Jump to content

Leila

Honorary Members
  • Posts

    135
  • Joined

  • Last visited

Everything posted by Leila

  1. Thanks Maniac! I can't get Malwarebytes to open and run. I think the virus/trojan has disabled it. But, I went ahead an download DeFogger and DDS and did those scans. I wanted to post them now, just in case they disappear from my desktop. I will do the GMER Rootkit Scanner next and post that one in a separate post. Here is the DeFogger scan: defogger_disable by jpshortstuff (23.02.10.1) Log created at 21:58 on 07/06/2010 (Owner) Checking for autostart values... HKCU\~\Run values retrieved. HKLM\~\Run values retrieved. Checking for services/drivers... -=E.O.F=- Here is the DDS Scan: DDS (Ver_10-03-17.01) - NTFSx86 NETWORK Run by Owner at 22:06:17.39 on Mon 06/07/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.745 [GMT -7:00] AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch C:\WINDOWS\system32\svchost -k rpcss C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\System32\svchost.exe -k NetworkService C:\WINDOWS\system32\svchost.exe -k LocalService C:\WINDOWS\Explorer.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\Owner\Desktop\dds.scr C:\WINDOWS\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ mSearch Bar = hxxp://srch-us7.hpwis.com/ BHO: {0f224aa6-0422-48c0-b474-c39fac444ed5} - mosadefe.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: hp toolkit: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\hp\explorebar\HPTOOLKT.DLL TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [KBD] c:\hp\kbd\KBD.EXE mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\unload\hpqcmon.exe mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [jupejegaso] Rundll32.exe "mazoyabo.dll",s mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [pozojisin] Rundll32.exe "c:\windows\system32\rotawapo.dll",a StartupFolder: c:\docume~1\owner\startm~1\programs\startup\eventr~1.lnk - c:\program files\mindscape\printmaster\PMREMIND.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 7.0\aoltray.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE mPolicies-explorer: <NO NAME> = IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll Trusted Zone: microsoft.com\.windowsupdate Trusted Zone: windowsupdate.com DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37847.7197337963 DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab Notify: igfxcui - igfxsrvc.dll AppInit_DLLs: jasojife.dll c:\windows\system32\kipozepe.dll c:\windows\system32\rotawapo.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SSODL: kivegohem - {5abfe74a-cf59-4016-ba01-428a854575cf} - c:\windows\system32\kipozepe.dll SSODL: dedonazuw - {2f474bcb-7190-48df-aa59-9d2ecd1133e3} - c:\windows\system32\rotawapo.dll STS: gahurihor: {5abfe74a-cf59-4016-ba01-428a854575cf} - c:\windows\system32\kipozepe.dll STS: mujuzedij: {2f474bcb-7190-48df-aa59-9d2ecd1133e3} - c:\windows\system32\rotawapo.dll LSA: Notification Packages = scecli jasojife.dll IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe IFEO: MSASCui.exe - c:\windows\system32\svchost.exe IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe IFEO: msseces.exe - c:\windows\system32\svchost.exe ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3fr781te.default\ FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q= FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll FF - plugin: c:\program files\mozilla firefox\plugins\npImgCtl.dll FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-5-4 28552] S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-21 11608] S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-21 108289] S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-21 185089] S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-21 56816] S2 FMS;Flash Media Server (FMS);c:\program files\macromedia\flash media server 2\FMSMaster.exe [2007-6-5 893031] S2 FMSAdmin;Flash Media Administration Server;c:\program files\macromedia\flash media server 2\FMSAdmin.exe [2007-6-5 1171558] S2 gupdate1c9e0e7f016fb78;Google Update Service (gupdate1c9e0e7f016fb78);c:\program files\google\update\GoogleUpdate.exe [2009-5-29 133104] S2 mrtRate;mrtRate; [x] S2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2008-2-13 202280] S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2009-7-23 15872] S3 bfturboo;BUFFALO TurboUSB for DVD Filter;c:\windows\system32\drivers\bfturboo.sys [2009-7-23 8704] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-27 38224] S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?] =============== Created Last 30 ================ 2010-06-08 04:58:04 0 ----a-w- c:\documents and settings\owner\defogger_reenable 2010-05-28 04:51:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-05-28 04:51:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-05-28 04:51:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware ==================== Find3M ==================== 2010-05-07 02:04:06 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll 1601-01-01 00:03:28 99328 --sha-w- c:\windows\system32\gujowude.dll 2010-03-04 06:10:34 99328 --sha-w- c:\windows\system32\hujinuya.dll 2010-03-02 06:09:10 100352 --sha-w- c:\windows\system32\mozewaya.dll 2010-03-07 18:11:49 99328 --sha-w- c:\windows\system32\rotawapo.dll 1601-01-01 00:03:28 99840 --sha-w- c:\windows\system32\rurajiye.dll 1601-01-01 00:03:28 100352 --sha-w- c:\windows\system32\yebineza.dll 2010-03-03 18:10:20 99328 --sha-w- c:\windows\system32\yonugese.dll 2010-03-03 06:09:55 99840 --sha-w- c:\windows\system32\yozezuna.dll 2010-01-08 05:15:00 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat 2008-09-11 15:09:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091120080912\index.dat ============= FINISH: 22:07:43.50 =============== The is the Attach Scan UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_10-03-17.01) Microsoft Windows XP Home Edition Boot Device: \Device\HarddiskVolume2 Install Date: 5/23/2003 7:33:21 PM System Uptime: 6/7/2010 10:02:21 PM (0 hours ago) Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6577 Processor: Intel® Pentium® 4 CPU 2.66GHz | Socket 478 | 2666/133mhz ==== Disk Partitions ========================= A: is Removable C: is FIXED (NTFS) - 107 GiB total, 85.228 GiB free. D: is FIXED (FAT32) - 5 GiB total, 0.92 GiB free. E: is CDROM () F: is CDROM () G: is Removable H: is Removable I: is Removable ==== Disabled Device Manager Items ============= ==== System Restore Points =================== RP1: 5/6/2010 7:17:36 PM - System Checkpoint RP2: 5/8/2010 6:42:05 PM - System Checkpoint RP3: 5/10/2010 11:06:22 PM - System Checkpoint RP4: 5/12/2010 6:30:51 AM - System Checkpoint RP5: 5/12/2010 10:20:06 AM - Software Distribution Service 3.0 RP6: 5/13/2010 6:30:07 PM - System Checkpoint RP7: 5/14/2010 8:13:21 PM - System Checkpoint RP8: 5/15/2010 11:00:28 PM - System Checkpoint RP9: 5/17/2010 4:43:49 AM - System Checkpoint RP10: 5/18/2010 6:12:20 AM - System Checkpoint RP11: 5/19/2010 1:56:07 PM - System Checkpoint RP12: 5/20/2010 9:09:11 PM - System Checkpoint RP13: 5/22/2010 2:24:44 AM - System Checkpoint RP14: 5/24/2010 1:47:48 AM - System Checkpoint RP15: 5/25/2010 2:22:39 AM - System Checkpoint RP16: 5/26/2010 2:28:23 AM - System Checkpoint RP17: 5/26/2010 9:00:17 AM - Software Distribution Service 3.0 RP18: 5/27/2010 5:53:22 PM - System Checkpoint RP19: 5/27/2010 10:25:40 PM - Spybot-S&D Spyware removal RP20: 5/28/2010 10:31:08 PM - System Checkpoint RP21: 5/30/2010 10:07:30 AM - System Checkpoint RP22: 5/31/2010 4:35:05 PM - System Checkpoint RP23: 6/1/2010 9:48:35 PM - System Checkpoint RP24: 6/4/2010 9:12:26 PM - System Checkpoint RP25: 6/5/2010 9:29:55 PM - System Checkpoint ==== Installed Programs ====================== Ad-Aware SE Personal Adobe Download Manager 2.0 (Remove Only) Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Reader 7.0.9 AiO_Scan_CDA AiOSoftwareNPI Apple QuickTime Installer ArcSoft Software Suite Avira AntiVir Personal - Free Antivirus BUFFALO TurboUSB for FLASH/HDD BufferChm CCleaner (remove only) CD Label Design Software CP_CalendarTemplates1 cp_OnlineProjectsConfig CP_Package_Basic1 CP_Panorama1Config cp_PosterPrintConfig Critical Update for Windows Media Player 11 (KB959772) CueTour CustomerResearchQFolder Destinations Detto IntelliMover Demo DeviceManagementQFolder DocProc DocProcQFolder DocumentViewer DocumentViewerQFolder EarthLink MDAC easy Internet sign-up Enhanced Multimedia Keyboard Solution ESET Online Scanner ESET Online Scanner v3 eSupportQFolder Fax_CDA FullDPAppQFolder Google Chrome Google Earth Google Update Helper Google Updater HighMAT Extension to Microsoft Windows XP CD Writing Wizard HijackThis 2.0.2 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) Hotfix for Windows XP (KB976098-v2) Hotfix for Windows XP (KB979306) Hotfix for Windows XP (KB981793) hp center HP Customer Participation Program 7.0 HP Digital Imaging Album Printing 1.0 HP Document Viewer 7.0 HP Imaging Device Functions 7.0 HP Instant Support HP Memories Disc HP Photo and Imaging 1.1 - Photosmart Cameras HP Photo and Imaging 1.2 - Scanjet 4570c Series HP Photosmart Essential HP Photosmart Premier Software 6.5 HP Photosmart, Officejet and Deskjet 7.0.A HP Product Assistant HP Solution Center 7.0 hp toolkit HP Update HPPhotoSmartExpress HPProductAssistant Inactive HP Printer Drivers (Remove only) Indeo
  2. Thanks Maniac, I've got Malwarebytes already installed on my computer, but this virus isn't allowing Malwarebytes to open. Should I go ahead and download and run the other programs - DeFogger, DDS, and GMER, and post those scans here? Thanks..........Leila
  3. Tonight my anti-virus (Avira) popped up saying an unwanted program had tried to access my computer and had "deny access" checked. I clicked "ok", and within seconds there was another alert, and then another. I kept denying access and did a complete shut down of my computer. I booted up in safe mode and ran a complete virus scan. At the end of the scan the report stated that I had 6 entries of TR/Vundo.ME.71. I selected the option specified - "repair all", and restarted my computer. But, when I rebooted I had numerous pop-ups of my anti-virus saying that TR/Vundo.ME.71 was trying to access my computer. I shut down again and rebooted in safe mode. Malwarebytes won't open, so the only report I have is the one from my anti-virus, Avira. Avira AntiVir Personal Report file date: Sunday, June 06, 2010 19:34 Scanning for 2190565 virus strains and unwanted programs. Licensee : Avira AntiVir Personal - FREE Antivirus Serial number : 0000149996-ADJIE-0000001 Platform : Windows XP Windows version : (Service Pack 3) [5.1.2600] Boot mode : Save mode Username : Owner Computer name : YOUR-6JNHHU0520 Version information: BUILD.DAT : 9.0.0.422 21701 Bytes 3/9/2010 10:29:00 AVSCAN.EXE : 9.0.3.10 466689 Bytes 11/20/2009 07:26:00 AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24 LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49 LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52 VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 07:25:59 VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 07:25:59 VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 20:06:11 VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 20:09:06 VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 02:24:01 VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 05:32:36 VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 02:07:21 VBASE007.VDF : 7.10.7.219 2048 Bytes 6/2/2010 02:07:22 VBASE008.VDF : 7.10.7.220 2048 Bytes 6/2/2010 02:07:22 VBASE009.VDF : 7.10.7.221 2048 Bytes 6/2/2010 02:07:22 VBASE010.VDF : 7.10.7.222 2048 Bytes 6/2/2010 02:07:22 VBASE011.VDF : 7.10.7.223 2048 Bytes 6/2/2010 02:07:22 VBASE012.VDF : 7.10.7.224 2048 Bytes 6/2/2010 02:07:22 VBASE013.VDF : 7.10.7.225 2048 Bytes 6/2/2010 02:07:23 VBASE014.VDF : 7.10.7.226 2048 Bytes 6/2/2010 02:07:23 VBASE015.VDF : 7.10.7.227 2048 Bytes 6/2/2010 02:07:23 VBASE016.VDF : 7.10.7.228 2048 Bytes 6/2/2010 02:07:23 VBASE017.VDF : 7.10.7.229 2048 Bytes 6/2/2010 02:07:23 VBASE018.VDF : 7.10.7.230 2048 Bytes 6/2/2010 02:07:24 VBASE019.VDF : 7.10.7.231 2048 Bytes 6/2/2010 02:07:24 VBASE020.VDF : 7.10.7.232 2048 Bytes 6/2/2010 02:07:24 VBASE021.VDF : 7.10.7.233 2048 Bytes 6/2/2010 02:07:24 VBASE022.VDF : 7.10.7.234 2048 Bytes 6/2/2010 02:07:24 VBASE023.VDF : 7.10.7.235 2048 Bytes 6/2/2010 02:07:25 VBASE024.VDF : 7.10.7.236 2048 Bytes 6/2/2010 02:07:25 VBASE025.VDF : 7.10.7.237 2048 Bytes 6/2/2010 02:07:25 VBASE026.VDF : 7.10.7.238 2048 Bytes 6/2/2010 02:07:25 VBASE027.VDF : 7.10.7.239 2048 Bytes 6/2/2010 02:07:25 VBASE028.VDF : 7.10.7.240 2048 Bytes 6/2/2010 02:07:26 VBASE029.VDF : 7.10.7.241 2048 Bytes 6/2/2010 02:07:26 VBASE030.VDF : 7.10.7.242 2048 Bytes 6/2/2010 02:07:26 VBASE031.VDF : 7.10.7.252 87552 Bytes 6/6/2010 02:07:37 Engineversion : 8.2.2.6 AEVDF.DLL : 8.1.2.0 106868 Bytes 4/24/2010 05:31:52 AESCRIPT.DLL : 8.1.3.31 1352058 Bytes 6/3/2010 02:07:38 AESCN.DLL : 8.1.6.1 127347 Bytes 5/12/2010 17:27:00 AESBX.DLL : 8.1.3.1 254324 Bytes 4/24/2010 05:31:53 AERDL.DLL : 8.1.4.6 541043 Bytes 4/16/2010 05:33:56 AEPACK.DLL : 8.2.1.1 426358 Bytes 3/20/2010 01:58:53 AEOFFICE.DLL : 8.1.1.0 201081 Bytes 5/12/2010 17:27:00 AEHEUR.DLL : 8.1.1.33 2724214 Bytes 6/5/2010 02:07:24 AEHELP.DLL : 8.1.11.5 242038 Bytes 6/3/2010 02:07:29 AEGEN.DLL : 8.1.3.10 377205 Bytes 6/3/2010 02:07:28 AEEMU.DLL : 8.1.2.0 393588 Bytes 4/24/2010 05:31:49 AECORE.DLL : 8.1.15.3 192886 Bytes 5/12/2010 17:26:58 AEBB.DLL : 8.1.1.0 53618 Bytes 4/24/2010 05:31:48 AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59 AVPREF.DLL : 9.0.3.0 44289 Bytes 9/9/2009 01:58:54 AVREP.DLL : 8.0.0.7 159784 Bytes 2/18/2010 02:03:13 AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09 AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41 AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08 SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49 SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33 NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10 RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58 RCTEXT.DLL : 9.0.73.0 86785 Bytes 11/20/2009 07:25:57 Configuration settings for the scan: Jobname.............................: Complete system scan Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp Logging.............................: low Primary action......................: interactive Secondary action....................: ignore Scan master boot sector.............: on Scan boot sector....................: on Boot sectors........................: C:, D:, Process scan........................: on Scan registry.......................: on Search for rootkits.................: on Integrity checking of system files..: off Scan all files......................: All files Scan archives.......................: on Recursion depth.....................: 20 Smart extensions....................: on Macro heuristic.....................: on File heuristic......................: medium Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR, Start of the scan: Sunday, June 06, 2010 19:34 Starting search for hidden objects. The driver could not be initialized. The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avcenter.exe' - '1' Module(s) have been scanned Scan process 'explorer.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 12 processes with 12 modules were scanned Starting master boot sector scan: Master boot sector HD0 [iNFO] No virus was found! Master boot sector HD1 [iNFO] No virus was found! Master boot sector HD2 [iNFO] No virus was found! Master boot sector HD3 [iNFO] No virus was found! Start scanning boot sectors: Boot sector 'C:\' [iNFO] No virus was found! Boot sector 'D:\' [iNFO] No virus was found! Starting to scan executable files (registry). C:\WINDOWS\system32\mazoyabo.dll [DETECTION] Is the TR/Vundo.ME.71 Trojan The registry was scanned ( '80' files ). Starting the file scan: Begin scan in 'C:\' <HP_PAVILION> C:\pagefile.sys [WARNING] The file could not be opened! [NOTE] This file is a Windows system file. [NOTE] This file cannot be opened for scanning. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NS1OFA45\load[1].php [DETECTION] Is the TR/Vundo.ME.71 Trojan C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP23\A0001161.dll [DETECTION] Is the TR/Vundo.99328.G.4 Trojan C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP25\A0001325.dll [DETECTION] Is the TR/Vundo.ME.71 Trojan C:\WINDOWS\system32\jasojife.dll [DETECTION] Is the TR/Vundo.ME.71 Trojan C:\WINDOWS\system32\mosadefe.dll [DETECTION] Is the TR/Vundo.ME.71 Trojan Begin scan in 'D:\' <HP_RECOVERY> Beginning disinfection: C:\WINDOWS\system32\mazoyabo.dll [DETECTION] Is the TR/Vundo.ME.71 Trojan [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004 [WARNING] The source file could not be found. [NOTE] Attempting to perform action using the ARK library. [NOTE] The driver could not be initialized. [NOTE] The file is scheduled for deleting after reboot. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NS1OFA45\load[1].php [DETECTION] Is the TR/Vundo.ME.71 Trojan [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004 [WARNING] The source file could not be found. [NOTE] Attempting to perform action using the ARK library. [WARNING] Error in ARK library [NOTE] The file is scheduled for deleting after reboot. C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP23\A0001161.dll [DETECTION] Is the TR/Vundo.99328.G.4 Trojan [NOTE] The file was moved to '4c3c89b7.qua'! C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP25\A0001325.dll [DETECTION] Is the TR/Vundo.ME.71 Trojan [NOTE] The file was moved to '4d442c70.qua'! C:\WINDOWS\system32\jasojife.dll [DETECTION] Is the TR/Vundo.ME.71 Trojan [WARNING] An error has occurred and the file was not deleted. ErrorID: 26003 [WARNING] The file could not be deleted! [NOTE] Attempting to perform action using the ARK library. [NOTE] The driver could not be initialized. [NOTE] The file is scheduled for deleting after reboot. C:\WINDOWS\system32\mosadefe.dll [DETECTION] Is the TR/Vundo.ME.71 Trojan [NOTE] The file was moved to '4c7f89f8.qua'! End of the scan: Sunday, June 06, 2010 22:54 Used time: 3:18:42 Hour(s) The scan has been done completely. 12170 Scanned directories 593564 Files were scanned 6 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 0 files were deleted 0 Viruses and unwanted programs were repaired 3 Files were moved to quarantine 0 Files were renamed 1 Files cannot be scanned 593557 Files not concerned 21106 Archives were scanned 4 Warnings 7 Notes
  4. Hi Kahdah, I've just completed all steps to clean-up, updated Java, and created a system restore point. I hope I did it right. I found that the system restore point was turned off already, so I turned it on and it now says "monitoring." Is that what it's supposed to say? When I read your message regarding the clean-up, my anti-virus (Avira) had already started and I thought I'd better let it run as it's been since last Saturday since it's done it's daily scan. While it was scanning, it detected a virus called "TR/FraudPack.aunu" and had an option of "repair it" selected. I clicked on repair and evidently it was repaired. I had errands to run and waited until this evening to get back to the computer and complete the clean up. I can't thank you enough for all your help! You've done such a great job of helping me through this malware attack and I really appreciated all your help. It's a wonderful service being provided here at Malwarebytes Forum. Thank you again!
  5. My computer is running great, and no signs of the virus/trojan - no pop-up warnings from the fake anti-virus. Here's the latest OTL report. OTL logfile created on: 5/6/2010 10:32:42 AM - Run 2 OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Owner\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1,023.00 Mb Total Physical Memory | 692.00 Mb Available Physical Memory | 68.00% Memory free 2.00 Gb Paging File | 1.00 Gb Available in Paging File | 84.00% Paging File free Paging file location(s): C:\pagefile.sys 768 1536 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 106.50 Gb Total Space | 83.06 Gb Free Space | 77.99% Space Free | Partition Type: NTFS Drive D: | 5.27 Gb Total Space | 0.92 Gb Free Space | 17.45% Space Free | Partition Type: FAT32 E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: YOUR-6JNHHU0520 Current User Name: Owner Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Processes (SafeList) ========== PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Documents and Settings\Owner\Desktop\OTH.scr (OldTimer Tools) PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH) PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\WINDOWS\system32\HPZipm12.exe (HP) PRC - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe (SupportSoft, Inc.) PRC - C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe (Macromedia, Inc.) PRC - C:\Program Files\Macromedia\Flash Media Server 2\FMSEdge.exe (Macromedia, Inc.) PRC - C:\Program Files\Macromedia\Flash Media Server 2\FMSCore.exe (Macromedia, Inc.) PRC - C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe (Macromedia, Inc.) PRC - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe (Hewlett-Packard Development Company, L.P.) PRC - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.) PRC - C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe () PRC - C:\WINDOWS\wanmpsvc.exe (America Online, Inc.) PRC - C:\Program Files\America Online 7.0\aoltray.exe (America Online, Inc.) ========== Modules (SafeList) ========== MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools) MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH) SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP) SRV - (sprtsvc_medicsp2) SupportSoft Sprocket Service (medicsp2) -- C:\Program Files\twc\medicsp2\bin\sprtsvc.exe (SupportSoft, Inc.) SRV - (FMS) Flash Media Server (FMS) -- C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe (Macromedia, Inc.) SRV - (FMSAdmin) -- C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe (Macromedia, Inc.) SRV - (WANMiniportService) WAN Miniport (ATW) -- C:\WINDOWS\wanmpsvc.exe (America Online, Inc.) ========== Driver Services (SafeList) ========== DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH) DRV - (pavboot) -- C:\WINDOWS\system32\drivers\pavboot.sys (Panda Security, S.L.) DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH) DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH) DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH) DRV - (bfturboh) -- C:\WINDOWS\system32\drivers\bfturboh.sys () DRV - (bfturboo) -- C:\WINDOWS\system32\drivers\bfturboo.sys (Medialogic Corp.) DRV - (symlcbrd) -- C:\WINDOWS\system32\drivers\symlcbrd.sys (Symantec Corporation) DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company) DRV - (AFS2K) -- C:\WINDOWS\system32\drivers\AFS2K.SYS (Oak Technology Inc.) DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.) DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\rtl8139.sys (Realtek Semiconductor Corporation) DRV - (S3Psddr) -- C:\WINDOWS\system32\drivers\s3gnbm.sys (S3 Graphics, Inc.) DRV - (ndiscm) -- C:\WINDOWS\system32\drivers\NetMotCM.sys (Motorola Inc.) DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation) DRV - (ltmodem5) -- C:\WINDOWS\system32\drivers\ltmdmnt.sys (LT) DRV - (MxlW2k) -- C:\WINDOWS\system32\drivers\MxlW2k.sys (MusicMatch, Inc.) DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.) DRV - (drvmcdb) -- C:\WINDOWS\System32\DRIVERS\drvmcdb.sys (VERITAS Software, Inc.) DRV - (SISAGP) -- C:\WINDOWS\System32\DRIVERS\SISAGP.sys (Silicon Integrated Systems Corporation) DRV - (viaagp1) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.) DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.) DRV - (PcdrNt) -- C:\WINDOWS\System32\drivers\PcdrNt.sys (PC-Doctor Inc.) ========== Standard Registry (All) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6E C4 F8 20 66 09 CA 01 [binary data] IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation) IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.selectedEngine: "Google" FF - prefs.js..network.proxy.no_proxies_on: "localhost" FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/09 15:38:23 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/08 09:15:51 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 02:30:12 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 02:30:12 | 000,000,000 | ---D | M] [2008/08/27 12:06:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions [2008/08/27 12:06:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2005/09/20 15:04:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0k7w24pw.default\extensions [2005/09/20 15:04:15 | 000,000,000 | ---D | M] (Firefox (default)) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0k7w24pw.default\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2010/05/05 13:46:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3fr781te.default\extensions [2009/08/09 09:57:35 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3fr781te.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010/03/13 11:25:34 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3fr781te.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2005/09/21 23:29:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rk31whtr.default\extensions [2005/09/21 23:29:50 | 000,000,000 | ---D | M] (Firefox (default)) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rk31whtr.default\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2010/05/05 13:46:27 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2010/04/02 02:30:12 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2007/05/10 10:43:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [2007/07/28 11:23:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [2007/10/29 20:50:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [2008/03/27 21:56:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [2009/01/09 15:38:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [2009/04/10 10:26:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [2009/06/10 11:38:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [2010/04/02 02:30:03 | 000,023,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll [2010/04/02 02:30:03 | 000,138,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll [2007/04/10 17:21:08 | 000,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll [2004/11/12 20:36:20 | 000,005,120 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll [2009/05/21 11:33:58 | 000,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll [2007/05/11 17:41:00 | 000,200,704 | ---- | M] (Ancestry.com) -- C:\Program Files\Mozilla Firefox\plugins\npImgCtl.dll [2006/12/12 11:48:22 | 001,440,560 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll [2010/04/02 02:30:05 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll [2006/12/18 05:18:30 | 000,077,824 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll [2005/12/09 11:59:57 | 000,139,305 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll [2006/05/16 10:32:21 | 000,126,976 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll [2006/05/16 10:32:21 | 000,126,976 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll [2006/05/16 10:32:21 | 000,126,976 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll [2006/05/16 10:32:21 | 000,126,976 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll [2006/05/16 10:32:22 | 000,126,976 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll [2006/05/16 10:32:22 | 000,126,976 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll [2006/05/16 10:32:22 | 000,126,976 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll [2005/12/09 12:00:14 | 000,024,621 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll [2005/12/09 11:59:39 | 000,081,967 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll [2010/03/11 22:20:18 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml [2010/03/11 22:20:18 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml [2010/03/11 22:20:18 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml [2010/03/11 22:20:18 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml [2010/03/11 22:20:18 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml [2008/10/17 12:22:02 | 000,000,897 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\livecom.png [2008/10/17 12:22:02 | 000,001,015 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\livecom.src [2010/03/11 22:20:18 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml [2010/03/11 22:20:18 | 000,001,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml O1 HOSTS File: ([2010/02/08 20:21:08 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.) O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) O3 - HKLM\..\Toolbar: (hp toolkit) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company) O3 - HKCU\..\Toolbar\ShellBrowser: (hp toolkit) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company) O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (hp toolkit) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe () O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation) O4 - HKLM..\Run: [hpsysdrv] c:\WINDOWS\system\hpsysdrv.exe (Hewlett-Packard Company) O4 - HKLM..\Run: [KBD] C:\hp\KBD\kbd.exe (Hewlett-Packard Company) O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation) O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe () O4 - HKLM..\Run: [updateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions) O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation) O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe (America Online, Inc.) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation) O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O15 - HKCU\..Trusted Domains: microsoft.com ([.windowsupdate] http in Trusted sites) O15 - HKCU\..Trusted Domains: windowsupdate.com ([]http in Trusted sites) O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object) O16 - DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} http://download.microsoft.com/download/3/B...tualEarth3D.cab (SentinelProxy Class) O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (OnlineScanner Control) O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/shock...h/ultrashim.cab (Reg Error: Value error.) O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...7847.7197337963 (Reg Error: Key error.) O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} http://fdl.msn.com/zone/datafiles/heartbeat.cab (HeartbeatCtl Class) O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object) O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.) O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62 O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation) O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ipp - No CLSID value found O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation) O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation) O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp - No CLSID value found O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation) O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation) O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation) O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation) O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation) O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation) O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation) O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation) O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation) O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation) O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation) O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation) O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll (Microsoft Corporation) O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) O24 - Desktop Components:0 (My Current Home Page) - About:Home O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation) O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation) O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation) O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation) O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation) O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation) O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2002/10/28 10:36:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O32 - AutoRun File - [2001/07/28 07:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2010/05/06 10:31:14 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe [2010/05/06 10:30:53 | 000,257,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTH.scr [2010/05/05 23:10:32 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster [2010/05/05 18:42:18 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2010/05/04 17:36:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2010/05/04 17:36:43 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2010/05/04 17:36:43 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2010/05/04 17:36:43 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2010/05/04 17:36:11 | 000,000,000 | ---D | C] -- C:\Qoobox [2010/05/04 17:36:03 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys [2010/05/04 17:19:01 | 000,000,000 | ---D | C] -- C:\_OTL [2010/05/03 21:19:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Programs Not Often Used [2010/05/03 19:56:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Anti-Malware Programs [1 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010/05/06 10:31:10 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe [2010/05/06 10:30:37 | 000,257,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTH.scr [2010/05/06 10:20:02 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010/05/06 10:19:01 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job [2010/05/06 10:18:45 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job [2010/05/06 10:18:43 | 000,000,249 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat [2010/05/06 10:18:39 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010/05/06 10:18:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010/05/06 10:18:35 | 1073,270,784 | -HS- | M] () -- C:\hiberfil.sys [2010/05/06 01:37:54 | 007,602,176 | ---- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT [2010/05/06 01:37:54 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini [2010/05/06 00:53:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job [2010/05/05 23:10:35 | 000,000,701 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk [2010/05/05 21:18:37 | 000,045,095 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\CV090376 - Simpson.pdf [2010/05/05 18:00:27 | 000,031,744 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Instructions for Malwarebytes - May 5, 2010.doc [2010/05/05 13:29:55 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini [2010/05/05 09:33:41 | 000,036,864 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Computer repair - May 5, 2010.doc [2010/05/04 17:32:18 | 003,946,093 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe [2010/05/04 16:41:04 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Instructions for Clean Up - May 2010.doc [2010/05/04 11:19:12 | 000,049,664 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\OTL Extras logfile created o1.doc [2010/05/04 11:18:00 | 000,073,216 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\OTL Extras logfile created on.doc [2010/05/04 10:59:54 | 000,135,168 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\OTL logfile created on.doc [2010/05/03 20:01:32 | 000,001,524 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\NOTEPAD.lnk [2010/05/02 22:42:56 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\During the sentencing phase of the trial I don.doc [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe [2010/04/26 09:13:22 | 001,180,364 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\KFIS25XVMS_Use%20and%20Care_EN.pdf [2010/04/22 13:43:57 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Crock pot chicken alfredo.doc [2010/04/22 11:06:03 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn [2010/04/22 10:48:00 | 000,050,176 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\At exit 59.doc [2010/04/21 22:38:50 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Wall Street Journal Sizes up Obama.doc [2010/04/15 12:24:57 | 000,052,224 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Pat Brown - Criminal Profile of Haleigh Cummings Case.doc [2010/04/15 10:20:51 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Kitchen Renovation -Things left to do.doc [2010/04/14 21:55:05 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\How to get rid of ad at bottom of page.doc [2010/04/14 10:25:26 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2010/04/14 10:22:31 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Rainfall for 2009 -2010.doc [1 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/05/05 23:10:35 | 000,000,701 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk [2010/05/05 21:18:37 | 000,045,095 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\CV090376 - Simpson.pdf [2010/05/05 18:00:26 | 000,031,744 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Instructions for Malwarebytes - May 5, 2010.doc [2010/05/05 09:33:41 | 000,036,864 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Computer repair - May 5, 2010.doc [2010/05/04 17:36:43 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe [2010/05/04 17:36:43 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2010/05/04 17:36:43 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2010/05/04 17:36:43 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe [2010/05/04 17:36:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2010/05/04 17:32:43 | 003,946,093 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe [2010/05/04 17:28:02 | 1073,270,784 | -HS- | C] () -- C:\hiberfil.sys [2010/05/04 16:41:03 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Instructions for Clean Up - May 2010.doc [2010/05/04 11:19:12 | 000,049,664 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\OTL Extras logfile created o1.doc [2010/05/04 11:18:00 | 000,073,216 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\OTL Extras logfile created on.doc [2010/05/04 10:59:53 | 000,135,168 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\OTL logfile created on.doc [2010/05/02 22:42:56 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\During the sentencing phase of the trial I don.doc [2010/04/26 09:12:34 | 001,180,364 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\KFIS25XVMS_Use%20and%20Care_EN.pdf [2010/04/22 13:43:35 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Crock pot chicken alfredo.doc [2010/04/22 10:47:59 | 000,050,176 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\At exit 59.doc [2010/04/21 22:38:49 | 000,031,232 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Wall Street Journal Sizes up Obama.doc [2010/04/15 12:24:55 | 000,052,224 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Pat Brown - Criminal Profile of Haleigh Cummings Case.doc [2010/04/15 10:20:51 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Kitchen Renovation -Things left to do.doc [2010/04/14 21:55:00 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\How to get rid of ad at bottom of page.doc [2009/07/23 21:38:47 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\drivers\bfturboh.sys [2009/07/19 00:17:36 | 000,000,044 | ---- | C] () -- C:\WINDOWS\ALBUM.INI [2008/09/29 16:13:29 | 000,006,416 | ---- | C] () -- C:\WINDOWS\UN080325.INI [2008/08/09 08:53:25 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll [2008/04/26 15:52:44 | 000,000,362 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini [2008/02/11 10:39:26 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLA.dll [2008/02/11 10:39:18 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLW.dll [2008/02/08 14:53:46 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerLang.dll [2007/07/27 15:49:02 | 000,225,355 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiW.dll [2007/07/27 15:49:02 | 000,196,683 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiA.dll [2007/07/21 12:26:23 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll [2006/05/01 13:41:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI [2005/12/05 20:25:22 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\lnod32umc.dll [2005/12/05 13:37:10 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\lnod32upd.dll [2005/01/13 15:58:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSREGUSR.INI [2004/09/24 13:33:55 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini [2004/08/23 08:45:47 | 000,001,454 | ---- | C] () -- C:\WINDOWS\cdplayer.ini [2004/03/25 15:53:36 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll [2003/12/17 22:31:40 | 000,000,259 | ---- | C] () -- C:\WINDOWS\hpqcopy.INI [2003/11/24 21:53:50 | 000,000,050 | ---- | C] () -- C:\WINDOWS\Winamp.ini [2003/11/24 21:53:21 | 000,000,041 | ---- | C] () -- C:\WINDOWS\winampa.ini [2003/08/21 20:27:59 | 000,000,070 | ---- | C] () -- C:\WINDOWS\BAF4F3D2.ini [2003/06/17 18:43:30 | 000,000,282 | ---- | C] () -- C:\WINDOWS\kodakpcd.Owner.ini [2003/06/04 18:58:06 | 000,002,509 | ---- | C] () -- C:\WINDOWS\WinInit.Ini [2003/05/28 22:58:54 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini [2003/05/25 13:35:06 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2003/05/23 19:43:38 | 000,000,044 | ---- | C] () -- C:\WINDOWS\AUTHMGR.INI [2003/05/12 14:32:44 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL [2003/03/02 15:08:17 | 000,000,242 | ---- | C] () -- C:\WINDOWS\qwimp.ini [2002/12/13 12:32:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini [2002/10/28 15:48:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2002/10/28 12:31:35 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll [2002/10/28 12:29:39 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll [2002/10/28 12:29:38 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll [2002/10/28 12:18:04 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini [2002/10/28 12:17:57 | 000,000,626 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI [2002/10/28 12:12:23 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll [2002/10/28 11:42:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini [2002/10/28 11:34:32 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll [2002/10/28 11:31:05 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll [2002/10/28 11:23:47 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll [2002/10/28 11:23:47 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll [2002/10/28 11:23:25 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll [2002/10/28 10:40:15 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini [2002/10/28 09:23:12 | 000,000,659 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini [2001/08/31 16:33:58 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\VxDMDcDlg.dll [2001/08/14 19:47:08 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\vxpsapi.dll [2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini ========== Alternate Data Streams ========== @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 < End of report >
  6. Here's the ESET scan. That one took several hours to run. ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6211 # api_version=3.0.2 # EOSSerial=65ba73866290f14e956c30c3203a1edc # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2010-05-06 05:36:20 # local_time=2010-05-05 10:36:20 (-0800, Pacific Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 42429642 42429642 0 0 # compatibility_mode=1024 16777215 100 0 60283548 60283548 0 0 # compatibility_mode=1797 16775125 100 100 0 47884574 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # compatibility_mode=9217 16777214 0 9 32464465 32464465 0 0 # scanned=126800 # found=0 # cleaned=0 # scan_time=13772
  7. Here's the report from Malwarebytes. Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4070 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 5/5/2010 6:14:33 PM mbam-log-2010-05-05 (18-14-33).txt Scan type: Quick scan Objects scanned: 139769 Time elapsed: 10 minute(s), 35 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
  8. Sorry I took so long to respond. I had unexpected company this morning. Here's the ComboFix Log. ComboFix 10-05-04.03 - Owner 05/05/2010 13:20:30.7.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.564 [GMT -7:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Owner\Local Settings\Application Data\qlpyxxrbw . ((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 ))))))))))))))))))))))))))))))) . 2010-05-05 00:36 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys 2010-05-05 00:19 . 2010-05-05 00:19 -------- d-----w- C:\_OTL . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-05-05 04:55 . 2008-12-30 03:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-05-05 04:52 . 2008-12-30 00:52 -------- d-----w- c:\program files\SpywareBlaster 2010-05-03 08:48 . 2010-02-07 19:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-03 08:48 . 2010-04-03 00:58 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2010-04-29 22:39 . 2010-02-07 19:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 22:39 . 2010-02-07 19:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-13 06:56 . 2003-10-21 05:28 -------- d-----w- c:\program files\Google 2010-03-14 18:16 . 2009-12-05 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Image Zone Express 2010-03-10 06:15 . 2002-11-13 17:05 420352 ----a-w- c:\windows\system32\vbscript.dll 2010-02-25 06:24 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll 2010-02-24 13:11 . 2002-11-13 17:44 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-16 14:08 . 2002-08-29 08:04 2146304 ------w- c:\windows\system32\ntoskrnl.exe 2010-02-16 13:25 . 2002-08-29 08:04 2024448 ------w- c:\windows\system32\ntkrnlpa.exe 2010-02-12 04:33 . 2003-07-10 20:19 100864 ----a-w- c:\windows\system32\6to4svc.dll 2010-02-11 12:02 . 2003-07-01 00:30 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys . ((((((((((((((((((((((((((((( SnapShot@2010-05-05_00.48.55 ))))))))))))))))))))))))))))))))))))))))) . + 2010-05-05 16:28 . 2010-05-05 16:28 16384 c:\windows\Temp\Perflib_Perfdata_240.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-09-09 114688] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992] "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472] "nwiz"="nwiz.exe" [2003-07-28 323584] "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440] "CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 69632] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] c:\documents and settings\Owner\Start Menu\Programs\Startup\ Event Reminder.lnk - c:\program files\Mindscape\PrintMaster\PMREMIND.EXE [1998-6-6 325632] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] America Online 7.0 Tray Icon.lnk - c:\program files\America Online 7.0\aoltray.exe [2003-4-9 32839] HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2003-5-12 65588] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk backup=c:\windows\pss\hp center UI.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center.lnk backup=c:\windows\pss\hp center.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] 2007-05-09 00:24 54840 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2006-02-23 23:45 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\medicsp2] 2007-03-07 19:53 198184 ----a-w- c:\program files\twc\medicsp2\bin\sprtcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2006-05-16 17:31 282624 ----a-w- c:\program files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] 2002-04-18 01:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2009-05-21 18:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] 2009-05-30 05:30 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2005-12-09 18:59 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] 2002-07-23 16:58 12288 ----a-w- c:\program files\Winamp3\winampa.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"= R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/4/2010 5:36 PM 28552] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/21/2009 10:56 PM 108289] R2 FMS;Flash Media Server (FMS);c:\program files\Macromedia\Flash Media Server 2\FMSMaster.exe [6/5/2007 7:42 PM 893031] R2 FMSAdmin;Flash Media Administration Server;c:\program files\Macromedia\Flash Media Server 2\FMSAdmin.exe [6/5/2007 7:42 PM 1171558] R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2/13/2008 12:18 AM 202280] S2 gupdate1c9e0e7f016fb78;Google Update Service (gupdate1c9e0e7f016fb78);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2009 10:31 PM 133104] S2 mrtRate;mrtRate; [x] S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [7/23/2009 9:38 PM 15872] S3 bfturboo;BUFFALO TurboUSB for DVD Filter;c:\windows\system32\drivers\bfturboo.sys [7/23/2009 9:40 PM 8704] S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?] . Contents of the 'Scheduled Tasks' folder 2010-05-05 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-30 05:30] 2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 05:31] 2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 05:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ mSearch Bar = hxxp://srch-us7.hpwis.com/ Trusted Zone: microsoft.com\.windowsupdate Trusted Zone: windowsupdate.com DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3fr781te.default\ FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q= FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npImgCtl.dll FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-05 13:29 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3068319366-1007421996-3448509444-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3544) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2010-05-05 13:35:01 ComboFix-quarantined-files.txt 2010-05-05 20:34 ComboFix2.txt 2010-05-05 00:55 ComboFix3.txt 2010-02-10 03:53 Pre-Run: 89,327,558,656 bytes free Post-Run: 89,291,644,928 bytes free - - End Of File - - AE01E81DB91FD6193C6426D3EDDCE952
  9. And here's the ComboFix report. ComboFix 10-05-04.03 - Owner 05/04/2010 17:38:16.6.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.567 [GMT -7:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\WindowsUpdate c:\program files\WindowsUpdate\V4\iuhist.xml . ((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 ))))))))))))))))))))))))))))))) . 2010-05-05 00:36 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys 2010-05-05 00:19 . 2010-05-05 00:19 -------- d-----w- C:\_OTL 2010-05-03 08:41 . 2010-05-05 00:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\qlpyxxrbw . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-05-03 08:56 . 2008-12-30 03:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-05-03 08:48 . 2010-02-07 19:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-03 08:48 . 2010-04-03 00:58 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2010-04-29 22:39 . 2010-02-07 19:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 22:39 . 2010-02-07 19:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-13 07:57 . 2008-12-30 00:52 -------- d-----w- c:\program files\SpywareBlaster 2010-04-13 06:56 . 2003-10-21 05:28 -------- d-----w- c:\program files\Google 2010-03-14 18:16 . 2009-12-05 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Image Zone Express 2010-03-10 06:15 . 2002-11-13 17:05 420352 ----a-w- c:\windows\system32\vbscript.dll 2010-02-25 06:24 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll 2010-02-24 13:11 . 2002-11-13 17:44 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-16 14:08 . 2002-08-29 08:04 2146304 ------w- c:\windows\system32\ntoskrnl.exe 2010-02-16 13:25 . 2002-08-29 08:04 2024448 ------w- c:\windows\system32\ntkrnlpa.exe 2010-02-12 04:33 . 2003-07-10 20:19 100864 ----a-w- c:\windows\system32\6to4svc.dll 2010-02-11 12:02 . 2003-07-01 00:30 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-09-09 114688] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992] "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472] "nwiz"="nwiz.exe" [2003-07-28 323584] "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440] "CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 69632] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] c:\documents and settings\Owner\Start Menu\Programs\Startup\ Event Reminder.lnk - c:\program files\Mindscape\PrintMaster\PMREMIND.EXE [1998-6-6 325632] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] America Online 7.0 Tray Icon.lnk - c:\program files\America Online 7.0\aoltray.exe [2003-4-9 32839] HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2003-5-12 65588] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk backup=c:\windows\pss\hp center UI.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center.lnk backup=c:\windows\pss\hp center.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] 2007-05-09 00:24 54840 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2006-02-23 23:45 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\medicsp2] 2007-03-07 19:53 198184 ----a-w- c:\program files\twc\medicsp2\bin\sprtcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2006-05-16 17:31 282624 ----a-w- c:\program files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] 2002-04-18 01:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2009-05-21 18:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] 2009-05-30 05:30 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2005-12-09 18:59 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] 2002-07-23 16:58 12288 ----a-w- c:\program files\Winamp3\winampa.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"= R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/21/2009 10:56 PM 108289] R2 FMS;Flash Media Server (FMS);c:\program files\Macromedia\Flash Media Server 2\FMSMaster.exe [6/5/2007 7:42 PM 893031] R2 FMSAdmin;Flash Media Administration Server;c:\program files\Macromedia\Flash Media Server 2\FMSAdmin.exe [6/5/2007 7:42 PM 1171558] R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2/13/2008 12:18 AM 202280] S2 gupdate1c9e0e7f016fb78;Google Update Service (gupdate1c9e0e7f016fb78);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2009 10:31 PM 133104] S2 mrtRate;mrtRate; [x] S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [7/23/2009 9:38 PM 15872] S3 bfturboo;BUFFALO TurboUSB for DVD Filter;c:\windows\system32\drivers\bfturboo.sys [7/23/2009 9:40 PM 8704] S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?] . Contents of the 'Scheduled Tasks' folder 2010-05-05 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-30 05:30] 2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 05:31] 2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 05:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ mSearch Bar = hxxp://srch-us7.hpwis.com/ Trusted Zone: microsoft.com\.windowsupdate Trusted Zone: windowsupdate.com DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3fr781te.default\ FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q= FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npImgCtl.dll FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-04 17:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3068319366-1007421996-3448509444-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . Completion time: 2010-05-04 17:55:19 ComboFix-quarantined-files.txt 2010-05-05 00:55 ComboFix2.txt 2010-02-10 03:53 Pre-Run: 89,377,452,032 bytes free Post-Run: 89,340,370,944 bytes free - - End Of File - - 3DE35D34E42ECA8B4977F7B915E81E81
  10. Here's the OTL Fix-It report: All processes killed ========== OTL ========== HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully! HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully! HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully! Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ixlijvwt deleted successfully. C:\Documents and Settings\Owner\Local Settings\Application Data\qlpyxxrbw\sriiehftssd.exe moved successfully. Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ixlijvwt deleted successfully. File C:\Documents and Settings\Owner\Local Settings\Application Data\qlpyxxrbw\sriiehftssd.exe not found. ========== FILES ========== File\Folder C:\Documents and Settings\Owner\Local Settings\Application Data\qlpyxxrb not found. ========== COMMANDS ========== [EMPTYTEMP] User: Administrator User: All Users User: Customer ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes User: Default User ->Temp folder emptied: 1275749 bytes ->Temporary Internet Files folder emptied: 571411 bytes ->Flash cache emptied: 41 bytes User: Guest ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes User: LocalService ->Temp folder emptied: 326340 bytes ->Temporary Internet Files folder emptied: 32902 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: Owner ->Temp folder emptied: 161195620 bytes ->Temporary Internet Files folder emptied: 81689476 bytes ->Java cache emptied: 40409774 bytes ->FireFox cache emptied: 64603520 bytes ->Google Chrome cache emptied: 819568 bytes ->Flash cache emptied: 131816 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 58625 bytes %systemroot%\System32 .tmp files removed: 9557009 bytes %systemroot%\System32\dllcache .tmp files removed: 569344 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 78983955 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 420.00 mb OTL by OldTimer - Version 3.2.4.1 log created on 05042010_171901 Files\Folders moved on Reboot... Registry entries deleted on Reboot...
  11. It worked this time! GMER 1.0.15.15281 - http://www.gmer.net Autostart scan 2010-05-04 12:08:01 Windows 5.1.2600 Service Pack 3 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe, HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>> dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll igfxcui@DLLName = igfxsrvc.dll WgaLogon@DLLName = WgaLogon.dll HKLM\SYSTEM\CurrentControlSet\Services\ >>> AntiVirSchedulerService@ = "C:\Program Files\Avira\AntiVir Desktop\sched.exe" AntiVirService@ = "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" Fax@ = %systemroot%\system32\fxssvc.exe FMS@ = "C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe" FMSAdmin@ = "C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe" gupdate1c9e0e7f016fb78@ = "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc gusvc@ = "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" JavaQuickStarterService@ = "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" NVSvc@ = %SystemRoot%\System32\nvsvc32.exe Pml Driver HPZ12@ = C:\WINDOWS\system32\HPZipm12.exe ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys sprtsvc_medicsp2@ = C:\Program Files\twc\medicsp2\bin\sprtsvc.exe /service /p medicsp2 /*file not found*/ WANMiniportService@ = "C:\WINDOWS\wanmpsvc.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>> @HotKeysCmdsC:\WINDOWS\System32\hkcmd.exe = C:\WINDOWS\System32\hkcmd.exe @RecguardC:\WINDOWS\SMINST\RECGUARD.EXE = C:\WINDOWS\SMINST\RECGUARD.EXE @NvCplDaemonRUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup @nwiznwiz.exe /install = nwiz.exe /install @KBDC:\HP\KBD\KBD.EXE = C:\HP\KBD\KBD.EXE @CamMonitorc:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe = c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe @UpdateManager"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r @hpsysdrvc:\windows\system\hpsysdrv.exe = c:\windows\system\hpsysdrv.exe @avgnt"C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min = "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min @ixlijvwtC:\Documents and Settings\Owner\Local Settings\Application Data\qlpyxxrbw\sriiehftssd.exe = C:\Documents and Settings\Owner\Local Settings\Application Data\qlpyxxrbw\sriiehftssd.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>> @MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background @updateMgr"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 @ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe @ixlijvwtC:\Documents and Settings\Owner\Local Settings\Application Data\qlpyxxrbw\sriiehftssd.exe = C:\Documents and Settings\Owner\Local Settings\Application Data\qlpyxxrbw\sriiehftssd.exe HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>> @{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/ @{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) = @{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{7F67036B-66F1-411A-AD85-759FB9C5B0DB} /*SampleView*/C:\WINDOWS\System32\ShellvRTF.dll = C:\WINDOWS\System32\ShellvRTF.dll @{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll @{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll @{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL @{A4DF5659-0801-4A60-9607-1C48695EFDA9} /*Share-to-Web Upload Folder*/C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL = C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL @{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealOne Player\rpshell.dll = C:\Program Files\Real\RealOne Player\rpshell.dll @{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll @{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll @{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll @{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll @{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll @{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll @{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll @{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll @{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/C:\Program Files\Avira\AntiVir Desktop\shlext.dll = C:\Program Files\Avira\AntiVir Desktop\shlext.dll @{11016101-E366-4D22-BC06-4ADA335C892B} /*IE History and Feeds Shell Data Source for Windows Search*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{8856f961-340a-11d0-a96b-00c04fd705a2} /*Microsoft Web Browser*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll @{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) = @{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL @{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\Avira\AntiVir Desktop\shlext.dll HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>> a2FreeContMenu@{A155339D-CCCD-4714-85EB-3754B804C9DF} = MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\Avira\AntiVir Desktop\shlext.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>> @{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll @{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll = C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll @{E7E6F031-17CE-4C07-BC86-EABFE594F69C}C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll = C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll HKLM\Software\Microsoft\Internet Explorer\Main >>> @Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157 @Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157 @Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm HKCU\Software\Microsoft\Internet Explorer\Main >>> @Start Pagehttp://www.yahoo.com/ = http://www.yahoo.com/ @Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm HKLM\Software\Classes\PROTOCOLS\Handler\ >>> dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll its@CLSID = C:\WINDOWS\System32\itss.dll mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll ms-its@CLSID = C:\WINDOWS\System32\itss.dll tv@CLSID = C:\WINDOWS\system32\msvidctl.dll HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll C:\Documents and Settings\Owner\Start Menu\Programs\Startup = Event Reminder.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>> Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk America Online 7.0 Tray Icon.lnk = America Online 7.0 Tray Icon.lnk HP Digital Imaging Monitor.lnk = HP Digital Imaging Monitor.lnk Microsoft Office.lnk = Microsoft Office.lnk ---- EOF - GMER 1.0.15 ----
  12. I'm still working on getting the GMER rootkit report. I've got it to paste to the Notepad, but when I typed in "ark.txt" and hit save, my computer stalled. I tried to run GMER in regular mode and the virus/trojan wouldn't allow it to run. I'm going to try doing it in safe mode again.
  13. This is the OTH Extras file. OTL Extras logfile created on: 5/3/2010 6:18:14 PM - Run 1 OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Owner\My Documents\Downloads Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1,023.00 Mb Total Physical Memory | 827.00 Mb Available Physical Memory | 81.00% Memory free 2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free Paging file location(s): C:\pagefile.sys 768 1536 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 106.50 Gb Total Space | 84.03 Gb Free Space | 78.90% Space Free | Partition Type: NTFS Drive D: | 5.27 Gb Total Space | 0.92 Gb Free Space | 17.45% Space Free | Partition Type: FAT32 E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: YOUR-6JNHHU0520 Current User Name: Owner Logged in as Administrator. Current Boot Mode: SafeMode with Networking Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation) https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 "UpdatesDisableNotify" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DoNotAllowExceptions" = 0 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation) "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation) "%windir%\system32\drivers\svchost.exe" = %windir%\system32\drivers\svchost.exe:*:Enabled:svchost -- File not found [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation) "C:\Program Files\hp center\137903\Program\BackWeb-137903.exe" = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe:*:Disabled:BackWeb-137903 -- () "C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Computer, Inc.) "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation) "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposid01.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- () "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard) "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard) "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard) "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( ) "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- (Hewlett-Packard Development Company, L.P.) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{07295ABF-1245-415A-BE06-863271753443}" = ShowBiz "{08C0729E-3E50-11DF-9D81-005056806466}" = Google Earth "{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager "{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow "{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig "{1EEE2A9F-6471-42fa-8923-E8879168CE26}" = HP Photo and Imaging 1.1 - Photosmart Cameras "{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows "{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java 6 Update 14 "{29D88826-2AB9-11D5-8854-00902761A46D}" = WordPerfect Productivity Pack "{2B5DDB2C-0807-47FD-9C11-80EA761902C0}" = easy Internet sign-up "{2D87E961-577B-492B-AD54-1368680FB9A7}" = Virtual Earth 3D (Beta) "{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK "{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1 "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{35845E72-E34A-11D4-817D-005004D0F1FA}" = MarketBrowser "{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone "{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant "{3820E135-7A27-11D6-B0E7-0050DA59CA6C}" = CD Label Design Software "{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1 "{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm "{47D4AF7B-EDE6-4ADB-8D2F-0BDA25C7321F}" = HP Digital Imaging Album Printing 1.0 "{4C23837C-993E-11D4-9DE0-0060085C158A}" = KODAK Picture CD "{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant "{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder "{590D4F8F-98FE-47FA-AC2B-3F22FDCF7C09}" = ShareIns "{59C4F14F-7590-45FC-BE9F-A67AB3590709}" = iTunes "{5E835305-63BB-4E55-BBB7-EEBBE67774DB}" = MyDVD "{60E971B7-51A0-48CA-8687-C6B8F094A409}" = Simple Backup for My Pictures "{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0 "{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg "{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder "{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI "{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox "{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin "{6CAEFA23-0C08-4899-A661-29D69228AF6D}" = HP Memories Disc "{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder "{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI "{8214CC02-6271-4DC8-B8DD-779933450264}" = RecordNow "{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status "{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder "{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® 82845G Graphics Driver Software "{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload "{8D5D99B8-DFA2-4018-ADE9-A6B83E655C65}" = "{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD 4 "{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A73EFA95-4872-4AE3-8EE9-10D2E2D713CF}" = RoadRunner "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder "{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9 "{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English) "{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour "{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config "{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}" = HP Photosmart, Officejet and Deskjet 7.0.A "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery "{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime "{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter "{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp "{E1B80DEE-A795-4258-8445-074C06AE3AB8}" = MarketResearch "{E4302788-101F-11D6-8563-00500494EF5C}" = Apple QuickTime Installer "{E62C706B-1352-4DCA-B4D4-81C24750B70F}" = Detto IntelliMover Demo "{EC3254F8-301E-43CB-9EC3-BDC28A882A5D}" = Medic Patch 6.0.0.8 "{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1 "{EEF397AC-DAEF-4C04-90A9-5B2BD31875DC}" = Simple Installer - Multilanguage Version "{EF729AE1-4AE9-402A-AF64-5C5A8150F549}" = HP Photo and Imaging 1.2 - Scanjet 4570c Series "{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC "{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan "{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA "{F61F2821-694C-475F-99AB-6AF2EFDF40FD}" = Quicken 2003 New User Edition "{F91E1833-2D7C-4725-B98A-C779FEC41946}" = EarthLink MDAC "{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations "{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA "{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard "{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update "{FE7E1DD7-EBCE-4696-ADE2-22BDBF2372DA}" = DocumentViewer "ActiveScan 2.0" = Panda ActiveScan 2.0 "Ad-Aware SE Personal" = Ad-Aware SE Personal "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "AdobeESD" = Adobe Download Manager 2.0 (Remove Only) "ArcSoft Software Suite" = ArcSoft Software Suite "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus "BackWeb-137903 Uninstaller" = hp center "CCleaner" = CCleaner (remove only) "EsetOnlineScanner" = ESET Online Scanner "Flash Media Server 2_is1" = Macromedia Flash Media Server 2 "Google Chrome" = Google Chrome "Google Updater" = Google Updater "HijackThis" = HijackThis 2.0.2 "HP Document Viewer" = HP Document Viewer 7.0 "HP Imaging Device Functions" = HP Imaging Device Functions 7.0 "hp instant support" = HP Instant Support "HP Photo & Imaging" = HP Photosmart Premier Software 6.5 "HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0 "HPExtendedCapabilities" = HP Customer Participation Program 7.0 "HPOCR" = OCR Software by I.R.I.S 7.0 "HPTOOLKIT" = hp toolkit "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs "ie7" = Windows Internet Explorer 7 "ie8" = Windows Internet Explorer 8 "Inactive HP Printer Drivers (Remove only)" = Inactive HP Printer Drivers (Remove only) "Indeo
  14. I think this is the complete text for the OTL file. - Run 1 OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Owner\My Documents\Downloads Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1,023.00 Mb Total Physical Memory | 827.00 Mb Available Physical Memory | 81.00% Memory free 2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free Paging file location(s): C:\pagefile.sys 768 1536 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 106.50 Gb Total Space | 84.03 Gb Free Space | 78.90% Space Free | Partition Type: NTFS Drive D: | 5.27 Gb Total Space | 0.92 Gb Free Space | 17.45% Space Free | Partition Type: FAT32 E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: YOUR-6JNHHU0520 Current User Name: Owner Logged in as Administrator. Current Boot Mode: SafeMode with Networking Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Processes (SafeList) ========== PRC - C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe (OldTimer Tools) PRC - C:\Documents and Settings\Owner\My Documents\Downloads\OTH.scr (OldTimer Tools) ========== Modules (SafeList) ========== MOD - C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe (OldTimer Tools) MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH) SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP) SRV - (sprtsvc_medicsp2) SupportSoft Sprocket Service (medicsp2) -- C:\Program Files\twc\medicsp2\bin\sprtsvc.exe (SupportSoft, Inc.) SRV - (FMS) Flash Media Server (FMS) -- C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe (Macromedia, Inc.) SRV - (FMSAdmin) -- C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe (Macromedia, Inc.) SRV - (WANMiniportService) WAN Miniport (ATW) -- C:\WINDOWS\wanmpsvc.exe (America Online, Inc.) ========== Driver Services (SafeList) ========== DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH) DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH) DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH) DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH) DRV - (bfturboh) -- C:\WINDOWS\system32\drivers\bfturboh.sys () DRV - (bfturboo) -- C:\WINDOWS\system32\drivers\bfturboo.sys (Medialogic Corp.) DRV - (symlcbrd) -- C:\WINDOWS\system32\drivers\symlcbrd.sys (Symantec Corporation) DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company) DRV - (AFS2K) -- C:\WINDOWS\system32\drivers\AFS2K.SYS (Oak Technology Inc.) DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.) DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\rtl8139.sys (Realtek Semiconductor Corporation) DRV - (S3Psddr) -- C:\WINDOWS\system32\drivers\s3gnbm.sys (S3 Graphics, Inc.) DRV - (ndiscm) -- C:\WINDOWS\system32\drivers\NetMotCM.sys (Motorola Inc.) DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation) DRV - (ltmodem5) -- C:\WINDOWS\system32\drivers\ltmdmnt.sys (LT) DRV - (MxlW2k) -- C:\WINDOWS\system32\drivers\MxlW2k.sys (MusicMatch, Inc.) DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.) DRV - (drvmcdb) -- C:\WINDOWS\System32\DRIVERS\drvmcdb.sys (VERITAS Software, Inc.) DRV - (SISAGP) -- C:\WINDOWS\System32\DRIVERS\SISAGP.sys (Silicon Integrated Systems Corporation) DRV - (viaagp1) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.) DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.) DRV - (PcdrNt) -- C:\WINDOWS\System32\drivers\PcdrNt.sys (PC-Doctor Inc.) ========== Standard Registry (All) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6E C4 F8 20 66 09 CA 01 [binary data] IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation) IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local> IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555 ========== FireFox ========== FF - prefs.js..browser.search.selectedEngine: "Google" FF - prefs.js..network.proxy.no_proxies_on: "localhost" FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/09 15:38:23 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/08 09:15:51 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 02:30:12 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 02:30:12 | 000,000,000 | ---D | M] [2008/08/27 12:06:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions [2008/08/27 12:06:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2005/09/20 15:04:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0k7w24pw.default\extensions [2005/09/20 15:04:15 | 000,000,000 | ---D | M] (Firefox (default)) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0k7w24pw.default\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2010/05/03 01:59:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3fr781te.default\extensions [2009/08/09 09:57:35 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3fr781te.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010/03/13 11:25:34 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3fr781te.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2005/09/21 23:29:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rk31whtr.default\extensions [2005/09/21 23:29:50 | 000,000,000 | ---D | M] (Firefox (default)) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\rk31whtr.default\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2010/05/03 01:59:47 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2010/04/02 02:30:12 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2007/05/10 10:43:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [2007/07/28 11:23:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [2007/10/29 20:50:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [2008/03/27 21:56:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [2009/01/09 15:38:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [2009/04/10 10:26:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [2009/06/10 11:38:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [2010/04/02 02:30:03 | 000,023,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll [2010/04/02 02:30:03 | 000,138,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll [2007/04/10 17:21:08 | 000,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll [2004/11/12 20:36:20 | 000,005,120 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll [2009/05/21 11:33:58 | 000,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll [2007/05/11 17:41:00 | 000,200,704 | ---- | M] (Ancestry.com) -- C:\Program Files\Mozilla Firefox\plugins\npImgCtl.dll [2006/12/12 11:48:22 | 001,440,560 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll [2010/04/02 02:30:05 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll [2006/12/18 05:18:30 | 000,077,824 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll [2005/12/09 11:59:57 | 000,139,305 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll [2006/05/16 10:32:21 | 000,126,976 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll [2006/05/16 10:32:21 | 000,126,976 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll [2006/05/16 10:32:21 | 000,126,976 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll [2006/05/16 10:32:21 | 000,126,976 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll [2006/05/16 10:32:22 | 000,126,976 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll [2006/05/16 10:32:22 | 000,126,976 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll [2006/05/16 10:32:22 | 000,126,976 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll [2005/12/09 12:00:14 | 000,024,621 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll [2005/12/09 11:59:39 | 000,081,967 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll [2010/03/11 22:20:18 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml [2010/03/11 22:20:18 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml [2010/03/11 22:20:18 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml [2010/03/11 22:20:18 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml [2010/03/11 22:20:18 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml [2008/10/17 12:22:02 | 000,000,897 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\livecom.png [2008/10/17 12:22:02 | 000,001,015 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\livecom.src [2010/03/11 22:20:18 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml [2010/03/11 22:20:18 | 000,001,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml O1 HOSTS File: ([2010/02/08 20:21:08 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.) O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) O3 - HKLM\..\Toolbar: (hp toolkit) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company) O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O3 - HKCU\..\Toolbar\ShellBrowser: (hp toolkit) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company) O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (hp toolkit) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe () O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation) O4 - HKLM..\Run: [hpsysdrv] c:\WINDOWS\system\hpsysdrv.exe (Hewlett-Packard Company) O4 - HKLM..\Run: [ixlijvwt] C:\Documents and Settings\Owner\Local Settings\Application Data\qlpyxxrbw\sriiehftssd.exe () O4 - HKLM..\Run: [KBD] C:\hp\KBD\kbd.exe (Hewlett-Packard Company) O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation) O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe () O4 - HKLM..\Run: [updateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions) O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation) O4 - HKCU..\Run: [ixlijvwt] C:\Documents and Settings\Owner\Local Settings\Application Data\qlpyxxrbw\sriiehftssd.exe () O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated) O4 - HKLM..\RunOnce\Setup: [Registering ActiveScan 2.0 Components] C:\Program Files\Panda Security\ActiveScan 2.0\as2guiie.dll (Panda Security) O4 - HKLM..\RunOnce\Setup: [Registering ActiveScan 2.0 Components.] C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security) O4 - HKLM..\RunOnce\Setup: [Registering ActiveScan 2.0 Components..] C:\Program Files\Panda Security\ActiveScan 2.0\libcomm.dll (Panda Security, S.L.) O4 - HKLM..\RunOnce\Setup: [Registering ActiveScan 2.0 Components...] C:\Program Files\Panda Security\ActiveScan 2.0\as2inst.dll (Panda Security) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe (America Online, Inc.) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0 O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation) O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O15 - HKCU\..Trusted Domains: microsoft.com ([.windowsupdate] http in Trusted sites) O15 - HKCU\..Trusted Domains: windowsupdate.com ([]http in Trusted sites) O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object) O16 - DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} http://download.microsoft.com/download/3/B...tualEarth3D.cab (SentinelProxy Class) O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (OnlineScanner Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/shock...h/ultrashim.cab (Reg Error: Value error.) O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...7847.7197337963 (Reg Error: Key error.) O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} http://fdl.msn.com/zone/datafiles/heartbeat.cab (HeartbeatCtl Class) O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object) O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.) O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62 O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation) O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ipp - No CLSID value found O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation) O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation) O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp - No CLSID value found O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation) O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation) O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation) O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation) O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation) O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation) O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation) O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation) O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation) O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation) O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation) O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation) O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll (Microsoft Corporation) O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) O24 - Desktop Components:0 (My Current Home Page) - About:Home O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation) O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation) O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation) O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation) O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation) O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation) O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2002/10/28 10:36:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O32 - AutoRun File - [2001/07/28 07:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: 6to4 - File not found NetSvcs: Ias - C:\WINDOWS\system32\ias [2003/05/23 16:50:05 | 000,000,000 | ---D | M] NetSvcs: Iprip - File not found NetSvcs: Irmon - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation) NetSvcs: WmdmPmSp - File not found NetSvcs: Ip6FwHlp - File not found CREATERESTOREPOINT Error starting restore point: The function was called in safe mode. Error closing restore point: The sequence number is invalid. ========== Files/Folders - Created Within 30 Days ========== [2010/05/03 01:41:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\qlpyxxrbw [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [14 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ] [1 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010/05/03 17:57:44 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010/05/03 17:57:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010/05/03 17:56:18 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010/05/03 17:56:12 | 006,815,744 | ---- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT [2010/05/03 17:56:12 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini [2010/05/03 17:55:38 | 000,000,249 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat [2010/05/03 17:55:29 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job [2010/05/03 17:55:12 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job [2010/05/03 16:53:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job [2010/05/02 22:42:56 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\During the sentencing phase of the trial I don.doc [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010/04/28 09:53:50 | 000,001,824 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk [2010/04/26 09:13:22 | 001,180,364 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\KFIS25XVMS_Use%20and%20Care_EN.pdf [2010/04/22 13:43:57 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Crock pot chicken alfredo.doc [2010/04/22 11:06:03 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn [2010/04/22 10:48:00 | 000,050,176 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\At exit 59.doc [2010/04/21 22:38:50 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Wall Street Journal Sizes up Obama.doc [2010/04/15 12:24:57 | 000,052,224 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Pat Brown - Criminal Profile of Haleigh Cummings Case.doc [2010/04/15 10:20:51 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Kitchen Renovation -Things left to do.doc [2010/04/14 21:55:05 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\How to get rid of ad at bottom of page.doc [2010/04/14 10:25:26 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2010/04/14 10:22:31 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Rainfall for 2009 -2010.doc [2010/04/12 23:57:02 | 000,001,926 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk [2010/04/05 19:24:18 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Professionals at Websleuths.doc [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [14 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ] [1 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/05/02 22:42:56 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\During the sentencing phase of the trial I don.doc [2010/04/26 09:12:34 | 001,180,364 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\KFIS25XVMS_Use%20and%20Care_EN.pdf [2010/04/22 13:43:35 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Crock pot chicken alfredo.doc [2010/04/22 10:47:59 | 000,050,176 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\At exit 59.doc [2010/04/21 22:38:49 | 000,031,232 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Wall Street Journal Sizes up Obama.doc [2010/04/15 12:24:55 | 000,052,224 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Pat Brown - Criminal Profile of Haleigh Cummings Case.doc [2010/04/15 10:20:51 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Kitchen Renovation -Things left to do.doc [2010/04/14 21:55:00 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\How to get rid of ad at bottom of page.doc [2010/04/12 23:57:02 | 000,001,926 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk [2010/04/05 19:24:17 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Professionals at Websleuths.doc [2009/07/23 21:38:47 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\drivers\bfturboh.sys [2009/07/19 00:17:36 | 000,000,044 | ---- | C] () -- C:\WINDOWS\ALBUM.INI [2008/09/29 16:13:29 | 000,006,416 | ---- | C] () -- C:\WINDOWS\UN080325.INI [2008/08/09 08:53:25 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll [2008/04/26 15:52:44 | 000,000,362 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini [2008/02/11 10:39:26 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLA.dll [2008/02/11 10:39:18 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLW.dll [2008/02/08 14:53:46 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerLang.dll [2007/07/27 15:49:02 | 000,225,355 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiW.dll [2007/07/27 15:49:02 | 000,196,683 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiA.dll [2007/07/21 12:26:23 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll [2006/05/01 13:41:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI [2005/12/05 20:25:22 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\lnod32umc.dll [2005/12/05 13:37:10 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\lnod32upd.dll [2005/01/13 15:58:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSREGUSR.INI [2004/09/24 13:33:55 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini [2004/08/23 08:45:47 | 000,001,454 | ---- | C] () -- C:\WINDOWS\cdplayer.ini [2004/03/25 15:53:36 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll [2003/12/17 22:31:40 | 000,000,259 | ---- | C] () -- C:\WINDOWS\hpqcopy.INI [2003/11/24 21:53:50 | 000,000,050 | ---- | C] () -- C:\WINDOWS\Winamp.ini [2003/11/24 21:53:21 | 000,000,041 | ---- | C] () -- C:\WINDOWS\winampa.ini [2003/08/21 20:27:59 | 000,000,070 | ---- | C] () -- C:\WINDOWS\BAF4F3D2.ini [2003/06/17 18:43:30 | 000,000,282 | ---- | C] () -- C:\WINDOWS\kodakpcd.Owner.ini [2003/06/04 18:58:06 | 000,002,509 | ---- | C] () -- C:\WINDOWS\WinInit.Ini [2003/05/28 22:58:54 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini [2003/05/25 13:35:06 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2003/05/23 19:43:38 | 000,000,044 | ---- | C] () -- C:\WINDOWS\AUTHMGR.INI [2003/05/12 14:32:44 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL [2003/03/02 15:08:17 | 000,000,242 | ---- | C] () -- C:\WINDOWS\qwimp.ini [2002/12/13 12:32:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini [2002/10/28 15:48:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2002/10/28 12:31:35 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll [2002/10/28 12:29:39 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll [2002/10/28 12:29:38 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll [2002/10/28 12:18:04 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini [2002/10/28 12:17:57 | 000,000,626 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI [2002/10/28 12:12:23 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll [2002/10/28 11:42:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini [2002/10/28 11:34:32 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll [2002/10/28 11:31:05 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll [2002/10/28 11:23:47 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll [2002/10/28 11:23:47 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll [2002/10/28 11:23:25 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll [2002/10/28 10:40:15 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini [2002/10/28 09:23:12 | 000,000,659 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini [2001/08/31 16:33:58 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\VxDMDcDlg.dll [2001/08/14 19:47:08 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\vxpsapi.dll [2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini ========== LOP Check ========== [2002/10/28 12:20:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Freedom [2008/02/13 00:19:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft [2010/05/03 01:56:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP [2009/04/13 13:16:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint [2003/08/26 20:18:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zero Knowledge [2003/08/05 00:14:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Aim [2009/02/07 19:39:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Earthlink [2003/08/26 20:24:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Freedom [2010/03/14 11:16:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Image Zone Express [2003/02/15 17:03:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterVideo [2008/12/20 21:01:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Road Runner [2002/10/28 12:30:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView [2007/08/01 11:59:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Simple Star [2004/09/25 20:03:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\VERITAS [2009/04/13 14:36:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Viewpoint [2003/08/26 20:24:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Zero Knowledge ========== Purity Check ========== ========== Custom Scans ========== < %systemdrive%\*.exe > < MD5 for: AGP440.SYS > [2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:agp440.sys [2008/09/10 11:55:44 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:agp440.sys [2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:agp440.sys [2008/09/10 11:55:44 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:agp440.sys [2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys [2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys [2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys [2004/08/03 23:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys < MD5 for: ATAPI.SYS > [2002/08/29 05:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\i386\sp1.cab:atapi.sys [2002/08/29 12:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys [2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys [2008/09/10 11:55:44 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys [2002/08/29 12:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp1.cab:atapi.sys [2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys [2008/09/10 11:55:44 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys [2002/08/29 05:00:00 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtUninstallQ331060$\atapi.sys [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys [2004/08/03 22:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys < MD5 for: EVENTLOG.DLL > [2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll [2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll [2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll [2004/08/04 00:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll < MD5 for: SCECLI.DLL > [2004/08/04 00:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll [2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll [2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll [2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll < %systemroot%\*./mp/s > < %systemroot%\system32\*.dll/lockedfiles > Invalid Switch: lockedfiles < %systemroot%\tasks\*.job/lockedfiles > Invalid Switch: lockedfiles < %systemroot%\system32\drivers\*.sys/lockedfiles > Invalid Switch: lockedfiles < %systemroot%\system32\config\*.sav > [2002/10/28 02:26:04 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav [2002/10/28 02:26:04 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav [2002/10/28 02:26:04 | 000,385,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav < %systemroot%\system32\drivers\*.sys/90 > [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2010/02/24 06:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys [2010/02/11 05:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys < End of report > ========== Alternate Data Streams ========== @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
  15. I'm having difficulties with the GMER program. I've run it and it's given a lengthy report, but I don't seem to be able to save it. The option to the right says "Copy", and when I click on that, it says "a copy was saved to your clipboard." I'm using Firefox as my browser, but do have Internet Explorer on my computer. I can't seem to find a clipboard on Firefox. Is the "clipboard" in Internet Explorer? Any help would be appreciated.........thanks.
  16. OTL logfile created on: 5/3/2010 6:18:13 PM - Run 1 OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Owner\My Documents\Downloads Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1,023.00 Mb Total Physical Memory | 827.00 Mb Available Physical Memory | 81.00% Memory free 2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free Paging file location(s): C:\pagefile.sys 768 1536 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 106.50 Gb Total Space | 84.03 Gb Free Space | 78.90% Space Free | Partition Type: NTFS Drive D: | 5.27 Gb Total Space | 0.92 Gb Free Space | 17.45% Space Free | Partition Type: FAT32 E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: YOUR-6JNHHU0520 Current User Name: Owner Logged in as Administrator. Current Boot Mode: SafeMode with Networking Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off And the OTL Extras OTL Extras logfile created on: 5/3/2010 6:18:14 PM - Run 1 OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Owner\My Documents\Downloads Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1,023.00 Mb Total Physical Memory | 827.00 Mb Available Physical Memory | 81.00% Memory free 2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free Paging file location(s): C:\pagefile.sys 768 1536 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 106.50 Gb Total Space | 84.03 Gb Free Space | 78.90% Space Free | Partition Type: NTFS Drive D: | 5.27 Gb Total Space | 0.92 Gb Free Space | 17.45% Space Free | Partition Type: FAT32 E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: YOUR-6JNHHU0520 Current User Name: Owner Logged in as Administrator. Current Boot Mode: SafeMode with Networking Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off
  17. To help in diagnosing this problem...........I'm getting a pop-up that says there's two threats: BankerFox.A Attack from: 216190.66.184 port 41015 attack port: 7414 Win32/Nuqel.E attack from: 82.103.42.74 - port 5820 attack port: 24206
  18. I've downloaded the OTH.sec and the OTH to desktop, but have run into a real problem. The desktop icon won't appear, and when I go back to downloads and click on OTH and tryto click on "kill all processes", the screens disappears before I can click on the "kill all processes." This virus is not allowing anything to be executed. This virus has turned off my Avira anti-virus and if I try to click on Avira it says it's "out of date" and replaced it with the fake antimalware virus. Is there any way to work around this?
  19. Thanks kahdah! I'll follow your instructions and report back here. This virus isn't allowing me to do a copy paste of the commands to type into OTH, but I was able to print out your instructions. It will take a bit longer to type it all in rather than pasting it. Leila
  20. late last night I clicked on a picture an got a fake anti-spyware program. I was using my preferred browser, Firefox, and Internet Explorer launched itself and began a scan with a program called Antispyware soft. At the end of the scan it states I'm infected and need to purchase the full version of the program to get rid of the virus. I tried launching Malwarebytes and got a message that it couldn't be executed as it was infected. I tried to launch my anti-virus, Avira, and got the same message that it couldn't be executed as it was infected. I tried doing a Panda Scan and Sypbot Search and Destroy with the same results. Every few seconds I get a pop-up that says "Windows Security Alert", and if I try to get rid of it, it will just pop up again and again, along with a window that says "application cannot be executed. I tried download "Process Explorer" and it wouldn't allow it to be launched. What can I do?
  21. Last night I clicked on a link and got some sort of fake anti-spyware program that won't allow me to run Malwarebytes or any other anti-virus, anti-spyware program. I was using my preferred browser, FireFox, and Internet Explorer launched itself and started running a program called Antispyware. It's got a light green background and has put a cursor in the system tray that's green with a check-mark in it. Every few minutes a window pops up saying Windows Security Alert, and states that this computer is infected and Windows suggests doing a full scan now........then it scans and at the end of the scan says that I must purchase the full version of the software to remove the virus. I've tried running my anti-virus - Avira, Malwarebytes, Panda Scan, and Spybot Search and Destroy and each time I click on any of them I get a message that "this program cannot be executed as it's infected." I tried to go to "add and remove" programs on my computer and get the same message. What can I do to get rid of this virus?
  22. Hi sjpritch25! I successfully uninstalled Combofix. I want to thank you for all your help..........thank you so much! Everything is running okay.
  23. Hi sjpritch25! Everything seems to be running smoothly and I haven't had any alerts from my anti-virus, Avira, and the daily virus scans don't show intrusions. How do the scans look? Does everything appear normal? Thanks...........Leila
  24. This is the Malwarebytes scan: Malwarebytes' Anti-Malware 1.44 Database version: 3718 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 2/9/2010 8:00:21 PM mbam-log-2010-02-09 (20-00-21).txt Scan type: Quick Scan Objects scanned: 138153 Time elapsed: 6 minute(s), 1 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
  25. This is the second half of the Combofix - CFScript.txt log: [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"= R2 gupdate1c9e0e7f016fb78;Google Update Service (gupdate1c9e0e7f016fb78);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 133104] R2 mrtRate;mrtRate; [x] R3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2007-05-18 15872] R3 bfturboo;BUFFALO TurboUSB for DVD Filter;c:\windows\system32\drivers\bfturboo.sys [2007-05-18 8704] R3 PCDRDRV;Pcdr Helper Driver;c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [x] S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552] S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289] S2 FMS;Flash Media Server (FMS);c:\program files\Macromedia\Flash Media Server 2\FMSMaster.exe [2007-01-12 893031] S2 FMSAdmin;Flash Media Administration Server;c:\program files\Macromedia\Flash Media Server 2\FMSAdmin.exe [2007-01-12 1171558] S2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2007-03-07 202280] . Contents of the 'Scheduled Tasks' folder 2010-02-09 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-30 05:30] 2010-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 05:31] 2010-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 05:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ mSearch Bar = hxxp://srch-us7.hpwis.com/ uInternet Settings,ProxyOverride = localhost Trusted Zone: microsoft.com\.windowsupdate Trusted Zone: windowsupdate.com DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3fr781te.default\ FF - prefs.js: browser.search.selectedEngine - Ask FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q= FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npImgCtl.dll FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true. ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-02-09 19:47 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3068319366-1007421996-3448509444-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . Completion time: 2010-02-09 19:53:09 ComboFix-quarantined-files.txt 2010-02-10 03:53 ComboFix2.txt 2010-02-10 03:37 ComboFix3.txt 2010-02-10 02:56 ComboFix4.txt 2010-02-09 03:44 ComboFix5.txt 2010-02-10 03:41 Pre-Run: 89,929,641,984 bytes free Post-Run: 89,908,842,496 bytes free - - End Of File - - D292CAB6F3EB8DB2685CF1C5045897DA
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.