
Looks like I'm Infected


jqw


Reposting from wrong forum: http://forums.malwarebytes.org/index.php?showtopic=95611

Unable to run Security Essentials, MBAM. Earlier Hijackthis and TDSSKiller files attached to previous message. Ran defogger, dds, gmer; files attached. Downloaded all to laptop, copied to desktop. (Avast "caught" some infection two days ago and gave some instruction about auto sandbox; MBAM showed no warning.) Zone Alarm also installed with no warning. dds.txt below previous message.

It's been interesting thus far; I hope you can straighten this out.

Thanks in advance

Previous post:

Since a couple of days ago MBAM has failed to run; uninstalled and downloaded again. It still does not work. I seem to have picked up a Google redirect problem and a runaway svchost memory leak on my HP a610n running XP Service Pack 3. Avast also having problems running (stalling at 98% complete with 1 threat), needs to be "repaired" in Control Panel to run a scan. It found and "corrected" a few problems (?): netbt.sys; PUP:Win32-gen; ~A0225353.exe. MBAM was able to run once in Safe Mode with no threats found.

TDSSKiller run - report attached. HijackThis file also attached.

After a day of troubleshooting, the internet connection has now stopped working. Tried HitmanPro to no avail as the internet died.

HP support says the computer is too old and they can't help - after 30 min on the phone.

Any help appreciated. I'll check back tomorrow.

Thanks

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17

Run by Owner at 7:50:33 on 2011-09-18

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.461 [GMT -6:00]

.

AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: ZoneAlarm Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

svchost.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\System32\hphmon05.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\ps2.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\Program Files\Clipomatic\Clipomatic.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\Owner\Application Data\Dropbox\bin\Dropbox.exe

C:\Program Files\MiniMind\MiniMind.exe

C:\Program Files\stickies\stickies.exe

C:\Documents and Settings\Owner\My Documents\My Received Files\TinySpell\tinySpell\tinySpellp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\msiexec.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\hh.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://utahalien.blogspot.com/

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = <local>;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\jusearch\SearchEnh1.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll

TB: JunoBar: {5854fac4-5bf0-47dd-b5a9-a5ea8cff3cf4} - c:\program files\juno\toolbar.dll

TB: eSnips: {ed1184da-e57e-4480-99d0-a16809037f54} - c:\program files\esnips\SnipBar.dll

TB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search 2\toolbar\ToolbarContainer101000048.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {968631B6-4729-440D-9BF4-251F5593EC9A} - No File

EB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search 2\toolbar\ToolbarContainer101000048.dll

EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll

EB: Copernic Desktop Search - Home: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files\copernic desktop search 2\DeskbandIntegration301000049.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [Clipomatic] c:\program files\clipomatic\Clipomatic.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [PowerPanel Personal Edition User Interaction] "c:\program files\cyberpower powerpanel personal edition\pppeuser.exe"

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe

mRun: [HPHmon05] c:\windows\system32\hphmon05.exe

mRun: [VTTimer] VTTimer.exe

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [ClientGW]

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\owner\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\owner\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\owner\startm~1\programs\startup\minimi~1.lnk - c:\program files\minimind\MiniMind.exe

StartupFolder: c:\documents and settings\owner\start menu\programs\startup\OpenOffice.org 2.0.lnk.disabled

StartupFolder: c:\documents and settings\owner\start menu\programs\startup\OpenOffice.org 3.1.lnk.disabled

StartupFolder: c:\docume~1\owner\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe

StartupFolder: c:\docume~1\owner\startm~1\programs\startup\tinysp~1.lnk - c:\documents and settings\owner\my documents\my received files\tinyspell\tinyspell\tinySpellp.exe

StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled

StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Device Detector 3.lnk.disabled

StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Updates from HP.lnk.disabled

uPolicies-system: EnableProfileQuota = 1 (0x1)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin\core.hp.main\SendTo.html

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Snip to my eSnips account - c:\program files\esnips\res\SnipIt.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

Trusted Zone: elementk.com

Trusted Zone: familysearch.com

Trusted Zone: familysearch.org\help

Trusted Zone: familysearch.org\new

Trusted Zone: familysearch.org\www

Trusted Zone: incontact.com\login

Trusted Zone: intuit.com\ttlc

Trusted Zone: ldschurch.org\www

Trusted Zone: ldschurchindexing.org\www

Trusted Zone: netdimensions.com

Trusted Zone: netdimensions.com\lds

Trusted Zone: rosettastone.com

Trusted Zone: safaribooksonline.com

Trusted Zone: skillport.com

Trusted Zone: skillsoft.com

Trusted Zone: turbotax.com

Trusted Zone: ual.com\united.intranet

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab

DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.0.cab

DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://www.pestscan.com/scanner/axscanner.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab

DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} - hxxp://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38187.6131828704

DPF: {A42889C5-62E1-419A-90C2-C9E958D69990} - hxxp://www.genline.com/GFFControl.cab

DPF: {BDFC91DC-AAE6-4E27-A624-EC2DE54E2F67} - file://f:\n_scanning\IntraLaunch.CAB

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab

DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab

DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - hxxp://www2.incredimail.com/contents/setup/downloader_sp1/imloader.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{F1EDEB48-364B-4E45-A3AF-41E73721A61F} : DhcpNameServer = 192.168.0.1

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll

Notify: igfxcui - igfxsrvc.dll

AppInit_DLLs: ?

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\bs7jujo8.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.numbersusa.com/content/

FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\bs7jujo8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\bs7jujo8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll

FF - component: c:\program files\copernic desktop search 2\firefoxconnector\components\CSPXPCOMBridge.dll

FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

FF - plugin: c:\program files\picasa2\npPicasa3.dll

FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll

FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll

FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

.

============= SERVICES / DRIVERS ===============

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-22 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-26 309848]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-8-9 532224]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-26 19544]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-9-17 42184]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-3-9 92592]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2009-6-26 102400]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-25 136176]

S2 PC Monitor;PC Monitor;c:\program files\pc monitor\PCMonitorSrv.exe [2011-8-12 273728]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-25 136176]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-09-18 13:45:40 -------- d-----w- c:\program files\Microsoft Security Client

2011-09-18 04:05:05 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-17 20:55:45 12872 ----a-w- c:\windows\system32\bootdelete.exe

2011-09-17 20:37:16 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-09-17 20:35:09 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro

2011-09-17 19:31:53 -------- d-----w- c:\program files\Malware Bytes

2011-09-17 19:26:24 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-17 19:26:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-09 09:12:13 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll

.

==================== Find3M ====================

.

2011-09-16 16:28:40 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-07 05:56:00 45056 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\pavilion\xphnabs4en\plugin\bin\jsharpde\util.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-04 11:43:53 40112 ----a-w- c:\windows\avastSS.scr

2011-07-04 11:36:43 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:45:58 832512 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:45:57 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:45:57 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-06-21 18:45:57 17408 ----a-w- c:\windows\system32\corpol.dll

2011-06-21 11:47:20 389120 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

.

============= FINISH: 7:53:08.76 ===============

Attach.txt

ark.txt


Unfortunately you have a nasty rootkit on board. Please read the following.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[Image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Thank you, Elise, for the response.

Regrettably, my suspicions are confirmed. Thank you for the article links.

I have already disconnected that computer from the internet (actually it will not connect now anyway) and changed a bunch of passwords.

I would like to try to clean this machine, but I have some concern about spreading this virus to my laptop (which I'm using now) by having to transfer programs to the infected computer and files back. I'm not sure if virus checking the USB drives is sufficient protection.

Does this thing have a name?

Regards


Well, ComboFix took a fairly long time to run, but here's the report:

ComboFix 11-09-20.04 - Owner 09/20/2011 16:24:30.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.616 [GMT -6:00]

Running from: L:\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\Owner\Application Data\shb.dat

c:\documents and settings\Owner\g2mdlhlpx.exe

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\backupnotify.exe.cd4639e.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\BalloonMsg.exe.c892f05.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\CDRFinder.exe.6f03412c.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\helpctr.exe.974d4532.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\hpdupdbh.exe.50c7ec26.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\hpdupdbh.exe.bfb00456.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\hpqimvac.exe.8e72900.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\HpqPhUnl.exe.e1eda619.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\hpqqpa.exe.5046474c.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\hpqselsk.exe.a048b05c.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\hpqthb08.exe.a935d1e0.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\iexplore.exe.26e3ad32.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\iexplore.exe.26e3ad32.ini.inuse

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\pchealthde.exe.d430e5a8.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\QuickConnect.exe.f4c1467e.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\QuickConnectClientUpdater.exe.b2ab3908.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.11f1da13.ini

c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\ToMyPic.exe.484fda6b.ini

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts

c:\documents and settings\Owner\My Documents\PFT2DB.tmp

c:\documents and settings\Owner\My Documents\PFT313.tmp

c:\documents and settings\Owner\My Documents\PFT31C.tmp

c:\documents and settings\Owner\My Documents\QPW0000.TMP

c:\documents and settings\Owner\My Documents\RWren.DUP

c:\documents and settings\Owner\System

c:\documents and settings\Owner\System\win_qs8.jqx

c:\documents and settings\Owner\WINDOWS

c:\documents and settings\QBPOSDBSrvUser\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\QBPOSDBSrvUser\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.11f1da13.ini

c:\documents and settings\QBPOSDBSrvUser\Local Settings\Application Data\ApplicationHistory\ToMyPic.exe.484fda6b.ini

c:\documents and settings\QBPOSDBSrvUser\WINDOWS

c:\program files\messenger\msmsgsin.exe

c:\windows\$NtUninstallKB60702$

c:\windows\$NtUninstallKB60702$\3542752881

c:\windows\$NtUninstallKB60702$\948251236\@

c:\windows\$NtUninstallKB60702$\948251236\bckfg.tmp

c:\windows\$NtUninstallKB60702$\948251236\cfg.ini

c:\windows\$NtUninstallKB60702$\948251236\Desktop.ini

c:\windows\$NtUninstallKB60702$\948251236\keywords

c:\windows\$NtUninstallKB60702$\948251236\kwrd.dll

c:\windows\$NtUninstallKB60702$\948251236\L\anjncqnk

c:\windows\$NtUninstallKB60702$\948251236\lsflt7.ver

c:\windows\$NtUninstallKB60702$\948251236\U\00000001.@

c:\windows\$NtUninstallKB60702$\948251236\U\00000002.@

c:\windows\$NtUninstallKB60702$\948251236\U\80000000.@

c:\windows\$NtUninstallKB60702$\948251236\U\80000032.@

c:\windows\dasetup.log

c:\windows\help\wmplayer.bak

c:\windows\patch.exe

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\d3d9caps.dat

c:\windows\system32\ps2.bat

c:\windows\tsoc.log

c:\windows\wiaserviv.log

c:\windows\wiaservv.log

D:\Autorun.inf

.

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-08-20 to 2011-09-20 )))))))))))))))))))))))))))))))

.

.

2011-09-20 23:03 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2011-09-20 23:03 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2011-09-19 03:58 . 2011-09-19 03:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2011-09-18 13:46 . 2011-09-18 13:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth

2011-09-18 13:45 . 2011-09-19 23:40 -------- d-----w- c:\program files\Microsoft Security Client

2011-09-17 20:55 . 2011-09-17 20:55 12872 ----a-w- c:\windows\system32\bootdelete.exe

2011-09-17 20:37 . 2011-09-17 20:37 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-09-17 20:35 . 2011-09-17 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2011-09-17 19:31 . 2011-09-20 04:27 -------- d-----w- c:\program files\Malware Bytes

2011-09-17 19:26 . 2011-09-17 19:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-17 19:26 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-17 14:18 . 2011-09-17 14:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2011-09-09 09:12 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-16 16:28 . 2011-06-21 20:11 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-09 09:12 . 2004-04-01 08:25 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-07 05:56 . 2011-08-07 05:56 45056 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\util.dll

2011-08-07 05:55 . 2011-08-07 05:55 114688 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\ZipLib.dll

2011-08-07 05:55 . 2011-08-07 05:55 49152 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\PCHI18N.dll

2011-08-07 05:55 . 2011-08-07 05:55 32768 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\pchapi.dll

2011-08-07 05:55 . 2011-08-07 05:55 307200 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\pchealthplugin.dll

2011-08-07 05:55 . 2011-08-07 05:55 282624 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\clientutil52.dll

2011-08-07 05:55 . 2011-08-07 05:55 5632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\GUI.dll

2011-08-07 05:55 . 2011-08-07 05:55 315392 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\pchmsxml.dll

2011-08-07 05:55 . 2011-08-07 05:55 20480 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\InetCheckWrap.dll

2011-08-07 05:55 . 2011-08-07 05:55 114688 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\asst_ui.dll

2011-08-07 05:55 . 2011-08-07 05:55 98304 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\PluginCtrl.dll

2011-08-07 05:55 . 2011-08-07 05:55 24576 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\pcdapi.dll

2011-08-07 05:55 . 2011-08-07 05:55 356352 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\client_motkt.dll

2011-08-07 05:55 . 2011-08-07 05:55 26572 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\INV16.dll

2011-08-07 05:55 . 2011-08-07 05:55 4096 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\winverifytrustwrapper.dll

2011-08-07 05:55 . 2011-08-07 05:55 69632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\msxmlwrapper.dll

2011-08-07 05:55 . 2011-08-07 05:55 344064 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\api.dll

2011-08-07 05:55 . 2011-08-07 05:55 139264 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\ContentUpdater.exe

2011-08-07 05:55 . 2011-08-07 05:55 212992 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\jsharpinterp.dll

2011-08-07 05:55 . 2011-08-07 05:55 434176 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\motivede.dll

2011-08-07 05:55 . 2011-08-07 05:55 69632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\msxmlwrapper.dll

2011-08-07 05:55 . 2011-08-07 05:55 126976 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\SearchCtrl.dll

2011-08-07 05:55 . 2011-08-07 05:55 36864 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\gnu.dll

2011-08-07 05:55 . 2011-08-07 05:55 307200 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\pchnotify.exe

2011-08-07 05:55 . 2011-08-07 05:55 3072 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\pchealthde.exe

2011-08-07 05:55 . 2011-08-07 05:55 159744 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\PCHButton.exe

2011-08-07 05:55 . 2011-08-07 05:55 77824 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\FDIWrapper.dll

2011-08-07 05:55 . 2011-08-07 05:55 77824 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\WinVerifyTrust.dll

2011-08-07 05:55 . 2011-08-07 05:55 49152 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\hwinv.dll

2011-08-07 05:55 . 2011-08-07 05:55 315392 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\pchmsxml.dll

2011-07-15 13:29 . 2004-04-01 04:49 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2004-04-29 17:29 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-04 11:43 . 2010-06-30 06:18 40112 ----a-w- c:\windows\avastSS.scr

2011-07-04 11:43 . 2010-03-27 04:02 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-07-04 11:36 . 2011-06-22 17:53 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-07-04 11:36 . 2010-03-27 04:03 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-07-04 11:35 . 2010-03-27 04:03 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-07-04 11:35 . 2010-03-27 04:03 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-07-04 11:35 . 2010-03-27 04:03 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-07-04 11:32 . 2010-03-27 04:03 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-07-04 11:32 . 2010-03-27 04:03 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-07-04 11:32 . 2010-03-27 04:03 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-06-24 14:10 . 2004-04-29 17:30 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-03-18 17:53 . 2011-04-05 05:31 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-07-04 11:43 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Clipomatic"="c:\program files\Clipomatic\Clipomatic.exe" [1999-05-15 65536]

"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2007-01-11 262144]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-22 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]

"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]

"VTTimer"="VTTimer.exe" [2005-03-08 53248]

"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]

"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-06 196608]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 47904]

"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2009-06-26 450560]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2011-08-17 126976]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-07-04 3493720]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]

MiniMinder.lnk - c:\program files\MiniMind\MiniMind.exe [2004-10-30 176128]

OpenOffice.org 2.0.lnk.disabled [2006-9-21 921]

OpenOffice.org 3.1.lnk.disabled [2009-8-19 909]

Stickies.lnk - c:\program files\stickies\stickies.exe [2007-3-9 700416]

tinySpell.lnk - c:\documents and settings\Owner\My Documents\My Received Files\TinySpell\tinySpell\tinySpellp.exe [2009-9-28 217088]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk.disabled [2007-5-4 1802]

Device Detector 3.lnk.disabled [2010-1-16 1695]

Updates from HP.lnk.disabled [2004-7-15 1865]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Registration.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel Registration.lnk

backup=c:\windows\pss\Corel Registration.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL 9.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL 9.LNK

backup=c:\windows\pss\CorelCENTRAL 9.LNKCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL Alarms.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL Alarms.LNK

backup=c:\windows\pss\CorelCENTRAL Alarms.LNKCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Application Director 9.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Application Director 9.LNK

backup=c:\windows\pss\Desktop Application Director 9.LNKCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk

backup=c:\windows\pss\Device Detector 2.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk

backup=c:\windows\pss\HP Organize.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMStart.lnk

backup=c:\windows\pss\IMStart.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]

2004-01-09 09:34 32768 ----a-w- c:\program files\HP\Digital Imaging\bin\BackupNotify.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-04-27 07:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2007-01-26 06:49 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"RealPlayer"="c:\program files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot

"BackupNotify"=c:\program files\HP\Digital Imaging\bin\backupnotify.exe

"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background

"RecordNow!"=

"spc_w"="c:\program files\JUSearch\juspc.exe" -w

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

"Copernic Desktop Search"="c:\program files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe"

"CopernicMobile.exe"="c:\program files\Copernic Mobile\CopernicMobile.exe" /AUTOMATIC

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

"AlcxMonitor"=ALCXMNTR.EXE

"eSnips"="c:\program files\eSnips\ClientGW.exe"

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r

"Picasa Media Detector"=c:\program files\Picasa2\PicasaMediaDetector.exe

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" -s

"QUICKCARE"=c:\program files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini

"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

"Recguard"=c:\windows\SMINST\RECGUARD.EXE

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"KBD"=c:\hp\KBD\KBD.EXE

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\stickies\\stickies.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\msncall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/22/2011 11:53 AM 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/26/2010 10:03 PM 309848]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/26/2010 10:03 PM 19544]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [3/9/2011 6:30 AM 92592]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [6/26/2009 4:56 PM 102400]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/25/2010 4:44 PM 136176]

S2 PC Monitor;PC Monitor;c:\program files\PC Monitor\PCMonitorSrv.exe [8/12/2011 3:53 PM 273728]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/25/2010 4:44 PM 136176]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-06 c:\windows\Tasks\defrag.job

- c:\windows\system32\dfrg.msc [2004-04-29 12:00]

.

2011-02-05 c:\windows\Tasks\Disk Cleanup.job

- c:\windows\system32\cleanmgr.exe [2004-04-29 00:12]

.

2011-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-25 22:38]

.

2011-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-25 22:38]

.

2011-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3556973243-780273454-1310255599-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-29 22:38]

.

2011-09-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3556973243-780273454-1310255599-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-29 22:38]

.

2011-09-20 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 21:39]

.

2011-01-11 c:\windows\Tasks\Spybot - Search & Destroy.job

- c:\progra~1\SPYBOT~1\SpybotSD.exe [2008-03-27 22:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://utahalien.blogspot.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = <local>;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Snip to my eSnips account - c:\program files\eSnips\res\SnipIt.htm

Trusted Zone: elementk.com

Trusted Zone: familysearch.com

Trusted Zone: familysearch.org\help

Trusted Zone: familysearch.org\new

Trusted Zone: familysearch.org\www

Trusted Zone: incontact.com\login

Trusted Zone: intuit.com\ttlc

Trusted Zone: ldschurch.org\www

Trusted Zone: ldschurchindexing.org\www

Trusted Zone: netdimensions.com

Trusted Zone: netdimensions.com\lds

Trusted Zone: rosettastone.com

Trusted Zone: safaribooksonline.com

Trusted Zone: skillport.com

Trusted Zone: skillsoft.com

Trusted Zone: turbotax.com

Trusted Zone: ual.com\united.intranet

TCP: DhcpNameServer = 192.168.0.1

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: {A42889C5-62E1-419A-90C2-C9E958D69990} - hxxp://www.genline.com/GFFControl.cab

DPF: {BDFC91DC-AAE6-4E27-A624-EC2DE54E2F67} - file://f:\n_scanning\IntraLaunch.CAB

DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bs7jujo8.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.numbersusa.com/content/

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-ClientGW - (no file)

SafeBoot-17062016.sys

SafeBoot-90273242.sys

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

AddRemove-36317AE4-57EC-4F3E-B828-009A3DD96BE8 - c:\program files\WildTangent\Apps\GameChannel\Games\36317AE4-57EC-4F3E-B828-009A3DD96BE8\Uninstall.exe

AddRemove-62067F4C-84A9-45B9-8573-B90468B0A3EF - c:\program files\WildTangent\Apps\GameChannel\Games\62067F4C-84A9-45B9-8573-B90468B0A3EF\Uninstall.exe

AddRemove-6723E59E-322A-417A-8E03-27A61E18253C - c:\program files\WildTangent\Apps\GameChannel\Games\6723E59E-322A-417A-8E03-27A61E18253C\Uninstall.exe

AddRemove-B8610D19-E576-4F91-8A2F-07898D9CA301 - c:\program files\WildTangent\Apps\GameChannel\Games\B8610D19-E576-4F91-8A2F-07898D9CA301\Uninstall.exe

AddRemove-BFBCBAE3-8293-4215-9C4F-C2402C118EDB - c:\program files\WildTangent\Apps\GameChannel\Games\BFBCBAE3-8293-4215-9C4F-C2402C118EDB\Uninstall.exe

AddRemove-C2C3C2DB-7D8A-4E20-B527-E3149FAECC3A - c:\program files\WildTangent\Apps\GameChannel\Games\C2C3C2DB-7D8A-4E20-B527-E3149FAECC3A\Uninstall.exe

AddRemove-D11F7128-8CBD-408B-8BF8-034604DEDD42 - c:\program files\WildTangent\Apps\GameChannel\Games\D11F7128-8CBD-408B-8BF8-034604DEDD42\Uninstall.exe

AddRemove-F5215F01-DFC0-475D-A910-6F1AF94E807E - c:\program files\WildTangent\Apps\GameChannel\Games\F5215F01-DFC0-475D-A910-6F1AF94E807E\Uninstall.exe

AddRemove-TurboTax Premier Home & Business 2003 - c:\program files\TurboTax\Premier Home & Business 2003\TaxUnst.EXE

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-20 17:21

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Clipomatic = c:\program files\Clipomatic\Clipomatic.exe?~*?A~????(?a?<?a???????????????0????????? ???????????V?????????U?????W?D~0?A~????*?A~??A~????6Z?]??/???????????B~??a?????????????????&?@????? ?????0?????<?????A~??a???U?????????????u]B~T????]B~??0???????????????@? K@

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3556973243-780273454-1310255599-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**~*a%\OpenWithList]

@Class="Shell"

.

[HKEY_USERS\S-1-5-21-3556973243-780273454-1310255599-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*4%**]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

[HKEY_USERS\S-1-5-21-3556973243-780273454-1310255599-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*4%**\OpenWithList]

@Class="Shell"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1516)

c:\windows\system32\WININET.dll

c:\documents and settings\Owner\My Documents\My Received Files\TinySpell\tinySpell\tskh.dll

c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\CyberPower PowerPanel Personal Edition\ppped.exe

c:\windows\system32\VTTimer.exe

c:\windows\AGRSMMSG.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-09-20 17:38:29 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-20 23:38

.

Pre-Run: 93,540,585,472 bytes free

Post-Run: 94,218,002,432 bytes free

.

- - End Of File - - 687FE14C9FCF507C25842415925E123E

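The "Reg Loading Points" and "ORPHANS REMOVED" sections of the ComboFix log above are the parts an analyst reads first: every Run value, Startup-folder shortcut and disabled (run-) entry is a place something could persist. As an added example, not ComboFix's own code and not posted by anyone in this thread, here is a small Python triage script that pulls those entries out of a log excerpt and flags the ones worth a second look: a bare filename with no path (the loader resolves it through the search path, so a same-named file earlier in that order would run instead), an executable living under a user profile (a location malware can write without admin rights), and an entry whose file is gone. The sample lines are copied from the log above; the flag names and the heuristics are the author's assumptions, and a flag is a prompt to inspect the file, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines copied from the ComboFix log in this thread, under the
# key headers and startup folder they appeared in, so the parser runs offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Clipomatic"="c:\program files\Clipomatic\Clipomatic.exe" [1999-05-15 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-22 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-07-04 3493720]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
tinySpell.lnk - c:\documents and settings\Owner\My Documents\My Received Files\TinySpell\tinySpell\tinySpellp.exe [2009-9-28 217088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AlcxMonitor"=ALCXMNTR.EXE
"eSnips"="c:\program files\eSnips\ClientGW.exe"
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ClientGW - (no file)
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")                       # [HKEY_...\Run] header
FOLDER_RE = re.compile(r"^([a-z]:\\.*\\)$", re.I)                 # startup folder header
LNK_RE = re.compile(r"^(\S+\.lnk) - (.+?)\s*\[\d{4}-\d{1,2}-\d{1,2} \d+\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*?)\s*(?:\[\d{4}-\d{1,2}-\d{1,2} \d+\])?$')
ORPHAN_RE = re.compile(r"^(\S+) - \(no file\)$")
RUN_KEY_RE = re.compile(r"\\run-?$", re.I)                        # ...\Run or ...\run- (disabled)

USER_PROFILE_ROOT = "c:\\documents and settings\\"               # XP profile root (assumption: default drive)
SUSPICIOUS_FLAGS = {"missing-file", "bare-filename", "user-profile-path"}


@dataclass
class AutostartEntry:
    name: str
    path: str                 # executable the entry launches; "" when the file is gone
    source: str               # registry key, startup folder or "orphans"
    flags: List[str] = field(default_factory=list)


def extract_path(value: str) -> str:
    """Pull the executable path out of a Run value, dropping any arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    # Unquoted value: cut at the first " /" or " -" style argument.
    return re.split(r"\s+[/-]", value, maxsplit=1)[0]


def make_entry(name: str, path: str, source: str) -> AutostartEntry:
    """Build an entry and attach the triage flags (heuristics, the author's assumptions)."""
    entry = AutostartEntry(name, path, source)
    if not path:
        entry.flags.append("missing-file")
    elif "\\" not in path:
        entry.flags.append("bare-filename")          # resolved via the search path
    elif path.lower().startswith(USER_PROFILE_ROOT):
        entry.flags.append("user-profile-path")      # user-writable location
    if source.lower().endswith("run-"):
        entry.flags.append("disabled")               # msconfig-disabled, still on disk
    return entry


def parse_loading_points(text: str) -> List[AutostartEntry]:
    """Walk a ComboFix 'Reg Loading Points' excerpt and return every autostart entry."""
    entries: List[AutostartEntry] = []
    source = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":                  # ComboFix uses "." as a separator
            continue
        if line.startswith("- - - - ORPHANS"):
            source = "orphans"
            continue
        header = KEY_RE.match(line) or FOLDER_RE.match(line)
        if header:
            source = header.group(1)
            continue
        if source == "orphans":
            m = ORPHAN_RE.match(line)
            if m:
                entries.append(make_entry(m.group(1), "", source))
            continue
        m = LNK_RE.match(line)
        if m:
            entries.append(make_entry(m.group(1), m.group(2), source))
            continue
        m = VALUE_RE.match(line)
        if m and RUN_KEY_RE.search(source):          # only values under a Run/run- key
            entries.append(make_entry(m.group(1), extract_path(m.group(2)), source))
    return entries


def suspicious(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Entries carrying at least one flag that calls for a look at the file itself."""
    return [e for e in entries if SUSPICIOUS_FLAGS & set(e.flags)]


if __name__ == "__main__":
    for e in suspicious(parse_loading_points(SAMPLE_LOG)):
        print(f"{','.join(e.flags):<28} {e.name:<20} {e.path or '(no file)'}")
```

Run on the sample, the script lists the three bare-filename values (VTTimer, AGRSMMSG and the disabled AlcxMonitor), the two shortcuts under the Owner profile, and the ClientGW orphan; entries such as avastUI.exe under Program Files get no flag. The same parser runs over a full ComboFix log pasted into a file, since the section headers it keys on are the ones ComboFix prints.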

Hi again, that seems to have done the trick.

If your clean computer uses XP, you can use the following to protect it.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

TWO ANTIVIRUS PROGRAMS

---------------------------------------

I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

  • False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either Avast or MS Security Essentials.

When done, please rerun ComboFix and post me the new log.

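The note above describes the mechanism behind Flash_Disinfector's folder: a directory named autorun.inf at the root of a drive stops a worm from dropping a file of the same name, because a file and a directory cannot share a name in the same folder. As an added example, not Flash_Disinfector's code and not part of this thread, here is a Python script that classifies what sits at a drive root (nothing, the protective directory, or a real autorun.inf file), parses the launch targets out of a real file, and demonstrates the name collision against a simulated drop in a temporary directory. The `AutorunState` labels and the `dropper.exe` line are the author's constructed illustration; the real tool also hides the folder and uses tricks to make it hard to delete, which this example does not reproduce.

```python
import os
import tempfile
from enum import Enum


class AutorunState(Enum):
    ABSENT = "no autorun.inf at root"
    IMMUNIZED = "autorun.inf is a directory (blocks file drops)"
    FILE = "autorun.inf is a file (inspect it: may launch a payload)"


def autorun_state(root: str) -> AutorunState:
    """Classify the autorun.inf entry at the root of a drive or mount point."""
    p = os.path.join(root, "autorun.inf")
    if os.path.isdir(p):
        return AutorunState.IMMUNIZED
    if os.path.isfile(p):
        return AutorunState.FILE
    return AutorunState.ABSENT


def autorun_targets(inf_text: str) -> dict:
    """Return the launch directives from an autorun.inf: open=, shellexecute= and
    shell\\<verb>\\command=. Only the [autorun] section is honoured, as Windows does."""
    targets = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):           # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets[key] = val.strip()
    return targets


def immunize(root: str) -> bool:
    """Create the blocking autorun.inf directory. Refuses to replace a real file,
    because that file is evidence and should be inspected first."""
    p = os.path.join(root, "autorun.inf")
    if os.path.isfile(p):
        return False
    os.makedirs(p, exist_ok=True)
    return autorun_state(root) is AutorunState.IMMUNIZED


def simulate_drop(root: str, payload_line: str) -> bool:
    """Write an autorun.inf file the way a worm would; True if the write succeeded."""
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as f:
            f.write("[autorun]\n" + payload_line + "\n")
        return True
    except OSError:                                    # IsADirectoryError / PermissionError
        return False


def demo() -> dict:
    """Walk through infection, clean-up and immunization in a throwaway directory."""
    result = {}
    with tempfile.TemporaryDirectory() as root:
        result["before"] = autorun_state(root)
        # Constructed dropper line; "dropper.exe" is hypothetical and never created.
        result["drop_on_clean"] = simulate_drop(root, "open=dropper.exe")
        result["after_drop"] = autorun_state(root)
        with open(os.path.join(root, "autorun.inf")) as f:
            result["targets"] = autorun_targets(f.read())
        os.remove(os.path.join(root, "autorun.inf"))   # the clean-up step
        result["immunized"] = immunize(root)
        result["drop_after_immunize"] = simulate_drop(root, "open=dropper.exe")
        result["final"] = autorun_state(root)
    return result


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step:<22} {value.value if isinstance(value, AutorunState) else value}")
```

Pointing `autorun_state()` at a real drive root (for example `E:\` on Windows) gives the check a technician wants before trusting a USB stick: a directory is the immunization, a file is something to read with `autorun_targets()` before the drive is ever opened with AutoPlay enabled.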

MS Security Essentials removed.

ComboFix required "ignore" of one file; results attached (too long to paste and send):

It appears MBAM is now working again.

Is this still applicable from your initial post:

"This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS."

ComboFix 092111.txt


Hi, that looks good! :)

At this point the actual rootkit is gone as well as (most) other active malware. So, the immediate threat for your computer is over. However, this rootkit left behind a "hole" in your Windows security. This can be exploited in the future by malware, but that is not certain to happen. It sure helps to have adequate protection, practice safe surfing behavior and keep all software up to date.

It is very hard to say what this rootkit altered, besides what we are able to see in logs; this rootkit gains almost unlimited access on your computer and it is impossible to track what exactly it has done.

Can you run MBAM, update it and run a full scan? Post me the resulting log.


MBAM Full Scan completed normally: (database a little out of date as the computer has still not been reconnected to the internet)

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

9/22/2011 3:46:25 PM

mbam-log-2011-09-22 (15-46-25).txt

Scan type: Full scan (C:\|D:\|L:\|)

Objects scanned: 346294

Time elapsed: 2 hour(s), 45 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Feel free to reconnect to the internet now. :)

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security Scan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 7.
  • Look for "JDK 7 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe.
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
     • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
     • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  4. Check "YES, I accept the Terms of Use."
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Under scan settings, check "Scan Archives" and "Remove found threats".
  8. Click Advanced settings and select the following:
     • Scan potentially unwanted applications
     • Scan for potentially unsafe applications
     • Enable Anti-Stealth technology
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, click List Threats.
  11. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Click the Back button.
  13. Click the Finish button.


The attempt to reconnect to the internet failed. Event Viewer shows "The DHCP Client service depends on the following nonexistent service: NetBT".

NetBt.sys was one of the files that Avast identified as needing to be corrected (or removed). http://support.microsoft.com/kb/915162/e seems to cover this, but says to delete it: (for error 1075)

"Install the DHCP Client service dependency in the registry. To do this, follow these steps:

Click Start, click Run, type regedit in the Open box, and then click OK.

In Registry Editor, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp

Right-click the DependOnService entry, and then click Modify.

In the Value data box, delete the service that is described in the event that appears in the "Symptoms" section.

Note Typically, the only services that are in the DependOnService entry are the following services:

Tcpip

Afd

NetBt "

If deleted and rebooted does it auto restore itself, like drivers?

search reveals netbt found at C:\WINDOWS\ServicePackFiles\1386

D:\miniNT\system32\drivers

D:\I1386\SYSTEM32\drivers

Any suggestions??


Okay, that explains a few things, thank you for the additional information. :)

Please click Start > Run, type notepad and press enter.

Copy/paste the following text into Notepad and save it as query.bat to your desktop.

@echo off
regedit /e "c:\query.txt" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBt
start c:\query.txt
del %0

Exit notepad and double click on query.bat to run it. A Notepad file with text will open. Please post its contents in your next reply.

Can you also see in Avast quarantine if there are NetBt items you can restore?


Your assistance is greatly appreciated. I feel like I'm enrolled in a mini anti-virus class.

Thanks, again.

I had briefly noted netbt in Avast in the initial post - a little more info:

ON 9/16 a quick scan with Avast showed:

C:\WINDOWS\system32\drivers\netbt.sys

Severity = High

Status = Threat: Rootkit:system modification

Action choices = Delete, Move to chest; Delete; Do nothing

Result = Action postponed until next reboot

The computer has been rebooted several times since, so I'm unsure if (or what) action has been taken as a result. My guess is nothing.

On 9/17, another file C:\WINDOWS\1680508216:3346716059.exe is shown as a high threat and apparently awaits action as above, but doesn't show anything about reboot.

The Virus Chest contains 5 viruses:

(2) Win32:KillApp-W

(2) Win32:PUP-gen

(1) Win32:Adaware-gen

Here's the query.bat result:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBt]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBt\Linkage]

"Bind"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,\

00,69,00,70,00,5f,00,7b,00,35,00,37,00,39,00,45,00,44,00,34,00,42,00,35,00,\

2d,00,35,00,38,00,42,00,30,00,2d,00,34,00,31,00,35,00,43,00,2d,00,39,00,45,\

00,33,00,45,00,2d,00,38,00,34,00,31,00,44,00,45,00,44,00,37,00,36,00,44,00,\

37,00,37,00,42,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,\

00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,38,00,31,00,46,00,45,00,39,00,\

42,00,34,00,45,00,2d,00,36,00,32,00,33,00,46,00,2d,00,34,00,42,00,43,00,46,\

00,2d,00,42,00,46,00,35,00,43,00,2d,00,41,00,34,00,30,00,33,00,35,00,41,00,\

44,00,43,00,45,00,38,00,30,00,30,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,\

00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,31,00,35,00,\

42,00,34,00,39,00,31,00,46,00,33,00,2d,00,42,00,42,00,44,00,34,00,2d,00,34,\

00,37,00,36,00,31,00,2d,00,41,00,46,00,45,00,46,00,2d,00,45,00,45,00,36,00,\

33,00,37,00,37,00,44,00,42,00,37,00,33,00,35,00,45,00,7d,00,00,00,5c,00,44,\

00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,\

7b,00,44,00,38,00,34,00,33,00,34,00,33,00,33,00,33,00,2d,00,31,00,31,00,43,\

00,30,00,2d,00,34,00,32,00,41,00,38,00,2d,00,42,00,42,00,46,00,45,00,2d,00,\

35,00,39,00,42,00,34,00,32,00,36,00,34,00,37,00,46,00,42,00,35,00,45,00,7d,\

00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,\

69,00,70,00,5f,00,7b,00,35,00,38,00,35,00,36,00,38,00,33,00,30,00,33,00,2d,\

00,43,00,46,00,36,00,33,00,2d,00,34,00,39,00,42,00,39,00,2d,00,38,00,39,00,\

43,00,35,00,2d,00,38,00,31,00,39,00,46,00,33,00,32,00,37,00,39,00,33,00,43,\

00,32,00,46,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,\

54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,37,00,46,00,46,00,39,00,46,00,37,\

00,41,00,39,00,2d,00,32,00,44,00,31,00,30,00,2d,00,34,00,43,00,43,00,30,00,\

2d,00,42,00,36,00,36,00,45,00,2d,00,33,00,44,00,37,00,37,00,41,00,44,00,36,\

00,33,00,30,00,45,00,36,00,41,00,7d,00,00,00,00,00

"Route"=hex(7):22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,35,\

00,37,00,39,00,45,00,44,00,34,00,42,00,35,00,2d,00,35,00,38,00,42,00,30,00,\

2d,00,34,00,31,00,35,00,43,00,2d,00,39,00,45,00,33,00,45,00,2d,00,38,00,34,\

00,31,00,44,00,45,00,44,00,37,00,36,00,44,00,37,00,37,00,42,00,7d,00,22,00,\

00,00,22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,38,00,31,\

00,46,00,45,00,39,00,42,00,34,00,45,00,2d,00,36,00,32,00,33,00,46,00,2d,00,\

34,00,42,00,43,00,46,00,2d,00,42,00,46,00,35,00,43,00,2d,00,41,00,34,00,30,\

00,33,00,35,00,41,00,44,00,43,00,45,00,38,00,30,00,30,00,7d,00,22,00,00,00,\

22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,4e,00,64,00,69,00,73,\

00,57,00,61,00,6e,00,49,00,70,00,22,00,00,00,00,00

"Export"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,\

00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,35,00,37,00,\

39,00,45,00,44,00,34,00,42,00,35,00,2d,00,35,00,38,00,42,00,30,00,2d,00,34,\

00,31,00,35,00,43,00,2d,00,39,00,45,00,33,00,45,00,2d,00,38,00,34,00,31,00,\

44,00,45,00,44,00,37,00,36,00,44,00,37,00,37,00,42,00,7d,00,00,00,5c,00,44,\

00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,\

54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,38,00,31,00,46,00,45,00,39,00,42,\

00,34,00,45,00,2d,00,36,00,32,00,33,00,46,00,2d,00,34,00,42,00,43,00,46,00,\

2d,00,42,00,46,00,35,00,43,00,2d,00,41,00,34,00,30,00,33,00,35,00,41,00,44,\

00,43,00,45,00,38,00,30,00,30,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,\

63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,\

00,70,00,5f,00,7b,00,31,00,35,00,42,00,34,00,39,00,31,00,46,00,33,00,2d,00,\

42,00,42,00,44,00,34,00,2d,00,34,00,37,00,36,00,31,00,2d,00,41,00,46,00,45,\

00,46,00,2d,00,45,00,45,00,36,00,33,00,37,00,37,00,44,00,42,00,37,00,33,00,\

35,00,45,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,\

00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,\

44,00,38,00,34,00,33,00,34,00,33,00,33,00,33,00,2d,00,31,00,31,00,43,00,30,\

00,2d,00,34,00,32,00,41,00,38,00,2d,00,42,00,42,00,46,00,45,00,2d,00,35,00,\

39,00,42,00,34,00,32,00,36,00,34,00,37,00,46,00,42,00,35,00,45,00,7d,00,00,\

00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,\

54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,35,00,38,00,35,00,36,\

00,38,00,33,00,30,00,33,00,2d,00,43,00,46,00,36,00,33,00,2d,00,34,00,39,00,\

42,00,39,00,2d,00,38,00,39,00,43,00,35,00,2d,00,38,00,31,00,39,00,46,00,33,\

00,32,00,37,00,39,00,33,00,43,00,32,00,46,00,7d,00,00,00,5c,00,44,00,65,00,\

76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,\

00,70,00,69,00,70,00,5f,00,7b,00,37,00,46,00,46,00,39,00,46,00,37,00,41,00,\

39,00,2d,00,32,00,44,00,31,00,30,00,2d,00,34,00,43,00,43,00,30,00,2d,00,42,\

00,36,00,36,00,45,00,2d,00,33,00,44,00,37,00,37,00,41,00,44,00,36,00,33,00,\

30,00,45,00,36,00,41,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBt\Parameters]

"TransportBindName"="\\Device\\"

"BcastNameQueryCount"=dword:00000003

"BcastQueryTimeout"=dword:000002ee

"CacheTimeout"=dword:000927c0

"NameServerPort"=dword:00000089

"NameSrvQueryCount"=dword:00000003

"NameSrvQueryTimeout"=dword:000005dc

"NbProvider"="_tcp"

"SessionKeepAlive"=dword:0036ee80

"Size/Small/Medium/Large"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBt\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBt\Parameters\Interfaces\Tcpip_{579ED4B5-58B0-415C-9E3E-841DED76D77B}]

"NameServerList"=hex(7):00,00

"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBt\Parameters\Interfaces\Tcpip_{81FE9B4E-623F-4BCF-BF5C-A4035ADCE800}]

"NameServerList"=hex(7):00,00

"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBt\Enum]

"0"="Root\\LEGACY_NETBT\\0000"

"Count"=dword:00000001

"NextInstance"=dword:00000001

***************************************************************


That explains the problem. Fortunately most of the service is still there, but the part that determines when the service starts and what it starts has been obliterated and will need to be recreated.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


Registry::
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBt]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"Description"="NetBios over Tcpip"

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

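The NetBt repair above, as an added example that is not part of the original thread: a small Python parser for the regedit 5.00 export format that query.bat produced. It joins the backslash-wrapped hex lines, decodes hex(2) REG_EXPAND_SZ and hex(7) REG_MULTI_SZ values, checks the NetBt service key for the values the CF-script writes back, and walks Dhcp's DependOnService to show which dependency the Service Control Manager cannot resolve (the condition behind the "depends on the following nonexistent service" event the poster saw). The sample export, the Dhcp dependency list and the Tcpip/Afd stub entries are constructed for this example, and the EXPECTED_NETBT table is this example's assumption taken from the CF-script, not an official service schema.

```python
import re
from typing import Dict, List, Union

Value = Union[str, int, bytes, List[str]]
RegTree = Dict[str, Dict[str, Value]]

SERVICES = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"
NETBT_KEY = SERVICES + r"\NetBt"
DHCP_KEY = SERVICES + r"\Dhcp"

# Constructed sample: a trimmed copy of the regedit /e export posted in the thread
# (NetBt key present but empty), the Dhcp DependOnService list the KB article
# describes (Tcpip, Afd, NetBt) encoded as REG_MULTI_SZ, and two stub entries for
# Tcpip and Afd so the dependency walk has something to resolve.
BROKEN_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBt]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBt\Parameters]
"TransportBindName"="\\Device\\"
"NameServerPort"=dword:00000089

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBt\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dhcp]
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,41,00,66,00,64,00,\
  00,00,4e,00,65,00,74,00,42,00,74,00,00,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip]
"ImagePath"="system32\\DRIVERS\\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Afd]
"ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"
"""

# The values the CF-script in the thread writes back, in .reg syntax.
REPAIR_SCRIPT = r"""
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBt]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"""

# Assumed minimum for a kernel-driver service entry, copied from the CF-script.
EXPECTED_NETBT: Dict[str, Value] = {
    "Type": 1, "Start": 1, "ErrorControl": 1,
    "ImagePath": r"system32\DRIVERS\netbt.sys",
    "Group": "PNP_TDI", "DependOnService": ["Tcpip"],
}

_ENTRY = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_HEX = re.compile(r"^hex(?:\((\w+)\))?:(.*)$")


def _logical_lines(text: str) -> List[str]:
    """One logical line per entry: regedit wraps long values with a trailing '\\'.
    Blank lines are skipped, so a double-spaced paste (like the one in the thread) still parses."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            out.append(buf + line)
            buf = ""
    return out


def _decode_hex(kind: str, payload: str) -> Value:
    data = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    if kind == "2":   # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == "7":   # REG_MULTI_SZ: NUL-separated UTF-16LE strings, double NUL at end
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data       # REG_BINARY and anything else: raw bytes


def parse_reg(text: str) -> RegTree:
    """Parse regedit 5.00 export text into {key: {value_name: decoded_value}}."""
    tree: RegTree = {}
    current = None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})   # a repeated key merges, as regedit /s would
            continue
        m = _ENTRY.match(line)
        if not m or current is None:       # header line: skip
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        rhs = m.group(2)
        val: Value
        if rhs.startswith('"') and rhs.endswith('"'):
            val = rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif rhs.startswith("dword:"):
            val = int(rhs[6:], 16)
        elif (h := _HEX.match(rhs)):
            val = _decode_hex(h.group(1) or "3", h.group(2))
        else:
            val = rhs
        tree[current][name] = val
    return tree


def service_problems(tree: RegTree, key: str, expected: Dict[str, Value]) -> List[str]:
    """Expected values that are absent from, or differ in, the service key."""
    have = tree.get(key, {})
    out = []
    for name, want in expected.items():
        if name not in have:
            out.append(f"{name}: missing")
        elif have[name] != want:
            out.append(f"{name}: {have[name]!r} != {want!r}")
    return out


def unresolved_dependencies(tree: RegTree, key: str) -> List[str]:
    """DependOnService entries with no loadable service key (no ImagePath) in the export."""
    deps = tree.get(key, {}).get("DependOnService", [])
    base = key.rsplit("\\", 1)[0]
    return [d for d in deps if "ImagePath" not in tree.get(f"{base}\\{d}", {})]


if __name__ == "__main__":
    before = parse_reg(BROKEN_EXPORT)
    print("before repair:", service_problems(before, NETBT_KEY, EXPECTED_NETBT))
    print("Dhcp cannot resolve:", unresolved_dependencies(before, DHCP_KEY))
    after = parse_reg(BROKEN_EXPORT + REPAIR_SCRIPT)
    print("after repair:", service_problems(after, NETBT_KEY, EXPECTED_NETBT))
    print("Dhcp cannot resolve:", unresolved_dependencies(after, DHCP_KEY))
```

Run against the export posted above, the "before" check lists every SCM value as missing and names NetBt as the dependency Dhcp cannot resolve; appending the CF-script values clears both. Deleting NetBt from Dhcp's DependOnService (the KB route) would also silence the event, but it removes the dependency instead of restoring the driver, which is why the helper chose to recreate the key.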

OK, let's see about this:

ComboFix 11-09-20.04 - Owner 09/24/2011 22:55:05.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.463 [GMT -6:00]

Running from: L:\ComboFix.exe

Command switches used :: L:\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))

.

.

2011-09-20 23:03 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2011-09-20 23:03 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2011-09-19 03:58 . 2011-09-19 03:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2011-09-18 13:46 . 2011-09-18 13:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth

2011-09-17 20:55 . 2011-09-17 20:55 12872 ----a-w- c:\windows\system32\bootdelete.exe

2011-09-17 20:37 . 2011-09-17 20:37 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-09-17 20:35 . 2011-09-17 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2011-09-17 19:31 . 2011-09-20 04:27 -------- d-----w- c:\program files\Malware Bytes

2011-09-17 19:26 . 2011-09-17 19:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-17 19:26 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-17 14:18 . 2011-09-17 14:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2011-09-09 09:12 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-16 16:28 . 2011-06-21 20:11 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-09 09:12 . 2004-04-01 08:25 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-07 05:56 . 2011-08-07 05:56 45056 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\util.dll

2011-08-07 05:55 . 2011-08-07 05:55 114688 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\ZipLib.dll

2011-08-07 05:55 . 2011-08-07 05:55 49152 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\PCHI18N.dll

2011-08-07 05:55 . 2011-08-07 05:55 32768 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\pchapi.dll

2011-08-07 05:55 . 2011-08-07 05:55 307200 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\pchealthplugin.dll

2011-08-07 05:55 . 2011-08-07 05:55 282624 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\clientutil52.dll

2011-08-07 05:55 . 2011-08-07 05:55 5632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\GUI.dll

2011-08-07 05:55 . 2011-08-07 05:55 315392 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\pchmsxml.dll

2011-08-07 05:55 . 2011-08-07 05:55 20480 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\InetCheckWrap.dll

2011-08-07 05:55 . 2011-08-07 05:55 114688 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\asst_ui.dll

2011-08-07 05:55 . 2011-08-07 05:55 98304 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\PluginCtrl.dll

2011-08-07 05:55 . 2011-08-07 05:55 24576 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\pcdapi.dll

2011-08-07 05:55 . 2011-08-07 05:55 356352 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\client_motkt.dll

2011-08-07 05:55 . 2011-08-07 05:55 26572 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\INV16.dll

2011-08-07 05:55 . 2011-08-07 05:55 4096 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\winverifytrustwrapper.dll

2011-08-07 05:55 . 2011-08-07 05:55 69632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\msxmlwrapper.dll

2011-08-07 05:55 . 2011-08-07 05:55 344064 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\api.dll

2011-08-07 05:55 . 2011-08-07 05:55 139264 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\ContentUpdater.exe

2011-08-07 05:55 . 2011-08-07 05:55 212992 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\jsharpinterp.dll

2011-08-07 05:55 . 2011-08-07 05:55 434176 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\motivede.dll

2011-08-07 05:55 . 2011-08-07 05:55 69632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\msxmlwrapper.dll

2011-08-07 05:55 . 2011-08-07 05:55 126976 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\SearchCtrl.dll

2011-08-07 05:55 . 2011-08-07 05:55 36864 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\gnu.dll

2011-08-07 05:55 . 2011-08-07 05:55 307200 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\pchnotify.exe

2011-08-07 05:55 . 2011-08-07 05:55 3072 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\pchealthde.exe

2011-08-07 05:55 . 2011-08-07 05:55 159744 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\PCHButton.exe

2011-08-07 05:55 . 2011-08-07 05:55 77824 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\FDIWrapper.dll

2011-08-07 05:55 . 2011-08-07 05:55 77824 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\WinVerifyTrust.dll

2011-08-07 05:55 . 2011-08-07 05:55 49152 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\hwinv.dll

2011-08-07 05:55 . 2011-08-07 05:55 315392 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\pchmsxml.dll

2011-07-15 13:29 . 2004-04-01 04:49 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2004-04-29 17:29 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-04 11:43 . 2010-06-30 06:18 40112 ----a-w- c:\windows\avastSS.scr

2011-07-04 11:43 . 2010-03-27 04:02 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-07-04 11:36 . 2011-06-22 17:53 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-07-04 11:36 . 2010-03-27 04:03 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-07-04 11:35 . 2010-03-27 04:03 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-07-04 11:35 . 2010-03-27 04:03 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-07-04 11:35 . 2010-03-27 04:03 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-07-04 11:32 . 2010-03-27 04:03 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-07-04 11:32 . 2010-03-27 04:03 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-07-04 11:32 . 2010-03-27 04:03 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-03-18 17:53 . 2011-04-05 05:31 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-07-04 11:43 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Clipomatic"="c:\program files\Clipomatic\Clipomatic.exe" [1999-05-15 65536]

"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2007-01-11 262144]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-22 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]

"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]

"VTTimer"="VTTimer.exe" [2005-03-08 53248]

"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]

"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-06 196608]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 47904]

"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2009-06-26 450560]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2011-08-17 126976]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-07-04 3493720]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]

MiniMinder.lnk - c:\program files\MiniMind\MiniMind.exe [2004-10-30 176128]

OpenOffice.org 2.0.lnk.disabled [2006-9-21 921]

OpenOffice.org 3.1.lnk.disabled [2009-8-19 909]

Stickies.lnk - c:\program files\stickies\stickies.exe [2007-3-9 700416]

tinySpell.lnk - c:\documents and settings\Owner\My Documents\My Received Files\TinySpell\tinySpell\tinySpellp.exe [2009-9-28 217088]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk.disabled [2007-5-4 1802]

Device Detector 3.lnk.disabled [2010-1-16 1695]

Updates from HP.lnk.disabled [2004-7-15 1865]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Registration.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel Registration.lnk

backup=c:\windows\pss\Corel Registration.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL 9.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL 9.LNK

backup=c:\windows\pss\CorelCENTRAL 9.LNKCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL Alarms.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL Alarms.LNK

backup=c:\windows\pss\CorelCENTRAL Alarms.LNKCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Application Director 9.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Application Director 9.LNK

backup=c:\windows\pss\Desktop Application Director 9.LNKCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk

backup=c:\windows\pss\Device Detector 2.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk

backup=c:\windows\pss\HP Organize.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMStart.lnk

backup=c:\windows\pss\IMStart.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]

2004-01-09 09:34 32768 ----a-w- c:\program files\HP\Digital Imaging\bin\BackupNotify.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-04-27 07:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2007-01-26 06:49 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"RealPlayer"="c:\program files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot

"BackupNotify"=c:\program files\HP\Digital Imaging\bin\backupnotify.exe

"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background

"RecordNow!"=

"spc_w"="c:\program files\JUSearch\juspc.exe" -w

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

"Copernic Desktop Search"="c:\program files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe"

"CopernicMobile.exe"="c:\program files\Copernic Mobile\CopernicMobile.exe" /AUTOMATIC

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

"AlcxMonitor"=ALCXMNTR.EXE

"eSnips"="c:\program files\eSnips\ClientGW.exe"

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r

"Picasa Media Detector"=c:\program files\Picasa2\PicasaMediaDetector.exe

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" -s

"QUICKCARE"=c:\program files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini

"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

"Recguard"=c:\windows\SMINST\RECGUARD.EXE

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"KBD"=c:\hp\KBD\KBD.EXE

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\stickies\\stickies.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\msncall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

.

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-25 136176]

R2 PC Monitor;PC Monitor;c:\program files\PC Monitor\PCMonitorSrv.exe [2011-08-12 273728]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-25 136176]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-03-09 92592]

S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2009-06-26 102400]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-06 c:\windows\Tasks\defrag.job

- c:\windows\system32\dfrg.msc [2004-04-29 12:00]

.

2011-02-05 c:\windows\Tasks\Disk Cleanup.job

- c:\windows\system32\cleanmgr.exe [2004-04-29 00:12]

.

2011-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-25 22:38]

.

2011-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-25 22:38]

.

2011-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3556973243-780273454-1310255599-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-29 22:38]

.

2011-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3556973243-780273454-1310255599-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-29 22:38]

.

2011-01-11 c:\windows\Tasks\Spybot - Search & Destroy.job

- c:\progra~1\SPYBOT~1\SpybotSD.exe [2008-03-27 22:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://utahalien.blogspot.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = <local>;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Snip to my eSnips account - c:\program files\eSnips\res\SnipIt.htm

Trusted Zone: elementk.com

Trusted Zone: familysearch.com

Trusted Zone: familysearch.org\help

Trusted Zone: familysearch.org\new

Trusted Zone: familysearch.org\www

Trusted Zone: incontact.com\login

Trusted Zone: intuit.com\ttlc

Trusted Zone: ldschurch.org\www

Trusted Zone: ldschurchindexing.org\www

Trusted Zone: netdimensions.com

Trusted Zone: netdimensions.com\lds

Trusted Zone: rosettastone.com

Trusted Zone: safaribooksonline.com

Trusted Zone: skillport.com

Trusted Zone: skillsoft.com

Trusted Zone: turbotax.com

Trusted Zone: ual.com\united.intranet

TCP: DhcpNameServer = 192.168.0.1

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: {A42889C5-62E1-419A-90C2-C9E958D69990} - hxxp://www.genline.com/GFFControl.cab

DPF: {BDFC91DC-AAE6-4E27-A624-EC2DE54E2F67} - file://f:\n_scanning\IntraLaunch.CAB

DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bs7jujo8.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.numbersusa.com/content/

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-24 23:14

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Clipomatic = c:\program files\Clipomatic\Clipomatic.exe?~*?A~????(?a?<?a???????????????0????????? ???????????V?????????U?????W?D~0?A~????*?A~??A~????6Z?]??/???????????B~??a?????????????????&?@????? ?????0?????<?????A~??a???U?????????????u]B~T????]B~??0???????????????@? K@

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetBT]

"ImagePath"="s\00y\00s\00t\00e\00m\003\002\00\\00D\00R\00I\00V\00E\00R\00S\00\\00n\00e\00t\00b\00t\00.\00s\00y\00s"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3556973243-780273454-1310255599-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**~*a%\OpenWithList]

@Class="Shell"

.

[HKEY_USERS\S-1-5-21-3556973243-780273454-1310255599-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*4%**]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

[HKEY_USERS\S-1-5-21-3556973243-780273454-1310255599-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*4%**\OpenWithList]

@Class="Shell"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(512)

c:\windows\system32\igfxsrvc.dll

c:\windows\system32\hccutils.DLL

.

- - - - - - - > 'explorer.exe'(1472)

c:\windows\system32\WININET.dll

c:\documents and settings\Owner\My Documents\My Received Files\TinySpell\tinySpell\tskh.dll

c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

c:\windows\system32\IEFRAME.dll

.

Completion time: 2011-09-24 23:23:43

ComboFix-quarantined-files.txt 2011-09-25 05:23

ComboFix2.txt 2011-09-22 04:55

ComboFix3.txt 2011-09-20 23:38

.

Pre-Run: 94,146,658,304 bytes free

Post-Run: 94,136,971,264 bytes free

.

- - End Of File - - D9FA9CCF71A0CC7B56FD54CD9E461000

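The ComboFix log above contains the four registry items a reviewer would pull out of it: the Security Center "DisableMonitoring" flag and "EnableFirewall"=0 (both expected on this machine, since ZoneAlarm is installed and reported as enabled), the hidden-autostart Clipomatic value whose path runs on into bytes that ComboFix prints as '?', and the NetBT ImagePath printed as "s\00y\00s...", which is ComboFix's rendering of a value stored as UTF-16 where a narrow string is expected. The script below is an added example, not part of this thread and not ComboFix's or catchme's code: it parses a constructed, abridged copy of those lines, decodes the \00 escapes back to system32\DRIVERS\netbt.sys, and reports each of the four conditions. The parsing rules, the finding names and the sample itself are this example's own assumptions.

```python
import re
import string

# Constructed sample, abridged from the ComboFix / catchme output posted
# above. It is not a live capture: the Clipomatic value is cut short (the
# real one runs on for hundreds of bytes that ComboFix renders as '?').
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Clipomatic = c:\program files\Clipomatic\Clipomatic.exe?~*?A~????(?a?<?a??

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-22 39408]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetBT]
"ImagePath"="s\00y\00s\00t\00e\00m\003\002\00\\00D\00R\00I\00V\00E\00R\00S\00\\00n\00e\00t\00b\00t\00.\00s\00y\00s"
'''

# A key line is either "[HKEY_...\...]" (REGEDIT4 style) or a bare
# "HKCU\...\Run" header as catchme prints it.
KEY_LINE = re.compile(r'^\[?(H(?:KEY_[A-Z_]+|K(?:LM|CU|CR|U))\\[^\]]*)\]?$')
# Value lines: "name"=data, or  name = data  (catchme's hidden-autostart form).
VALUE_LINE = re.compile(r'^"?([^"=]+?)"?\s*=\s*(.*)$')
PRINTABLE = set(string.printable) - set('\t\n\r\x0b\x0c')
ILLEGAL_IN_PATH = set('<>"|?*')                          # never legal in a Win32 path
TRAILER = re.compile(r'\s*\[\d{4}-\d{2}-\d{2} \d+\]$')   # ComboFix's "[date size]" suffix


def decode_value(raw):
    """Return (text, was_wide) for a value as ComboFix prints it.

    ComboFix writes NUL bytes as the escape '\\00'. A string stored as UTF-16
    where a narrow string is expected therefore prints as 'c\\00h\\00a\\00r...';
    stripping the NULs recovers the intended text and was_wide records that the
    stored value was malformed."""
    raw = TRAILER.sub('', raw.strip())
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    was_wide = '\\00' in raw
    return raw.replace('\\00', ''), was_wide


def image_path(value):
    """The executable part of an autostart value: the quoted path if it is
    quoted, otherwise the whole value (unquoted paths may contain spaces)."""
    m = re.match(r'^"([^"]*)"', value)
    return m.group(1) if m else value


def audit(dump):
    """Walk a ComboFix/catchme registry dump; return (finding, key, detail) tuples."""
    findings = []
    key = None
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name, raw = m.group(1), m.group(2)
        value, was_wide = decode_value(raw)
        lkey = key.lower()

        # A service ImagePath stored as a wide string in a narrow slot; the
        # NetBT entry above prints this way.
        if name == 'ImagePath' and was_wide:
            findings.append(('wide-imagepath', key, value))
        # Security Center told to stop monitoring a product. Third-party
        # firewalls and AVs set this themselves, so it is context, not proof.
        elif 'security center\\monitoring' in lkey and name == 'DisableMonitoring' \
                and raw.strip().lower() == 'dword:00000001':
            findings.append(('sc-monitoring-off', key, key.rsplit('\\', 1)[-1]))
        # Built-in firewall off for the standard profile: expected with a
        # third-party firewall installed, suspicious when there is none.
        elif lkey.endswith('firewallpolicy\\standardprofile') \
                and name == 'EnableFirewall' and value.startswith('0'):
            findings.append(('windows-firewall-off', key, value))
        # Autostart values whose executable path carries bytes that cannot be
        # part of a path: garbage appended to the value, as with Clipomatic.
        elif lkey.endswith('\\run'):
            path = image_path(value)
            if any(c in ILLEGAL_IN_PATH or c not in PRINTABLE for c in path):
                findings.append(('overlong-autostart', key, name))
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE):
        print(*finding, sep='  ')
```

The two firewall-related findings are reported but should be read against what else is installed: on this machine ZoneAlarm's vsmon.exe is in the authorized-applications list and the FW line at the top of the log says it is enabled, so they are the normal state for a third-party firewall. The wide-string ImagePath and the autostart value with non-path bytes are the entries that justify the netbt.sys replacement the thread goes on to do.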

Hi again, then let's look for the file as well. :)

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    netbt.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


There are also files in D: as mentioned earlier

SystemLook 30.07.11 by jpshortstuff

Log created at 22:20 on 26/09/2011 by Owner

Administrator - Elevation successful

========== filefind ==========

Searching for "netbt.sys"

C:\WINDOWS\$NtServicePackUninstall$\netbt.sys -----c- 162816 bytes [05:40 07/08/2011] [06:14 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\$NtUninstallKB824105$\netbt.sys --a--c- 157056 bytes [17:29 29/04/2004] [12:00 29/08/2002] D96F3BC5A6E7452B0E3275B560DC8528

C:\WINDOWS\ServicePackFiles\i386\netbt.sys ------- 162816 bytes [06:14 04/08/2004] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D

-= EOF =-


Next lets replace the file. :)

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


FCopy::
C:\WINDOWS\$NtServicePackUninstall$\netbt.sys | c:\windows\system32\drivers\netbt.sys

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

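The SystemLook listing and the FCopy step above are one procedure: find every copy of netbt.sys, compare sizes and MD5s, then copy a backup over the live driver. Two things in the listing are worth noticing. First, there is no C:\WINDOWS\system32\drivers\netbt.sys at all, so the live copy is missing rather than merely different (the poster's next reply mentions having renamed it). Second, the three backups have three different MD5s because they are different builds: $NtServicePackUninstall$ holds the pre-SP3 file dated 2004, ServicePackFiles\i386 the SP3 build from 2008. A hash that differs from one backup is therefore not by itself evidence of tampering; compare against the backup of the same build, and treat a live copy that matches none of them as suspect. The script below is an added example, not part of this thread and not SystemLook's or ComboFix's code. It builds a throwaway directory layout with constructed placeholder contents, hashes the live and backup copies the way SystemLook reports them, returns a missing/match/mismatch verdict, and performs the copy-over that the FCopy line did. The directory list, the verdict names and the demo contents are assumptions of the example.

```python
import hashlib
import os
import shutil
import tempfile

# Where Windows XP keeps spare copies of a system driver, relative to the
# Windows directory. LIVE is the copy that actually loads; BACKUPS are the
# locations SystemLook listed above. (Assumed layout for this example.)
LIVE = os.path.join("system32", "drivers")
BACKUPS = [
    os.path.join("system32", "dllcache"),        # Windows File Protection cache
    os.path.join("ServicePackFiles", "i386"),    # files of the installed service pack
    "$NtServicePackUninstall$",                  # pre-service-pack copies (older build)
]


def digests(path):
    """(size, MD5, SHA-256) of a file; size and upper-case MD5 match SystemLook's columns."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest().upper(), sha.hexdigest()


def find_copies(windir, driver):
    """Map each location that holds `driver` to that copy's digests."""
    found = {}
    for rel in [LIVE] + BACKUPS:
        path = os.path.join(windir, rel, driver)
        if os.path.isfile(path):
            found[rel] = digests(path)
    return found


def assess(copies):
    """Compare the live driver with the backups.

    Returns (verdict, same, differ) where verdict is one of
      'missing'       no live copy at all (the situation in the listing above)
      'no-reference'  live copy present but no backup to compare against
      'match'         live copy byte-identical to at least one backup
      'mismatch'      live copy differs from every backup
    and same/differ name the backups in each camp."""
    live = copies.get(LIVE)
    if live is None:
        return "missing", [], []
    same = sorted(k for k, d in copies.items() if k != LIVE and d == live)
    differ = sorted(k for k, d in copies.items() if k != LIVE and d != live)
    if same:
        return "match", same, differ
    return ("mismatch" if differ else "no-reference"), same, differ


def restore(windir, driver, source):
    """Copy the chosen backup over the live driver, as the FCopy step does,
    and return the live copy's new digests. Only the file on disk changes;
    an already-loaded driver image stays in memory until reboot."""
    src = os.path.join(windir, source, driver)
    dst = os.path.join(windir, LIVE, driver)
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    shutil.copy2(src, dst)
    return digests(dst)


def demo_tree(live_bytes, backup_bytes):
    """Build a throwaway Windows-directory layout for testing. Contents are
    constructed placeholders, not real driver images. Pass live_bytes=None
    to reproduce the listing above, where the live copy is absent."""
    windir = tempfile.mkdtemp(prefix="windir-")
    entries = [(b, backup_bytes) for b in BACKUPS]
    if live_bytes is not None:
        entries.insert(0, (LIVE, live_bytes))
    for rel, data in entries:
        os.makedirs(os.path.join(windir, rel), exist_ok=True)
        with open(os.path.join(windir, rel, "netbt.sys"), "wb") as fh:
            fh.write(data)
    return windir


if __name__ == "__main__":
    windir = demo_tree(None, b"pristine driver placeholder")
    print(assess(find_copies(windir, "netbt.sys")))
    restore(windir, "netbt.sys", os.path.join("ServicePackFiles", "i386"))
    print(assess(find_copies(windir, "netbt.sys")))
    shutil.rmtree(windir)
```

Run as-is it shows the missing-then-match sequence on the constructed tree; point find_copies at a real C:\WINDOWS to hash actual files. A match against a backup is only as trustworthy as that backup, so on a real system also check the restored file against the known-good hash for the installed build.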

Correctly diagnosed - mea culpa - renamed file and ran CFScript in ComboFix. Still no internet connection.

ComboFix txt results:

ComboFix 11-09-27.04 - Owner 09/28/2011 22:22:10.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.486 [GMT -6:00]

Running from: L:\ComboFix.exe

Command switches used :: L:\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

--------------- FCopy ---------------

.

c:\windows\$NtServicePackUninstall$\netbt.sys --> c:\windows\system32\drivers\netbt.sys

.

((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-29 )))))))))))))))))))))))))))))))

.

.

2011-09-29 04:22 . 2004-08-04 06:14 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys

2011-09-29 04:22 . 2004-08-04 06:14 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-09-20 23:03 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2011-09-20 23:03 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2011-09-19 03:58 . 2011-09-19 03:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2011-09-18 13:46 . 2011-09-18 13:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth

2011-09-17 20:55 . 2011-09-17 20:55 12872 ----a-w- c:\windows\system32\bootdelete.exe

2011-09-17 20:37 . 2011-09-17 20:37 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-09-17 20:35 . 2011-09-17 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2011-09-17 19:31 . 2011-09-20 04:27 -------- d-----w- c:\program files\Malware Bytes

2011-09-17 19:26 . 2011-09-17 19:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-17 19:26 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-17 14:18 . 2011-09-17 14:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2011-09-09 09:12 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-16 16:28 . 2011-06-21 20:11 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-09 09:12 . 2004-04-01 08:25 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-07 05:56 . 2011-08-07 05:56 45056 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\util.dll

2011-08-07 05:55 . 2011-08-07 05:55 114688 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\ZipLib.dll

2011-08-07 05:55 . 2011-08-07 05:55 49152 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\PCHI18N.dll

2011-08-07 05:55 . 2011-08-07 05:55 32768 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\pchapi.dll

2011-08-07 05:55 . 2011-08-07 05:55 307200 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\pchealthplugin.dll

2011-08-07 05:55 . 2011-08-07 05:55 282624 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\clientutil52.dll

2011-08-07 05:55 . 2011-08-07 05:55 5632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\GUI.dll

2011-08-07 05:55 . 2011-08-07 05:55 315392 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\pchmsxml.dll

2011-08-07 05:55 . 2011-08-07 05:55 20480 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\InetCheckWrap.dll

2011-08-07 05:55 . 2011-08-07 05:55 114688 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\asst_ui.dll

2011-08-07 05:55 . 2011-08-07 05:55 98304 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\PluginCtrl.dll

2011-08-07 05:55 . 2011-08-07 05:55 24576 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\pcdapi.dll

2011-08-07 05:55 . 2011-08-07 05:55 356352 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\client_motkt.dll

2011-08-07 05:55 . 2011-08-07 05:55 26572 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\INV16.dll

2011-08-07 05:55 . 2011-08-07 05:55 4096 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\winverifytrustwrapper.dll

2011-08-07 05:55 . 2011-08-07 05:55 69632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\msxmlwrapper.dll

2011-08-07 05:55 . 2011-08-07 05:55 344064 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\api.dll

2011-08-07 05:55 . 2011-08-07 05:55 139264 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\ContentUpdater.exe

2011-08-07 05:55 . 2011-08-07 05:55 212992 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\jsharpinterp.dll

2011-08-07 05:55 . 2011-08-07 05:55 434176 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\motivede.dll

2011-08-07 05:55 . 2011-08-07 05:55 69632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\msxmlwrapper.dll

2011-08-07 05:55 . 2011-08-07 05:55 126976 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\SearchCtrl.dll

2011-08-07 05:55 . 2011-08-07 05:55 36864 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\gnu.dll

2011-08-07 05:55 . 2011-08-07 05:55 307200 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\pchnotify.exe

2011-08-07 05:55 . 2011-08-07 05:55 3072 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\pchealthde.exe

2011-08-07 05:55 . 2011-08-07 05:55 159744 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\PCHButton.exe

2011-08-07 05:55 . 2011-08-07 05:55 77824 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\FDIWrapper.dll

2011-08-07 05:55 . 2011-08-07 05:55 77824 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\WinVerifyTrust.dll

2011-08-07 05:55 . 2011-08-07 05:55 49152 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\hwinv.dll

2011-08-07 05:55 . 2011-08-07 05:55 315392 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHNABS4EN\plugin\bin\jsharpde\pchmsxml.dll

2011-07-15 13:29 . 2004-04-01 04:49 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2004-04-29 17:29 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-04 11:43 . 2010-06-30 06:18 40112 ----a-w- c:\windows\avastSS.scr

2011-07-04 11:43 . 2010-03-27 04:02 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-07-04 11:36 . 2011-06-22 17:53 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-07-04 11:36 . 2010-03-27 04:03 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-07-04 11:35 . 2010-03-27 04:03 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-07-04 11:35 . 2010-03-27 04:03 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-07-04 11:35 . 2010-03-27 04:03 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-07-04 11:32 . 2010-03-27 04:03 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-07-04 11:32 . 2010-03-27 04:03 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-07-04 11:32 . 2010-03-27 04:03 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-03-18 17:53 . 2011-04-05 05:31 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot_2011-09-22_04.49.26 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-09-26 04:51 . 2011-09-26 04:51 16384 c:\windows\Temp\Perflib_Perfdata_738.dat

+ 2004-04-01 04:49 . 2011-09-27 06:00 82222 c:\windows\system32\perfc009.dat

+ 2004-04-01 04:49 . 2011-09-27 06:00 469476 c:\windows\system32\perfh009.dat

+ 2011-09-23 16:31 . 2011-09-18 18:26 155686 c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-07-04 11:43 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Clipomatic"="c:\program files\Clipomatic\Clipomatic.exe" [1999-05-15 65536]

"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2007-01-11 262144]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-22 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]

"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]

"VTTimer"="VTTimer.exe" [2005-03-08 53248]

"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]

"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-06 196608]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 47904]

"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2009-06-26 450560]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2011-08-17 126976]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-07-04 3493720]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]

MiniMinder.lnk - c:\program files\MiniMind\MiniMind.exe [2004-10-30 176128]

OpenOffice.org 2.0.lnk.disabled [2006-9-21 921]

OpenOffice.org 3.1.lnk.disabled [2009-8-19 909]

Stickies.lnk - c:\program files\stickies\stickies.exe [2007-3-9 700416]

tinySpell.lnk - c:\documents and settings\Owner\My Documents\My Received Files\TinySpell\tinySpell\tinySpellp.exe [2009-9-28 217088]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk.disabled [2007-5-4 1802]

Device Detector 3.lnk.disabled [2010-1-16 1695]

Updates from HP.lnk.disabled [2004-7-15 1865]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Registration.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel Registration.lnk

backup=c:\windows\pss\Corel Registration.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL 9.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL 9.LNK

backup=c:\windows\pss\CorelCENTRAL 9.LNKCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL Alarms.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL Alarms.LNK

backup=c:\windows\pss\CorelCENTRAL Alarms.LNKCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Application Director 9.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Application Director 9.LNK

backup=c:\windows\pss\Desktop Application Director 9.LNKCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk

backup=c:\windows\pss\Device Detector 2.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk

backup=c:\windows\pss\HP Organize.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMStart.lnk

backup=c:\windows\pss\IMStart.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]

2004-01-09 09:34 32768 ----a-w- c:\program files\HP\Digital Imaging\bin\BackupNotify.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-04-27 07:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2007-01-26 06:49 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"RealPlayer"="c:\program files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot

"BackupNotify"=c:\program files\HP\Digital Imaging\bin\backupnotify.exe

"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background

"RecordNow!"=

"spc_w"="c:\program files\JUSearch\juspc.exe" -w

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

"Copernic Desktop Search"="c:\program files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe"

"CopernicMobile.exe"="c:\program files\Copernic Mobile\CopernicMobile.exe" /AUTOMATIC

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

"AlcxMonitor"=ALCXMNTR.EXE

"eSnips"="c:\program files\eSnips\ClientGW.exe"

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r

"Picasa Media Detector"=c:\program files\Picasa2\PicasaMediaDetector.exe

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" -s

"QUICKCARE"=c:\program files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini

"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

"Recguard"=c:\windows\SMINST\RECGUARD.EXE

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"KBD"=c:\hp\KBD\KBD.EXE

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\stickies\\stickies.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\msncall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/22/2011 11:53 AM 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/26/2010 10:03 PM 309848]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/26/2010 10:03 PM 19544]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [3/9/2011 6:30 AM 92592]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [6/26/2009 4:56 PM 102400]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/25/2010 4:44 PM 136176]

S2 PC Monitor;PC Monitor;c:\program files\PC Monitor\PCMonitorSrv.exe [8/12/2011 3:53 PM 273728]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/25/2010 4:44 PM 136176]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 6TO4

*NewlyCreated* - IP6FW

*NewlyCreated* - TCPIP6

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-06 c:\windows\Tasks\defrag.job

- c:\windows\system32\dfrg.msc [2004-04-29 12:00]

.

2011-02-05 c:\windows\Tasks\Disk Cleanup.job

- c:\windows\system32\cleanmgr.exe [2004-04-29 00:12]

.

2011-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-25 22:38]

.

2011-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-25 22:38]

.

2011-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3556973243-780273454-1310255599-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-29 22:38]

.

2011-09-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3556973243-780273454-1310255599-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-29 22:38]

.

2011-01-11 c:\windows\Tasks\Spybot - Search & Destroy.job

- c:\progra~1\SPYBOT~1\SpybotSD.exe [2008-03-27 22:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://utahalien.blogspot.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = <local>;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Snip to my eSnips account - c:\program files\eSnips\res\SnipIt.htm

Trusted Zone: elementk.com

Trusted Zone: familysearch.com

Trusted Zone: familysearch.org\help

Trusted Zone: familysearch.org\new

Trusted Zone: familysearch.org\www

Trusted Zone: incontact.com\login

Trusted Zone: intuit.com\ttlc

Trusted Zone: ldschurch.org\www

Trusted Zone: ldschurchindexing.org\www

Trusted Zone: netdimensions.com

Trusted Zone: netdimensions.com\lds

Trusted Zone: rosettastone.com

Trusted Zone: safaribooksonline.com

Trusted Zone: skillport.com

Trusted Zone: skillsoft.com

Trusted Zone: turbotax.com

Trusted Zone: ual.com\united.intranet

TCP: DhcpNameServer = 192.168.0.1

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: {A42889C5-62E1-419A-90C2-C9E958D69990} - hxxp://www.genline.com/GFFControl.cab

DPF: {BDFC91DC-AAE6-4E27-A624-EC2DE54E2F67} - file://f:\n_scanning\IntraLaunch.CAB

DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bs7jujo8.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.numbersusa.com/content/

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-28 22:40

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Clipomatic = c:\program files\Clipomatic\Clipomatic.exe?~*?A~????(?a?<?a???????????????0????????? ???????????V?????????U?????W?D~0?A~????*?A~??A~????6Z?]??/???????????B~??a?????????????????&?@????? ?????0?????<?????A~??a???U?????????????u]B~T????]B~??0???????????????@? K@

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetBT]

"ImagePath"="s\00y\00s\00t\00e\00m\003\002\00\\00D\00R\00I\00V\00E\00R\00S\00\\00n\00e\00t\00b\00t\00.\00s\00y\00s"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3556973243-780273454-1310255599-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**~*a%\OpenWithList]

@Class="Shell"

.

[HKEY_USERS\S-1-5-21-3556973243-780273454-1310255599-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*4%**]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

[HKEY_USERS\S-1-5-21-3556973243-780273454-1310255599-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*4%**\OpenWithList]

@Class="Shell"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(516)

c:\windows\system32\igfxsrvc.dll

c:\windows\system32\hccutils.DLL

.

- - - - - - - > 'explorer.exe'(2140)

c:\windows\system32\WININET.dll

c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

c:\windows\system32\IEFRAME.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

.

Completion time: 2011-09-28 22:48:48

ComboFix-quarantined-files.txt 2011-09-29 04:48

ComboFix2.txt 2011-09-25 05:23

ComboFix3.txt 2011-09-22 04:55

ComboFix4.txt 2011-09-20 23:38

.

Pre-Run: 94,063,345,664 bytes free

Post-Run: 94,045,982,720 bytes free

.

- - End Of File - - 04D3B898F3B19A932324EA1605345553


Please click Start > Run, type cmd and press enter.

Type the following lines and press enter after each line:

netsh int ip reset

netsh winsock reset

When done, restart your computer and let me know if the internet works.

If the commands returned errors, please let me know the exact message.


"netsh int ip reset" yielded "the following command was not found: ip reset"

"netsh winsock reset" yielded "successfully .... and restart"

After the restart I tried "netsh int ip reset" again and received a message about improper context, referring to "resetlog".

A Google search found http://support.microsoft.com/kb/299357 which says:

(At the command prompt, copy and paste (or type) the following command and then press ENTER:

netsh int ip reset c:\resetlog.txt)

But, that didn't work either.

I have in local area Connection properties "Internet Protocol (TCP/IP)" and Microsoft TCP/IP version 6 with an "Install" button. I don't remember seeing that before. Is that a problem or, perhaps, a solution???
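The two-command reset sequence from the reply above, written out as a batch file. This is an added example, not a script from the thread or from Malwarebytes: it passes the log-file argument that KB 299357 describes (required by netsh on Windows XP, optional on later versions), checks each command's exit code so a failure does not scroll past, and points at the log, which lists the registry keys netsh rewrote. The log path C:\resetlog.txt is an assumed value; any writable path works.

```batch
@echo off
REM Added example (not from the forum thread): reset the TCP/IP stack and the
REM Winsock catalog on Windows XP, the way the helper's reply describes, with
REM the log-file argument that XP's netsh requires.
REM Assumed log path; change it to any location the account can write to.
set LOGFILE=C:\resetlog.txt

echo Resetting TCP/IP stack (log file: %LOGFILE%)...
REM On XP the log-file argument is mandatory; omitting it produces the
REM "command was not found" / "improper context" errors seen in the thread.
netsh interface ip reset "%LOGFILE%"
REM netsh signals failure through a non-zero exit code (assumed here).
if errorlevel 1 (
    echo TCP/IP reset FAILED, exit code %errorlevel%. Note the exact text above.
    goto :end
)

echo Resetting Winsock catalog...
netsh winsock reset
if errorlevel 1 (
    echo Winsock reset FAILED, exit code %errorlevel%. Note the exact text above.
    goto :end
)

echo Both resets succeeded.
echo Review %LOGFILE% for the registry keys that were rewritten, then reboot
echo before testing the connection.
:end
```

Run it from an administrator command prompt (Start > Run, cmd) and reboot afterwards; the reset only takes effect after a restart, which is why the reply asks for one before testing the connection.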


I have in local area Connection properties "Internet Protocol (TCP/IP)" and Microsoft TCP/IP version 6 with an "Install" button. I don't remember seeing that before. Is that a problem or, perhaps, a solution???
This is normal and you can try it, however I'm not sure if it will make a difference.

What did you get back after "netsh int ip reset resetlog.txt"?
