MBAM Malicious Website Block

Elise · June 17, 2010

Hi Doug, I'm happy to hear that things look fine now

Please let me know if there are any issues left.

Windows Firewall is fine as long as you are connected through a router to the internet (a router acts as a hardware firewall).

TWO ANTIVIRUS PROGRAMS

---------------------------------------

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either AVG or MS Security Essentials. I recommend you to keep MSSE and remove AVG, since your version of AVG is already outdated.

When done, please run a full system scan with MSSE and post me the results.

dagtexas · June 17, 2010

Elise, I deleted AVG and ran full scan of MSE. Unfortunately, MSE does not appear to produce any type of .txt log but only produces a screen when detected items are found. I saved the last two items found as screen prints and attached as .bmp.

Something that seems a little unusual to me; after running the last ComboFix session per instructions yesterday, there were no more IP blocks. Log:

01:00:00 Doug ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007

02:00:00 Doug MESSAGE Scheduled scan executed successfully

08:31:06 Doug IP-BLOCK 222.186.24.38

09:02:55 Doug IP-BLOCK 222.189.238.209

09:15:47 Doug IP-BLOCK 174.36.194.105

09:56:39 Doug IP-BLOCK 174.36.194.101

10:09:11 Doug IP-BLOCK 221.192.199.35

11:34:14 Doug IP-BLOCK 221.192.199.49

11:44:57 Doug IP-BLOCK 121.11.86.68

11:59:37 Doug IP-BLOCK 121.11.86.68

12:04:10 Doug IP-BLOCK 218.8.245.123

12:25:42 Doug MESSAGE IP Protection stopped

12:53:45 Doug MESSAGE IP Protection started successfully

However, after MBAM ran it's scheduled scan last night, IP blocks started again thereafter. Log:

01:00:51 Doug MESSAGE Scheduled update executed successfully

01:00:51 Doug MESSAGE IP Protection stopped

01:00:54 Doug MESSAGE Scheduled scan executed successfully

01:01:17 Doug MESSAGE Database updated successfully

01:01:33 Doug MESSAGE IP Protection started successfully

01:20:45 Doug IP-BLOCK 60.191.187.10

01:20:51 Doug IP-BLOCK 60.191.187.10

02:00:00 Doug MESSAGE Scheduled scan executed successfully

02:28:35 Doug IP-BLOCK 221.192.199.35

04:19:33 Doug IP-BLOCK 222.186.24.38

06:25:52 Doug IP-BLOCK 218.8.245.123

08:26:30 Doug IP-BLOCK 222.186.16.167

08:30:16 Doug IP-BLOCK 208.87.33.151

08:30:19 Doug IP-BLOCK 208.87.33.151

08:30:25 Doug IP-BLOCK 208.87.33.151

08:30:44 Doug IP-BLOCK 208.87.33.151

08:30:47 Doug IP-BLOCK 208.87.33.151

08:30:53 Doug IP-BLOCK 208.87.33.151

10:01:56 Doug IP-BLOCK 121.11.86.68

10:13:47 Doug IP-BLOCK 121.11.86.68

11:08:35 Doug IP-BLOCK 222.186.16.167

11:19:07 Doug IP-BLOCK 221.192.199.35

11:50:01 Doug IP-BLOCK 222.186.42.141

11:55:16 Doug IP-BLOCK 221.192.199.49

11:55:18 Doug IP-BLOCK 221.192.199.49

12:53:00 Doug IP-BLOCK 218.8.245.123

13:51:17 Doug IP-BLOCK 117.135.131.138

14:23:47 Doug IP-BLOCK 222.186.25.114

14:43:34 (null) MESSAGE Protection started successfully

14:44:26 Doug MESSAGE IP Protection started successfully

14:45:27 Doug IP-BLOCK 69.10.38.238

14:45:30 Doug IP-BLOCK 69.10.38.238

17:09:30 Doug IP-BLOCK 221.192.199.49

17:09:32 Doug IP-BLOCK 221.192.199.49

17:30:05 Doug IP-BLOCK 218.8.245.123

18:02:27 Doug MESSAGE IP Protection stopped

18:02:34 Doug MESSAGE IP Protection started successfully

18:03:14 Doug MESSAGE IP Protection stopped

18:03:20 Doug MESSAGE IP Protection started successfully

18:04:02 Doug MESSAGE IP Protection stopped

18:04:09 Doug MESSAGE IP Protection started successfully

18:04:09 Doug MESSAGE IP Protection stopped

18:04:16 Doug MESSAGE IP Protection started successfully

18:05:03 Doug MESSAGE IP Protection stopped

18:05:10 Doug MESSAGE IP Protection started successfully

18:14:58 Doug IP-BLOCK 60.173.10.165

Thanks.

MSSE_Scan_History_06_17_10.bmp

MSSE_Scan_History2_06_17_10.bmp

Elise · June 18, 2010

Those detections by MSSE are not dangerous; the items are in quarantine.

To see what might be the deal with those IP blocks, please rerun Combofix, post me the log and see if they stop afterwards.

Also, please check your XP firewall is turned on. I strongly suspect the firewall being turned off is causing these IP blocks.

Since you are not using a router, its recommended to install a thirdparty firewall.

INSTALL FIREWALL

--------------------------

Install and use a firewall with outbound protection

While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers

I therefore strongly recommend that you install one of the following free firewalls: Outpost Firewall Free, Sygate Personal Firewall Free or Zonealarm

See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here

Note - If you connect to the internet using a router, you are already behind a hardware firewall.

Note: You should only have one firewall installed at a time. Having more than one firewall program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

dagtexas · June 18, 2010

Elise,

Those entries in MSSE on June 3 were the last ones detected although I have been running a quick scan almost every day and a full scan every few days, so I guess that's some good news.

I deleted the existing CF and downloaded a new version and ran; log is posted, and noticed a system32 file was deleted. I then disconnected from the cable modem, deleted MSSE and MBAM and then downloaded and installed new versions. No IP blocks as yet although I completed those actions just earlier today. I have been keeping the Windows Firewall ON but browsed through the firewall link you provided and will switch to one of those next week. I am preparing to leave town for a few days and will have the PC off. Upon return early next week, I'll fire it up and see what happens, then notify you.

Thanks so much for your continuing assistance with my PC issues. Hope you enjoy your weekend.

Doug

ComboFix 10-06-17.03 - Doug 06/18/2010 11:21:35.6.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.704 [GMT -5:00]

Running from: c:\documents and settings\Doug\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\win.com

.

((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))

.

2010-06-15 23:06 . 2010-06-15 23:06 -------- d-----w- C:\_OTL

2010-06-14 20:15 . 2010-06-14 20:15 -------- d-----w- c:\program files\ESET

2010-06-14 15:09 . 2010-06-14 15:09 -------- d-----w- c:\program files\Common Files\Java

2010-06-14 15:09 . 2010-06-14 15:09 503808 ----a-w- c:\documents and settings\Doug\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33d78a18-n\msvcp71.dll

2010-06-14 15:09 . 2010-06-14 15:09 499712 ----a-w- c:\documents and settings\Doug\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33d78a18-n\jmc.dll

2010-06-14 15:09 . 2010-06-14 15:09 348160 ----a-w- c:\documents and settings\Doug\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33d78a18-n\msvcr71.dll

2010-06-14 15:09 . 2010-06-14 15:09 61440 ----a-w- c:\documents and settings\Doug\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-48cf37d6-n\decora-sse.dll

2010-06-14 15:09 . 2010-06-14 15:09 12800 ----a-w- c:\documents and settings\Doug\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-48cf37d6-n\decora-d3d.dll

2010-06-14 15:08 . 2010-06-14 15:08 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-13 04:31 . 2010-06-13 04:31 -------- d-----w- c:\documents and settings\Doug\Local Settings\Application Data\PCHealth

2010-06-13 04:31 . 2010-06-13 04:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2010-06-11 21:40 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-04 04:03 . 2010-06-04 04:03 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

2010-06-03 19:18 . 2008-04-13 18:40 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys

2010-06-03 19:18 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2010-06-01 21:01 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-01 13:20 . 2010-06-01 13:30 -------- d-----w- c:\program files\Windows Live Safety Center

2010-05-27 15:40 . 2010-05-27 15:40 -------- d-----w- C:\_OTM

2010-05-25 17:59 . 2010-05-25 18:00 -------- d-----w- C:\rsit

2010-05-25 12:14 . 2010-05-25 12:14 42368 ----a-w- c:\windows\system32\drivers\AGP440.SYS

2010-05-25 03:38 . 2010-05-25 12:16 -------- d-----w- c:\windows\system32\MpEngineStore

2010-05-25 03:36 . 2010-05-25 12:16 -------- d-----w- C:\acaef223b3beb048f035f7ca4d

2010-05-20 18:47 . 2010-05-20 18:47 -------- d-----w- c:\program files\DIFX

2010-05-20 18:46 . 2010-05-20 18:46 -------- d-----w- c:\program files\Garmin

2010-05-20 01:08 . 2010-05-20 01:08 388096 ----a-r- c:\documents and settings\Doug\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-17 21:38 . 2008-03-02 13:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-06-14 14:01 . 2007-06-23 03:51 -------- d-----w- c:\program files\Java

2010-06-07 16:40 . 2008-07-25 14:54 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-04 23:22 . 2010-01-14 16:40 -------- d-----w- c:\documents and settings\Doug\Application Data\PrimoPDF

2010-06-03 15:48 . 2010-05-10 19:39 -------- d-----w- c:\program files\Analog Devices

2010-05-25 17:59 . 2006-03-16 03:48 -------- d-----w- c:\program files\Trend Micro

2010-05-12 18:56 . 2005-06-10 23:29 -------- d-----w- c:\program files\Lavasoft

2010-05-10 19:40 . 2002-12-19 13:58 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-10 19:23 . 2010-05-10 19:23 -------- d-----w- c:\program files\SystemRequirementsLab

2010-05-06 10:41 . 2004-08-24 01:32 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-05 06:17 . 2010-04-29 15:14 -------- d-----w- c:\documents and settings\Doug\Application Data\3B4B9E60933DD2591D35596DBB73B27B

2010-05-03 01:17 . 2010-05-03 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion

2010-05-02 07:00 . 2010-05-02 07:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Malwarebytes

2010-05-02 05:22 . 2001-08-18 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-01 00:42 . 2009-10-21 22:04 -------- d-----w- c:\program files\Uniblue

2010-05-01 00:03 . 2010-02-20 16:42 -------- d-----w- c:\documents and settings\Doug\Application Data\Uniblue

2010-04-30 22:47 . 2010-04-29 21:18 -------- d-----w- c:\program files\Spyware Doctor

2010-04-30 22:47 . 2010-04-29 21:18 -------- d-----w- c:\program files\Common Files\PC Tools

2010-04-30 22:45 . 2010-04-29 21:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-30 21:07 . 2004-10-31 14:29 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-04-30 19:36 . 2010-04-30 19:36 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2010-04-29 21:08 . 2010-04-29 21:08 711168 ----a-w- c:\windows\is-IV4HO.exe

2010-04-20 05:30 . 2001-08-18 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-18 17:50 . 2010-04-18 17:50 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll

2010-04-18 17:50 . 2010-04-18 17:50 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll

2010-04-18 17:50 . 2010-04-18 17:50 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll

2010-04-18 17:50 . 2010-04-18 17:50 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll

2010-04-18 17:50 . 2010-04-18 17:50 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll

2010-04-18 17:50 . 2010-04-18 17:50 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll

2010-04-18 17:50 . 2010-04-18 17:50 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll

2010-04-18 17:50 . 2010-04-18 17:50 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

2010-04-18 17:50 . 2010-04-18 17:50 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

2010-04-18 17:48 . 2003-02-21 04:42 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-04-18 17:32 . 2010-04-18 17:32 734728 ----a-w- c:\documents and settings\Doug\Application Data\Real\RealPlayer\setup\AU_setup13.exe

2010-04-17 15:25 . 2010-04-17 15:25 439816 ----a-w- c:\documents and settings\Doug\Application Data\Real\Update\setup3.10\setup.exe

2010-04-13 21:55 . 2009-11-22 13:20 79488 ----a-w- c:\documents and settings\Doug\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-03-23 19:47 . 2009-07-14 18:36 256 ----a-w- c:\documents and settings\Doug\pool.bin

2007-10-07 17:19 . 2007-10-07 17:19 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-06-13_18.07.09 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-18 16:09 . 2010-06-18 16:09 16384 c:\windows\Temp\Perflib_Perfdata_698.dat

+ 2010-06-15 20:03 . 2010-06-15 20:03 21504 c:\windows\Installer\40c6f79.msi

+ 2010-06-14 15:08 . 2010-06-14 15:08 153376 c:\windows\system32\javaws.exe

+ 2010-06-14 15:08 . 2010-06-14 15:08 145184 c:\windows\system32\javaw.exe

+ 2010-06-14 15:08 . 2010-06-14 15:08 145184 c:\windows\system32\java.exe

+ 2010-06-14 15:09 . 2010-06-14 15:09 180224 c:\windows\Installer\be6ae.msi

+ 2010-06-14 15:08 . 2010-06-14 15:08 576000 c:\windows\Installer\be6a9.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-10 68856]

"gStart"="c:\garmin\gStart.exe" [2008-08-13 1891416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-08-14 147456]

"IMONTRAY"="c:\program files\Intel\Intel® Active Monitor\imontray.exe" [2002-09-19 32768]

"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]

"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-07 1838592]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-18 202256]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-07-07 77824]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2005-10-11 798720]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 3.lnk

backup=c:\windows\pss\Device Detector 3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk

backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Doug^Start Menu^Programs^Startup^Riorad Manager.lnk]

path=c:\documents and settings\Doug\Start Menu\Programs\Startup\Riorad Manager.lnk

backup=c:\windows\pss\Riorad Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Doug^Start Menu^Programs^Startup^Riorad SB-Riot Manager.lnk]

path=c:\documents and settings\Doug\Start Menu\Programs\Startup\Riorad SB-Riot Manager.lnk

backup=c:\windows\pss\Riorad SB-Riot Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]

2010-03-29 19:54 2343120 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]

2010-03-11 03:32 648536 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]

2008-08-13 20:34 1891416 ----a-w- c:\garmin\gStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2004-07-07 16:53 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2009-07-08 18:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Red Chair Software\\Riorad Explorer\\riomgr.exe"=

"c:\\Program Files\\Red Chair Software\\Riorad Explorer\\riormgr.exe"=

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [1/5/2003 2:25 PM 17792]

R1 enportv;enportv;c:\windows\system32\drivers\enportv.sys [2/4/2006 8:12 AM 28416]

R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 1:51 AM 380928]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/6/2007 5:09 PM 24652]

S1 MpKsl75be3789;MpKsl75be3789;\??\c:\windows\system32\MpEngineStore\MpKsl75be3789.sys --> c:\windows\system32\MpEngineStore\MpKsl75be3789.sys [?]

S2 gupdate1c98ac2b8b1b730;Google Update Service (gupdate1c98ac2b8b1b730);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2009 9:28 AM 133104]

S3 ATIPCXXX;ATI Parental control device;c:\windows\system32\drivers\atipcxxx.sys [12/19/2002 8:53 AM 10240]

S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);c:\windows\system32\drivers\atirtcap.sys [12/19/2002 8:53 AM 49920]

S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);c:\windows\system32\drivers\ativxbar.sys [12/19/2002 8:53 AM 26624]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]

S3 iscFlash;iscFlash;\??\c:\windows\SYSTEM32\DRIVERS\iscflash.sys --> c:\windows\SYSTEM32\DRIVERS\iscflash.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-07 00:03]

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-09 14:28]

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-09 14:28]

2010-06-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-725345543-1202660629-1343024091-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-06-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-725345543-1202660629-1343024091-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-06-18 c:\windows\Tasks\User_Feed_Synchronization-{22B9F4EE-F161-4ED4-9132-F02211555B6A}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]

2010-06-18 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 03:18]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.drudgereport.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uCustomizeSearch = hxxp://ie.search.msn.com

Trusted Zone: finehomebuilding.com\www

Trusted Zone: plateauwildlife.com\mail

Trusted Zone: taunton.com\reg

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\d7lrcvcm.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

------- File Associations -------

.

.scr=DWGTrueViewScriptFile

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKLM-Run-Malwarebytes Anti-Malware (rootkit-scan) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-18 11:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-06-18 11:34:33

ComboFix-quarantined-files.txt 2010-06-18 16:34

ComboFix2.txt 2010-06-16 17:51

ComboFix3.txt 2010-06-13 18:15

ComboFix4.txt 2010-06-03 19:51

ComboFix5.txt 2010-06-18 16:18

Pre-Run: 19,768,762,368 bytes free

Post-Run: 19,758,907,392 bytes free

- - End Of File - - E186C6BBCB6A8432957C9247784A7CFB

Elise · June 18, 2010

Hi Doug, that looks good now.

Please post back when you return and let me know how things are.

Enjoy your weekend

Elise · June 20, 2010

Bump to reset time stamp.

Please post back when ready

dagtexas · June 23, 2010

Hello again, Elise. My apologies for the delay in getting back with you. Returned from the trip and had some other matters pressing.

I had the computer off while I was gone. (I have generally been disconnecting PC from cable modem at end of day, reconnecting in the am) Upon going live again on 6/21, following is a synopsis of findings;

06/21 - 8 MBAM IP blocks during evening;

06/22 - MSSE detects/removes Trojan:JS/FakeSpyPro (log file posted)

06/22 - MBAM IP blocks throughout the day

06/23 - MBAM full scan clean (log file posted). At about 11:35 today, there was a brief power outage that shut down PC; upon reboot at 11:40, got 1 IP block right away and had 2nd while preparing this post.

Thanks for your assistance. I'll await your response.

Doug

Event Type: Information

Event Source: Microsoft Antimalware

Event Category: None

Event ID: 1007

Date: 6/22/2010

Time: 2:18:12 AM

User: N/A

Computer: XPPRO

Description:

Microsoft Antimalware has taken action to protect this machine from spyware or other potentially unwanted software.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=370...atid=2147634372

User: NT AUTHORITY\SYSTEM

Name: Trojan:JS/FakeSpypro

ID: 2147634372

Severity: Severe

Category: Trojan

Action: Remove

Status: The operation completed successfully.

Signature Version: AV: 1.85.561.0, AS: 1.85.561.0

Engine Version: 1.1.5902.0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning

Event Source: Microsoft Antimalware

Event Category: None

Event ID: 1006

Date: 6/22/2010

Time: 2:07:46 AM

User: N/A

Computer: XPPRO

Description:

Microsoft Antimalware has detected spyware or other potentially unwanted software.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=370...atid=2147634372

Name: Trojan:JS/FakeSpypro

ID: 2147634372

Severity: Severe

Category: Trojan

Path: file:C:\Temporary Internet Files\Content.IE5\4HEFK1A3\block[1].htm;file:C:\Temporary Internet Files\Content.IE5\CLE38LYV\block[3].php

Detection Origin: Local machine

Detection Type: Concrete

Detection Source: Real-Time Protection

Status: Suspended

User: NT AUTHORITY\SYSTEM

Process Name: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Signature Version: AV: 1.85.561.0, AS: 1.85.561.0

Engine Version: 1.1.5902.0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning

Event Source: Microsoft Antimalware

Event Category: None

Event ID: 1006

Date: 6/22/2010

Time: 2:06:59 AM

User: N/A

Computer: XPPRO

Description:

Microsoft Antimalware has detected spyware or other potentially unwanted software.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=370...atid=2147634372

Name: Trojan:JS/FakeSpypro

ID: 2147634372

Severity: Severe

Category: Trojan

Path: file:C:\Temporary Internet Files\Content.IE5\4HEFK1A3\block[1].htm

Detection Origin: Local machine

Detection Type: Concrete

Detection Source: Real-Time Protection

Status: Suspended

User: NT AUTHORITY\SYSTEM

Process Name: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Signature Version: AV: 1.85.561.0, AS: 1.85.561.0

Engine Version: 1.1.5902.0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

=============

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4227

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/23/2010 2:54:50 AM

mbam-log-2010-06-23 (02-54-50).txt

Scan type: Full scan (C:\|)

Objects scanned: 266544

Time elapsed: 1 hour(s), 54 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Elise · June 23, 2010

Please open OTL, and copy/paste the following text into the "custom scan/fix" field. Click Run Fix.

:commands
[emptytemp]

When done, let me know how things are.

dagtexas · June 24, 2010

I deleted previous OTL and downloaded current version, then ran with command as instructed; log is posted. At 18:10, got another IP block (repeat of an earlier IP address). Also, I checked MBAM Quarantine and found the following entries for 06/22:

Trojan.Zapchast 06/22/2010 File C:\System Volume Information\_restore{39FD2E65-E5B8-4B9B-A64F-01126D87DCF9}\RP21\A0001623.exe

Trojan.Zapchast 06/22/2010 File C:\System Volume Information\_restore{39FD2E65-E5B8-4B9B-A64F-01126D87DCF9}\RP21\A0001612.exe

Trojan.Zapchast 06/22/2010 File C:\System Volume Information\_restore{39FD2E65-E5B8-4B9B-A64F-01126D87DCF9}\RP21\A0001996.exe

Trojan.Zapchast 06/22/2010 File C:\System Volume Information\_restore{39FD2E65-E5B8-4B9B-A64F-01126D87DCF9}\RP21\A0001981.exe

Trojan.Zapchast 06/22/2010 File C:\System Volume Information\_restore{39FD2E65-E5B8-4B9B-A64F-01126D87DCF9}\RP21\A0001601.exe

Trojan.Zapchast 06/22/2010 File C:\System Volume Information\_restore{39FD2E65-E5B8-4B9B-A64F-01126D87DCF9}\RP21\A0001969.exe

All processes killed

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 0 bytes

User: Doug

->Temp folder emptied: 79814388 bytes

->Temporary Internet Files folder emptied: 2031910 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 0 bytes

->Flash cache emptied: 13500 bytes

User: Guest

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

->Flash cache emptied: 0 bytes

User: NetworkService

->Temp folder emptied: 153674 bytes

->Temporary Internet Files folder emptied: 33256 bytes

->Flash cache emptied: 0 bytes

User: Randy

User: TEMP

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 778181 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 15239568 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 8402 bytes

Total Files Cleaned = 94.00 mb

OTL by OldTimer - Version 3.2.7.0 log created on 06232010_164924

Files\Folders moved on Reboot...

C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_50c.dat moved successfully.

Registry entries deleted on Reboot...

Elise · June 24, 2010

Hello again,

Please Download Flash Cookie Killer by Bobbie Flekman and save it to your Desktop

Double click from your desktop
Check "Everything but Adobe Site Settings"
Mouse click "Make it so!"
Now go to the Adobe Flash Player Settings Manager
In the "Website Storage Settings" choose the "Delete All Sites" tab then "Confirm"
Next in the "Global Storage Settings" uncheck "Allow third-party Flash content to store on your computer"
Finally in the "Global Privacy Settings" choose "Always Deny" then "Confirm"
You have now successfully deleted cookies stored and changed the Flash Players default settings to prevent access in the future.

Please let me know if you have still pop ups after this.

dagtexas · June 24, 2010

Elise, I just completed the FlushFlash instructions; saw some websites in storage that I did not recognize at all. Never knew about this storage. Since having this problem, I have had IE deleting all browsing history (including all cookies) upon closing. I will let you know should any blocks occur or notify of you of their absence tomorrow.

BTW, the Flash Cookie Killer link you provided gave me an error (unable to connect to server) but I did a search at bleepingcomputer and found a good link from a few weeks ago.

Thanks again.

Doug

Elise · June 24, 2010

Thanks, I'll fix the link

dagtexas · June 24, 2010

Elise, unfortunately, the IP blocks are continuing.

Elise · June 24, 2010

Hello again,

OTL

-----

Please download OTL from one of the following mirrors:
- This is THE Mirror

[*]Save it to your desktop.

[*]Double click on the icon on your desktop.

[*]Copy and Paste the following code into the textbox. Do not include the word "Code"

netsvcs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\at*.job

[*]Push

[*]A report will open. Copy and Paste that report in your next reply.

dagtexas · June 24, 2010

OTL run as requested; log -

OTL logfile created on: 6/24/2010 3:20:08 PM - Run 2

OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Doug\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 424.00 Mb Available Physical Memory | 41.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free

Paging file location(s): C:\pagefile.sys 1534 2000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.52 Gb Total Space | 17.91 Gb Free Space | 24.04% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: XPPRO

Current User Name: Doug

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/24 15:18:59 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Doug\Desktop\OTL.exe

PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2010/04/29 15:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2010/04/18 12:48:17 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe

PRC - [2010/02/21 05:03:12 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe

PRC - [2010/01/08 01:51:02 | 000,380,928 | ---- | M] (Spigot, Inc.) -- C:\Program Files\Application Updater\ApplicationUpdater.exe

PRC - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

PRC - [2009/12/09 18:02:36 | 000,202,776 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe

PRC - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

PRC - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

PRC - [2008/08/13 15:34:08 | 001,891,416 | ---- | M] (GARMIN Corp.) -- C:\Garmin\gStart.exe

PRC - [2008/06/10 14:56:27 | 000,447,560 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/10/09 20:03:26 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

PRC - [2007/03/12 18:30:14 | 000,517,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

PRC - [2007/01/04 16:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe

PRC - [2005/01/07 18:30:56 | 000,864,256 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter2\brctrcen.exe

PRC - [2004/08/26 19:44:48 | 000,282,624 | ---- | M] (Digital Networks North America, Inc.) -- C:\WINDOWS\system32\RioMSC.exe

PRC - [2004/04/14 14:46:50 | 000,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

PRC - [2003/06/17 14:43:42 | 000,208,896 | ---- | M] (ACD Systems, Ltd.) -- C:\Program Files\ACD Systems\DevDetect\DevDetect.exe

PRC - [2002/09/19 18:33:00 | 000,032,768 | ---- | M] () -- C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

PRC - [2002/09/19 18:31:46 | 000,102,400 | ---- | M] (Intel Corp.) -- C:\Program Files\Intel\Intel® Active Monitor\imonNT.exe

PRC - [2002/08/14 14:08:06 | 000,151,552 | ---- | M] (Iomega Corporation) -- C:\Program Files\Iomega\AutoDisk\ADService.exe

PRC - [2002/08/14 14:07:44 | 000,147,456 | ---- | M] (Iomega Corporation) -- C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

PRC - [2002/07/31 15:15:18 | 000,073,728 | ---- | M] (Iomega Corporation) -- C:\Program Files\Iomega\System32\AppServices.exe

PRC - [2002/06/07 16:29:59 | 000,061,490 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

PRC - [2002/04/12 00:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe

PRC - [2002/03/21 23:41:56 | 000,094,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

PRC - [2001/12/13 00:01:00 | 000,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe

PRC - [2001/08/18 03:36:54 | 000,086,016 | ---- | M] (PCtel, Inc.) -- C:\WINDOWS\system32\pctspk.exe

========== Modules (SafeList) ==========

MOD - [2010/06/24 15:18:59 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Doug\Desktop\OTL.exe

MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (LiveUpdate Notice Ex)

SRV - File not found [Disabled | Stopped] -- -- (Iomega Activity Disk2)

SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2010/01/08 01:51:02 | 000,380,928 | ---- | M] (Spigot, Inc.) [Auto | Running] -- C:\Program Files\Application Updater\ApplicationUpdater.exe -- (Application Updater)

SRV - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)

SRV - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ)

SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)

SRV - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)

SRV - [2008/11/24 22:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)

SRV - [2007/10/07 18:21:10 | 001,838,592 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager)

SRV - [2007/03/12 18:30:14 | 000,517,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service)

SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)

SRV - [2004/08/26 19:44:48 | 000,282,624 | ---- | M] (Digital Networks North America, Inc.) [Auto | Running] -- C:\WINDOWS\system32\RioMSC.exe -- (RioMSC)

SRV - [2002/09/19 18:31:46 | 000,102,400 | ---- | M] (Intel Corp.) [Auto | Running] -- C:\Program Files\Intel\Intel® Active Monitor\imonNT.exe -- (imonNT) Intel®

SRV - [2002/08/14 14:08:06 | 000,151,552 | ---- | M] (Iomega Corporation) [Auto | Running] -- C:\Program Files\Iomega\AutoDisk\ADService.exe -- (_IOMEGA_ACTIVE_DISK_SERVICE_)

SRV - [2002/07/31 15:15:18 | 000,073,728 | ---- | M] (Iomega Corporation) [Auto | Running] -- C:\Program Files\Iomega\System32\AppServices.exe -- (Iomega App Services)

SRV - [2002/04/12 00:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) [Auto | Running] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)

SRV - [2001/08/18 03:36:54 | 000,086,016 | ---- | M] (PCtel, Inc.) [Auto | Running] -- C:\WINDOWS\system32\pctspk.exe -- (Pctspk)

========== Driver Services (SafeList) ==========

DRV - [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2009/12/18 10:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)

DRV - [2009/12/02 15:23:40 | 000,149,040 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)

DRV - [2009/02/21 19:04:43 | 000,006,912 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)

DRV - [2006/04/07 17:06:38 | 000,038,496 | ---- | M] (OLYMPUS IMAGING CORP.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VNUSB.sys -- (VNUSB)

DRV - [2006/02/04 08:12:59 | 000,028,416 | ---- | M] (Guidance Software Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\enportv.sys -- (enportv)

DRV - [2006/01/19 04:17:38 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrUsbSer.sys -- (BrUsbSer)

DRV - [2006/01/18 23:44:46 | 000,053,248 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrSerIf.sys -- (BrSerIf)

DRV - [2005/07/28 09:18:40 | 000,685,056 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)

DRV - [2005/07/20 19:08:28 | 000,100,096 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aksusb.sys -- (aksusb)

DRV - [2005/07/20 19:08:26 | 000,327,808 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\akshasp.sys -- (akshasp)

DRV - [2005/05/17 04:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)

DRV - [2004/10/15 21:41:48 | 000,016,128 | ---- | M] (Digital Networks North America, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RIOUNIV.SYS -- (RIOUNIV)

DRV - [2004/10/15 13:50:20 | 000,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)

DRV - [2004/08/04 00:29:31 | 000,036,463 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ati1tuxx.sys -- (ATITUNEP) ATI WDM TV Tuner (Microsoft)

DRV - [2004/08/04 00:29:31 | 000,034,735 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ati1xsxx.sys -- (ATIXSAudio) ATI WDM TV Audio Crossbar (Microsoft)

DRV - [2004/08/04 00:29:30 | 000,063,663 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati1rvxx.sys -- (atinrvxx) ATI WDM Rage Theater Video (Microsoft)

DRV - [2004/08/04 00:29:29 | 000,012,047 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ati1pdxx.sys -- (PCDCODEC) ATI WDM Specialized PCD Codec (Microsoft)

DRV - [2004/08/04 00:29:29 | 000,011,615 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ati1mdxx.sys -- (MVDCODEC) ATI WDM Specialized MVD Codec (Microsoft)

DRV - [2004/08/04 00:29:26 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2004/08/04 00:29:26 | 000,327,040 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtaa.sys -- (ati2mtaa)

DRV - [2004/03/15 11:11:50 | 000,005,120 | ---- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\EGATHDRV.SYS -- (EGATHDRV)

DRV - [2002/09/19 18:29:26 | 000,007,424 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\SIODRV.SYS -- (SIODRV)

DRV - [2002/09/19 18:29:02 | 000,016,480 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\iSMBIOS.SYS -- (iSMBIOS)

DRV - [2002/07/31 15:15:18 | 000,030,258 | ---- | M] (Iomega Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\iomdisk.sys -- (iomdisk)

DRV - [2002/02/28 18:13:24 | 000,021,963 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smb.sys -- (smbusp) Intel®

DRV - [2002/01/08 14:16:06 | 000,006,656 | ---- | M] (Ravisent Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\CINEMSUP.SYS -- (CINEMSUP)

DRV - [2001/08/17 18:28:16 | 000,397,502 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\vpctcom.sys -- (Vpctcom)

DRV - [2001/08/17 18:28:16 | 000,064,605 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\vvoice.sys -- (Vvoice)

DRV - [2001/08/17 18:28:14 | 000,604,253 | ---- | M] (PCTEL, INC.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\vmodem.sys -- (Vmodem)

DRV - [2001/08/17 18:28:14 | 000,112,574 | ---- | M] (PCTEL, INC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptserlp.sys -- (Ptserlp)

DRV - [2001/08/17 17:49:48 | 000,026,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ativxbar.sys -- (ATIVXSXX) ATI Audio Crossbar (ATIVXBAR)

DRV - [2001/08/17 17:49:36 | 000,010,240 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atipcxxx.sys -- (ATIPCXXX)

DRV - [2001/08/17 17:49:12 | 000,049,920 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atirtcap.sys -- (ATIVRVXX) ATI Rage Theatre Video (ATIRTCAP)

DRV - [2001/08/17 17:48:52 | 000,281,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpaa.sys -- (ati2mpaa)

DRV - [2001/08/17 07:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.drudgereport.com/"

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/30 11:32:42 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/22 13:39:01 | 000,000,000 | ---D | M]

[2010/02/22 16:28:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Doug\Application Data\Mozilla\Extensions

[2009/03/25 09:44:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Doug\Application Data\Mozilla\Extensions\home2@tomtom.com

[2010/04/30 16:57:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\d7lrcvcm.default\extensions

[2010/02/22 19:10:26 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\d7lrcvcm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/06/14 10:08:51 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/06/14 10:08:53 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

[2010/01/10 00:34:26 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\search@searchsettings.com

[2010/06/14 10:08:21 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

[2006/06/22 14:44:00 | 002,078,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

[2007/01/05 10:31:49 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2010/06/18 11:30:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)

O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe (Iomega Corporation)

O4 - HKLM..\Run: [Camera Detector] C:\Program Files\ACD Systems\DevDetect\DevDetect.exe (ACD Systems, Ltd.)

O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)

O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)

O4 - HKLM..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe ()

O4 - HKLM..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)

O4 - HKLM..\Run: [intelliType] C:\Program Files\Microsoft Hardware\Keyboard\type32.exe (Microsoft Corporation)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)

O4 - HKLM..\Run: [sSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)

O4 - HKLM..\Run: [symantec PIF AlertEng] C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

O4 - HKCU..\Run: [gStart] C:\Garmin\gStart.exe (GARMIN Corp.)

O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra Button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL (ATI Technologies Inc.)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O15 - HKCU\..Trusted Domains: finehomebuilding.com ([www] https in Trusted sites)

O15 - HKCU\..Trusted Domains: plateauwildlife.com ([mail] https in Trusted sites)

O15 - HKCU\..Trusted Domains: taunton.com ([reg] https in Trusted sites)

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} http://www.activation.rr.com/install/download/tgctlcm.cab (Support.com Configuration Class)

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)

O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} http://www.costcophotocenter.com/CostcoOutlookImport.cab (Snapfish Outlook Import ActiveX Control)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?LinkID=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} http://download.microsoft.com/download/7/1...20/pmupd806.exe (MSN Money Charting)

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www.costcophotocenter.com/CostcoActivia.cab (Snapfish Activia)

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://v5.windowsupdate.microsoft.com/v5co...b?1101956813290 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1192471026077 (MUWebControl Class)

O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab (Kodak Gallery Easy Upload Manager Class)

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} https://www-307.ibm.com/pc/support/access/a...nt/IbmEgath.cab (Reg Error: Value error.)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://mail.plateauwildlife.com/Remote/msrdp.cab (Microsoft RDP Client Control (redist))

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} http://www.costcophotocenter.com/CostcoUpload.cab (Snapfish File Upload ActiveX Control)

O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} http://kaseya.riata-tech.com/inc/kaxRemote.dll (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s...el_4.1.66.0.cab (SysInfo Class)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found

O18 - Protocol\Handler\x-excid {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll ()

O18 - Protocol\Filter\video/x-flv {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - Reg Error: Key error. File not found

O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Doug\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Doug\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2002/11/14 09:20:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2002/11/14 09:19:32 | 000,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/06/24 15:18:59 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Doug\Desktop\OTL.exe

[2010/06/24 11:43:41 | 000,172,032 | ---- | C] (SteelWerX) -- C:\Documents and Settings\Doug\Desktop\flushflash.exe

[2010/06/22 13:46:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Doug\My Documents\Paul Terranova

[2010/06/18 12:50:57 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/06/18 12:50:55 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/06/18 12:50:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/06/18 12:48:34 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Doug\Desktop\mbam-setup.exe

[2010/06/18 12:45:41 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/06/18 11:47:52 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials

[2010/06/18 11:46:39 | 011,862,896 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Doug\Desktop\mssefullinstall-x86fre-en-us-xp.exe

[2010/06/15 18:06:30 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/06/14 15:15:41 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2010/06/14 10:09:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun

[2010/06/14 10:09:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2010/06/14 10:08:45 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll

[2010/06/14 10:08:45 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/06/14 10:08:45 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/06/14 10:08:44 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/06/14 10:08:44 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/06/12 23:31:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Doug\Local Settings\Application Data\PCHealth

[2010/06/12 23:31:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth

[2010/06/11 16:40:15 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll

[2010/06/03 14:56:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Doug\My Documents\Malware Logs

[2010/06/03 14:18:52 | 000,057,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\redbook.sys

[2010/06/02 14:03:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Doug\My Documents\Book Reviews

[2010/06/01 16:01:18 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

[2010/06/01 08:20:28 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center

[2010/05/31 10:41:12 | 000,998,736 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Doug\Desktop\TDSSKiller.exe

[2010/05/27 10:40:06 | 000,000,000 | ---D | C] -- C:\_OTM

[2010/05/26 18:25:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Doug\My Documents\Belkin Router

[2010/05/26 16:54:22 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/05/26 16:48:39 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/05/26 16:48:39 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/05/26 16:48:39 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/05/26 16:48:39 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/05/26 16:48:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/05/26 16:47:14 | 000,000,000 | ---D | C] -- C:\Qoobox

[2 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/24 15:18:59 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Doug\Desktop\OTL.exe

[2010/06/24 15:08:04 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/06/24 15:08:03 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/06/24 13:08:11 | 012,582,912 | ---- | M] () -- C:\Documents and Settings\Doug\ntuser.dat

[2010/06/24 11:52:16 | 000,172,032 | ---- | M] (SteelWerX) -- C:\Documents and Settings\Doug\Desktop\flushflash.exe

[2010/06/24 11:22:12 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job

[2010/06/23 23:11:36 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{22B9F4EE-F161-4ED4-9132-F02211555B6A}.job

[2010/06/23 22:37:11 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/06/23 20:41:28 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job

[2010/06/23 20:34:01 | 000,012,612 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/06/23 20:31:36 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-725345543-1202660629-1343024091-1004.job

[2010/06/23 20:31:18 | 008,405,015 | ---- | M] () -- C:\WINDOWS\TempFile

[2010/06/23 20:31:08 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/06/23 20:31:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/06/23 20:30:59 | 1073,074,176 | -HS- | M] () -- C:\hiberfil.sys

[2010/06/23 20:29:59 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Doug\ntuser.ini

[2010/06/23 20:29:49 | 009,646,768 | -H-- | M] () -- C:\Documents and Settings\Doug\Local Settings\Application Data\IconCache.db

[2010/06/22 23:05:57 | 000,555,060 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/06/22 23:05:57 | 000,479,808 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/06/22 23:05:57 | 000,085,578 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/06/22 20:49:07 | 000,046,580 | ---- | M] () -- C:\Documents and Settings\Doug\Desktop\digitalreconnaissance_com.htm

[2010/06/22 13:39:02 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk

[2010/06/18 12:51:00 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\Doug\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk

[2010/06/18 12:51:00 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/06/18 12:48:34 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Doug\Desktop\mbam-setup.exe

[2010/06/18 11:47:53 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk

[2010/06/18 11:46:39 | 011,862,896 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Doug\Desktop\mssefullinstall-x86fre-en-us-xp.exe

[2010/06/18 11:30:39 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/06/18 11:30:27 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/06/18 11:02:44 | 003,714,766 | R--- | M] () -- C:\Documents and Settings\Doug\Desktop\ComboFix.exe

[2010/06/17 18:40:08 | 000,069,345 | ---- | M] () -- C:\Documents and Settings\Doug\Desktop\MSSE Scan History 06-17-10.jpg

[2010/06/17 18:28:51 | 000,055,262 | ---- | M] () -- C:\Documents and Settings\Doug\Desktop\MSSE Scan History2 06-17-10.bmp

[2010/06/17 18:25:58 | 000,056,062 | ---- | M] () -- C:\Documents and Settings\Doug\Desktop\MSSE Scan History 06-17-10.bmp

[2010/06/16 10:14:37 | 000,966,213 | ---- | M] () -- C:\Documents and Settings\Doug\Desktop\tdsskiller.zip

[2010/06/15 10:00:17 | 000,167,424 | ---- | M] () -- C:\Documents and Settings\Doug\Desktop\06-15-10 Procedures.doc

[2010/06/14 10:08:18 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/06/14 10:08:18 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/06/14 10:08:17 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll

[2010/06/14 10:08:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/06/14 10:08:17 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/06/13 13:24:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-725345543-1202660629-1343024091-1004.job

[2010/06/11 23:25:13 | 000,450,088 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/06/11 23:07:29 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/06/10 12:31:06 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Doug\Desktop\dds.com

[2010/06/10 12:23:44 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Doug\Desktop\dds_null1.scr

[2010/06/10 12:06:55 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Doug\defogger_reenable

[2010/06/10 12:03:44 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Doug\Desktop\Defogger.exe

[2010/06/06 05:54:57 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Doug\Desktop\Book List.xls

[2010/06/02 17:43:48 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\Doug\Desktop\Shortcut to HousecallLauncher.lnk

[2010/06/02 08:38:13 | 000,044,544 | ---- | M] () -- C:\Documents and Settings\Doug\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/05/31 10:41:12 | 000,998,736 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Doug\Desktop\TDSSKiller.exe

[2010/05/26 16:54:29 | 000,000,281 | RHS- | M] () -- C:\boot.ini

[2010/05/26 14:47:28 | 000,013,214 | ---- | M] () -- C:\Documents and Settings\Doug\Desktop\hijackthis1_052610

[2010/05/26 14:24:57 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Doug\Desktop\HijackThis.lnk

[2 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/22 20:49:07 | 000,046,580 | ---- | C] () -- C:\Documents and Settings\Doug\Desktop\digitalreconnaissance_com.htm

[2010/06/21 22:47:44 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk

[2010/06/18 12:51:00 | 000,000,714 | ---- | C] () -- C:\Documents and Settings\Doug\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk

[2010/06/18 12:51:00 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/06/18 11:53:05 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/06/18 11:47:53 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk

[2010/06/18 11:02:44 | 003,714,766 | R--- | C] () -- C:\Documents and Settings\Doug\Desktop\ComboFix.exe

[2010/06/17 18:40:08 | 000,069,345 | ---- | C] () -- C:\Documents and Settings\Doug\Desktop\MSSE Scan History 06-17-10.jpg

[2010/06/17 18:28:50 | 000,055,262 | ---- | C] () -- C:\Documents and Settings\Doug\Desktop\MSSE Scan History2 06-17-10.bmp

[2010/06/17 18:25:57 | 000,056,062 | ---- | C] () -- C:\Documents and Settings\Doug\Desktop\MSSE Scan History 06-17-10.bmp

[2010/06/16 10:14:37 | 000,966,213 | ---- | C] () -- C:\Documents and Settings\Doug\Desktop\tdsskiller.zip

[2010/06/15 10:00:17 | 000,167,424 | ---- | C] () -- C:\Documents and Settings\Doug\Desktop\06-15-10 Procedures.doc

[2010/06/10 12:31:19 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Doug\Desktop\dds.com

[2010/06/10 12:23:58 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Doug\Desktop\dds_null1.scr

[2010/06/10 12:06:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Doug\defogger_reenable

[2010/06/10 12:03:43 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Doug\Desktop\Defogger.exe

[2010/06/02 17:43:48 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\Doug\Desktop\Shortcut to HousecallLauncher.lnk

[2010/05/26 16:54:29 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/05/26 16:54:26 | 000,260,272 | ---- | C] () -- C:\cmldr

[2010/05/26 16:48:39 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/05/26 16:48:39 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/05/26 16:48:39 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/05/26 16:48:39 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/05/26 16:48:39 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/05/26 14:47:28 | 000,013,214 | ---- | C] () -- C:\Documents and Settings\Doug\Desktop\hijackthis1_052610

[2010/05/26 14:24:57 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Doug\Desktop\HijackThis.lnk

[2010/04/30 17:33:39 | 000,000,202 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2010/04/29 16:19:59 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll0402.old

[2010/01/14 10:55:42 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll

[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll

[2009/07/30 20:58:42 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini

[2009/02/21 19:04:46 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll

[2009/01/23 16:37:10 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL

[2008/04/08 09:45:42 | 000,000,050 | ---- | C] () -- C:\WINDOWS\BRQIKMON.INI

[2008/03/29 17:34:30 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini

[2007/10/22 15:06:29 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\OdiOlDVR.dll

[2007/10/22 15:06:29 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\OdiAPI.dll

[2006/03/29 11:48:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PestPatrol5.INI

[2006/02/10 13:54:59 | 000,000,032 | ---- | C] () -- C:\WINDOWS\BrmfXCh1.ini

[2006/02/10 10:27:57 | 000,000,040 | ---- | C] () -- C:\WINDOWS\opt_2460.ini

[2006/02/04 08:13:01 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\gsimrxnp.dll

[2005/10/11 23:26:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Brownie.ini

[2005/10/11 23:08:49 | 000,000,054 | ---- | C] () -- C:\WINDOWS\brmx2001.ini

[2005/10/11 22:58:39 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini

[2005/10/11 22:56:29 | 000,000,885 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini

[2005/10/11 22:56:29 | 000,000,471 | ---- | C] () -- C:\WINDOWS\brwmark.ini

[2005/10/11 22:56:29 | 000,000,147 | ---- | C] () -- C:\WINDOWS\brpcfx.ini

[2005/10/11 22:56:29 | 000,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI

[2005/10/11 22:53:01 | 000,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini

[2005/08/02 09:08:33 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini

[2005/05/30 13:14:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Jcmkr32.INI

[2003/06/04 09:14:00 | 000,000,199 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

[2003/06/04 09:13:54 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\unzdll.dll

[2003/04/19 14:22:18 | 000,000,468 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

[2002/12/29 14:04:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ATIMMC.INI

[2002/12/19 18:08:03 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK32.dll

[2002/12/19 09:44:53 | 000,000,487 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2002/12/19 08:59:28 | 000,013,373 | ---- | C] () -- C:\WINDOWS\System32\vctest.ini

[2002/12/19 08:59:28 | 000,000,011 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.ini

[2002/12/19 08:59:23 | 000,066,560 | ---- | C] () -- C:\WINDOWS\System32\atiyuv12.dll

[2002/12/19 08:59:23 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

[2002/12/19 08:59:11 | 000,009,136 | ---- | C] () -- C:\WINDOWS\System32\INETWH16.DLL

[2002/12/19 08:53:52 | 000,017,152 | ---- | C] () -- C:\WINDOWS\System32\drivers\atitunep.sys

[2002/12/19 08:53:49 | 000,049,920 | ---- | C] () -- C:\WINDOWS\System32\drivers\atirtcap.sys

[2002/12/19 08:53:48 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativxbar.sys

[2002/12/19 08:53:46 | 000,009,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmdcd.sys

[2002/12/19 08:53:43 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\drivers\atipcxxx.sys

[2002/04/11 13:47:52 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll

[2002/03/21 14:39:02 | 000,073,728 | R--- | C] () -- C:\WINDOWS\System32\UNACEV2.DLL

[2002/03/21 12:51:52 | 000,503,808 | R--- | C] () -- C:\WINDOWS\System32\lt_xtrans.dll

[2002/03/21 12:51:52 | 000,286,720 | R--- | C] () -- C:\WINDOWS\System32\MrSIDD.dll

[2002/03/21 12:51:52 | 000,163,840 | R--- | C] () -- C:\WINDOWS\System32\lt_common.dll

[2002/03/21 12:51:52 | 000,126,976 | R--- | C] () -- C:\WINDOWS\System32\lt_trans.dll

[2002/03/21 12:51:52 | 000,069,632 | R--- | C] () -- C:\WINDOWS\System32\lt_meta.dll

[2002/03/21 12:51:52 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\lt_encrypt.dll

[2002/03/21 12:51:52 | 000,020,480 | R--- | C] () -- C:\WINDOWS\System32\lt_messagetext.dll

[2002/03/20 21:01:06 | 000,006,688 | R--- | C] () -- C:\WINDOWS\System32\Digita.sys

[2002/03/20 21:00:20 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\TransportUSB.dll

[2002/03/20 21:00:20 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\TransportSerial.dll

[2002/03/20 21:00:20 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\TransportIrDA.dll

[2002/03/20 21:00:20 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\TransportIrCOMM.dll

[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll

[2001/12/26 21:12:30 | 000,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll

[2001/09/04 04:46:38 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll

[2001/07/30 21:33:56 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll

[2001/07/24 03:04:36 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll

[1999/07/23 13:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini

[1999/07/23 10:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll

[1999/01/22 13:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

[1998/01/12 03:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

========== Custom Scans ==========

< %systemroot%\system32\*.dll /lockedfiles >

[2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll

[2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\at*.job >

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

< End of report >

Elise · June 25, 2010

Hello again,

KASPERSKY ONLINE SCAN

-----------------------------------

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
  Scan Mail Bases
[*]Click OK
[*]Now under select a target to scan:
- Select My Computer
[*]This will program will start and scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
[*]Save the file to your desktop.
[*]Copy and paste that information in your next post.

dagtexas · June 26, 2010

Good Morning. Ran Kaspersky as directed (disabled MSSE first). No threats found, however, IP blocks continued during and after scan. Note said browser could be used during scan but I did not use PC for any other purpose during scan. Wow, this bug is well hidden. Will await your further instructions.

Thanks for your persistence.

Doug

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Saturday, June 26, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Friday, June 25, 2010 14:56:40

Records in database: 4301363

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

Scan statistics:

Objects scanned: 109323

Threats found: 0

Infected objects found: 0

Suspicious objects found: 0

Scan duration: 08:28:10

No threats found. Scanned area is clean.

Selected area has been scanned.

Elise · June 26, 2010

Please try rebooting in safe mode with networking, make sure MBAM is running and see if the popups occur also in safe mode.

dagtexas · June 28, 2010

Twice I rebooted successfully into Safe Mode with Networking, opened MBAM and Enabled Protection. Both times, after a few minutes, the following MBAM error message popped up; MBAM then showed protection was disabled.

[Open Event] Failed to perform desired action. Error Code 2.

Elise · June 29, 2010

Sorry for the delay, I'm having quite a bad cold which keeps me a bit slower than usual.

Please boot in normal mode, disconnect from the internet and let me know if any IP blocks show up (normally they shouldn't).

dagtexas · June 29, 2010

No problem about any delay. Sorry you're dealing with a summer cold...their crummy. Post your next reply whenever you are feeling better.

Attached is the most recent MBAM log; disconnected just after 6:48:34 block; no blocks while disconnected; reconnect to internet at 11:07 and immediately got 3 blocks.

00:00:43 Doug MESSAGE Scheduled update executed successfully

00:00:43 Doug MESSAGE IP Protection stopped

00:01:08 Doug MESSAGE Database updated successfully

00:01:15 Doug MESSAGE IP Protection started successfully

00:06:57 Doug IP-BLOCK 121.11.86.68

00:16:43 Doug IP-BLOCK 121.11.86.68

00:27:41 Doug IP-BLOCK 221.192.199.35

00:27:43 Doug IP-BLOCK 221.192.199.35

00:27:48 Doug IP-BLOCK 221.192.199.35

01:00:00 Doug MESSAGE Scheduled scan executed successfully

03:41:36 Doug IP-BLOCK 221.192.199.35

03:41:40 Doug IP-BLOCK 221.192.199.35

03:41:44 Doug IP-BLOCK 221.192.199.35

03:41:49 Doug IP-BLOCK 221.192.199.35

03:41:54 Doug IP-BLOCK 221.192.199.35

03:42:00 Doug IP-BLOCK 221.192.199.35

04:06:00 Doug IP-BLOCK 218.8.245.123

04:41:38 Doug IP-BLOCK 91.213.175.225

06:48:34 Doug IP-BLOCK 218.8.245.123

11:07:38 Doug IP-BLOCK 66.235.126.122

11:07:41 Doug IP-BLOCK 66.235.126.122

11:07:47 Doug IP-BLOCK 66.235.126.122

Elise · June 30, 2010

I have been keeping the Windows Firewall ON but browsed through the firewall link you provided and will switch to one of those next week.

Did you do this already?

dagtexas · July 1, 2010

I installed Outpost about 4.5 hrs ago and have not had any IP blocks since then. I will stay connected to the internet tonight and post tomorrow morning as to any blocks.

Thanks.

Elise · July 1, 2010

I'm glad to hear that. XP's firewall is not adequate, especially not when you are connecting directly to the internet (and not through a router). MBAM was most likely catching things that were not caught by XP firewall.

dagtexas · July 1, 2010

Since Outpost install, there have been no IP blocks by MBAM. I looked at the Outpost firewall log (Event Viewer) and see a lot of Block NetBios Traffic (System process) entries. However, there are also a few Block Incoming RPC (TCP) entries (svchost.exe process) that have the same IP address block as have shown up in the MBAM logs. So, per your previous reply, it sounds like Outpost is picking up what Windows FW was letting through (although there have only been a few IP blocks with Outpost vs a lot with MBAM.)

I also see that applicationupdater.exe (Spigot) shows as a constant connection. I had seen this .exe show up earlier in some other test results and have found conflicting info in forums about whether it is a threat or not. Do you know if it is ok?

Also, I would like to put a wireless router on the computer. Questions: at this point, could my PC pass on any infection to it? would I delete Outpost and keep Windows FW turned off?

Let me know if you think my PC is clean at this point (subject to a possible backdoor as previously noted) and whether I should perform any additional tasks. I will be out of town for a few days so will address any issues when I return if not before.

Thanks again.

MBAM Malicious Website Block

Recommended Posts

Link to post

Share on other sites

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information