfilter.exe" -minimized
     mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
     mRun: [nwiz] nwiz.exe /install
     mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
     mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
     mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
     mRun: [NWTRAY] NWTRAY.EXE
     mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
     mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
     dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
     mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
     IE: &Dial with CTI DATA CONNECTOR ENTERPRISE EDITION - file://c:\documents and settings\jokream\application data\cdc\CDCWebDial.html
     IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
     IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
     IE: Open PDF in Word (PDF Converter 2.0) - c:\program files\scansoft\pdf converter 2.0 professional\pdfconv\IEShellExt.dll /100
     IE: Open with WordPerfect - c:\program files\corelx4\wordperfect office x4\programs\WPLauncher.hta
     IE:

     Attach.zip
  4. Maybe it just found the quarantined copy in the Qoobox directory:

     Microsoft Security Essentials encountered the following error: Error code 0x800704ec. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
     Category: Virus
     Description: This program is dangerous and replicates by infecting other files.
     Recommendation: Remove this software immediately.
     Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.
     Items: file:C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\kbdhid.sys.vir
     Get more information about this item online.

     So am I completely clean, then? Besides practicing Safer computing, is there anything else I should do now?
  5. Malwarebytes found nothing:

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org

     Database version: 4139
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 6.0.2900.5512

     5/24/2010 9:42:02 PM
     mbam-log-2010-05-24 (21-42-02).txt

     Scan type: Quick scan
     Objects scanned: 127003
     Time elapsed: 7 minute(s), 10 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     DDS.txt

     DDS (Ver_10-03-17.01) - NTFSx86
     Run by jokream at 21:53:48.71 on Mon 05/24/2010
     Internet Explorer: 6.0.2900.5512
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2457 [GMT -4:00]

     AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
     AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

     ============== Running Processes ===============

     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k eapsvcs
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k dot3svc
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
     C:\Program Files\LogMeIn\x86\RaMaint.exe
     C:\Program Files\Google\Update\GoogleUpdate.exe
     C:\Program Files\LogMeIn\x86\LogMeIn.exe
     C:\Program Files\LogMeIn\x86\LMIGuardian.exe
     C:\WINDOWS\system32\nvsvc32.exe
     C:\WINDOWS\System32\svchost.exe -k imgsvc
     C:\Program Files\UPHClean\uphclean.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
     C:\Program Files\Microsoft Security Essentials\msseces.exe
     C:\WINDOWS\system32\NWTRAY.EXE
     C:\WINDOWS\system32\rundll32.exe
     C:\Program Files\LogMeIn\x86\LMIGuardian.exe
     C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     C:\Program Files\Cactus Spam Filter 3.00\cactusspamfilter.exe
     C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
     C:\IMASTER\FVIEW32.EXE
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\Program Files\LogMeIn\x86\LogMeIn.exe
     C:\Documents and Settings\jokream\Desktop\UNI\dds.scr

     ============== Pseudo HJT Report ===============

     uStart Page = about:blank
     uDefault_Search_URL = hxxp://www.google.com/ie
     uInternet Settings,ProxyOverride = <local>
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
     BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
     BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
     TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
     EB: {32004B8A-44A9-43E7-84E9-808838809519} - No File
     EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
     uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
     uRun: [com.codeode.cactusspamfilter] "c:\program files\cactus spam filter 3.00\cactusspamfilter.exe" -minimized
     mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
     mRun: [nwiz] nwiz.exe /install
     mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
     mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
     mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
     mRun: [NWTRAY] NWTRAY.EXE
     dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
     mPolicies-explorer: NoActiveDesktop = 1 (0x1)
     mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
     IE: &Dial with CTI DATA CONNECTOR ENTERPRISE EDITION - file://c:\documents and settings\jokream\application data\cdc\CDCWebDial.html
     IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
     IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
     IE: Open PDF in Word (PDF Converter 2.0) - c:\program files\scansoft\pdf converter 2.0 professional\pdfconv\IEShellExt.dll /100
     IE: Open with WordPerfect - c:\program files\corelx4\wordperfect office x4\programs\WPLauncher.hta
     IE:

     Attach.zip
  6. During the Malwarebytes scan Microsoft Security Essentials detected Alureon.H - I clicked on 'Remove' - that shouldn't have come up - should it? I doubt MSE was able to remove it; it never was before. Malwarebytes shows zero objects infected.
  7. Ok, I'll run Malwarebytes now. Did that last ComboFix run kill Alureon? Now I'm just looking for the subordinate malware that was hidden from Malwarebytes while Alureon was active? Side note, and maybe Malwarebytes will fix this now, but I've noticed seemingly unimportant changes to settings in my MS Outlook: views, settings on how it deals with incoming messages changing without explanation, and my default browser switched from Firefox to IE. The browser redirects seem to be gone though.
  8. Thanks, here is the new ComboFix log:

     ComboFix 10-05-22.01 - jokream 05/24/2010 8:17.3.4 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2837 [GMT -4:00]
     Running from: c:\documents and settings\jokream\Desktop\UNI\ComboFix.exe
     Command switches used :: c:\documents and settings\jokream\Desktop\UNI\CFScript.txt
     * Created a new restore point
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     Infected copy of c:\windows\System32\DRIVERS\kbdhid.sys was found and disinfected
     Restored copy from - Kitty had a snack
     .
     ((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
     .
     2010-05-17 17:03 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
     2010-05-17 17:03 . 2010-05-17 17:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
     2010-05-17 16:26 . 2010-05-17 16:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
     2010-05-17 16:26 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
     2010-05-17 15:39 . 2010-05-17 15:39 -------- d-----w- c:\windows\RestoreSafeDeleted
     2010-05-17 15:33 . 2010-05-17 15:33 2 --shatr- c:\windows\winstart.bat
     2010-05-17 15:32 . 2010-05-17 16:05 -------- d-----w- c:\program files\UnHackMe
     2010-05-17 12:16 . 2010-05-17 12:16 63488 ----a-w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
     2010-05-17 12:16 . 2010-05-17 12:16 52224 ----a-w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
     2010-05-17 12:15 . 2010-05-17 12:16 117760 ----a-w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
     2010-05-17 12:15 .
2010-05-17 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com 2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2010-05-14 19:32 . 2010-05-14 19:32 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys 2010-05-14 19:24 . 2010-05-14 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro 2010-05-14 19:24 . 2010-05-14 19:24 -------- d-----w- c:\program files\Hitman Pro 3.5 2010-05-13 14:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-05-13 14:37 . 2010-05-13 14:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-13 14:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-05-12 18:45 . 2010-05-12 18:45 -------- d-s---w- c:\documents and settings\LocalService\UserData 2010-05-12 15:41 . 2010-05-12 15:41 96512 ----a-w- c:\windows\system32\drivers\iijedsve.sys 2010-05-12 12:15 . 2010-05-12 16:14 -------- d-----w- c:\windows\system32\MpEngineStore 2010-05-11 14:10 . 2010-05-11 14:10 -------- d-s---w- c:\documents and settings\NetworkService\UserData 2010-05-04 13:31 . 2010-05-04 13:31 -------- d-----w- c:\windows\Performance 2010-05-04 13:31 . 2010-05-04 13:31 -------- d-----w- c:\documents and settings\jokream\Local Settings\Application Data\Microsoft Corporation 2010-05-04 13:31 . 2010-05-04 13:31 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor 2010-04-28 12:11 . 2010-04-27 19:41 650240 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll . 
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-05-24 04:02 . 2005-12-08 21:06 -------- d-----w- c:\program files\LogMeIn 2010-05-21 14:05 . 2005-12-12 14:32 -------- d-----w- c:\program files\Google 2010-05-20 14:15 . 2010-01-05 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\LDM 2010-05-20 13:54 . 2005-12-11 00:58 102904 ----a-w- c:\documents and settings\jokream\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-05-18 15:01 . 2009-04-23 17:20 -------- d-----w- c:\documents and settings\jokream\Application Data\CoreFTP 2010-05-17 17:04 . 2005-12-08 20:02 96512 ----a-w- c:\windows\system32\drivers\atapi.sys 2010-05-17 16:26 . 2005-12-08 20:58 -------- d-----w- c:\program files\Lavasoft 2010-05-17 16:26 . 2008-01-23 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft 2010-05-17 16:03 . 2005-12-08 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-05-17 14:47 . 2006-02-03 16:54 -------- d-----w- c:\program files\Java 2010-05-13 19:39 . 2006-08-09 13:03 -------- d-----w- c:\program files\CCleaner 2010-05-13 15:01 . 2009-12-14 15:59 -------- d-----w- c:\program files\PayWindow Payroll 2010-05-13 15:01 . 2006-03-27 14:30 -------- d-----w- c:\documents and settings\jokream\Application Data\paywin 2010-05-13 13:16 . 2007-04-12 19:41 -------- d-----w- c:\program files\PrintConductor 2010-05-06 14:36 . 2009-11-12 13:48 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-05-04 15:22 . 2008-08-06 16:21 -------- d-----w- c:\documents and settings\jokream\Application Data\Download Manager 2010-04-23 18:25 . 2010-04-23 18:25 -------- d-----w- c:\documents and settings\jokream\Application Data\com.codeode 2010-04-23 18:10 . 2010-04-23 18:05 -------- d-----w- c:\documents and settings\jokream\Application Data\MailWasherFree 2010-04-23 18:09 . 
2010-04-23 18:09 -------- d-----w- c:\program files\Cactus Spam Filter 3.00 2010-04-14 16:52 . 2010-04-14 16:52 -------- d-----w- c:\program files\Pale Moon project 2010-04-07 16:35 . 2005-12-08 22:10 -------- d-----w- c:\program files\Corel 2010-04-07 15:56 . 2009-07-31 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel 2010-04-07 14:12 . 2008-12-01 14:35 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys 2010-03-17 21:39 . 2010-03-23 15:55 659456 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe 2010-03-11 08:03 . 2010-03-11 08:03 103296 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-03-09 11:09 . 2001-08-23 12:00 430080 ------w- c:\windows\system32\vbscript.dll 2010-03-03 15:14 . 2010-03-03 15:14 651776 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\5rnnus1f.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll 2010-02-26 05:43 . 2004-01-08 20:23 667136 ----a-w- c:\windows\system32\wininet.dll 2010-02-26 05:43 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll 2010-02-24 13:11 . 2001-08-23 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2005-09-09 23:55 . 2006-01-27 16:33 7155864 ----a-w- c:\program files\NGhost10.msi 2005-09-09 23:55 . 2006-01-27 16:33 35 ----a-w- c:\program files\SCSSDist.ini 2005-09-09 23:55 . 2006-01-27 16:33 37766164 ----a-w- c:\program files\Data1.cab 2007-08-09 17:08 . 2007-04-11 11:54 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll 2007-08-09 17:10 . 2007-04-11 11:54 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible] @="{3DBF5F01-3287-46EB-82CF-45AA5C241162}" [HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}] 2009-10-09 18:53 613496 ----a-w- c:\windows\system32\PGPfsshl.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480] "com.codeode.cactusspamfilter"="c:\program files\Cactus Spam Filter 3.00\cactusspamfilter.exe" [2009-11-08 1053184] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048] "nwiz"="nwiz.exe" [2004-08-03 917504] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-08-03 4493312] "NvMediaCenter"="NvMCTray.dll" [2004-08-03 86016] "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208] "NWTRAY"="NWTRAY.EXE" [2002-03-12 28672] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] c:\documents and settings\All Users\Start Menu\Programs\Startup\ APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-3-1 221295] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "CompatibleRUPSecurity"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2009-10-07 12:25 87352 ----a-w- c:\windows\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0 Notification Packages REG_MULTI_SZ PGPpwflt [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WZCSVC"=2 (0x2) "WmdmPmSN"=3 (0x3) "WebClient"=2 (0x2) "TlntSvr"=3 (0x3) "TermService"=3 (0x3) "SysmonLog"=3 (0x3) "srservice"=2 (0x2) "SENS"=2 (0x2) "SCardSvr"=3 (0x3) "RemoteRegistry"=2 (0x2) "RDSessMgr"=3 (0x3) "RasMan"=3 (0x3) "RasAuto"=3 (0x3) "IDriverT"=3 (0x3) "helpsvc"=2 (0x2) "FastUserSwitchingCompatibility"=3 (0x3) "Eventlog"=2 (0x2) "ERSvc"=2 (0x2) "cisvc"=3 (0x3) "gusvc"=3 (0x3) "W32Time"=2 (0x2) "VSS"=3 (0x3) "Themes"=2 (0x2) "SwPrv"=3 (0x3) "stllssvr"=3 (0x3) "SQLWriter"=2 (0x2) "SharedAccess"=2 (0x2) "RoxWatch9"=2 (0x2) "RoxMediaDB9"=3 (0x3) "PSI_SVC_2"=2 (0x2) "Pml Driver HPZ12"=2 (0x2) "Net Driver HPZ12"=2 (0x2) "MSSQLSERVER"=2 (0x2) "MSSQL$SQLEXPRESS"=2 (0x2) "mnmsrvc"=3 (0x3) "LanmanServer"=2 (0x2) "JavaQuickStarterService"=2 (0x2) "iPod Service"=3 (0x3) "idsvc"=3 (0x3) "FontCache3.0.0.0"=3 (0x3) "cusrvc"=3 (0x3) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Toshiba CTX TAPI Service Provider\\NHSTAPIServer.exe"= "c:\\TSP for BPCI\\program 
files\\Toshiba BPCI TAPI Service Provider\\NHSTAPIServer.exe"= "c:\\Program Files\\Toshiba BPCI TAPI Service Provider\\NHSTAPIServer.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/17/2010 1:03 PM 64288] R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [10/9/2009 2:53 PM 136312] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [6/12/2007 8:41 AM 12856] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2010 3:22 PM 135664] S2 NHSUSB;NHSUSB;c:\windows\system32\drivers\WINDRVR.SYS --> c:\windows\system32\drivers\WINDRVR.SYS [?] S4 CASMsgEngine;CA BrightStor Message Engine;c:\program files\CA\BrightStor ARCserve Backup\msgeng.exe [2/28/2007 3:54 PM 41026] S4 HPWJAService;HPWJA Service;c:\program files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe [9/12/2007 5:39 PM 28672] S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1291544] S4 MSSQL$HPWJA;SQL Server (HPWJA);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 9:29 AM 29178224] --- Other Services/Drivers In Memory --- *Deregistered* - uphcleanhlp [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . 
Contents of the 'Scheduled Tasks' folder 2010-05-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:02] 2010-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cadc07ed895484.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 19:22] 2010-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-492894223-682003330-1003Core.job - c:\documents and settings\jokream\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 15:36] 2010-05-24 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02] 2009-06-26 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 02:18] . . ------- Supplementary Scan ------- . uStart Page = about:blank uDefault_Search_URL = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = <local> uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Dial with CTI DATA CONNECTOR ENTERPRISE EDITION - file://c:\documents and settings\jokream\Application Data\CDC\CDCWebDial.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html IE: Open PDF in Word (PDF Converter 2.0) - c:\program files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\IEShellExt.dll /100 IE: Open with WordPerfect - c:\program files\CorelX4\WordPerfect Office X4\Programs\WPLauncher.hta IE:
  9. Ok, here is the ComboFix log. Thanks again for your help. ComboFix insists that McAfee VirusScan Enterprise and MS Security Essentials were running - but I uninstalled McAfee months ago, and ran their cleaner removal tool to be sure, and I killed MS Security Essentials from the Services panel and then in Task Manager, and I confirmed they were not actually running with Sysinternals Process Explorer, so I felt comfortable running ComboFix despite the warning to the contrary. ComboFix experienced no errors, and given that a catastrophic error means a format and rebuild, which is what I'm looking at anyway unless we're successful, I was comfortable with the risk. This PC really has very little actual data stored locally that I would lose under those circumstances.

     ComboFix 10-05-20.A1 - jokream 05/21/2010 8:59.2.4 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2964 [GMT -4:00]
     Running from: c:\documents and settings\jokream\Desktop\UNI\ComboFix.exe
     AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
     AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
     * Created a new restore point
     .
     ((((((((((((((((((((((((( Files Created from 2010-04-21 to 2010-05-21 )))))))))))))))))))))))))))))))
     .
     2010-05-17 17:03 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
     2010-05-17 17:03 . 2010-05-17 17:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
     2010-05-17 16:26 . 2010-05-17 16:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
     2010-05-17 16:26 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
     2010-05-17 15:39 . 2010-05-17 15:39 -------- d-----w- c:\windows\RestoreSafeDeleted
     2010-05-17 15:33 .
2010-05-17 15:33 2 --shatr- c:\windows\winstart.bat 2010-05-17 15:32 . 2010-05-17 16:05 -------- d-----w- c:\program files\UnHackMe 2010-05-17 12:16 . 2010-05-17 12:16 63488 ----a-w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll 2010-05-17 12:16 . 2010-05-17 12:16 52224 ----a-w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-05-17 12:15 . 2010-05-17 12:16 117760 ----a-w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com 2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2010-05-14 19:32 . 2010-05-14 19:32 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys 2010-05-14 19:24 . 2010-05-14 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro 2010-05-14 19:24 . 2010-05-14 19:24 -------- d-----w- c:\program files\Hitman Pro 3.5 2010-05-13 14:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-05-13 14:37 . 2010-05-13 14:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-13 14:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-05-12 18:45 . 2010-05-12 18:45 -------- d-s---w- c:\documents and settings\LocalService\UserData 2010-05-12 15:41 . 2010-05-12 15:41 96512 ----a-w- c:\windows\system32\drivers\iijedsve.sys 2010-05-12 12:15 . 2010-05-12 16:14 -------- d-----w- c:\windows\system32\MpEngineStore 2010-05-11 14:10 . 
2010-05-11 14:10 -------- d-s---w- c:\documents and settings\NetworkService\UserData 2010-05-04 13:31 . 2010-05-04 13:31 -------- d-----w- c:\windows\Performance 2010-05-04 13:31 . 2010-05-04 13:31 -------- d-----w- c:\documents and settings\jokream\Local Settings\Application Data\Microsoft Corporation 2010-05-04 13:31 . 2010-05-04 13:31 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor 2010-04-28 12:11 . 2010-04-27 19:41 650240 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll 2010-04-28 12:10 . 2010-03-26 14:33 43008 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll 2010-04-28 12:10 . 2010-03-26 14:33 339456 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll 2010-04-28 12:10 . 2010-03-26 14:33 1496064 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll 2010-04-28 12:10 . 2010-03-26 14:32 346112 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll 2010-04-23 18:25 . 2010-04-23 18:25 -------- d-----w- c:\documents and settings\jokream\Application Data\com.codeode 2010-04-23 18:09 . 2010-04-23 18:09 -------- d-----w- c:\program files\Cactus Spam Filter 3.00 2010-04-23 18:05 . 2010-04-23 18:10 -------- d-----w- c:\documents and settings\jokream\Application Data\MailWasherFree 2010-04-21 14:38 . 2006-05-05 20:56 77824 ----a-w- c:\windows\system32\DellSPMsg.dll . 
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-05-21 12:36 . 2005-12-08 21:06 -------- d-----w- c:\program files\LogMeIn 2010-05-20 14:15 . 2010-01-05 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\LDM 2010-05-20 13:54 . 2005-12-11 00:58 102904 ----a-w- c:\documents and settings\jokream\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-05-18 15:01 . 2009-04-23 17:20 -------- d-----w- c:\documents and settings\jokream\Application Data\CoreFTP 2010-05-17 17:04 . 2005-12-08 20:02 96512 ----a-w- c:\windows\system32\drivers\atapi.sys 2010-05-17 16:26 . 2005-12-08 20:58 -------- d-----w- c:\program files\Lavasoft 2010-05-17 16:26 . 2008-01-23 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft 2010-05-17 16:03 . 2005-12-08 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-05-17 14:47 . 2006-02-03 16:54 -------- d-----w- c:\program files\Java 2010-05-13 19:39 . 2006-08-09 13:03 -------- d-----w- c:\program files\CCleaner 2010-05-13 15:01 . 2009-12-14 15:59 -------- d-----w- c:\program files\PayWindow Payroll 2010-05-13 15:01 . 2006-03-27 14:30 -------- d-----w- c:\documents and settings\jokream\Application Data\paywin 2010-05-13 13:16 . 2007-04-12 19:41 -------- d-----w- c:\program files\PrintConductor 2010-05-06 14:36 . 2009-11-12 13:48 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-05-04 15:22 . 2008-08-06 16:21 -------- d-----w- c:\documents and settings\jokream\Application Data\Download Manager 2010-04-14 19:22 . 2005-12-12 14:32 -------- d-----w- c:\program files\Google 2010-04-14 16:52 . 2010-04-14 16:52 -------- d-----w- c:\program files\Pale Moon project 2010-04-07 16:35 . 2005-12-08 22:10 -------- d-----w- c:\program files\Corel 2010-04-07 15:56 . 2009-07-31 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel 2010-04-07 14:12 . 
2008-12-01 14:35 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys 2010-03-17 21:39 . 2010-03-23 15:55 659456 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe 2010-03-11 08:03 . 2010-03-11 08:03 103296 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-03-09 11:09 . 2001-08-23 12:00 430080 ------w- c:\windows\system32\vbscript.dll 2010-03-03 15:14 . 2010-03-03 15:14 651776 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\5rnnus1f.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll 2010-02-26 05:43 . 2004-01-08 20:23 667136 ----a-w- c:\windows\system32\wininet.dll 2010-02-26 05:43 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll 2010-02-24 13:11 . 2001-08-23 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2005-09-09 23:55 . 2006-01-27 16:33 7155864 ----a-w- c:\program files\NGhost10.msi 2005-09-09 23:55 . 2006-01-27 16:33 35 ----a-w- c:\program files\SCSSDist.ini 2005-09-09 23:55 . 2006-01-27 16:33 37766164 ----a-w- c:\program files\Data1.cab 2007-08-09 17:08 . 2007-04-11 11:54 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll 2007-08-09 17:10 . 2007-04-11 11:54 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible] @="{3DBF5F01-3287-46EB-82CF-45AA5C241162}" [HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}] 2009-10-09 18:53 613496 ----a-w- c:\windows\system32\PGPfsshl.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480] "com.codeode.cactusspamfilter"="c:\program files\Cactus Spam Filter 3.00\cactusspamfilter.exe" [2009-11-08 1053184] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048] "nwiz"="nwiz.exe" [2004-08-03 917504] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-08-03 4493312] "NvMediaCenter"="NvMCTray.dll" [2004-08-03 86016] "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208] "NWTRAY"="NWTRAY.EXE" [2002-03-12 28672] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] c:\documents and settings\All Users\Start Menu\Programs\Startup\ APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-3-1 221295] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "CompatibleRUPSecurity"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2009-10-07 12:25 87352 ----a-w- c:\windows\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0 Notification Packages REG_MULTI_SZ PGPpwflt [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WZCSVC"=2 (0x2) "WmdmPmSN"=3 (0x3) "WebClient"=2 (0x2) "TlntSvr"=3 (0x3) "TermService"=3 (0x3) "SysmonLog"=3 (0x3) "srservice"=2 (0x2) "SENS"=2 (0x2) "SCardSvr"=3 (0x3) "RemoteRegistry"=2 (0x2) "RDSessMgr"=3 (0x3) "RasMan"=3 (0x3) "RasAuto"=3 (0x3) "IDriverT"=3 (0x3) "helpsvc"=2 (0x2) "FastUserSwitchingCompatibility"=3 (0x3) "Eventlog"=2 (0x2) "ERSvc"=2 (0x2) "cisvc"=3 (0x3) "gusvc"=3 (0x3) "W32Time"=2 (0x2) "VSS"=3 (0x3) "Themes"=2 (0x2) "SwPrv"=3 (0x3) "stllssvr"=3 (0x3) "SQLWriter"=2 (0x2) "SharedAccess"=2 (0x2) "RoxWatch9"=2 (0x2) "RoxMediaDB9"=3 (0x3) "PSI_SVC_2"=2 (0x2) "Pml Driver HPZ12"=2 (0x2) "Net Driver HPZ12"=2 (0x2) "MSSQLSERVER"=2 (0x2) "MSSQL$SQLEXPRESS"=2 (0x2) "mnmsrvc"=3 (0x3) "LanmanServer"=2 (0x2) "JavaQuickStarterService"=2 (0x2) "iPod Service"=3 (0x3) "idsvc"=3 (0x3) "FontCache3.0.0.0"=3 (0x3) "cusrvc"=3 (0x3) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Toshiba CTX TAPI Service Provider\\NHSTAPIServer.exe"= "c:\\TSP for BPCI\\program files\\Toshiba 
BPCI TAPI Service Provider\\NHSTAPIServer.exe"= "c:\\Program Files\\Toshiba BPCI TAPI Service Provider\\NHSTAPIServer.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/17/2010 1:03 PM 64288] R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [10/9/2009 2:53 PM 136312] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [6/12/2007 8:41 AM 12856] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2010 3:22 PM 135664] S2 NHSUSB;NHSUSB;c:\windows\system32\drivers\WINDRVR.SYS --> c:\windows\system32\drivers\WINDRVR.SYS [?] S4 CASMsgEngine;CA BrightStor Message Engine;c:\program files\CA\BrightStor ARCserve Backup\msgeng.exe [2/28/2007 3:54 PM 41026] S4 HPWJAService;HPWJA Service;c:\program files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe [9/12/2007 5:39 PM 28672] S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1291544] S4 MSSQL$HPWJA;SQL Server (HPWJA);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 9:29 AM 29178224] --- Other Services/Drivers In Memory --- *Deregistered* - uphcleanhlp [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . 
Contents of the 'Scheduled Tasks' folder 2010-05-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:02] 2010-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cadc07ed895484.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 19:22] 2010-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-492894223-682003330-1003Core.job - c:\documents and settings\jokream\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 15:36] 2010-05-21 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02] 2009-06-26 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 02:18] . . ------- Supplementary Scan ------- . uStart Page = about:blank uDefault_Search_URL = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = <local> uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Dial with CTI DATA CONNECTOR ENTERPRISE EDITION - file://c:\documents and settings\jokream\Application Data\CDC\CDCWebDial.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html IE: Open PDF in Word (PDF Converter 2.0) - c:\program files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\IEShellExt.dll /100 IE: Open with WordPerfect - c:\program files\CorelX4\WordPerfect Office X4\Programs\WPLauncher.hta IE:
  10. OTL.txt OTL logfile created on: 5/18/2010 8:17:02 PM - Run 1 OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\jokream\Desktop\UNI Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 6.0.2900.5512) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free 7.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free Paging file location(s): C:\pagefile.sys 3500 4096 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 74.50 Gb Total Space | 37.47 Gb Free Space | 50.29% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded Drive F: | 832.08 Gb Total Space | 775.94 Gb Free Space | 93.25% Space Free | Partition Type: NWFS G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Drive N: | 832.08 Gb Total Space | 775.94 Gb Free Space | 93.25% Space Free | Partition Type: NWFS Drive Z: | 832.08 Gb Total Space | 775.94 Gb Free Space | 93.25% Space Free | Partition Type: NWFS Computer Name: JKREAM Current User Name: jokream Logged in as Administrator. 
Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard ========== Processes (SafeList) ========== PRC - [2010/05/18 20:15:16 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jokream\Desktop\UNI\OTL.exe PRC - [2010/04/14 07:56:08 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe PRC - [2010/02/21 06:03:12 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe PRC - [2009/12/09 19:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe PRC - [2009/12/09 19:02:36 | 000,202,776 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe PRC - [2009/11/08 10:59:50 | 001,053,184 | ---- | M] (Codeode) -- C:\Program Files\Cactus Spam Filter 3.00\cactusspamfilter.exe PRC - [2009/10/07 08:25:15 | 000,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe PRC - [2009/10/07 08:25:02 | 000,378,176 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe PRC - [2009/03/05 17:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe PRC - [2008/08/25 10:04:22 | 002,510,848 | ---- | M] () -- N:\CLSINC\WBWIN\WB32.Exe PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2007/04/17 14:03:50 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe PRC - [2007/04/17 14:03:50 | 000,063,040 | ---- | M] (LogMeIn, Inc.) 
-- C:\Program Files\LogMeIn\x86\LogMeIn.exe PRC - [2005/04/27 15:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe PRC - [2004/07/21 17:28:02 | 000,413,807 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe PRC - [2004/07/21 17:26:36 | 000,176,241 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe PRC - [2002/09/19 09:24:14 | 000,049,152 | ---- | M] (PEERNET Inc.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\PNSrv6.exe PRC - [2002/03/12 11:37:28 | 000,028,672 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\nwtray.exe ========== Modules (SafeList) ========== MOD - [2010/05/18 20:15:16 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jokream\Desktop\UNI\OTL.exe MOD - [2009/10/07 08:25:03 | 000,083,288 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\LMIRfsClientNP.dll MOD - [2008/08/27 11:26:18 | 000,536,658 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\novnpnt.dll MOD - [2008/08/27 11:26:18 | 000,184,320 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\nls\ENGLISH\novnpntr.dll MOD - [2008/08/27 11:25:08 | 000,245,842 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\mapbase.dll MOD - [2008/08/27 11:25:08 | 000,106,496 | ---- | M] (Novell, Inc.) 
-- C:\WINDOWS\system32\nls\ENGLISH\mapbaser.dll MOD - [2008/08/27 11:23:52 | 000,262,227 | ---- | M] () -- C:\WINDOWS\system32\nwshlxnt.dll MOD - [2008/08/27 11:23:52 | 000,110,592 | ---- | M] () -- C:\WINDOWS\system32\nls\ENGLISH\nwshlxnr.dll MOD - [2008/04/13 20:12:10 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wsock32.dll MOD - [2008/04/13 20:12:02 | 000,245,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui1.dll MOD - [2008/04/13 20:12:02 | 000,080,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui0.dll MOD - [2008/04/13 20:12:02 | 000,044,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntlanman.dll MOD - [2008/04/13 20:12:01 | 000,011,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netrap.dll MOD - [2008/04/13 20:11:52 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drprov.dll MOD - [2008/04/13 20:11:51 | 000,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\davclnt.dll MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx MOD - [2007/05/08 07:51:04 | 000,061,440 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\clxwin32.dll MOD - [2007/05/08 07:50:48 | 000,217,088 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\netwin32.dll MOD - [2007/05/08 07:48:32 | 000,208,896 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\calwin32.dll MOD - [2007/05/08 07:45:56 | 000,212,992 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\ncpwin32.dll MOD - [2007/05/08 07:45:52 | 000,086,016 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\clnwin32.dll MOD - [2007/05/08 07:42:38 | 000,143,360 | ---- | M] (Novell, Inc.) 
-- C:\WINDOWS\system32\locwin32.dll MOD - [2004/08/02 21:03:00 | 001,437,696 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nview.dll MOD - [2004/08/02 21:03:00 | 001,019,904 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwimg.dll MOD - [2004/08/02 21:03:00 | 000,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwddi.dll ========== Win32 Services (SafeList) ========== SRV - File not found [Disabled | Stopped] -- -- (iPod Service) SRV - [2010/05/17 13:02:17 | 001,291,544 | ---- | M] (Lavasoft) [Disabled | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service) SRV - [2009/12/09 19:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc) SRV - [2009/10/09 14:53:26 | 000,103,032 | ---- | M] (PGP Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\PGPserv.exe -- (PGPserv) SRV - [2009/10/07 08:25:15 | 000,116,032 | ---- | M] (LogMeIn, Inc.) 
[Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint) SRV - [2009/05/27 04:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe -- (MSSQLSERVER) SQL Server (MSSQLSERVER) SRV - [2009/05/27 04:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS) SRV - [2008/11/25 02:31:07 | 000,239,968 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser) SRV - [2008/11/25 02:31:07 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper) SRV - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter) SRV - [2008/08/04 15:59:00 | 000,053,339 | ---- | M] (Novell, Inc.) 
[Disabled | Stopped] -- C:\WINDOWS\system32\cusrvc.exe -- (cusrvc) SRV - [2008/04/13 20:12:36 | 000,033,280 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\snmp.exe -- (SNMP) SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC) SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP) SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN) SRV - [2007/09/12 17:39:52 | 000,028,672 | ---- | M] (Hewlett-Packard Company) [Disabled | Stopped] -- C:\Program Files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe -- (HPWJAService) SRV - [2007/04/17 14:03:50 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn) SRV - [2007/02/28 15:54:42 | 000,041,026 | ---- | M] (CA) [Disabled | Stopped] -- C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe -- (CASMsgEngine) SRV - [2007/02/10 09:29:54 | 029,178,224 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$HPWJA) SQL Server (HPWJA) SRV - [2005/04/27 15:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean) SRV - [2004/07/21 17:26:36 | 000,176,241 | ---- | M] (American Power Conversion Corporation) [Auto | Running] -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe -- (APC UPS Service) ========== Driver Services (SafeList) ========== DRV - [2010/05/06 17:10:20 | 000,068,168 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL) 
DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV) DRV - [2010/02/04 11:53:02 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd) DRV - [2009/12/02 16:23:40 | 000,149,040 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter) DRV - [2009/10/09 14:53:30 | 000,246,392 | ---- | M] (PGP Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PGPdisk.sys -- (PGPdisk) DRV - [2009/10/09 14:53:30 | 000,041,080 | ---- | M] (PGP Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PGPsdk.sys -- (PGPsdkDriver) DRV - [2009/10/09 14:53:26 | 000,215,672 | ---- | M] (PGP Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PGPwded.sys -- (PGPwded) DRV - [2009/10/09 14:53:26 | 000,136,312 | ---- | M] (PGP Corporation) [File_System | Boot | Running] -- C:\WINDOWS\System32\Drivers\PGPfsfd.sys -- (pgpfs) DRV - [2009/10/07 08:25:03 | 000,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\LMIRfsClientNP.dll -- (LMIRfsClientNP) DRV - [2008/10/18 09:31:56 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver) DRV - [2008/08/28 15:00:14 | 000,553,216 | ---- | M] (Novell, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\NetWare\nwfs.sys -- (NetwareWorkstation) DRV - [2008/08/04 17:17:14 | 000,185,216 | ---- | M] (Novell, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\NetWare\srvloc.sys -- (SRVLOC) DRV - [2008/08/04 17:06:32 | 000,058,496 | ---- | M] (Novell, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\NetWare\nwsipx32.sys -- (NWSIPX32) DRV - [2008/07/21 14:45:20 | 000,017,664 | ---- | M] (Novell, Inc.) 
[Kernel | Boot | Running] -- C:\WINDOWS\system32\NetWare\nwfilter.sys -- (NWFILTER) DRV - [2008/07/21 13:47:04 | 000,029,440 | ---- | M] (Novell, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\NetWare\resmgr.sys -- (RESMGR) DRV - [2008/07/21 13:39:20 | 000,045,824 | ---- | M] (Novell, Inc.) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\NetWare\nwdns.sys -- (NWDNS) DRV - [2008/04/13 14:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx) DRV - [2008/04/13 14:36:38 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hidbatt.sys -- (HidBatt) DRV - [2008/04/04 15:32:46 | 000,020,208 | ---- | M] (Novell, Inc.) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\NetWare\nwslp.sys -- (NWSLP) DRV - [2008/02/28 15:31:50 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo) DRV - [2008/02/20 21:19:56 | 000,030,816 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL) DRV - [2008/01/08 10:27:32 | 000,038,603 | ---- | M] (Novell, Inc.) 
[Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nicm.sys -- (NICM) DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM) DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM) DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M) DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM) DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM) DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM) DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M) DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM) DRV - [2006/08/11 11:05:58 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM) DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM) DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M) DRV - [2006/07/21 11:21:26 | 000,099,176 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB) DRV - [2005/11/22 10:51:22 | 000,018,353 | ---- | M] (Novell, Inc.) 
[File_System | On_Demand | Running] -- C:\WINDOWS\system32\NetWare\nwdhcp.sys -- (NWDHCP) DRV - [2005/10/12 13:12:18 | 000,009,297 | ---- | M] (Novell, Inc.) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\NetWare\nwhost.sys -- (NWHOST) DRV - [2005/10/12 13:11:32 | 000,006,128 | ---- | M] (Novell, Inc.) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\NetWare\nwsns.sys -- (NWSNS) Novell Simple Naming Services (NWSNS) DRV - [2005/08/10 07:48:26 | 000,329,072 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\windrvr6.sys -- (WinDriver6) DRV - [2004/08/02 21:03:00 | 002,627,328 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv) DRV - [2004/08/02 21:03:00 | 000,007,012 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pmemnt.sys -- (pmem) DRV - [2004/03/30 19:23:30 | 000,025,244 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aspi32.sys -- (ASPI32) DRV - [2003/02/26 14:51:18 | 000,023,232 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\NetWare\nwsap.sys -- (NWSAP) DRV - [2002/07/15 12:43:56 | 000,028,672 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\NHSUSB.dll -- (NHSUSB) DRV - [2001/08/23 08:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb) DRV - [2001/08/23 08:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx) DRV - [2001/08/22 09:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - 
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1644491937-492894223-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1644491937-492894223-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig?hl=en&source=iglk"
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: {B17C1C5A-04B1-11DB-9804-B622A1EF5492}:1.2
FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.68.0
FF - prefs.js..extensions.enabledItems: {E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}:1.4.5
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/14 07:56:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/14 07:56:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Pale Moon project 3.6.3\extensions\\Components: C:\Program Files\Pale Moon project\components [2010/04/14 12:52:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Pale Moon project 3.6.3\extensions\\Plugins: C:\Program Files\Pale Moon project\plugins [2010/04/14 12:52:08 | 000,000,000 | ---D | M]

[2009/12/03 13:38:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Mozilla\Extensions
[2010/03/03 11:14:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\5rnnus1f.default\extensions
[2009/12/03 13:15:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\5rnnus1f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/12/03 13:15:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\5rnnus1f.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/03/03 11:14:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\5rnnus1f.default\extensions\support@lastpass.com
[2010/05/18 09:56:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions
[2010/04/28 08:10:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/28 08:10:59 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/12/03 14:07:44 | 000,000,000 | ---D | M] (Password Exporter) -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}
[2010/03/23 11:55:10 | 000,000,000 | ---D | M] (Memory Fox) -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}
[2010/04/14 12:52:52 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/04/28 08:11:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\support@lastpass.com
[2010/05/14 11:55:29 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/01/17 13:17:00 | 002,609,152 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npRACtrl.dll
[2007/03/09 19:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
[2007/08/09 13:08:00 | 000,008,784 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ractrlkeyhook.dll
[2007/08/09 13:10:00 | 000,245,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\unicows.dll

O1 HOSTS File: ([2010/05/14 11:27:37 | 000,394,487 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 13648 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [NWTRAY] C:\WINDOWS\System32\nwtray.exe (Novell, Inc.)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-1644491937-492894223-682003330-1003..\Run: [com.codeode.cactusspamfilter] C:\Program Files\Cactus Spam Filter 3.00\cactusspamfilter.exe (Codeode)
O4 - HKU\S-1-5-21-1644491937-492894223-682003330-1003..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: CompatibleRUPSecurity = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Dial with CTI DATA CONNECTOR ENTERPRISE EDITION - C:\Documents and Settings\jokream\Application Data\CDC\CDCWebDial.html ()
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - C:\Program Files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\IEShellExt.dll (ScanSoft, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\NetWare\nwws2nds.dll (Novell, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\system32\NetWare\nwws2sap.dll (Novell, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\WINDOWS\system32\NetWare\nwws2slp.dll (Novell, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\PGPlsp.dll (PGP Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\System32\PGPlsp.dll (PGP Corporation)
O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Domains: IVIEW-DDNS.COM ([MHL1.DDNS] https in Trusted sites)
O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Domains: lexis.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Domains: lexisnexis.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Domains: lexis-nexis.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Ranges: Range78 ([http] in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} https://components.viewpoint.com/MTSInstall...w.viewpoint.com (Reg Error: Key error.)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} http://65.254.18.46:100/RemoteWeb.cab (Remote200 Control)
O16 - DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} http://65.254.18.46:100/VideoViewer.cab (CViewerControl Object)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1170433613046 (MUWebControl Class)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} https://www.vericheckonline.com/viewer/acti...tivexviewer.cab (Crystal Report Viewer Control)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} http://10.0.0.248/xplugLite.cab (Gif89 Lite Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D5EBF06F-9BAF-11D0-B12D-00C04FC39CEA} http://www.imagemaster.org/PCA/pawrem.cab (pcANYWHERE Remote)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1 10.0.0.1 10.0.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (NWGINA.DLL) - C:\WINDOWS\System32\nwgina.dll (Novell, Inc.)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (nwv1_0) - C:\WINDOWS\System32\nwv1_0.dll (Novell, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/12/08 15:24:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/03/12 15:26:48 | 000,042,496 | ---- | M] () - Z:\AutoLiaison3.1-Filed.xls -- [ NWFS ]
O32 - AutoRun File - [2010/04/23 10:45:30 | 000,011,593 | ---- | M] () - Z:\AutoLiason2.1-placed-KNKRESPONSE.xlsx -- [ NWFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183528496136192)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/17 13:03:29 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/05/17 13:03:25 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/17 12:26:50 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/05/17 11:39:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\RestoreSafeDeleted
[2010/05/17 11:32:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\My Documents\RegRun2
[2010/05/17 11:32:08 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2010/05/17 10:49:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Desktop\javara
[2010/05/17 08:15:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/05/17 08:15:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Application Data\SUPERAntiSpyware.com
[2010/05/17 08:15:24 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/05/17 08:15:03 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/05/14 15:24:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/05/14 15:24:06 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/05/14 15:17:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Desktop\KILLER
[2010/05/14 11:16:40 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/14 11:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/05/14 10:30:36 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/14 09:21:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/13 10:37:28 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/13 10:37:25 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/13 10:37:25 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/12 13:33:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/05/12 13:33:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/05/12 11:41:10 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\iijedsve.sys
[2010/05/12 08:15:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/05/11 09:36:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/11 09:36:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/04 11:56:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Desktop\7600.16385.090713-1255_x86fre_enterprise_en-us_EVAL_Eval_Enterprise-GRMCENEVAL_EN_DVD
[2010/05/04 11:56:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Application Data\WinRAR
[2010/05/04 11:55:06 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/05/04 09:31:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\Performance
[2010/05/04 09:31:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Local Settings\Application Data\Microsoft Corporation
[2010/05/04 09:31:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows 7 Upgrade Advisor
[2010/04/23 14:25:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Application Data\com.codeode
[2010/04/23 14:09:42 | 000,000,000 | ---D | C] -- C:\Program Files\Cactus Spam Filter 3.00
[2010/04/23 14:05:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Application Data\MailWasherFree
[2010/04/21 11:54:08 | 000,257,088 | ---- | C] (Xceed Software Inc. 1-450-442-2626 info@xceedsoft.com www.xceedsoft.com) -- C:\Documents and Settings\jokream\Desktop\R82265.EXE
[2010/04/21 11:01:24 | 001,180,384 | ---- | C] (Dell, Inc.) -- C:\Documents and Settings\jokream\Desktop\RAID_DRVR_WIN_R99973.EXE
[2010/04/21 10:44:38 | 000,361,666 | ---- | C] (RegNow.com) -- C:\Documents and Settings\jokream\Desktop\Download_DriverDetective-6.3.1.5.exe
[2010/04/21 10:38:10 | 000,077,824 | ---- | C] (Dell, Inc.) -- C:\WINDOWS\System32\DellSPMsg.dll
[2010/04/21 10:35:06 | 001,225,144 | ---- | C] (Dell, Inc.) -- C:\Documents and Settings\jokream\Desktop\RAID_DRVR_WIN_R100373.EXE
[2010/04/21 10:19:24 | 000,161,592 | ---- | C] (Xceed Software Inc. 1-450-442-2626 info@xceedsoft.com www.xceedsoft.com) -- C:\Documents and Settings\jokream\Desktop\R76713.EXE
[2010/04/20 10:28:49 | 000,345,448 | ---- | C] (Corel Corporation) -- C:\Documents and Settings\jokream\Desktop\wplook.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/18 16:03:01 | 000,000,044 | ---- | M] () -- C:\WINDOWS\hpmnwun.ini
[2010/05/18 12:35:03 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\PNTIF6
[2010/05/18 10:54:47 | 000,000,202 | ---- | M] () -- C:\WINDOWS\PrintCon.INI
[2010/05/18 08:39:24 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/17 15:11:22 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/17 15:09:00 | 000,004,598 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/17 15:08:50 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/17 15:05:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/17 14:04:56 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\jokream\ntuser.ini
[2010/05/17 14:04:55 | 008,912,896 | -H-- | M] () -- C:\Documents and Settings\jokream\NTUSER.DAT
[2010/05/17 13:03:20 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/17 12:26:49 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/05/17 11:33:24 | 000,002,577 | R--- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/05/17 11:33:24 | 000,001,688 | R--- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2010/05/17 11:33:24 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2010/05/17 10:06:33 | 000,005,697 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\LOGS.zip
[2010/05/17 08:15:33 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/14 21:26:28 | 000,102,904 | ---- | M] () -- C:\Documents and Settings\jokream\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/14 21:08:36 | 000,391,976 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/14 15:32:01 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/14 15:31:33 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/14 15:08:52 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\tdsskiller.zip
[2010/05/14 11:27:37 | 000,394,487 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/14 10:55:52 | 000,000,271 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/14 10:54:52 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100514-112737.backup
[2010/05/14 10:52:20 | 000,778,922 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/14 10:52:20 | 000,624,480 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/14 10:52:20 | 000,138,662 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/14 10:30:43 | 000,000,292 | RHS- | M] () -- C:\boot.ini
[2010/05/14 09:16:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\jokream\defogger_reenable
[2010/05/13 15:39:44 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\CCleaner.lnk
[2010/05/13 13:13:31 | 000,047,104 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\CHECK.xls
[2010/05/13 10:37:33 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/13 09:16:12 | 000,000,666 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\PrintConductor.lnk
[2010/05/12 18:45:43 | 000,000,750 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/12 18:45:43 | 000,000,222 | ---- | M] () -- C:\Boot.bak
[2010/05/12 11:41:10 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\iijedsve.sys
[2010/05/12 09:16:50 | 000,288,229 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-L.pdf
[2010/05/12 09:16:41 | 000,143,780 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-K.pdf
[2010/05/12 09:16:30 | 000,507,784 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-J.pdf
[2010/05/12 09:16:15 | 000,144,940 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-I.pdf
[2010/05/12 09:15:56 | 000,543,688 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-H.pdf
[2010/05/12 09:15:45 | 000,197,348 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-G.pdf
[2010/05/12 09:15:39 | 000,271,827 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-F.pdf
[2010/05/12 09:15:19 | 000,109,287 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-E.pdf
[2010/05/12 09:15:13 | 000,151,036 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-D.pdf
[2010/05/12 09:15:06 | 000,315,853 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-C.pdf
[2010/05/12 09:14:45 | 000,298,069 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-B.pdf
[2010/05/12 09:14:27 | 000,274,404 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-A.pdf
[2010/05/12 09:13:28 | 000,509,747 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042.pdf
[2010/05/12 03:04:10 | 000,000,172 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/11 10:05:00 | 000,164,352 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\TRAK AMERICA 2010 ACH REPORT11111111111111111111121112 (3).xls
[2010/05/07 13:38:18 | 000,079,715 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\Part4-Agency Formats.pdf
[2010/05/07 13:36:00 | 000,011,870 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\MAP.100427.00002.NB.pdf
[2010/05/07 11:28:07 | 000,548,455 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\ygc.pdf
[2010/05/07 09:48:00 | 000,005,419 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\REKream050310.zip
[2010/05/06 10:36:38 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/05/06 08:34:57 | 000,002,501 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\WordPerfect 10.lnk
[2010/05/04 11:55:54 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\WinRAR.lnk
[2010/05/04 09:31:17 | 000,001,900 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 13:30:32 | 000,001,942 | ---- | M] () -- C:\WINDOWS\KOFAX200.INI
[2010/04/27 14:48:16 | 000,016,983 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\gloria.pdf
[2010/04/27 12:47:20 | 000,304,611 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\digiacomo.pdf
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/26 10:27:23 | 002,915,608 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\SETTLEMENT DOCS.pdf
[2010/04/23 08:34:30 | 000,594,214 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\CU LISTING.pdf
[2010/04/22 14:40:58 | 002,902,052 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\c00189910.pdf
[2010/04/22 09:18:53 | 000,657,361 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\kreamwires2.pdf
[2010/04/22 08:54:19 | 000,046,592 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\Wire Exhibit.doc
[2010/04/21 14:56:00 | 000,130,159 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\win_xp_2k3_32-14.0.0.7a.zip
[2010/04/21 11:54:09 | 022,437,715 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\Bcom_LAN_14.2.0_W2K3_8_A00.exe
[2010/04/21 11:54:04 | 000,257,088 | ---- | M] (Xceed Software Inc. 1-450-442-2626 info@xceedsoft.com www.xceedsoft.com) -- C:\Documents and Settings\jokream\Desktop\R82265.EXE
[2010/04/21 11:01:20 | 001,180,384 | ---- | M] (Dell, Inc.) -- C:\Documents and Settings\jokream\Desktop\RAID_DRVR_WIN_R99973.EXE
[2010/04/21 10:44:35 | 000,361,666 | ---- | M] (RegNow.com) -- C:\Documents and Settings\jokream\Desktop\Download_DriverDetective-6.3.1.5.exe
[2010/04/21 10:35:04 | 001,225,144 | ---- | M] (Dell, Inc.) -- C:\Documents and Settings\jokream\Desktop\RAID_DRVR_WIN_R100373.EXE
[2010/04/21 10:19:23 | 000,161,592 | ---- | M] (Xceed Software Inc. 1-450-442-2626 info@xceedsoft.com www.xceedsoft.com) -- C:\Documents and Settings\jokream\Desktop\R76713.EXE
[2010/04/21 10:14:15 | 000,076,800 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\perc-cerc-w2k3-6.46.2.32-A05.exe
[2010/04/20 10:28:50 | 000,345,448 | ---- | M] (Corel Corporation) -- C:\Documents and Settings\jokream\Desktop\wplook.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/17 13:09:09 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/17 12:26:49 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/05/17 11:33:24 | 000,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2010/05/17 09:16:14 | 000,005,697 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\LOGS.zip
[2010/05/17 08:15:33 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/14 15:32:00 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/14 15:24:13 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/14 15:17:23 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\tdsskiller.zip
[2010/05/14 10:30:42 | 000,000,222 | ---- | C] () -- C:\Boot.bak
[2010/05/14 10:30:37 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/14 09:24:18 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/14 09:24:18 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/14 09:16:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\jokream\defogger_reenable
[2010/05/13 11:29:32 | 000,047,104 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\CHECK.xls
[2010/05/13 11:18:15 | 000,021,678 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\30004345.xltx
[2010/05/13 10:37:33 | 000,000,714 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/13 09:16:12 | 000,000,666 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\PrintConductor.lnk
[2010/05/12 09:16:50 | 000,288,229 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-L.pdf
[2010/05/12 09:16:41 | 000,143,780 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-K.pdf
[2010/05/12 09:16:30 | 000,507,784 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-J.pdf
[2010/05/12 09:16:15 | 000,144,940 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-I.pdf
[2010/05/12 09:15:56 | 000,543,688 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-H.pdf
[2010/05/12 09:15:45 | 000,197,348 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-G.pdf
[2010/05/12 09:15:39 | 000,271,827 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-F.pdf
[2010/05/12 09:15:19 | 000,109,287 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-E.pdf
[2010/05/12 09:15:13 | 000,151,036 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-D.pdf
[2010/05/12 09:15:06 | 000,315,853 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-C.pdf
[2010/05/12 09:14:45 | 000,298,069 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-B.pdf
[2010/05/12 09:14:27 | 000,274,404 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-A.pdf
[2010/05/12 09:13:28 | 000,509,747 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042.pdf
[2010/05/12 03:04:10 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/11 10:05:20 | 000,164,352 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\TRAK AMERICA 2010 ACH REPORT11111111111111111111121112 (3).xls
[2010/05/07 13:38:18 | 000,079,715 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\Part4-Agency Formats.pdf
[2010/05/07 13:36:00 | 000,011,870 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\MAP.100427.00002.NB.pdf
[2010/05/07 11:28:07 | 000,548,455 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\ygc.pdf
[2010/05/07 09:48:00 | 000,005,419 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\REKream050310.zip
[2010/05/04 11:55:54 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\WinRAR.lnk
[2010/05/04 09:31:17 | 000,001,900 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2010/04/27 14:48:16 | 000,016,983 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\gloria.pdf
[2010/04/27 12:47:20 | 000,304,611 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\digiacomo.pdf
[2010/04/26 10:27:23 | 002,915,608 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\SETTLEMENT DOCS.pdf
[2010/04/22 14:40:58 | 002,902,052 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\c00189910.pdf
[2010/04/22 13:53:23 | 000,594,214 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\CU LISTING.pdf
[2010/04/22 09:18:40 | 000,657,361 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\kreamwires2.pdf
[2010/04/21 14:56:00 | 000,130,159 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\win_xp_2k3_32-14.0.0.7a.zip
[2010/04/21 11:53:27 | 022,437,715 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\Bcom_LAN_14.2.0_W2K3_8_A00.exe
[2010/04/21 10:14:19 | 000,076,800 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\perc-cerc-w2k3-6.46.2.32-A05.exe
[2009/11/13 14:54:44 | 000,000,997 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2009/11/09 13:16:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CorelDrw.INI
[2009/10/09 14:53:26 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\PGPsdk.dll.sig
[2008/12/01 10:35:25 | 000,004,184 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2008/08/27 11:23:52 | 000,262,227 | ---- | C] () -- C:\WINDOWS\System32\nwshlxnt.dll
[2008/08/13 10:10:20 | 000,225,356 | ---- | C] () -- C:\WINDOWS\System32\lgnwnt32.dll
[2008/03/18 10:43:49 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2008/02/04 18:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2008/01/17 14:12:10 | 000,000,044 | ---- | C] () -- C:\WINDOWS\hpmnwun.ini
[2007/10/31 10:25:48 | 000,000,991 | ---- | C] () -- C:\WINDOWS\System32\hpipxmon.ini
[2007/10/31 10:25:48 | 000,000,121 | ---- | C] () -- C:\WINDOWS\System32\AddPortX.ini
[2007/08/20 10:09:14 | 000,000,301 | ---- | C] () -- C:\WINDOWS\hpqcopy.INI
[2007/05/21 09:36:16 | 000,111,616 | ---- | C] () -- C:\WINDOWS\System32\FF_CORE.dll
[2007/04/13 08:08:53 | 000,000,202 | ---- | C] () -- C:\WINDOWS\PrintCon.INI
[2007/03/26 14:16:50 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\custmon32.dll
[2007/03/16 18:00:00 | 000,003,403 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2007/03/15 08:42:02 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2007/03/15 08:42:01 | 000,000,168 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/02/26 13:40:09 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2007/02/23 14:52:12 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2007/02/23 14:52:12 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2007/02/23 14:51:19 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2007/02/23 14:51:18 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2007/02/23 14:51:16 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2007/02/21 16:00:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Vcdem32p.INI
[2007/02/12 18:43:54 | 000,065,619 | ---- | C] () -- C:\WINDOWS\System32\setupw2k.dll
[2007/01/08 17:17:18 | 000,000,153 | ---- | C] () -- C:\WINDOWS\FOXPRO.INI
[2007/01/08 12:05:33 | 002,285,568 | ---- | C] () -- C:\WINDOWS\System32\PdfEnc.dll
[2007/01/08 12:05:33 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\JJpxWriter.dll
[2007/01/08 12:05:33 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\CVPDFWriter.dll
[2007/01/08 12:05:32 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\JPXDecoder.dll
[2007/01/08 12:05:32 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\JpgReader.dll
[2007/01/08 12:05:32 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Jbig2Reader.dll
[2007/01/08 12:05:32 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\JBIG2Decoder.dll
[2007/01/08 12:05:32 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\CVPDFReader.dll
[2007/01/08 12:05:32 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JPGDecoder.dll
[2007/01/08 12:05:31 | 005,934,080 | ---- | C] () -- C:\WINDOWS\System32\CVPDFParser.dll
[2007/01/08 12:05:31 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\SX32W.DLL
[2007/01/08 12:05:31 | 000,000,106 | ---- | C] () -- C:\WINDOWS\JET311.ini
[2007/01/08 12:05:31 | 000,000,022 | ---- | C] () -- C:\WINDOWS\KofaxKim.ini
[2007/01/08 12:05:18 | 000,004,907 | ---- | C] () -- C:\WINDOWS\KPMSW.INI
[2007/01/08 12:05:18 | 000,001,142 | ---- | C] () -- C:\WINDOWS\KPMADR.INI
[2007/01/08 12:05:18 | 000,001,102 | ---- | C] () -- C:\WINDOWS\KPM.INI
[2007/01/08 12:05:11 | 000,081,920 | ---- | C] () -- 
C:\WINDOWS\System32\KCVWrapper.dll [2007/01/08 12:05:11 | 000,003,145 | ---- | C] () -- C:\WINDOWS\kpmcrtnt.ini [2007/01/08 12:05:10 | 000,086,528 | ---- | C] () -- C:\WINDOWS\System32\KCL310.DLL [2007/01/08 12:05:10 | 000,012,800 | ---- | C] () -- C:\WINDOWS\System32\KDB310.DLL [2007/01/08 12:05:10 | 000,001,942 | ---- | C] () -- C:\WINDOWS\KOFAX200.INI [2006/11/29 15:08:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini [2006/09/30 10:08:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\caAdmin.INI [2006/09/20 23:02:32 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll [2006/09/20 23:02:32 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll [2006/08/16 09:53:55 | 000,000,240 | ---- | C] () -- C:\WINDOWS\pixcache.ini [2006/08/13 12:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI [2006/08/10 12:16:19 | 000,003,484 | ---- | C] () -- C:\WINDOWS\setscan.ini [2006/03/27 13:08:34 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\nwslog32.dll [2006/02/07 13:26:33 | 000,033,280 | ---- | C] () -- C:\WINDOWS\System32\SP32W.DLL [2006/01/03 16:57:53 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\NHSUSB.dll [2006/01/03 14:04:00 | 000,000,169 | ---- | C] () -- C:\WINDOWS\LDMPC.INI [2005/12/12 11:10:22 | 000,000,122 | ---- | C] () -- C:\WINDOWS\WB.INI [2005/12/12 10:28:07 | 000,000,036 | ---- | C] () -- C:\WINDOWS\iltwain.ini [2005/12/12 10:11:23 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHealr.dll [2005/12/08 17:11:00 | 000,000,686 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2005/12/05 14:37:50 | 000,007,912 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll [2005/11/04 12:38:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll [2005/11/04 12:38:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll [2005/11/04 12:38:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll [2004/11/12 09:49:30 | 000,000,559 | ---- | C] () -- C:\WINDOWS\BR.INI [2004/08/02 
21:03:00 | 000,102,441 | ---- | C] () -- C:\WINDOWS\System32\getvpd.dll [2004/08/02 21:03:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\pmemw.dll [2004/02/03 16:32:06 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\znlib6.dll [2001/08/23 08:00:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\NSREG.DLL [2000/01/20 09:15:14 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\lgncon32.dll [1999/01/11 04:37:36 | 000,002,757 | ---- | C] () -- C:\WINDOWS\System32\rdrstats.ini [1997/06/25 16:24:16 | 000,040,448 | --S- | C] () -- C:\WINDOWS\System32\regobj.dll [1996/05/14 09:50:22 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\prtwin32.dll [1995/08/22 08:36:12 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\nwpsrv32.dll ========== LOP Check ========== [2009/09/17 15:53:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Borland [2010/05/14 15:24:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro [2010/05/04 14:06:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LDM [2008/02/08 11:59:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Locktime [2008/06/23 07:59:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn [2008/08/07 14:01:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound [2009/05/15 08:50:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Network Associates [2007/01/08 12:04:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PEERNET [2009/12/15 16:49:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PGP Corporation [2009/09/17 16:01:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft [2008/01/14 16:14:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All 
Users\Application Data\TEMP [2006/05/10 10:05:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint [2007/11/02 11:12:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip [2005/12/12 10:41:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\zeon [2010/05/17 12:26:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6} [2007/10/25 14:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\BitTorrent [2006/01/25 14:42:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\CDC [2010/04/23 14:25:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\com.codeode [2010/05/18 11:01:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\CoreFTP [2006/12/06 10:16:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\DVD2AVI Ripper [2009/05/13 09:00:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\GetRightToGo [2009/10/26 13:18:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\gtk-2.0 [2009/12/03 13:13:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\id Software [2008/10/08 09:01:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Livestation [2008/02/08 11:59:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Locktime [2010/04/23 14:10:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\MailWasherFree [2008/08/07 14:00:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\NCH Swift Sound [2008/08/08 11:13:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\OfficeUpdate12 [2007/12/06 10:37:38 | 000,000,000 
| ---D | M] -- C:\Documents and Settings\jokream\Application Data\Participatory Culture Foundation [2010/05/13 11:01:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\paywin [2007/12/06 12:56:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\PCF-VLC [2009/12/15 16:59:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\PGP Corporation [2007/03/26 13:51:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\SmartDraw [2006/12/19 09:36:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Uniblue [2007/10/17 15:07:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\URSE Games [2005/12/12 10:41:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\zeon [2010/05/18 08:39:24 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job [2010/05/17 15:11:22 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job [2009/06/26 08:23:08 | 000,000,262 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job ========== Purity Check ========== ========== Custom Scans ========== < MD5 for: ATAPI.SYS > [2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\slipstream\XP\I386\sp2.cab:atapi.sys [2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\slipstream\XP\I386\sp3.cab:atapi.sys [2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\slipstream\XP-SP3\i386\sp3.cab:atapi.sys [2005/12/08 18:08:25 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys [2008/09/18 10:35:38 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys [2005/12/08 18:08:25 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys [2008/09/18 10:35:38 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys 
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys [2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys [2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys [2010/05/17 13:04:41 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys [2001/08/23 08:00:00 | 000,086,656 | ---- | M] (Microsoft Corporation) MD5=A64013E98426E1877CB653685C5C0009 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys < MD5 for: KBDHID.SYS > [2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\slipstream\XP\I386\sp2.cab:kbdhid.sys [2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\slipstream\XP\I386\sp3.cab:kbdhid.sys [2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\slipstream\XP-SP3\i386\sp3.cab:kbdhid.sys [2005/12/08 18:08:25 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:kbdhid.sys [2008/09/18 10:35:38 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:kbdhid.sys [2005/12/08 18:08:25 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:kbdhid.sys [2008/09/18 10:35:38 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:kbdhid.sys [2008/04/13 14:39:48 | 000,014,592 | ---- | M] (Microsoft Corporation) MD5=9EF487A186DEA361AA06913A75B3FA99 -- C:\WINDOWS\ServicePackFiles\i386\kbdhid.sys [2008/04/13 14:39:48 | 000,014,592 | ---- | M] (Microsoft Corporation) MD5=9EF487A186DEA361AA06913A75B3FA99 -- C:\WINDOWS\system32\drivers\kbdhid.sys < %systemroot%\*. 
/mp /s > < %systemroot%\system32\*.dll /lockedfiles > [2008/04/13 20:11:52 | 000,357,888 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll [2008/04/13 20:11:52 | 000,205,312 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll [2010/02/26 01:43:54 | 000,251,904 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iepeers.dll [1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ] ========== Alternate Data Streams ========== @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\jokream\Desktop\trakam docs:Roxio EMC Stream < End of report > Extras.txt OTL Extras logfile created on: 5/18/2010 8:17:02 PM - Run 1 OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\jokream\Desktop\UNI Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 6.0.2900.5512) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free 7.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free Paging file location(s): C:\pagefile.sys 3500 4096 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 74.50 Gb Total Space | 37.47 Gb Free Space | 50.29% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded Drive F: | 832.08 Gb Total Space | 775.94 Gb Free Space | 93.25% Space Free | Partition Type: NWFS G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Drive N: | 832.08 Gb Total Space | 775.94 Gb Free Space | 93.25% Space Free | Partition Type: NWFS Drive Z: | 832.08 Gb Total Space | 775.94 Gb Free Space | 93.25% Space Free | Partition Type: NWFS Computer Name: JKREAM Current 
User Name: jokream Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Pale Moon project\palemoon.exe (Mozilla Corporation) [HKEY_USERS\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Pale Moon project\palemoon.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation) https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002 "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\Toshiba CTX TAPI Service Provider\NHSTAPIServer.exe" = C:\Program Files\Toshiba CTX TAPI Service Provider\NHSTAPIServer.exe:*:Enabled:NHSTAPIServer -- (Computer Telephony Solutions) "C:\TSP for BPCI\program files\Toshiba BPCI TAPI Service Provider\NHSTAPIServer.exe" = C:\TSP for BPCI\program files\Toshiba BPCI TAPI Service Provider\NHSTAPIServer.exe:*:Enabled:NHSTAPIServer -- (Computer Telephony Solutions) "C:\Program Files\Toshiba BPCI TAPI Service Provider\NHSTAPIServer.exe" = C:\Program Files\Toshiba BPCI TAPI Service 
Provider\NHSTAPIServer.exe:*:Enabled:NHSTAPIServer -- (Computer Telephony Solutions) "C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "_{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW® Graphics Suite X4 - Windows Shell Extension "{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools "{058C8EB2-6DDB-4431-BBF4-C79A1E773C1C}" = HP LaserJet Fonts "{08094E03-AFE4-4853-9D31-6D0743DF5328}" = QuickTime "{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data "{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer "{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1 "{1DF03ECE-6AF4-414E-B118-C316F151A9A2}" = Corel WordPerfect Office - iFilter "{21F4789D-C4AD-4A88-A854-FFCD46123197}" = CA BrightStor ARCserve Backup for NetWare "{2223FC2F-B862-4F83-BC9E-DDF2DADF2859}" = Intel® Network Connections 13.0.42.0 "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer "{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition "{29790AC7-AD34-4F3D-A92D-EBED66F49461}" = HP Web Registration "{29D88826-2AB9-11D5-8854-00902761A46D}" = WordPerfect Office 2002 "{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (HPWJA) "{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc "{31B5E213-025A-47AA-B586-E41A60507DC5}" = WIA and Minimal TWAIN for hp Scanjet 5590 "{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module "{5305386A-B4A5-4F47-98CB-823301E495DA}" = ScanSoft PDF Converter 2.0 
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English) "{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer "{5A0C892E-FD1C-4203-941E-0956AED20A6A}" = APC PowerChute Personal Edition "{5A8F669B-5BBE-4DD5-8F0C-89C93600BA1A}" = Toshiba BPCI TAPI Service Provider V1.4.3 "{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy "{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0 "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.1 "{6870FD05-9324-4E8A-90EB-6DBDAC29B74F}" = ScanSoft PDF Create 2.0 "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin "{6A034CA0-A2D1-4F34-82AE-643A822B2569}" = For and About Law "{6DEF11C0-35FF-4160-A543-FDD336C4DAE5}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{747AD110-B7AA-449F-B0B3-098A9F717FA0}" = Collection-Master Client Install - 2.0 "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{90110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{9B427732-573E-4E78-B6FA-AC3E5A218BA2}" = NMAS Client "{9DE3F260-B88E-42CE-90E7-73C78C37D95E}" = 32 Bit HP BiDi Channel Components Installer "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor "{AC76BA86-1033-F400-BA7E-100000000002}" = Adobe Acrobat 7.0 Standard - English, Fran
  11. Yeah, I guess I deserve that. I got desperate and caved to my fear I'd lose my machine. I'll wait for your instructions before I do anything else. Nothing I do seems to work anyway. Thanks for your help by the way. It seems I didn't run ComboFix on this PC - I can't find the Qoobox directory there. I must have run it on a Laptop I was playing with ideas on. Here is the TDSSKiller log: 12:03:25:437 3144 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04 12:03:25:437 3144 ================================================================================ 12:03:25:437 3144 SystemInfo: 12:03:25:437 3144 OS Version: 5.1.2600 ServicePack: 3.0 12:03:25:437 3144 Product type: Workstation 12:03:25:437 3144 ComputerName: JKREAM 12:03:25:437 3144 UserName: jokream 12:03:25:437 3144 Windows directory: C:\WINDOWS 12:03:25:437 3144 Processor architecture: Intel x86 12:03:25:437 3144 Number of processors: 4 12:03:25:437 3144 Page size: 0x1000 12:03:25:437 3144 Boot type: Normal boot 12:03:25:437 3144 ================================================================================ 12:03:25:437 3144 UnloadDriverW: NtUnloadDriver error 2 12:03:25:437 3144 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2 12:03:25:515 3144 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system 12:03:25:515 3144 wfopen_ex: MyNtCreateFileW error 32 (C0000043) 12:03:25:515 3144 wfopen_ex: Trying to KLMD file open 12:03:25:515 3144 wfopen_ex: File opened ok (Flags 2) 12:03:25:515 3144 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software 12:03:25:515 3144 wfopen_ex: MyNtCreateFileW error 32 (C0000043) 12:03:25:515 3144 wfopen_ex: Trying to KLMD file open 12:03:25:515 3144 wfopen_ex: File opened ok (Flags 2) 12:03:25:515 3144 Initialize success 12:03:25:515 3144 12:03:25:515 3144 Scanning Services ... 12:03:25:953 3144 Raw services enum returned 381 services 12:03:25:968 3144 12:03:25:968 3144 Scanning Kernel memory ... 
12:03:25:968 3144 Devices to scan: 4 12:03:25:968 3144 12:03:25:968 3144 Driver Name: Disk 12:03:25:968 3144 IRP_MJ_CREATE : F763DBB0 12:03:25:968 3144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759 12:03:25:968 3144 IRP_MJ_CLOSE : F763DBB0 12:03:25:968 3144 IRP_MJ_READ : F7637D1F 12:03:25:968 3144 IRP_MJ_WRITE : F7637D1F 12:03:25:968 3144 IRP_MJ_QUERY_INFORMATION : 804F9759 12:03:25:968 3144 IRP_MJ_SET_INFORMATION : 804F9759 12:03:25:968 3144 IRP_MJ_QUERY_EA : 804F9759 12:03:25:968 3144 IRP_MJ_SET_EA : 804F9759 12:03:25:968 3144 IRP_MJ_FLUSH_BUFFERS : F76382E2 12:03:25:968 3144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759 12:03:25:968 3144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759 12:03:25:984 3144 IRP_MJ_DIRECTORY_CONTROL : 804F9759 12:03:25:984 3144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759 12:03:25:984 3144 IRP_MJ_DEVICE_CONTROL : F76383BB 12:03:25:984 3144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28 12:03:25:984 3144 IRP_MJ_SHUTDOWN : F76382E2 12:03:25:984 3144 IRP_MJ_LOCK_CONTROL : 804F9759 12:03:25:984 3144 IRP_MJ_CLEANUP : 804F9759 12:03:25:984 3144 IRP_MJ_CREATE_MAILSLOT : 804F9759 12:03:25:984 3144 IRP_MJ_QUERY_SECURITY : 804F9759 12:03:25:984 3144 IRP_MJ_SET_SECURITY : 804F9759 12:03:25:984 3144 IRP_MJ_POWER : F7639C82 12:03:25:984 3144 IRP_MJ_SYSTEM_CONTROL : F763E99E 12:03:25:984 3144 IRP_MJ_DEVICE_CHANGE : 804F9759 12:03:25:984 3144 IRP_MJ_QUERY_QUOTA : 804F9759 12:03:25:984 3144 IRP_MJ_SET_QUOTA : 804F9759 12:03:26:015 3144 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1 12:03:26:015 3144 12:03:26:015 3144 Driver Name: USBSTOR 12:03:26:015 3144 IRP_MJ_CREATE : F77B4218 12:03:26:015 3144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759 12:03:26:015 3144 IRP_MJ_CLOSE : F77B4218 12:03:26:015 3144 IRP_MJ_READ : F77B423C 12:03:26:015 3144 IRP_MJ_WRITE : F77B423C 12:03:26:015 3144 IRP_MJ_QUERY_INFORMATION : 804F9759 12:03:26:015 3144 IRP_MJ_SET_INFORMATION : 804F9759 12:03:26:015 3144 IRP_MJ_QUERY_EA : 804F9759 12:03:26:015 3144 IRP_MJ_SET_EA : 804F9759 12:03:26:015 3144 
IRP_MJ_FLUSH_BUFFERS : 804F9759 12:03:26:015 3144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759 12:03:26:015 3144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759 12:03:26:015 3144 IRP_MJ_DIRECTORY_CONTROL : 804F9759 12:03:26:015 3144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759 12:03:26:015 3144 IRP_MJ_DEVICE_CONTROL : F77B4180 12:03:26:015 3144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F77AF9E6 12:03:26:015 3144 IRP_MJ_SHUTDOWN : 804F9759 12:03:26:015 3144 IRP_MJ_LOCK_CONTROL : 804F9759 12:03:26:015 3144 IRP_MJ_CLEANUP : 804F9759 12:03:26:015 3144 IRP_MJ_CREATE_MAILSLOT : 804F9759 12:03:26:015 3144 IRP_MJ_QUERY_SECURITY : 804F9759 12:03:26:015 3144 IRP_MJ_SET_SECURITY : 804F9759 12:03:26:015 3144 IRP_MJ_POWER : F77B35F0 12:03:26:015 3144 IRP_MJ_SYSTEM_CONTROL : F77B1A6E 12:03:26:015 3144 IRP_MJ_DEVICE_CHANGE : 804F9759 12:03:26:015 3144 IRP_MJ_QUERY_QUOTA : 804F9759 12:03:26:015 3144 IRP_MJ_SET_QUOTA : 804F9759 12:03:26:031 3144 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1 12:03:26:031 3144 12:03:26:031 3144 Driver Name: Disk 12:03:26:031 3144 IRP_MJ_CREATE : F763DBB0 12:03:26:031 3144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759 12:03:26:031 3144 IRP_MJ_CLOSE : F763DBB0 12:03:26:031 3144 IRP_MJ_READ : F7637D1F 12:03:26:031 3144 IRP_MJ_WRITE : F7637D1F 12:03:26:031 3144 IRP_MJ_QUERY_INFORMATION : 804F9759 12:03:26:031 3144 IRP_MJ_SET_INFORMATION : 804F9759 12:03:26:031 3144 IRP_MJ_QUERY_EA : 804F9759 12:03:26:031 3144 IRP_MJ_SET_EA : 804F9759 12:03:26:031 3144 IRP_MJ_FLUSH_BUFFERS : F76382E2 12:03:26:031 3144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759 12:03:26:031 3144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759 12:03:26:031 3144 IRP_MJ_DIRECTORY_CONTROL : 804F9759 12:03:26:031 3144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759 12:03:26:031 3144 IRP_MJ_DEVICE_CONTROL : F76383BB 12:03:26:031 3144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28 12:03:26:031 3144 IRP_MJ_SHUTDOWN : F76382E2 12:03:26:031 3144 IRP_MJ_LOCK_CONTROL : 804F9759 12:03:26:031 3144 IRP_MJ_CLEANUP : 804F9759 12:03:26:031 3144 
IRP_MJ_CREATE_MAILSLOT : 804F9759 12:03:26:031 3144 IRP_MJ_QUERY_SECURITY : 804F9759 12:03:26:031 3144 IRP_MJ_SET_SECURITY : 804F9759 12:03:26:031 3144 IRP_MJ_POWER : F7639C82 12:03:26:031 3144 IRP_MJ_SYSTEM_CONTROL : F763E99E 12:03:26:031 3144 IRP_MJ_DEVICE_CHANGE : 804F9759 12:03:26:031 3144 IRP_MJ_QUERY_QUOTA : 804F9759 12:03:26:031 3144 IRP_MJ_SET_QUOTA : 804F9759 12:03:26:031 3144 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1 12:03:26:031 3144 12:03:26:031 3144 Driver Name: atapi 12:03:26:031 3144 IRP_MJ_CREATE : 8A149EE4 12:03:26:031 3144 IRP_MJ_CREATE_NAMED_PIPE : 8A149EE4 12:03:26:031 3144 IRP_MJ_CLOSE : 8A149EE4 12:03:26:031 3144 IRP_MJ_READ : 8A149EE4 12:03:26:031 3144 IRP_MJ_WRITE : 8A149EE4 12:03:26:031 3144 IRP_MJ_QUERY_INFORMATION : 8A149EE4 12:03:26:031 3144 IRP_MJ_SET_INFORMATION : 8A149EE4 12:03:26:031 3144 IRP_MJ_QUERY_EA : 8A149EE4 12:03:26:031 3144 IRP_MJ_SET_EA : 8A149EE4 12:03:26:031 3144 IRP_MJ_FLUSH_BUFFERS : 8A149EE4 12:03:26:031 3144 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A149EE4 12:03:26:031 3144 IRP_MJ_SET_VOLUME_INFORMATION : 8A149EE4 12:03:26:031 3144 IRP_MJ_DIRECTORY_CONTROL : 8A149EE4 12:03:26:031 3144 IRP_MJ_FILE_SYSTEM_CONTROL : 8A149EE4 12:03:26:031 3144 IRP_MJ_DEVICE_CONTROL : 8A149EE4 12:03:26:031 3144 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A149EE4 12:03:26:031 3144 IRP_MJ_SHUTDOWN : 8A149EE4 12:03:26:031 3144 IRP_MJ_LOCK_CONTROL : 8A149EE4 12:03:26:031 3144 IRP_MJ_CLEANUP : 8A149EE4 12:03:26:031 3144 IRP_MJ_CREATE_MAILSLOT : 8A149EE4 12:03:26:031 3144 IRP_MJ_QUERY_SECURITY : 8A149EE4 12:03:26:031 3144 IRP_MJ_SET_SECURITY : 8A149EE4 12:03:26:031 3144 IRP_MJ_POWER : 8A149EE4 12:03:26:031 3144 IRP_MJ_SYSTEM_CONTROL : 8A149EE4 12:03:26:031 3144 IRP_MJ_DEVICE_CHANGE : 8A149EE4 12:03:26:031 3144 IRP_MJ_QUERY_QUOTA : 8A149EE4 12:03:26:031 3144 IRP_MJ_SET_QUOTA : 8A149EE4 12:03:26:031 3144 Driver "atapi" infected by TDSS rootkit! 
12:03:26:062 3144 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
12:03:26:062 3144 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
12:03:26:062 3144 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
12:03:26:062 3144 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
12:03:26:343 3144 vfvi6
12:03:26:453 3144 !dsvbh1
12:03:27:046 3144 dsvbh2
12:03:27:046 3144 fdfb2
12:03:27:046 3144 Backup copy found, using it..
12:03:27:093 3144 will be cured on next reboot
12:03:27:109 3144 Reboot required for cure complete..
12:03:27:140 3144 Cure on reboot scheduled successfully
12:03:27:140 3144
12:03:27:140 3144 Completed
12:03:27:140 3144
12:03:27:140 3144 Results:
12:03:27:140 3144 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
12:03:27:140 3144 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:03:27:140 3144 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:03:27:140 3144
12:03:27:140 3144 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:03:27:140 3144 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:03:27:156 3144 UnloadDriverW: NtUnloadDriver error 1
12:03:27:156 3144 KLMD(ARK) unloaded successfully

Thanks again for any help you can provide, Jon
  12. Ok, I admit I've tried some things I'm not supposed to do on my own here, but I consider myself knowledgeable enough that I thought I had a chance. I was hoping to not have to bother anyone else to solve this - but when I found myself considering an HDD format, I thought I would reach out for help first. MSE detected Alureon.H. I've tried Combofix and Tdsskiller without success. Malwarebytes does not see anything at all. Symptoms are generally severe sluggishness and browser redirects. Here are the logs:

DDS.TXT
DDS (Ver_10-03-17.01) - NTFSx86
Run by jokream at 9:09:09.35 on Mon 05/17/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2476 [GMT -4:00]
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Cactus Spam Filter 3.00\cactusspamfilter.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\jokream\Desktop\UNI\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Google Side Bar: {32004b8a-44a9-43e7-84e9-808838809519} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [com.codeode.cactusspamfilter] "c:\program files\cactus spam filter 3.00\cactusspamfilter.exe" -minimized
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [NWTRAY] NWTRAY.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: &Dial with CTI DATA CONNECTOR ENTERPRISE EDITION - file://c:\documents and settings\jokream\application data\cdc\CDCWebDial.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Open PDF in Word (PDF Converter 2.0) - c:\program files\scansoft\pdf converter 2.0 professional\pdfconv\IEShellExt.dll /100
IE: Open with WordPerfect - c:\program files\corelx4\wordperfect office x4\programs\WPLauncher.hta
IE: LOGS.zip