rob5211 (Members, 20 posts)

Everything posted by rob5211

  1. Elise, thanks for clarifying; a personal donation has been sent to you. Thanks again, and goodbye!
  2. Elise, I've read your latest posting and will proceed as suggested. Thanks very much for all your help. One last question: your signature includes a (Donate) button, but elsewhere on the site it says that MalwareBytes no longer accepts donations; we should instead buy the full version of your software. Can you confirm? I'm good with the latter to support the good work you do. Thanks again. -Rob
  3. Hi again. Old versions of Java have been removed, the latest version has been installed, and the ESET scan has been completed -- here are the results:

     ============================================================
     C:\Documents and Settings\Rob\Application Data\Sun\Java\Deployment\cache\6.0\28\286463dc-4ebbdf41  multiple threats  deleted - quarantined
     C:\Documents and Settings\Rob\Application Data\Sun\Java\Deployment\cache\6.0\40\29d45da8-641311b0  multiple threats  deleted - quarantined
     C:\Documents and Settings\Rob\Application Data\Sun\Java\Deployment\cache\6.0\46\63ac01ee-3ca0b54b  multiple threats  deleted - quarantined
     C:\Documents and Settings\Rob\Application Data\Sun\Java\Deployment\cache\6.0\53\55956235-2ab9659a  multiple threats  deleted - quarantined
     C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Local Settings\Application Data\flt.exe.vir  a variant of Win32/Injector.FQG trojan  cleaned by deleting - quarantined
     C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Local Settings\Application Data\qev.exe.vir  a variant of Win32/Injector.FQG trojan  cleaned by deleting - quarantined
  4. Here you go -- I ran the script-based CF again, making sure the script included both lines:

     DDS::
     uInternet Settings,ProxyServer = http=127.0.0.1:5555

     I compared this log to the one from earlier today -- it basically looks the same; the number of rows differs only by 1, I think. Does this mean anything significant? FYI, I still see no further evidence of the infection, so all seems to be well. Let me know if there is something else you would like me to do. If not, thanks very much for your help! It is much appreciated, and I'd like to follow up briefly with a discussion about a donation or purchase of the full MBAM product. -Rob

     ComboFix 11-04-06.01 - Rob 04/06/2011 19:20:16.3.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.908 [GMT -7:00]
     Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Rob\Desktop\CFscript.txt
     AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
     .
     .
     ((((((((((((((((((((((((( Files Created from 2011-03-07 to 2011-04-07 )))))))))))))))))))))))))))))))
     .
     .
     2011-04-05 01:50 . 2011-04-05 02:08 -------- d-----w- c:\documents and settings\MalAdjust
     2011-04-04 05:00 . 2011-04-04 05:00 709456 ----a-w- c:\windows\is-SS5P4.exe
     2011-04-04 04:58 . 2011-04-04 04:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
     2011-04-04 02:23 . 2011-04-04 02:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ipswitch
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2011-01-21 14:44 . 2004-08-11 22:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
     2011-01-07 14:09 . 2004-08-11 22:00 290048 ----a-w- c:\windows\system32\atmfd.dll
     2005-05-14 00:12 217073 --sha-r- c:\windows\meta4.exe
     2005-10-24 18:13 66560 --sha-r- c:\windows\MOTA113.exe
     2005-10-14 04:27 422400 --sha-r- c:\windows\x2.64.exe
     2005-10-08 02:14 308224 --sha-r- c:\windows\system32\avisynth.dll
     2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
     2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
     2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
     2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
     2006-04-27 17:24 2945024 --sha-r- c:\windows\system32\Smab.dll
     2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
     2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
     .
     .
     ((((((((((((((((((((((((((((( SnapShot@2011-04-06_09.32.29 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2011-04-06 09:38 . 2011-04-06 09:38 16384 c:\windows\temp\Perflib_Perfdata_8e8.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
     2011-02-02 02:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
     "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
     .
     [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
     [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
     [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
     [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
     .
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
     "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
     .
     [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
     [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
     [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
     [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-15 68856]
     "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
     "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
     "AnyDVD"="c:\program files\AnyDVD\AnyDVDtray.exe" [2010-07-27 4455360]
     "Eye-Fi"="c:\program files\Eye-Fi\Helper\EyeFiHelper.exe" [2010-10-27 3760320]
     "Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2009-08-24 2684200]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]
     "PMX Daemon"="ICO.EXE" [2006-11-08 49152]
     "RTHDCPL"="RTHDCPL.EXE" [2007-07-22 16132608]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
     "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
     "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-14 16384]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
     "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
     "OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
     "AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-02-02 246272]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-12 198160]
     "UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]
     "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
     "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
     "CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
     "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-03-03 140640]
     "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
     "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
     .
     c:\documents and settings\Rob\Start Menu\Programs\Startup\
     WinTidy.lnk - c:\program files\WinTidy\WinTidy.exe [2001-10-8 585216]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
     Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2010-9-13 97384]
     Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-15 49152]
     HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
     Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
     PopMenu exe.lnk - c:\program files\WinBatch\System\popmenu.exe [1999-1-13 56832]
     WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-4-26 106560]
     ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]
     .
     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
     "{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Fences\FencesMenu.dll" [2009-10-02 128360]
     .
     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
     backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
     .
     [HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^palmOne Registration.lnk]
     path=c:\documents and settings\Rob\Start Menu\Programs\Startup\palmOne Registration.lnk
     backup=c:\windows\pss\palmOne Registration.lnkStartup
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
     2008-06-02 18:13 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
     2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "DisableNotifications"= 1 (0x1)
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
     "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
     "c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
     "c:\\WINDOWS\\system32\\fxsclnt.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Eye-Fi\\Helper\\EyeFiHelper.exe"=
     "c:\\Documents and Settings\\Rob\\Application Data\\U3\\0000187FC570F5FE\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe"=
     "c:\\Program Files\\DirecTV\\DirecTV\\DIRECTV2PC.exe"=
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
     "10426:UDP"= 10426:UDP:SingleClick ICC
     "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
     .
     R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2/19/2009 10:56 PM 317440]
     R2 CLDTVHNService;CLDTVHNService;c:\program files\DirecTV\DirecTV\Kernel\DMP\CLDTVHNService.exe [9/17/2009 6:40 PM 75048]
     R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSslvpnDaemon.exe [4/19/2008 1:10 PM 510496]
     R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2/9/2011 1:45 PM 63448]
     R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 12:07 PM 503080]
     R2 ntk_dtv;ntk_dtv;c:\program files\DirecTV\DirecTV\Kernel\DMP\ntk_dtv.sys [9/17/2009 6:40 PM 119792]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/28/2010 8:01 PM 102448]
     R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [4/19/2008 9:31 AM 18432]
     R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [4/19/2008 9:31 AM 14336]
     R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [11/3/2006 5:31 PM 36384]
     S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 7:00 PM 135664]
     S3 getPlus® Installer;getPlus® Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe [7/11/2009 6:17 PM 59552]
     S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:00]
     .
     2011-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:00]
     .
     2011-04-07 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
     - c:\program files\Ask.com\UpdateTask.exe [2011-02-02 02:17]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = about:blank
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uInternet Settings,ProxyOverride = <local>
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     Trusted Zone: intuit.com\ttlc
     TCP: {42AE4EF0-0BDA-41EC-932F-EDDB11EEBAFC} = 208.67.220.220,208.67.222.222
     DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://65.214.187.52:10443/sslvpn.cab
     DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
     FF - ProfilePath - c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\tuymetb4.default\
     FF - prefs.js: browser.startup.homepage - about:blank
     FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
     FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
     FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord
     FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
     FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
     FF - Ext: Nero Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2011-04-06 19:23
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     .
     - - - - - - - > 'explorer.exe'(6024)
     c:\windows\system32\WININET.dll
     c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
     c:\windows\system32\msi.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     c:\program files\Fences\FencesMenu.dll
     c:\program files\fences\DesktopDock.dll
     c:\windows\system32\pmxscrll.dll
     c:\windows\system32\PMXCOMM.dll
     c:\windows\system32\PMXHOOKS.dll
     .
     - - - - - - - > 'explorer.exe'(2504)
     c:\windows\system32\WININET.dll
     c:\program files\AnyDVD\ADvdDiscHlp.dll
     c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\msi.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     c:\program files\Fences\FencesMenu.dll
     c:\program files\fences\DesktopDock.dll
     c:\windows\system32\pmxscrll.dll
     c:\windows\system32\PMXCOMM.dll
     c:\windows\system32\PMXHOOKS.dll
     .
     Completion time: 2011-04-06 19:26:21
     ComboFix-quarantined-files.txt 2011-04-07 02:26
     ComboFix2.txt 2011-04-06 09:33
     .
     Pre-Run: 196,779,929,600 bytes free
     Post-Run: 196,757,123,072 bytes free
     .
     Current=4 Default=4 Failed=3 LastKnownGood=2 Sets=1,2,3,4
     - - End Of File - - 341C4DD5230B20765FAB140F2A94172B
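An added example, not part of rob5211's posts and not ComboFix or Malwarebytes code: a small Python parser for the "key = value" lines of a ComboFix "Supplementary Scan" block, which flags a user-level ProxyServer that points at the local machine (the entry the CFScript above removed) and diffs two runs the way the post compares its two logs. The two sample blocks are constructed from lines in this thread (BEFORE mirrors the log in post 6, AFTER mirrors post 4); the key name, the loopback rule and the value syntax handled are this script's own assumptions about the log format.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples in the style of the "Supplementary Scan" block of a ComboFix log.
# BEFORE has the user-level ProxyServer line (as in post 6 of this thread); AFTER is the
# same block after the CFScript removed it (as in post 4). "hxxp" is the log's defanged "http".
BEFORE_LOG = """\
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
TCP: {42AE4EF0-0BDA-41EC-932F-EDDB11EEBAFC} = 208.67.220.220,208.67.222.222
"""

AFTER_LOG = """\
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
TCP: {42AE4EF0-0BDA-41EC-932F-EDDB11EEBAFC} = 208.67.220.220,208.67.222.222
"""

# Assumed key name, taken from the log lines in this thread.
PROXY_KEY = "uInternet Settings,ProxyServer"
# Hosts that mean "this machine": 127.0.0.0/8, localhost, or IPv6 ::1.
LOOPBACK = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost|\[?::1\]?)$", re.IGNORECASE)


def parse_settings(text: str) -> Dict[str, str]:
    """Collect the 'key = value' lines of a Supplementary Scan block into a dict.
    Lines in other shapes (DPF:, FF - Ext: ...) are skipped; they have their own formats."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if " = " in line:
            key, value = line.split(" = ", 1)
            settings[key.strip()] = value.strip()
    return settings


def parse_proxy_server(value: str) -> List[Tuple[str, str, int]]:
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples.
    The value is either 'host:port' (one proxy for all schemes, reported as '*')
    or 'http=host:port;https=host:port;...' (one proxy per scheme)."""
    entries: List[Tuple[str, str, int]] = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        if ":" in hostport:
            host, _, port_text = hostport.rpartition(":")
        else:
            host, port_text = hostport, ""
        port = int(port_text) if port_text.isdigit() else 0
        entries.append((scheme or "*", host, port))
    return entries


def flag_loopback_proxies(settings: Dict[str, str]) -> List[str]:
    """One finding per proxy entry that routes browser traffic through this machine.
    A user-level ProxyServer on 127.0.0.1 means some local process sits between the
    browser and the network; on a machine with no deliberately installed local proxy
    it is the first entry to review (and the one the CFScript in this thread removed)."""
    findings = []
    for scheme, host, port in parse_proxy_server(settings.get(PROXY_KEY, "")):
        if LOOPBACK.match(host):
            findings.append(f"{PROXY_KEY}: {scheme} traffic routed via loopback {host}:{port}")
    return findings


def diff_settings(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, dict]:
    """Compare two parsed blocks the way the thread compares two ComboFix runs:
    keys that disappeared, keys that appeared, and keys whose value changed."""
    return {
        "removed": {k: before[k] for k in before if k not in after},
        "added": {k: after[k] for k in after if k not in before},
        "changed": {k: (before[k], after[k]) for k in before if k in after and before[k] != after[k]},
    }


if __name__ == "__main__":
    before, after = parse_settings(BEFORE_LOG), parse_settings(AFTER_LOG)
    for finding in flag_loopback_proxies(before):
        print("BEFORE:", finding)
    print("AFTER findings:", flag_loopback_proxies(after))
    print("DIFF:", diff_settings(before, after))
```

Run on the two constructed blocks, the BEFORE log yields one loopback finding, the AFTER log none, and the diff reports only the removed ProxyServer key, which is the "differs by one row" the post noticed. The parser handles both ProxyServer syntaxes because a per-scheme value like the one in this thread and a single host:port value are both legal for WinINet, and a detection that only understood one would miss the other.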
  5. Hello, I've been away at work all day -- just reading your latest request. When I get home, I'll check to see that the complete script was run, or just run it again (including the DDS:). I'll have an update for you in 1-2 hours. Thanks. -Rob
  6. Things are looking great -- I see no evidence of the infection any more (running Windows normal mode, user Rob). Here's the log from the last CF run using the script:

     ==========================================================
     ComboFix 11-04-05.02 - Rob 04/06/2011 8:22.2.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1060 [GMT -7:00]
     Running from: c:\combofix\ComboFix.exe
     Command switches used :: c:\combofix\CFScript.txt
     AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
     .
     .
     ((((((((((((((((((((((((( Files Created from 2011-03-06 to 2011-04-06 )))))))))))))))))))))))))))))))
     .
     .
     2011-04-05 01:50 . 2011-04-05 02:08 -------- d-----w- c:\documents and settings\MalAdjust
     2011-04-04 05:00 . 2011-04-04 05:00 709456 ----a-w- c:\windows\is-SS5P4.exe
     2011-04-04 04:58 . 2011-04-04 04:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
     2011-04-04 02:23 . 2011-04-04 02:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ipswitch
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2011-01-21 14:44 . 2004-08-11 22:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
     2011-01-07 14:09 . 2004-08-11 22:00 290048 ----a-w- c:\windows\system32\atmfd.dll
     2005-05-14 00:12 217073 --sha-r- c:\windows\meta4.exe
     2005-10-24 18:13 66560 --sha-r- c:\windows\MOTA113.exe
     2005-10-14 04:27 422400 --sha-r- c:\windows\x2.64.exe
     2005-10-08 02:14 308224 --sha-r- c:\windows\system32\avisynth.dll
     2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
     2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
     2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
     2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
     2006-04-27 17:24 2945024 --sha-r- c:\windows\system32\Smab.dll
     2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
     2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
     .
     .
     ((((((((((((((((((((((((((((( SnapShot@2011-04-06_09.32.29 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2011-04-06 09:38 . 2011-04-06 09:38 16384 c:\windows\temp\Perflib_Perfdata_8e8.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
     2011-02-02 02:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
     "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
     .
     [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
     [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
     [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
     [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
     .
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
     "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
     .
     [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
     [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
     [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
     [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-15 68856]
     "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
     "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
     "AnyDVD"="c:\program files\AnyDVD\AnyDVDtray.exe" [2010-07-27 4455360]
     "Eye-Fi"="c:\program files\Eye-Fi\Helper\EyeFiHelper.exe" [2010-10-27 3760320]
     "Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2009-08-24 2684200]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]
     "PMX Daemon"="ICO.EXE" [2006-11-08 49152]
     "RTHDCPL"="RTHDCPL.EXE" [2007-07-22 16132608]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
     "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
     "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-14 16384]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
     "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
     "OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
     "AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-02-02 246272]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-12 198160]
     "UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]
     "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
     "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
     "CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
     "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-03-03 140640]
     "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
     "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
     .
     c:\documents and settings\Rob\Start Menu\Programs\Startup\
     WinTidy.lnk - c:\program files\WinTidy\WinTidy.exe [2001-10-8 585216]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
     Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2010-9-13 97384]
     Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-15 49152]
     HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
     Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
     PopMenu exe.lnk - c:\program files\WinBatch\System\popmenu.exe [1999-1-13 56832]
     WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-4-26 106560]
     ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]
     .
     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
     "{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Fences\FencesMenu.dll" [2009-10-02 128360]
     .
     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
     backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
     .
     [HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^palmOne Registration.lnk]
     path=c:\documents and settings\Rob\Start Menu\Programs\Startup\palmOne Registration.lnk
     backup=c:\windows\pss\palmOne Registration.lnkStartup
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
     2008-06-02 18:13 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
     2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "DisableNotifications"= 1 (0x1)
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
     "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
     "c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
     "c:\\WINDOWS\\system32\\fxsclnt.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Eye-Fi\\Helper\\EyeFiHelper.exe"=
     "c:\\Documents and Settings\\Rob\\Application Data\\U3\\0000187FC570F5FE\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe"=
     "c:\\Program Files\\DirecTV\\DirecTV\\DIRECTV2PC.exe"=
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
     "10426:UDP"= 10426:UDP:SingleClick ICC
     "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
     .
     R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2/19/2009 10:56 PM 317440]
     R2 CLDTVHNService;CLDTVHNService;c:\program files\DirecTV\DirecTV\Kernel\DMP\CLDTVHNService.exe [9/17/2009 6:40 PM 75048]
     R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSslvpnDaemon.exe [4/19/2008 1:10 PM 510496]
     R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2/9/2011 1:45 PM 63448]
     R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 12:07 PM 503080]
     R2 ntk_dtv;ntk_dtv;c:\program files\DirecTV\DirecTV\Kernel\DMP\ntk_dtv.sys [9/17/2009 6:40 PM 119792]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/28/2010 8:01 PM 102448]
     R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [4/19/2008 9:31 AM 18432]
     R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [4/19/2008 9:31 AM 14336]
     R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [11/3/2006 5:31 PM 36384]
     S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 7:00 PM 135664]
     S3 getPlus® Installer;getPlus® Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe [7/11/2009 6:17 PM 59552]
     S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:00]
     .
     2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:00]
     .
     2011-04-06 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
     - c:\program files\Ask.com\UpdateTask.exe [2011-02-02 02:17]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = about:blank
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uInternet Settings,ProxyServer = http=127.0.0.1:5555
     uInternet Settings,ProxyOverride = <local>
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     Trusted Zone: intuit.com\ttlc
     TCP: {42AE4EF0-0BDA-41EC-932F-EDDB11EEBAFC} = 208.67.220.220,208.67.222.222
     DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://65.214.187.52:10443/sslvpn.cab
     DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
     FF - ProfilePath - c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\tuymetb4.default\
     FF - prefs.js: browser.startup.homepage - about:blank
     FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
     FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
     FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord
     FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
     FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
     FF - Ext: Nero Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2011-04-06 08:30
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     .
     - - - - - - - > 'explorer.exe'(4540)
     c:\windows\system32\WININET.dll
     c:\program files\AnyDVD\ADvdDiscHlp.dll
     c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
     c:\windows\system32\msi.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     c:\program files\Fences\FencesMenu.dll
     c:\program files\fences\DesktopDock.dll
     c:\windows\system32\pmxscrll.dll
     c:\windows\system32\PMXCOMM.dll
     c:\windows\system32\PMXHOOKS.dll
     .
     - - - - - - - > 'explorer.exe'(4536)
     c:\windows\system32\WININET.dll
     c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
     c:\windows\system32\msi.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     c:\program files\Fences\FencesMenu.dll
     c:\program files\fences\DesktopDock.dll
     c:\windows\system32\pmxscrll.dll
     c:\windows\system32\PMXCOMM.dll
     c:\windows\system32\PMXHOOKS.dll
     .
     Completion time: 2011-04-06 08:31:48
     ComboFix-quarantined-files.txt 2011-04-06 15:31
     ComboFix2.txt 2011-04-06 09:33
     .
     Pre-Run: 196,740,308,992 bytes free
     Post-Run: 196,718,694,400 bytes free
     .
     Current=4 Default=4 Failed=3 LastKnownGood=2 Sets=1,2,3,4
     - - End Of File - - B6BE726F42813F4A26FDC72C2A15E477
  7. Alrighty then! CF ran successfully in Safe Mode (user Rob). (It did still complain that Symantec was running.) Here are the results. BTW, it's quite late, and I'm thinking of stopping for now and resuming in the morning (er, later this morning!) but if you're still on now and think you'll want me to check something very soon, I can stay on longer... let me know. I have rebooted in normal mode, user MalAdjust. I'm tempted to check things out in user Rob, but will await your instructions. Thanks. -Rob
=========================================================================
ComboFix 11-04-05.02 - Rob 04/06/2011 2:28.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1695 [GMT -7:00]
Running from: C:\ComboFix.com
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Rob\Local Settings\Application Data\{C9761C39-2000-4CD6-A94E-6DB3A823FD89}
c:\documents and settings\Rob\Local Settings\Application Data\{C9761C39-2000-4CD6-A94E-6DB3A823FD89}\chrome.manifest
c:\documents and settings\Rob\Local Settings\Application Data\{C9761C39-2000-4CD6-A94E-6DB3A823FD89}\chrome\content\_cfg.js
c:\documents and settings\Rob\Local Settings\Application Data\{C9761C39-2000-4CD6-A94E-6DB3A823FD89}\chrome\content\overlay.xul
c:\documents and settings\Rob\Local Settings\Application Data\{C9761C39-2000-4CD6-A94E-6DB3A823FD89}\install.rdf
c:\documents and settings\Rob\Local Settings\Application Data\flt.exe
c:\documents and settings\Rob\Local Settings\Application Data\qev.exe
c:\documents and settings\Rob\WINDOWS
C:\LOG10.tmp
C:\LOG104.tmp
C:\LOG110.tmp
C:\LOG123D.tmp
C:\LOG145.tmp
C:\LOG161.tmp
C:\LOG171E.tmp
C:\LOG186.tmp
C:\LOG1A6.tmp
C:\LOG1B.tmp
C:\LOG1B3.tmp
C:\LOG1B5B.tmp
C:\LOG1B8.tmp
C:\LOG202.tmp
C:\LOG20B.tmp
C:\LOG234.tmp
C:\LOG25.tmp
C:\LOG250.tmp
C:\LOG256.tmp
C:\LOG261.tmp
C:\LOG265.tmp
C:\LOG2CE.tmp
C:\LOG2D.tmp
C:\LOG3.tmp
C:\LOG300.tmp
C:\LOG33.tmp
C:\LOG337.tmp
C:\LOG39B.tmp
C:\LOG3FC.tmp
C:\LOG40D.tmp
C:\LOG450.tmp
C:\LOG467.tmp
C:\LOG4B5.tmp
C:\LOG50C.tmp
C:\LOG55.tmp
C:\LOG56.tmp
C:\LOG59F.tmp
C:\LOG5A1.tmp
C:\LOG5F.tmp
C:\LOG613.tmp
C:\LOG678.tmp
C:\LOG70B.tmp
C:\LOG712.tmp
C:\LOG7AE.tmp
C:\LOG7C.tmp
C:\LOG838.tmp
C:\LOG89B.tmp
C:\LOG8BB.tmp
C:\LOG957.tmp
C:\LOG9A5.tmp
C:\LOG9BB.tmp
C:\LOG9E1.tmp
C:\LOGAC.tmp
C:\LOGC4.tmp
C:\LOGC42.tmp
C:\LOGCC2.tmp
C:\LOGD3E.tmp
C:\LOGE68.tmp
C:\LOGEE.tmp
C:\LOGF26.tmp
C:\LOGF6.tmp
c:\windows\system32\rnaph.dll
c:\windows\UA000106.DLL
.
.
((((((((((((((((((((((((( Files Created from 2011-03-06 to 2011-04-06 )))))))))))))))))))))))))))))))
.
.
2011-04-05 01:50 . 2011-04-05 02:08 -------- d-----w- c:\documents and settings\MalAdjust
2011-04-04 05:00 . 2011-04-04 05:00 709456 ----a-w- c:\windows\is-SS5P4.exe
2011-04-04 04:58 . 2011-04-04 04:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-04 02:23 . 2011-04-04 02:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ipswitch
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-11 22:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-11 22:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2005-05-14 00:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 18:13 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-14 04:27 422400 --sha-r- c:\windows\x2.64.exe
2005-10-08 02:14 308224 --sha-r- c:\windows\system32\avisynth.dll
2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 17:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 02:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-15 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
"AnyDVD"="c:\program files\AnyDVD\AnyDVDtray.exe" [2010-07-27 4455360]
"Eye-Fi"="c:\program files\Eye-Fi\Helper\EyeFiHelper.exe" [2010-10-27 3760320]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2009-08-24 2684200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-22 16132608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-14 16384]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-02-02 246272]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-12 198160]
"UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-03-03 140640]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
.
c:\documents and settings\Rob\Start Menu\Programs\Startup\
WinTidy.lnk - c:\program files\WinTidy\WinTidy.exe [2001-10-8 585216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2010-9-13 97384]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-15 49152]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
PopMenu exe.lnk - c:\program files\WinBatch\System\popmenu.exe [1999-1-13 56832]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-4-26 106560]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Fences\FencesMenu.dll" [2009-10-02 128360]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\Rob\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-06-02 18:13 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Eye-Fi\\Helper\\EyeFiHelper.exe"=
"c:\\Documents and Settings\\Rob\\Application Data\\U3\\0000187FC570F5FE\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe"=
"c:\\Program Files\\DirecTV\\DirecTV\\DIRECTV2PC.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [4/19/2008 9:31 AM 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [4/19/2008 9:31 AM 14336]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [11/3/2006 5:31 PM 36384]
S2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2/19/2009 10:56 PM 317440]
S2 CLDTVHNService;CLDTVHNService;c:\program files\DirecTV\DirecTV\Kernel\DMP\CLDTVHNService.exe [9/17/2009 6:40 PM 75048]
S2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSslvpnDaemon.exe [4/19/2008 1:10 PM 510496]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 7:00 PM 135664]
S2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2/9/2011 1:45 PM 63448]
S2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 12:07 PM 503080]
S2 ntk_dtv;ntk_dtv;c:\program files\DirecTV\DirecTV\Kernel\DMP\ntk_dtv.sys [9/17/2009 6:40 PM 119792]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/28/2010 8:01 PM 102448]
S3 getPlus® Installer;getPlus® Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe [7/11/2009 6:17 PM 59552]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MDMXSDK
*NewlyCreated* - PXHELP20
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:00]
.
2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:00]
.
2011-04-06 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-02-02 02:17]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: intuit.com\ttlc
TCP: {42AE4EF0-0BDA-41EC-932F-EDDB11EEBAFC} = 208.67.220.220,208.67.222.222
DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://65.214.187.52:10443/sslvpn.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\tuymetb4.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Nero Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-LxrAutorun - c:\documents and settings\Rob\Local Settings\Application Data\Lexar Media\LxrAutorun.exe
HKLM-Run-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-Pzagariwitat - c:\windows\aruqocub.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-06 02:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-04-06 02:33:58
ComboFix-quarantined-files.txt 2011-04-06 09:33
.
Pre-Run: 198,842,318,848 bytes free
Post-Run: 198,901,067,776 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 5ED358A292187B24ABD0A8A7673506CC
  8. I'm having a problem: I can start combofix.com while in the Rob user account, but it soon reports that I need to shut down the Symantec AV. I understand why, but because of the infection, the Symantec icon is not in the System Tray, and I don't know how to turn it off. Combofix says it will have unpredictable results/may cause system damage if it is run while the AV is still running. I tried googling to figure out the applicable process(es) to kill in the Task Manager, but it's not at all clear which process(es) to kill, and whether or not the infection will even let me kill it/them. How about this: would it be OK to run combofix.com in the Rob account in Safe Mode? (Assuming that the AV is not running in Safe Mode?) While in Safe Mode for user MalAdjust, it seems that Symantec AV is NOT running -- some of the processes that I think are part of the AV (DefWatcher.exe, ccEvtMgr.exe, ccSetMgr.exe) are not appearing in Task Manager, and there's no AV icon in the System Tray. So it seems Safe Mode in Rob will likely get me past combofix's complaint about Symantec AV running, but here's another concern: while logged into user Rob (whether Safe or Normal Mode), I do not have general Internet access (using IE or Firefox). Would that cause a problem with combofix? Does it need Internet access to do its job? I see that it may need to install the Windows Recovery Console -- does it need to get it via the Internet? Please advise! Thanks! -Rob
  9. OK, got it. Renaming and attempting to run combofix.com from Rob now...
  10. No problem, thanks for the clarification. So, to be clear: do you want me to first run combofix.exe in the new account (user name MalAdjust, the one I'm currently using without any problems) and see the results of that BEFORE I rename it to combofix.com and try to run it in the Rob account (where I'm having the problems)? Or do you want me to immediately rename and try running it in the Rob account? Thanks. -Rob
  11. I found the download for combofix at combofix.org. I presume I should download it, then proceed as you requested (rename to combofix.com, then try to execute it from the Rob account). Yes?
  12. OK, but I'm not familiar with combofix.exe and I don't think it's been downloaded yet. I just googled it and see that it is another tool to find/fix malware, but we've not done that yet, and I've not used it previously. I just searched my C: drive to be sure, and did not find it anywhere. Should I first download combofix.exe, then rename it to combofix.com, then try to execute it from the Rob account? Do you have a link for it? Thanks. -Rob
  13. Hello, the SystemLook scan ran very quickly -- only a few seconds. Here are the results. Thanks, -Rob
==================================
SystemLook 04.09.10 by jpshortstuff
Log created at 23:10 on 05/04/2011 by MalAdjust
Administrator - Elevation successful
========== regfind ==========
Searching for "flt.exe"
No data found.
-= EOF =-
  14. Here is the log from the latest custom scan. -Kristen
OTL logfile created on: 4/5/2011 3:58:47 PM - Run 4
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\MalAdjust\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.70 Gb Total Space | 181.59 Gb Free Space | 38.99% Space Free | Partition Type: NTFS
Computer Name: JANE | User Name: MalAdjust | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days
========== Custom Scans ==========
< HKEY_USERS\S-1-5-21-2706065477-1034120459-467431141-1005\software\classes\.exe /s >
< End of report >
  15. Here's the log from the latest scan. -Kristen
OTL logfile created on: 4/5/2011 12:54:11 PM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\MalAdjust\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.70 Gb Total Space | 181.60 Gb Free Space | 39.00% Space Free | Partition Type: NTFS
Computer Name: JANE | User Name: MalAdjust | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days
========== Custom Scans ==========
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList /s >
"ProfilesDirectory" = %SystemDrive%\Documents and Settings -- [2011/04/04 18:50:46 | 000,000,000 | ---D | M]
"DefaultUserProfile" = Default User
"AllUsersProfile" = All Users
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]
"Flags" = 12
"State" = 0
"RefCount" = 1
"Sid" = 01 01 00 00 00 00 00 05 12 00 00 00 [binary data]
"ProfileImagePath" = %systemroot%\system32\config\systemprofile -- [2010/03/12 21:00:33 | 000,000,000 | ---D | M]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"ProfileImagePath" = %SystemDrive%\Documents and Settings\LocalService -- [2010/10/26 21:02:03 | 000,000,000 | -HSD | M]
"Sid" = 01 01 00 00 00 00 00 05 13 00 00 00 [binary data]
"Flags" = 9
"State" = 0
"CentralProfile" =
"ProfileLoadTimeLow" = 2011901126
"ProfileLoadTimeHigh" = 30143394
"RefCount" = 3
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]
"ProfileImagePath" = %SystemDrive%\Documents and Settings\NetworkService -- [2004/08/11 15:20:16 | 000,000,000 | -HSD | M]
"Sid" = 01 01 00 00 00 00 00 05 14 00 00 00 [binary data]
"Flags" = 9
"State" = 0
"CentralProfile" =
"ProfileLoadTimeLow" = 2007213626
"ProfileLoadTimeHigh" = 30143394
"RefCount" = 2
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2706065477-1034120459-467431141-1005]
"ProfileImagePath" = %SystemDrive%\Documents and Settings\Rob -- [2011/02/06 14:41:42 | 000,000,000 | ---D | M]
"Sid" = 01 05 00 00 00 00 00 05 15 00 00 00 45 48 4B A1 0B 6D A3 3D E5 6E DC 1B ED 03 00 00 [binary data]
"Flags" = 0
"State" = 256
"CentralProfile" =
"ProfileLoadTimeLow" = -1462415868
"ProfileLoadTimeHigh" = 30143132
"RefCount" = 1
"RunLogonScriptSync" = 0
"OptimizedLogonStatus" = 11
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2706065477-1034120459-467431141-1006]
"ProfileImagePath" = %SystemDrive%\Documents and Settings\MalAdjust -- [2011/04/04 19:08:49 | 000,000,000 | ---D | M]
"Sid" = 01 05 00 00 00 00 00 05 15 00 00 00 45 48 4B A1 0B 6D A3 3D E5 6E DC 1B EE 03 00 00 [binary data]
"Flags" = 0
"State" = 256
"CentralProfile" =
"ProfileLoadTimeLow" = -2057441170
"ProfileLoadTimeHigh" = 30143394
"RefCount" = 3
"RunLogonScriptSync" = 0
"OptimizedLogonStatus" = 11
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2706065477-1034120459-467431141-500]
"ProfileImagePath" = %SystemDrive%\Documents and Settings\Administrator -- [2010/10/26 21:12:41 | 000,000,000 | ---D | M]
"Sid" = 01 05 00 00 00 00 00 05 15 00 00 00 45 48 4B A1 0B 6D A3 3D E5 6E DC 1B F4 01 00 00 [binary data]
"Flags" = 0
"State" = 256
"CentralProfile" =
"ProfileLoadTimeLow" = -73098874
"ProfileLoadTimeHigh" = 30143393
"RefCount" = 0
"RunLogonScriptSync" = 0
"OptimizedLogonStatus" = 11
< End of report >
  16. Hi, the name of the infected account is Rob. I will be away from the infected PC until I get home from work in about 7 hours, but I am having someone follow up here during the day so we can keep this moving. She will be continuing with your latest instruction a little later today.
KRISTEN: if it's not clear, what we want to do next is repeat Elise's last instruction with a slight change, as follows: Please rerun OTL (click the OTL icon on the desktop) and click the NONE button. After that, copy/paste the following text into the "custom scan/fix" field:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList /s
(IMPORTANT: include the /s switch on the end of the command -- this is the change from the previous scan.) ...then click Run Scan. Post the resulting log (using copy/paste) to this forum. Call me with any questions on this process! Thanks to both of you! -Rob
  17. Here you go, the results of the custom scan... -Rob
===============================
OTL logfile created on: 4/5/2011 8:45:28 AM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\MalAdjust\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.70 Gb Total Space | 181.61 Gb Free Space | 39.00% Space Free | Partition Type: NTFS
Computer Name: JANE | User Name: MalAdjust | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days
========== Custom Scans ==========
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList >
"ProfilesDirectory" = %SystemDrive%\Documents and Settings -- [2011/04/04 18:50:46 | 000,000,000 | ---D | M]
"DefaultUserProfile" = Default User
"AllUsersProfile" = All Users
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2706065477-1034120459-467431141-1005]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2706065477-1034120459-467431141-1006]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2706065477-1034120459-467431141-500]
< End of report >
  18. Hello, here you go. Thanks for helping! -Rob
=======================================
OTL logfile created on: 4/5/2011 7:43:54 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\MalAdjust\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 54.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.70 Gb Total Space | 181.63 Gb Free Space | 39.00% Space Free | Partition Type: NTFS
Computer Name: JANE | User Name: MalAdjust | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2011/04/05 07:42:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MalAdjust\Desktop\OTL.exe
PRC - [2010/12/12 12:26:11 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/09/13 12:48:14 | 000,097,384 | R--- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
PRC - [2010/09/13 12:48:12 | 000,025,704 | R--- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
PRC - [2010/05/04 12:07:22 | 000,503,080 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Update\NASvc.exe
PRC - [2010/04/02 11:18:54 | 001,185,112 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
PRC - [2010/03/24 19:50:00 | 002,516,296 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2010/03/02 20:52:00 | 000,140,640 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
PRC - [2009/12/30 14:21:02 | 000,065,536 | ---- | M] (Lexar Media, Inc.) -- C:\WINDOWS\system32\LxrSII1s.exe
PRC - [2009/09/17 18:40:44 | 000,075,048 | ---- | M] () -- C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLDTVHNService.exe
PRC - [2009/06/03 21:59:02 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
PRC - [2009/02/02 02:33:18 | 000,317,440 | ---- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
PRC - [2009/02/02 02:32:42 | 000,246,272 | ---- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
PRC - [2008/10/10 18:26:30 | 000,510,496 | ---- | M] (Fortinet Inc.) -- C:\WINDOWS\system32\FortiSslvpnDaemon.exe
PRC - [2008/06/09 10:37:44 | 000,053,392 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/05 14:29:20 | 000,054,512 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
PRC - [2007/10/18 21:10:42 | 000,479,232 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2007/09/17 09:56:08 | 000,124,200 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2007/05/25 09:38:46 | 000,112,176 | ---- | M] (SingleClick Systems) -- C:\Program Files\Dell Network Assistant\hnm_svc.exe
PRC - [2007/05/23 18:02:36 | 000,139,264 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\pmxmiced.exe
PRC - [2006/11/08 13:01:54 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe
PRC - [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/03/17 06:34:30 | 000,124,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/03/17 06:34:20 | 001,799,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/03/17 06:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/03/07 13:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/03/07 13:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/03/07 13:02:14 | 000,053,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/02/06 12:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2004/06/09 14:16:08 | 000,471,040 | ---- | M] (PalmSource, Inc) -- C:\Program Files\palmOne\Hotsync.exe
PRC - [2003/05/08 11:00:58 | 000,049,152 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
PRC - [2002/10/11 08:10:00 | 000,106,560 | ---- | M] (WinZip Computing, Inc.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [1999/01/13 00:49:28 | 000,056,832 | ---- | M] () -- C:\Program Files\WinBatch\System\popmenu.exe
========== Modules (SafeList) ==========
MOD - [2011/04/05 07:42:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MalAdjust\Desktop\OTL.exe
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2003/05/08 11:00:46 | 000,159,744 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\OpHookSE2.dll
========== Win32 Services (SafeList) ==========
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/09/13 12:48:12 | 000,025,704 | R--- | M] (Amazon.com) [Auto | Running] -- C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe -- (ADVService)
SRV - [2010/08/23 21:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2010/05/04 12:07:22 | 000,503,080 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Update\NASvc.exe -- (NAUpdate)
SRV - [2009/12/30 14:21:02 | 000,065,536 | ---- | M] (Lexar Media, Inc.) [Auto | Running] -- C:\WINDOWS\system32\LxrSII1s.exe -- (LxrSII1s)
SRV - [2009/09/17 18:40:44 | 000,075,048 | ---- | M] () [Auto | Running] -- C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLDTVHNService.exe -- (CLDTVHNService)
SRV - [2009/03/16 17:45:14 | 000,059,552 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Installer) getPlus®
SRV - [2009/02/02 02:33:18 | 000,317,440 | ---- | M] (Amazon.com) [Auto | Running] -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe -- (Amazon Download Agent)
SRV - [2008/10/10 18:26:30 | 000,510,496 | ---- | M] (Fortinet Inc.) [Auto | Running] -- C:\WINDOWS\system32\FortiSslvpnDaemon.exe -- (FortiSslvpnDaemon)
SRV - [2008/06/09 10:37:44 | 000,053,392 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2007/05/25 09:38:46 | 000,112,176 | ---- | M] (SingleClick Systems) [Auto | Running] -- C:\Program Files\Dell Network Assistant\hnm_svc.exe -- (hnmsvc)
SRV - [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/03/17 06:34:24 | 000,115,952 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/03/17 06:34:20 | 001,799,408 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/03/17 06:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/03/07 13:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/03/07 13:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/02/23 11:41:02 | 002,045,632 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2006/02/06 12:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2006/01/24 20:06:58 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
========== Driver Services (SafeList) ==========
DRV - [2011/04/01 01:00:00 | 001,393,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110401.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/04/01 01:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110401.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/07/22 04:37:29 | 000,108,480 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2010/06/17 01:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/28 01:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/12/30 11:36:56 | 000,063,448 | ---- | M] (Lexar Media, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LxrSII1d.sys -- (LxrSII1d)
DRV - [2009/09/17 18:40:52 | 000,119,792 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Running] -- C:\Program Files\DirecTV\DirecTV\Kernel\DMP\ntk_dtv.sys -- (ntk_dtv)
DRV - [2008/10/10 18:26:32 | 000,036,384 | ---- | M] (Fortinet Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pppop.sys -- (pppop)
DRV - [2008/04/20 13:15:41 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2008/01/02 11:13:12 | 000,987,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2008/01/02 11:13:12 | 000,731,136 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2008/01/02 11:13:12 | 000,268,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2007/07/22 13:27:12 | 004,424,704 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/06/01 11:41:00 | 000,018,432 | ---- | M] (Primax Electronics Ltd.)
[Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pmxmouse.sys -- (pmxmouse) DRV - [2007/05/24 14:56:00 | 000,014,336 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pmxusblf.sys -- (pmxusblf) DRV - [2006/12/18 17:01:20 | 000,012,672 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\packet.sys -- (Packet) DRV - [2006/08/18 11:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM) DRV - [2006/08/18 11:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM) DRV - [2006/08/18 11:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M) DRV - [2006/08/18 11:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM) DRV - [2006/08/18 11:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM) DRV - [2006/08/18 11:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM) DRV - [2006/08/18 11:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M) DRV - [2006/08/18 11:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM) DRV - [2006/08/11 08:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM) DRV - [2006/08/11 08:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M) DRV - [2006/08/02 11:45:32 | 000,114,560 | ---- | M] (Mars Semiconductor Corp.) 
[Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mr7910.sys -- (mr7910) DRV - [2006/02/06 12:50:22 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv) DRV - [2006/01/31 13:29:20 | 000,107,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent) DRV - [2006/01/24 20:06:36 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI) DRV - [2006/01/24 20:06:32 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV) DRV - [2005/12/19 20:41:58 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL) DRV - [2005/12/19 20:41:56 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT) DRV - [2004/07/19 09:41:48 | 000,016,512 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32) DRV - [2003/09/19 16:45:48 | 000,021,248 | ---- | M] (Padus, Inc.) 
[Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415 IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415 IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415 IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415 IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415 IE - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = 
http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb IE - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415 IE - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0 FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0 FF - prefs.js..extensions.enabledItems: {C9761C39-2000-4CD6-A94E-6DB3A823FD89}:1.9.1 FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/07/11 18:13:43 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Firefox\extensions\\{C9761C39-2000-4CD6-A94E-6DB3A823FD89}: C:\Documents and Settings\Rob\Local Settings\Application Data\{C9761C39-2000-4CD6-A94E-6DB3A823FD89} [2010/09/29 16:57:26 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/13 22:10:44 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/12 12:26:16 | 000,000,000 | ---D | M] [2011/04/04 19:10:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\MalAdjust\Application Data\Mozilla\Extensions [2011/04/04 21:23:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\MalAdjust\Application Data\Mozilla\Firefox\Profiles\2yh775pc.default\extensions [2011/04/04 21:23:06 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\MalAdjust\Application Data\Mozilla\Firefox\Profiles\2yh775pc.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2011/04/03 11:02:48 | 000,000,000 | ---D | M] (No name 
found) -- C:\Program Files\Mozilla Firefox\extensions [2010/09/29 16:57:26 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\ROB\LOCAL SETTINGS\APPLICATION DATA\{C9761C39-2000-4CD6-A94E-6DB3A823FD89} [2008/12/14 15:54:47 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/07/11 18:13:43 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD O1 HOSTS File: ([2010/03/07 00:16:05 | 000,380,253 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: 127.0.0.1 www.007guard.com O1 - Hosts: 127.0.0.1 007guard.com O1 - Hosts: 127.0.0.1 008i.com O1 - Hosts: 127.0.0.1 www.008k.com O1 - Hosts: 127.0.0.1 008k.com O1 - Hosts: 127.0.0.1 www.00hq.com O1 - Hosts: 127.0.0.1 00hq.com O1 - Hosts: 127.0.0.1 010402.com O1 - Hosts: 127.0.0.1 www.032439.com O1 - Hosts: 127.0.0.1 032439.com O1 - Hosts: 127.0.0.1 www.0scan.com O1 - Hosts: 127.0.0.1 0scan.com O1 - Hosts: 127.0.0.1 1000gratisproben.com O1 - Hosts: 127.0.0.1 www.1000gratisproben.com O1 - Hosts: 127.0.0.1 1001namen.com O1 - Hosts: 127.0.0.1 www.1001namen.com O1 - Hosts: 127.0.0.1 100888290cs.com O1 - Hosts: 127.0.0.1 www.100888290cs.com O1 - Hosts: 127.0.0.1 www.100sexlinks.com O1 - Hosts: 127.0.0.1 100sexlinks.com O1 - Hosts: 127.0.0.1 10sek.com O1 - Hosts: 127.0.0.1 www.10sek.com O1 - Hosts: 127.0.0.1 www.1-2005-search.com O1 - Hosts: 127.0.0.1 1-2005-search.com O1 - Hosts: 13102 more lines... O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - File not found O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer) O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.) 
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.) O2 - BHO: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask) O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll () O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.) O3 - HKLM\..\Toolbar: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask) O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O3 - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.) O3 - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\..\Toolbar\WebBrowser: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask) O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.) O4 - HKLM..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe (Amazon.com) O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.) O4 - HKLM..\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE (CANON INC.) 
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation) O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink) O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( ) O4 - HKLM..\Run: [Google Desktop Search] File not found O4 - HKLM..\Run: [iJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.) O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation) O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.) O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.) O4 - HKLM..\Run: [PMX Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.) O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.) O4 - HKLM..\Run: [updateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.) O4 - HKLM..\Run: [uVS12 Preload] C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe (Corel TW Corp.) 
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk = C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe (Amazon.com) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe (PalmSource, Inc) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PopMenu exe.lnk = C:\Program Files\WinBatch\System\popmenu.exe () O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe (Yahoo! Inc.) O4 - Startup: C:\Documents and Settings\Rob\Start Menu\Programs\Startup\WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe (Ziff Davis Media, Inc.) 
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.) O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) 
O15 - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites) O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class) O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control) O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} http://apps.corel.com/nos_dl_manager/plugin/IEGetPlugin.cab (get_atlcom Class) O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab (Creative Software AutoUpdate) O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} https://65.214.187.52:10443/sslvpn.cab (fortisslvpn Class) O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner) O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06) O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07) O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} 
http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab (Creative Software AutoUpdate Support Package) O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0 (DigWebHelper Class) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation) O22 - SharedTaskScheduler: {1984DD45-52CF-49cd-AB77-18F378FEA264} - FencesShellExt - C:\Program Files\Fences\FencesMenu.dll (Stardock) O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2004/08/11 15:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2011/04/05 07:42:57 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\MalAdjust\Desktop\OTL.exe [2011/04/04 21:23:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\My Documents\Downloads [2011/04/04 21:21:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\My Documents\TurboTax [2011/04/04 21:21:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\Intuit [2011/04/04 21:21:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Intuit [2011/04/04 19:14:26 | 000,000,000 | ---D | C] -- C:\Documents and 
Settings\MalAdjust\Application Data\CyberLink [2011/04/04 19:09:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\Mozilla [2011/04/04 19:09:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Mozilla [2011/04/04 19:09:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Adobe [2011/04/04 19:08:49 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\MalAdjust\PrivacIE [2011/04/04 19:08:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Canon Easy-WebPrint EX [2011/04/04 18:56:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Malwarebytes [2011/04/04 18:55:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Ipswitch [2011/04/04 18:54:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Google [2011/04/04 18:54:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\AskToolbar [2011/04/04 18:54:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Ulead Systems [2011/04/04 18:53:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\HotSync [2011/04/04 18:53:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\My Documents\Palm OS Desktop [2011/04/04 18:53:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\Power2Go [2011/04/04 18:52:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Real [2011/04/04 18:52:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\Symantec [2011/04/04 18:52:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Stardock [2011/04/04 18:52:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\MalAdjust\IETldCache 
[2011/04/04 18:51:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Internet Explorer [2011/04/04 18:50:48 | 000,000,000 | --SD | C] -- C:\Documents and Settings\MalAdjust\Application Data\Microsoft [2011/04/04 18:50:48 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\MalAdjust\Application Data [2011/04/04 18:50:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\Favorites [2011/04/04 18:50:48 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\MalAdjust\Cookies [2011/04/04 18:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Macromedia [2011/04/04 18:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\InstallShield [2011/04/04 18:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Identities [2011/04/04 18:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\Google [2011/04/04 18:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Desktop [2011/04/04 18:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\BVRP Software [2011/04/04 18:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\ApplicationHistory [2011/04/04 18:50:47 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\MalAdjust\SendTo [2011/04/04 18:50:47 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\MalAdjust\Recent [2011/04/04 18:50:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Startup [2011/04/04 18:50:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\Start Menu [2011/04/04 18:50:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\My Documents\My Videos [2011/04/04 18:50:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\My Documents\My Pictures [2011/04/04 
18:50:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\My Documents\My Music [2011/04/04 18:50:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\My Documents [2011/04/04 18:50:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Accessories [2011/04/04 18:50:47 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\MalAdjust\Templates [2011/04/04 18:50:47 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\MalAdjust\PrintHood [2011/04/04 18:50:47 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\MalAdjust\NetHood [2011/04/04 18:50:47 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\MalAdjust\Local Settings [2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Utilities [2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\SingleClick Systems [2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\Roxio [2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\PowerDVD DX [2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\My Documents\My Google Gadgets [2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\Microsoft [2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Dell Accessories [2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060} [2011/03/06 14:45:39 | 000,090,112 | ---- | C] (MindVision Software) -- C:\WINDOWS\unvise32.exe [2011/03/06 14:45:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Quicken WillMaker Plus 2011 [2011/03/06 14:45:27 | 000,000,000 | 
---D | C] -- C:\Program Files\Quicken WillMaker Plus 2011
[2011/03/06 14:32:09 | 004,199,768 | ---- | C] (Amyuni Technologies http://www.amyuni.com) -- C:\WINDOWS\System32\cdintf400.dll
[2011/03/06 14:32:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Quicken 2011
[61 C:\*.tmp files -> C:\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/05 07:42:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MalAdjust\Desktop\OTL.exe
[2011/04/05 07:40:43 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Desktop\MS Office Outlook 2003.lnk
[2011/04/05 07:25:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/05 07:01:00 | 000,000,230 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/04/04 21:25:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/04 21:23:00 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Desktop\Mozilla Firefox.lnk
[2011/04/04 21:11:49 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/04/04 20:53:00 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2011/04/04 20:47:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/04 20:47:20 | 2145,566,720 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/04 18:56:51 | 000,445,700 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/04 18:56:51 | 000,072,780 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/04 18:54:02 | 000,000,132 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\fusioncache.dat
[2011/04/04 18:53:12 | 000,001,674 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Desktop\CyberLink Power2Go.lnk
[2011/04/04 18:53:08 | 000,001,540 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Desktop\Customize Fences.lnk
[2011/04/04 18:52:26 | 000,000,779 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/04/04 18:51:05 | 000,000,782 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Desktop\Windows Media Player.lnk
[2011/04/04 17:53:30 | 000,016,612 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\muui32clp1xb41do30186g73wxfgt8irp431q23v6s78nf
[2011/04/03 22:00:21 | 000,709,456 | ---- | M] () -- C:\WINDOWS\is-SS5P4.exe
[2011/04/03 22:00:21 | 000,010,562 | ---- | M] () -- C:\WINDOWS\is-SS5P4.msg
[2011/04/03 22:00:21 | 000,000,399 | ---- | M] () -- C:\WINDOWS\is-SS5P4.lst
[2011/03/21 19:40:48 | 3862,011,904 | ---- | M] () -- C:\DVDVOLUME.ISO
[2011/03/12 21:17:07 | 000,016,686 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3782553494
[2011/03/12 09:48:17 | 000,015,328 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3452207138
[2011/03/06 14:32:01 | 000,000,154 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[61 C:\*.tmp files -> C:\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/04 22:07:17 | 000,002,521 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Desktop\MS Office Outlook 2003.lnk
[2011/04/04 21:23:00 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Desktop\Mozilla Firefox.lnk
[2011/04/04 21:11:49 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/04/04 18:54:02 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\fusioncache.dat
[2011/04/04 18:53:08 | 000,001,540 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Desktop\Customize Fences.lnk
[2011/04/04 18:52:26 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Internet Explorer
[2011/04/04 18:51:05 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Windows Media Player.lnk
[2011/04/04 18:51:05 | 000,000,782 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Desktop\Windows Media Player.lnk
[2011/04/04 18:50:50 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/04/04 18:50:50 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/04/04 18:50:49 | 000,266,556 | ---- | C] () -- C:\Documents and Settings\MalAdjust\BD=1
[2011/04/04 18:50:49 | 000,001,674 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Desktop\CyberLink Power2Go.lnk
[2011/04/04 18:50:48 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Remote Assistance.lnk
[2011/04/04 18:50:48 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Outlook Express.lnk
[2011/04/04 18:49:58 | 2145,566,720 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/03 22:00:21 | 000,709,456 | ---- | C] () -- C:\WINDOWS\is-SS5P4.exe
[2011/04/03 22:00:21 | 000,010,562 | ---- | C] () -- C:\WINDOWS\is-SS5P4.msg
[2011/04/03 22:00:21 | 000,000,399 | ---- | C] () -- C:\WINDOWS\is-SS5P4.lst
[2011/04/03 18:17:18 | 000,016,612 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\muui32clp1xb41do30186g73wxfgt8irp431q23v6s78nf
[2011/03/21 19:36:30 | 3862,011,904 | ---- | C] () -- C:\DVDVOLUME.ISO
[2011/03/12 21:15:06 | 000,016,686 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3782553494
[2011/03/11 18:41:12 | 000,015,328 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3452207138
[2011/02/06 15:57:04 | 004,997,704 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/09/29 16:57:28 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Erodeguyoyamuzag.dat
[2010/09/29 16:57:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Bvucipabusaxupet.bin
[2010/07/17 21:06:00 | 000,000,040 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2010/02/07 14:17:29 | 000,002,077 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/01/03 14:13:56 | 000,000,154 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2009/08/07 10:54:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2009/07/26 14:57:43 | 000,209,040 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2009/07/26 14:57:43 | 000,204,944 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2009/07/26 14:57:43 | 000,196,752 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2009/07/26 14:57:43 | 000,196,752 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2009/07/26 14:57:43 | 000,192,656 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2009/07/26 14:57:43 | 000,024,720 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2009/06/18 23:12:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/05/03 23:34:43 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/12/28 17:24:34 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Images
[2008/12/28 17:24:34 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2008/12/28 17:24:34 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Internet Services
[2008/12/20 13:33:18 | 000,000,120 | ---- | C] () -- C:\WINDOWS\marscam.ini
[2008/11/06 09:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 09:33:02 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/09/19 10:48:32 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2008/09/19 10:48:32 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\uninscpw.exe
[2008/04/26 22:36:30 | 000,000,039 | ---- | C] () -- C:\WINDOWS\ulead32.ini
[2008/04/26 12:50:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2008/04/26 11:49:06 | 000,494,080 | ---- | C] () -- C:\WINDOWS\System32\mp3tsshx.dll
[2008/04/25 09:14:17 | 000,000,175 | ---- | C] () -- C:\WINDOWS\wetest.ini
[2008/04/20 14:41:30 | 000,000,036 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2008/04/20 14:41:29 | 000,000,056 | ---- | C] () -- C:\WINDOWS\Addrfixr.ini
[2008/04/20 14:40:55 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\DYMOCFG.DLL
[2008/04/20 14:40:54 | 000,005,563 | ---- | C] () -- C:\WINDOWS\System32\dymourl.ini
[2008/04/20 14:23:40 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7L.DLL
[2008/04/20 14:22:04 | 000,000,532 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2008/04/19 21:49:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/04/19 12:45:38 | 000,001,526 | ---- | C] () -- C:\WINDOWS\pw4.ini
[2008/04/19 09:43:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/04/15 10:00:33 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/04/15 09:57:36 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2008/04/15 09:57:36 | 000,000,188 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/04/15 09:53:34 | 000,303,104 | ---- | C] () -- C:\WINDOWS\System32\FontZoom.exe
[2008/04/15 09:53:34 | 000,131,066 | ---- | C] () -- C:\WINDOWS\System32\DellPM.ini
[2008/04/15 09:35:19 | 000,876,544 | ---- | C] () -- C:\WINDOWS\System32\TEACico2.dll
[2008/04/15 09:34:37 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2008/04/15 09:33:21 | 000,001,124 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/11/07 02:25:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/16 21:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/16 21:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2005/10/24 11:13:58 | 000,066,560 | RHS- | C] () -- C:\WINDOWS\MOTA113.exe
[2005/10/13 21:27:00 | 000,422,400 | RHS- | C] () -- C:\WINDOWS\x2.64.exe
[2005/07/14 12:31:20 | 000,027,648 | RHS- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2005/06/21 22:37:42 | 000,045,568 | RHS- | C] () -- C:\WINDOWS\System32\cygz.dll
[2005/05/13 17:12:00 | 000,217,073 | RHS- | C] () -- C:\WINDOWS\meta4.exe
[2005/02/28 13:16:22 | 000,240,128 | RHS- | C] () -- C:\WINDOWS\System32\x.264.exe
[2004/08/11 15:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 15:19:30 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/11 15:12:14 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/11 15:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/11 15:07:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/11 15:06:43 | 000,305,216 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/11 15:00:30 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/11 15:00:28 | 000,445,700 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/11 15:00:28 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/11 15:00:28 | 000,072,780 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/11 15:00:28 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/11 15:00:27 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/11 15:00:26 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/11 15:00:24 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/11 15:00:19 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/11 15:00:19 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/11 15:00:12 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/11 15:00:04 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/01/29 17:39:40 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\dcfft2.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/16 17:00:00 | 000,007,420 | ---- | C] () -- C:\WINDOWS\UA000106.DLL

========== LOP Check ==========

[2010/10/26 21:12:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Stardock
[2011/02/27 14:47:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Amazon
[2008/04/19 20:02:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
[2010/12/14 21:11:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canon IJ Network Tool
[2008/04/19 13:01:31 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/12/14 22:03:08 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEGV
[2010/12/14 21:08:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMSetup
[2010/12/14 21:58:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2010/12/14 21:07:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJWSpt
[2010/08/21 14:58:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cisco Systems
[2008/04/20 13:23:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DataViz
[2008/12/28 17:24:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
[2008/04/20 13:16:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync
[2009/07/26 14:57:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InterVideo
[2008/12/28 17:25:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon
[2010/01/07 23:34:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2008/04/15 09:58:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SingleClick Systems
[2010/07/17 21:06:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2010/05/02 16:48:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
[2009/06/03 22:37:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
[2008/04/20 14:22:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanWizard
[2008/04/15 09:58:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2011/02/07 22:06:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/08/23 11:59:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2008/12/28 17:24:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
[2008/04/26 12:23:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2008/06/21 16:17:22 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{68D98ECE-8350-4B76-A666-6DAA2183091C}
[2010/05/17 21:19:58 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{A87EB928-0C6C-4071-AEF1-59E32BAEDF1B}
[2010/10/26 21:02:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AskToolbar
[2011/04/04 19:08:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MalAdjust\Application Data\Canon Easy-WebPrint EX
[2011/04/04 18:53:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MalAdjust\Application Data\HotSync
[2011/04/04 18:52:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MalAdjust\Application Data\Stardock
[2011/04/04 18:54:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MalAdjust\Application Data\Ulead Systems
[2008/05/15 22:35:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Amazon
[2010/07/17 23:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\AskToolbar
[2010/12/14 21:58:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Canon
[2010/12/14 21:08:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Canon Easy-WebPrint EX
[2011/03/12 21:08:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Eye-Fi
[2010/08/07 18:10:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\fi.eye.center.E430518E652B889A80EC0E8A6E532C09FF36DF62.1
[2009/06/20 14:56:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\GetRightToGo
[2008/04/20 13:15:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\HotSync
[2008/04/20 13:21:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Leadertech
[2008/12/28 17:29:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Nikon
[2011/03/06 14:45:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Nolo
[2008/06/21 16:20:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\RiffTrax
[2008/04/20 14:22:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\ScanSoft
[2010/05/17 21:20:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Stardock
[2009/07/26 15:07:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Ulead Systems
[2011/04/05 07:01:00 | 000,000,230 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:62E2D794

< End of report >

========================================================================================================

OTL Extras logfile created on: 4/5/2011 7:43:54 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\MalAdjust\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 54.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.70 Gb Total Space | 181.63 Gb Free Space | 39.00% Space Free | Partition Type: NTFS

Computer Name: JANE | User Name: MalAdjust | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-2706065477-1034120459-467431141-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"10421:UDP" = 10421:UDP:*:Enabled:SingleClick Discovery Protocol
"10426:UDP" = 10426:UDP:*:Enabled:SingleClick ICC
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)
"C:\Program Files\DirecTV\DirecTV\DIRECTV2PC.exe" = C:\Program Files\DirecTV\DirecTV\DIRECTV2PC.exe:*:Enabled:DIRECTV2PC -- (DIRECTV Corp.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)
"C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe" = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox -- (Yahoo! Inc.)
"C:\Program Files\Eye-Fi\Eye-Fi Manager.exe" = C:\Program Files\Eye-Fi\Eye-Fi Manager.exe:*:Enabled:Eye-Fi Manager
"C:\Program Files\Dell Network Assistant\ezi_hnm2.exe" = C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:*:Enabled:Dell Network Assistant -- (SingleClick Systems)
"C:\Documents and Settings\Rob\Application Data\U3\0000186265711886\0DE4F643-C398-46ec-9339-2362F2311932\Exec\Skype.exe" = C:\Documents and Settings\Rob\Application Data\U3\0000186265711886\0DE4F643-C398-46ec-9339-2362F2311932\Exec\Skype.exe:*:Enabled:Skype
"C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation)
"C:\Program Files\Eye-Fi\Helper\EyeFiHelper.exe" = C:\Program Files\Eye-Fi\Helper\EyeFiHelper.exe:*:Enabled:Eye-Fi Helper -- (Eye-Fi, Inc.)
"C:\Documents and Settings\Rob\Application Data\U3\0000187FC570F5FE\0DE4F643-C398-46ec-9339-2362F2311932\Exec\Skype.exe" = C:\Documents and Settings\Rob\Application Data\U3\0000187FC570F5FE\0DE4F643-C398-46ec-9339-2362F2311932\Exec\Skype.exe:*:Enabled:Skype -- ()
"C:\Program Files\DirecTV\DirecTV\DIRECTV2PC.exe" = C:\Program Files\DirecTV\DirecTV\DIRECTV2PC.exe:*:Enabled:DIRECTV2PC -- (DIRECTV Corp.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0240BDFB-2995-4A3F-8C96-18D41282B716}" = Dell Network Assistant
"{034B16A2-86DA-8498-632F-E24A4B512FD5}" = Eye-Fi Center
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{10CD364B-FFCC-48BE-B469-B9622A033075}" = Fences
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG6100_series" = Canon MG6100 series MP Drivers
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1882D3BE-8B8F-4EA3-9414-EB06CD5B9CD8}" = Modem Diagnostics Tool
"{18A8E78B-9EF2-496E-B310-BCD8E4C1DAB3}" = iSEEK AnswerWorks English Runtime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2436F2A8-4B7E-4B6C-AE4E-604C84AA6A4F}" = Nero Core Components 10
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java 6 Update 17
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{360EDFB0-EAA2-012B-AD16-000000000000}" = TurboTax 2009 wcaiper
"{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{448E2D77-E504-4221-B2C2-93646B344729}" = Mouse Suite for Desktop Computers
"{459E93B6-150E-45d5-8D4B-45C66FC035FE}" = getPlus® for Corel
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{479F8C12-576B-4A58-AB78-4B70F7012AA8}" = DIRECTV2PC Playback Advisor
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper
"{523B2B1B-D8DB-4B41-90FF-C4D799E2758A}" = Nero ControlCenter 10 Help (CHM)
"{5404E185-BD7C-4A72-ABD0-91A411A05726}" = Ulead VideoStudio 6 SE DVD
"{54A4839E-87F8-4BD1-9682-A349E9943F0A}" = Amazon Unbox Video
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B30AA25-BF39-4BE4-8FEE-51938BAB214D}" = TurboTax 2008 wcaiper
"{5FE545A1-D215-4216-9189-E7B39C9D1CC1}" = Quicken 2011
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6DFB899F-17A2-48F0-A533-ED8D6866CF38}" = Nero Control Center 10
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.0
"{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}" = OmniPage SE 2.0
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{842BEE12-CCCB-43F4-ABAF-CBA6DFE2583D}" = Nero BurnLite 10
"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{86EF9FC4-F209-4520-B7E1-C7FF0EEBDFFF}" = Adobe Audition 1.5
"{87FF0E39-8490-4EB4-A557-FF12F712EF7E}" = TurboTax 2010 wcaiper
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8F194222-199F-11D6-B163-AA8310157D2E}" = SAPI51forSayPad
"{91E30409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{94673EFC-6EF6-4CB1-8FFC-78F4C0203A0C}" = Eye-Fi Helper 3.2
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{9F70BF98-003C-491D-81FC-FF9792206AF0}" = iTunes
"{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}" = Symantec AntiVirus
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A34DCE59-0003-0000-0387-3F8A9926B752}" = FortiClient SSL VPN v3.0.387
"{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AB627AF2-9C7E-4DBD-816B-3B2646B81E89}" = Nero BurnLite 10
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AD88355B-A4E0-4DA1-BAC3-EA4FEA930691}" = Ipswitch WS_FTP Professional 2007
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BA4DF4C3-196E-4128-969A-00996B5A46F8}" = Canon MP500
"{BDFE199D-E889-4BB6-BECB-C4BDF5700849}" = Documents To Go
"{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}" = Canon PhotoRecord
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4B3A7F9-5CD8-4608-B623-689CA3604A08}" = RiffTrax DVD Player
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{C8CE30F9-CBD0-43B1-BFD3-B18F55A48827}" = Calendar Creator 10
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE636486-7E13-4051-9067-AFC4E1B8F54E}" = ArcSoft ShowBiz DVD 2
"{CF0C0E58-2C1A-4645-85FC-D3DF9686EF60}" = Mp3-Tag Studio 3.01
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D45E8C45-B601-4A80-AFD8-E16338744DE1}" = ArcSoft Panorama Maker 4
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{DC3065BF-95B4-42C5-B47D-0B713CDA75D0}" = Creative Zen Vision M
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{E8617EA7-DBC7-48A2-8FF5-F9D699BD581A}" = Attachmate Reflection for Secure IT Client 7.0
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{E9B10AA5-E5F6-4DEF-A435-FB20704AF1E8}" = DIRECTV2PC
"{EC3B8CA2-49B8-4D38-BE9C-ABD0F6029168}" = Yahoo! Music Jukebox
"{F0FDF9C9-1DDC-401F-B638-36F1CAE8A875}" = VideoStudio
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FF8157AA-F640-45BD-B7C2-BAA1016B267A}" = palmOne
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3
"AnyDVD" = AnyDVD
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"Canon MG6100 series User Registration" = Canon MG6100 series User Registration
"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"CanonMyPrinter" = Canon My Printer
"CanonSolutionMenuEX" = Canon Solution Menu EX
"Cisco Connect" = Cisco Connect
"CNXT_MODEM_PCI_HSF" = Conexant D850 PCI V.92 Modem
"Cool Edit Pro 2.0" = Cool Edit Pro 2.0
"Creative Removable Disk Manager" = Creative Removable Disk Manager
"CSCLIB" = Canon Camera Support Core Library
"CutePDF Writer Installation" = CutePDF Writer 2.5
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DVD Shrink_is1" = DVD Shrink 3.2
"DYMO Label Software" = DYMO Label Software
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-WebPrint" = Easy-WebPrint
"Easy-WebPrint EX" = Canon Easy-WebPrint EX
"EOS Utility" = Canon Utilities EOS Utility
"Fences" = Fences
"fi.eye.center.E430518E652B889A80EC0E8A6E532C09FF36DF62.1" = Eye-Fi Center
"FLV to AVI MPEG WMV 3GP MP4 iPod Converter_is1" = FLV to AVI MPEG WMV 3GP MP4 iPod Converter 5.2.0603
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"InstallShield_{479F8C12-576B-4A58-AB78-4B70F7012AA8}" = DIRECTV2PC Playback Advisor
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"InstallShield_{54A4839E-87F8-4BD1-9682-A349E9943F0A}" = Amazon Unbox Video
"InstallShield_{E9B10AA5-E5F6-4DEF-A435-FB20704AF1E8}" = DIRECTV2PC
"InstallShield_{F0FDF9C9-1DDC-401F-B638-36F1CAE8A875}" = Corel VideoStudio 12
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MP Navigator EX 4.0" = Canon MP Navigator EX 4.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PC Magazine's WinTidy_is1" = WinTidy 1.0.11
"PhotoStitch" = Canon Utilities PhotoStitch
"Procomm Plus" = Procomm Plus 4.60
"Quicken WillMaker Plus 2011" = Quicken WillMaker Plus 2011
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"Readerware" = Readerware
"RealPlayer 6.0" = RealPlayer
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"RiffTrax DVD Player" = RiffTrax DVD Player
"RSecureClient" = Attachmate Reflection for Secure IT Client 7.0
"Scott's Space Invaders_is1" = Scott's Space Invaders v 1.9
"SearchAssist" = SearchAssist
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"ST6UNST #1" = SayPad
"SUPER
  19. Update: after running the third MBAM scan (under normal (non-Safe) mode, new user MalAdjust), it found and fixed the same 3 infections as shown in scan #2:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\flt.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\flt.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\flt.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

I have a feeling that if I switch to the original user (Rob) where the infection first happened, it will still be there. I will await a reply before proceeding with anything else...
  20. Hello, yesterday evening my desktop PC (Win XP Professional SP3) got infected with "XP Security 2011", a fake AV program that has hijacked the Windows firewall among several other things. Under normal (non-Safe) mode (user: Rob), I cannot run msconfig, regedit, System Restore, View/Create Users. I cannot turn on the Windows Firewall, and my real AV (Symantec) seems to have disappeared, along with most other items in the System Tray. I cannot run MBAM (or Spy-Bot S&D, for that matter), even with mbam.exe renamed to another name. I have no general Internet access via IE 8 or Firefox 3.6. Task Manager (which I CAN run) indicates processes named flt.exe linked to the malware. I can kill such processes and make the malware screens temporarily disappear, but they reappear soon thereafter. In Safe Mode (user: Admin -- not Rob), the malware is not present, and I was able to run full scans of both MBAM and SpyBot S&D. I ran MBAM twice, and it found a handful of problems to correct (logs are posted below), but when I reboot in normal mode, the malware is still present. So far, MBAM has not been able to remove this infection, and it's clear that the malware is somehow linked to user Rob. This evening, I created a new user "MalAdjust" while in Safe Mode, then rebooted in normal mode with this new user. So far, the malware is not present; I started another MBAM full scan under this new user in normal mode, but so far (31 minutes and counting) it has not found any infected objects. Any help you can provide would be most appreciated!! Thanks.
-Rob

==========================================================
First MBAM scan -- mbam-log-2011-04-03 (23-03-44).txt:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6264

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

4/3/2011 11:03:44 PM
mbam-log-2011-04-03 (23-03-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 313653
Time elapsed: 43 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\jnn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\jnn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\jnn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Rob\local settings\application data\jnn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Rob\local settings\Temp\jar_cache4756159025373658791.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\spool\prtprocs\w32x86\c31uoceiq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\Rob\application data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Rob\application data\jsdfgs.bat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Rob\local settings\Temp\0.41964341364192215.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Rob\local settings\Temp\0.2877388884204123.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Rob\local settings\Temp\0.6974761506986406.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Rob\local settings\Temp\pdfupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Rob\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
c:\documents and settings\Rob\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
c:\documents and settings\Rob\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

==========================================================
Second MBAM scan -- mbam-log-2011-04-04 (00-19-57).txt:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6264

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

4/4/2011 12:19:57 AM
mbam-log-2011-04-04 (00-19-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 313673
Time elapsed: 43 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\flt.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\flt.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\flt.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

==========================================================
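The logs in posts 19 and 20 all show the same persistence trick: the (default) value under HKLM\SOFTWARE\Clients\StartMenuInternet\<browser>\shell\open\command (and Firefox's safemode verb) is rewritten so that the Start Menu browser entry launches the fake-AV binary (jnn.exe, later flt.exe) with the real browser as an argument, and the Security Center *DisableNotify values are set to 1 so the missing AV and firewall raise no warning. The script below is an added example for this thread, not code from the original posts or from Malwarebytes: it parses a `reg export` style text dump, flags every StartMenuInternet command whose launched executable is not a known browser, and flags any DisableNotify value set to 1. The sample dump is constructed to mirror the values in the logs, and the allow-list of browser executables is an assumption for illustration.

```python
"""Flag StartMenuInternet browser-launch hijacks and Security Center
notification suppression in a `reg export` style registry dump.

Added example for this thread, not part of the original posts or of any
Malwarebytes tool. The sample dump below is constructed to mirror the
values shown in the MBAM logs; the browser allow-list is an assumption.
"""
import re

# Executables that legitimately sit in the (default) value of
# HKLM\SOFTWARE\Clients\StartMenuInternet\<client>\shell\<verb>\command.
# Assumption for illustration; extend for other registered browsers.
EXPECTED_BROWSERS = {"firefox.exe", "iexplore.exe", "chrome.exe", "opera.exe"}

# Security Center values that, when set to 1, hide the AV/firewall/update
# warnings a fake AV wants the user not to see (PUM.Disabled.SecurityCenter).
DISABLE_NOTIFY = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")

STARTMENU_CMD = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Clients\\StartMenuInternet\\[^\\]+\\shell\\[^\\]+\\command$",
    re.IGNORECASE,
)
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"

# Constructed sample dump (reg export format) reflecting the hijacked state
# from the logs: Firefox verbs point at flt.exe, IE has already been cleaned.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\Rob\\Local Settings\\Application Data\\flt.exe\" -a \"firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="\"C:\\Documents and Settings\\Rob\\Local Settings\\Application Data\\flt.exe\" -a \"firefox.exe -safe-mode\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000001
'''


def _unescape_sz(data):
    """Undo .reg REG_SZ escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r'\\(["\\])', r"\1", data)


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for REG_SZ and REG_DWORD values.
    The default value of a key is stored under the name "(default)"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape_sz(data[1:-1])
    return keys


def launched_exe(command):
    """Basename of the program a shell command string actually starts
    (its first quoted or whitespace-delimited token), lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(None, 1)[0] if command else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hijacks(reg_text):
    """Return [(key_or_value_path, reason)] for every suspicious item."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if STARTMENU_CMD.match(key):
            cmd = values.get("(default)", "")
            exe = launched_exe(cmd)
            if exe not in EXPECTED_BROWSERS:
                findings.append((key, f"launches {exe!r}, not a browser: {cmd}"))
        elif key.lower() == SECURITY_CENTER:
            for name in DISABLE_NOTIFY:
                if values.get(name) == 1:
                    findings.append((key + "\\" + name, "set to 1, warning suppressed"))
    return findings


if __name__ == "__main__":
    for path, reason in find_hijacks(SAMPLE_REG):
        print(f"{path}\n    {reason}")
```

On a live machine the same text comes from `reg export "HKLM\SOFTWARE\Clients\StartMenuInternet" out.reg` and `reg export "HKLM\SOFTWARE\Microsoft\Security Center" sc.reg`; reg.exe writes UTF-16 files, so read them with encoding="utf-16" before handing the text to find_hijacks. Run it from a clean account or Safe Mode, as the poster did, because under the hijacked account any browser launch re-runs the dropper. The check is worth repeating after each cleanup, which is exactly what the repeated detections in scans 2 and 3 show: the command values were rewritten again by the copy still living in user Rob's profile.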