PC infected
msobczak
2010-10-24, 18:15
Trust me, this will be the last time I do anything with torrents!
DDS (Ver_10-10-21.02) - NTFSx86
Run by msobczak at 11:01:21.65 on Sun 10/24/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2697 [GMT -4:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Lotus\Domino\nsd.exe
C:\Notes\nsd.exe
C:\WINDOWS\system32\lxdwcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Documents and Settings\msobczak\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark 7600 Series\lxdwMsdMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\msobczak\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Tgbh_PreA1T] c:\program files\adware pro\Adware_Pro.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe
mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE
mRun: [lxdwmon.exe] "c:\program files\lexmark 7600 series\lxdwmon.exe"
mRun: [lxdwamon] "c:\program files\lexmark 7600 series\lxdwamon.exe"
mRun: [Lexmark 7600 Series Fax Server] "c:\program files\lexmark 7600 series\fm3032.exe" /s
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\msobczak\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\msobczak\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\msobczak\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: sterlingbank.com\mail
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://files.member.yahoo.com/dl/installs/sbc/yinst.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://mail.sterlingbank.com/iNotes6W.cab
DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://secure2.andersonsinc.com/,DanaInfo=andmail1.andent.andersonsinc.com,ST=1+/dwa85W.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxp://quickplace.ebiztech.com/dwa7W.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure2.andersonsinc.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure2.andersonsinc.com/dana-cached/sc/JuniperSetupClient.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMgfDsr
LSA: Notification Packages = scecli c:\windows\system32\diremise.dll yoyaheku.dll
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MSASCui.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\msobczak\applic~1\mozilla\firefox\profiles\5wwmed26.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
============= SERVICES / DRIVERS ===============
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [2008-11-2 66736]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2008-11-2 13696]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [2008-11-29 8192]
R2 Lotus Domino Diagnostics (CLotusDomino);Lotus Domino Diagnostics (CLotusDomino);c:\lotus\domino\nsd.exe [2008-11-4 3309568]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\notes\nsd.exe -svcinvoke -ini "c:\notes\notes.ini" --> c:\notes\nsd.exe -svcinvoke -ini c:\notes\notes.ini [?]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-12 135664]
S2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [2009-10-11 98984]
S3 IBM RPT adapter for RQM;IBM RPT adapter for RQM;c:\ibm\sdp\rpt-rst_rqmadapter\bin\RPT-RST_RQMAdapterService.exe [2010-8-29 20480]
S3 Lotus Domino Server (LotusDominodata);Lotus Domino Server (LotusDominodata);c:\lotus\domino\nservice.exe [2008-11-4 99720]
S3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys --> c:\windows\system32\drivers\pppop.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S3 Zope_-372241316;Zope instance at c:\program files\plone\parts\instance;c:\program files\plone\python\pythonservice.exe [2010-9-7 8704]
=============== Created Last 30 ================
2010-10-24 02:40:30 -------- d-----w- c:\windows\Internet Logs
2010-10-24 02:35:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-24 01:56:53 -------- d-----w- c:\docume~1\msobczak\applic~1\AVP 2009
2010-10-21 12:22:58 -------- d-----w- C:\cports
2010-10-21 12:09:50 3887480 ----a-w- C:\procexp.exe
2010-10-13 00:28:38 -------- d-----w- c:\docume~1\msobczak\locals~1\applic~1\Google
2010-10-13 00:27:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
==================== Find3M ====================
2010-08-10 09:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 09:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-06 17:05:54 72080 ----a-w- c:\documents and settings\msobczak\g2mdlhlpx.exe
2010-08-04 23:36:13 48640 ----a-w- c:\windows\system32\libfdnvin.dll
============= FINISH: 11:03:03.64 ===============
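The "Pseudo HJT Report" section above carries the two entries a responder would look at first: the IFEO lines, which redirect the named security executables to svchost.exe so that they never actually start, and the LSA package lines, which load unrecognised DLLs (qoMgfDsr, diremise.dll, yoyaheku.dll) into lsass.exe at boot. The following Python script is an added triage example, not part of the thread or of the DDS tool; it parses those line types and flags the anomalies. The baseline package sets and the finding format are assumptions; the sample input is copied from the log posted above.

```python
"""Triage helper for the DDS 'Pseudo HJT Report' section (added example).

Flags two persistence / defence-evasion indicators:
  * IFEO entries: Image File Execution Options 'Debugger' values. DDS
    only lists images that have one, so every entry deserves a look;
    a target of svchost.exe (as in the log above) is rated high.
  * LSA Authentication / Notification Packages that name DLLs outside
    the Windows defaults. Those DLLs are loaded by lsass.exe at boot.
The default package sets below are an assumption for a stand-alone
workstation; domain controllers legitimately add more.
"""
import re
from typing import Dict, List

# Baseline LSA package names (assumption: typical XP workstation).
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_NOTIFY_PACKAGES = {"scecli", "rassfm", "kdcsvc"}

IFEO_RE = re.compile(r"^IFEO:\s*(?P<image>\S+)\s*-\s*(?P<debugger>.+)$", re.I)
LSA_RE = re.compile(
    r"^LSA:\s*(?P<kind>Authentication|Notification) Packages\s*=\s*(?P<pkgs>.+)$",
    re.I,
)

# Sample input: lines copied from the DDS log posted in this thread.
SAMPLE_LINES = [
    r"SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,",
    r"LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMgfDsr",
    r"LSA: Notification Packages = scecli c:\windows\system32\diremise.dll yoyaheku.dll",
    r"IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe",
    r"IFEO: MSASCui.exe - c:\windows\system32\svchost.exe",
    r"IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe",
    r"IFEO: msseces.exe - c:\windows\system32\svchost.exe",
]


def normalise_package(token: str) -> str:
    """Reduce 'c:\\windows\\system32\\foo.dll' (or bare 'foo') to 'foo'."""
    name = token.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"\.dll$", "", name, flags=re.I).lower()


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding dict per suspicious IFEO or LSA package entry."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        m = IFEO_RE.match(line)
        if m:
            debugger = m.group("debugger").strip()
            # svchost.exe is a service host, never a debugger: this entry
            # exists only to stop the named program from running.
            severity = "high" if debugger.lower().endswith("svchost.exe") else "review"
            findings.append({"kind": "ifeo", "item": m.group("image"),
                             "detail": debugger, "severity": severity})
            continue
        m = LSA_RE.match(line)
        if m:
            kind = m.group("kind").lower()
            baseline = DEFAULT_AUTH_PACKAGES if kind == "authentication" else DEFAULT_NOTIFY_PACKAGES
            for token in m.group("pkgs").split():
                name = normalise_package(token)
                if name not in baseline:
                    findings.append({"kind": f"lsa-{kind}", "item": name,
                                     "detail": token, "severity": "high"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f['severity']}] {f['kind']}: {f['item']} -> {f['detail']}")
```

Run against the sample lines it reports the four redirected Microsoft security executables and the three non-default LSA DLLs; everything else in the section (the SecurityProviders line, for instance) is left alone. Feeding it a full DDS log works the same way, since only the two line types are matched.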
Satchfan
2010-10-27, 12:05
Hello msobczak and welcome to Safer Networking Forums.
My name is Satchfan and I would be glad to help you with your computer problem. Please read the following guidelines which will help to make cleaning your machine easier:
• Please do not install/uninstall any programs unless asked to.
• Please do not run any scans other than those requested
• Please follow all instructions in the order posted
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• If you don't understand something, please don't hesitate to ask for clarification before proceeding
• The fixes are specific to your problem and should only be used for this issue on this machine.
• Please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!
Please note that I am still in training and my replies need to be checked by an expert in order for you to receive the best possible advice. This may result in a small delay between my posts but I shall try to keep this to a minimum.
I am looking through your log now and will reply as soon as possible.
Satchfan
msobczak
2010-10-27, 15:06
Hi Satchfan,
In the interim, I've been trying to run an Avast boot scan. It kept stalling at the Rational Application Developer software I had installed, so I uninstalled that.
Avast did find a corrupt file, but I still have the underlying issue.
Let me know if you need me to run the DDS again, and I'll do that later tonight.
Thanks,
- Mike.
Satchfan
2010-10-30, 11:36
Hello again msobczak
I see no sign of a current antivirus program. This is something that is crucial in protecting your computer. We’ll address this later when your computer is clean otherwise it might clear up something that we need to be aware of.
Meanwhile, please limit your internet activity to downloading tools and replying to this topic. Also, please do not run any other programs unless requested.
Re AVP 2009
Do you know what AVP 2009 is, as it appears to have been downloaded very recently?
OTL Custom Scan
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Click on Minimal Output at the top
Download the following file scan.txt to your Desktop. Click here to download it (http://www.geekstogo.com/forum/files/download/395-otl-custom-scan-file-scantxt/). You may need to right click on it and select "Save"
Double click inside the Custom Scan box at the bottom
A window will appear saying "Click OK to load a custom scan from a file or Cancel to cancel"
Click the OK button and navigate to the file scan.txt which we just saved to your desktop
Select scan.txt and click Open. Writing will now appear under the Custom Scan box
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.
Download the GMER Rootkit Scanner
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).
Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_th.gif (http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_screen2-1.gif)
Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
• IAT/EAT
• All drives/partitions except C:\
• Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and attach it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Logs to include with next post:
OTL.txt
Extras.txt
Gmer.txt
Also please remember to tell me about AVP 2009.
Thanks
Satchfan
msobczak
2010-10-31, 18:31
I've attached OTL.Txt and Gmer.txt.
OTL did not produce Extras.txt with the Quick Scan. Should I run a full scan?
I'm not sure what AVP 2009 is. I don't remember explicitly downloading it myself.
I have Avast 5 running on my PC now. At one point, Adware Pro told me to uninstall Avast and ZoneAlarm. I've since re-added both.
Satchfan
2010-11-02, 01:32
Hello msobczak
Please do not attach logs unless requested to do so: just copy and paste them into your reply.
You have downloaded programs which I asked you not to do. I realise that you are anxious to get your computer clean but running random programs in an attempt to quicken the process can sometimes make it worse. We run programs in a certain order for specific reasons so please don’t run or download any more programs until your computer is clean.
I'm afraid one or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and download and execute files
I would suggest that you disconnect this PC from the Internet when you are not using it to download programs we request. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
I can help you in the cleaning if you don't want to reformat but I can't promise that we'll get you 100% clean.
Please let us know what you have decided to do in your next post.
Meanwhile, download ComboFix from the following location:
Link (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.
When finished, it will produce a log. Please include the ComboFix.txt in your next reply. It can be found at C:\ComboFix.txt
Thanks
Satchfan
msobczak
2010-11-04, 00:13
When I tried to paste OTL.txt into the body of a Reply, I got this error:
The text that you have entered is too long (80201 characters). Please shorten it to 64000 characters long.
msobczak
2010-11-04, 01:03
I needed to rename ComboFix.exe to something else in order for it to run.
Then, it kept warning me that Avast scanners were running, even though I shut down the services and the real-time scanners.
I ran ComboFix.exe, and it mentioned that it found "Rootkit - TDL3".
When the computer restarted after the deep scans, ComboFix looked like it was trying to create the report. Then I saw a quick blue screen and the computer restarted itself again.
I don't see a ComboFix.txt file under c:\
What should I do now?
Satchfan
2010-11-04, 14:28
msobczak
You can post the OTL log using more than one post. Post the OTL log and then try running ComboFix again but first, try disabling Avast this way:
• right-click on the avast! icon in system tray
• select avast! shields control
There will be options to disable avast for 10 minutes, 1 hour, until the computer is restarted or permanently.
Choose 1 hour.
When you’ve done this, try running ComboFix again.
Ideally, we'd like to run ComboFix in normal mode, but if it still won't run in normal mode please do the following:
Boot your computer in Safe Mode
• Turn the computer on or Restart the computer
• Start tapping the F8 key.
• The Windows Advanced Options Menu appears (If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again)
• Use the arrow keys to select the Safe Mode menu option.
• Press Enter.
• The computer then begins to start in Safe mode.
• Log into your usual account
Try running ComboFix again. After running it, reboot into normal mode and post the log in your next reply using more than one post if necessary.
Satchfan
Satchfan
2010-11-07, 14:29
Hello msobczak
It has been several days since I sent my last post with instructions to help with your computer problem.
Please let me know if you are having problems and still require help.
Thanks
Satchfan
msobczak
2010-11-07, 17:33
The first time I ran ComboFix, it stalled out on the 3rd scan. I killed the task, restarted, and ran it again. That time, it worked OK.
ComboFix 10-11-02.06 - msobczak 11/07/2010 9:35.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2751 [GMT -5:00]
Running from: c:\documents and settings\msobczak\Desktop\blah.exe
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((( Files Created from 2010-10-07 to 2010-11-07 )))))))))))))))))))))))))))))))
.
2010-10-31 17:13 . 2010-10-31 17:13 -------- d-----w- c:\program files\DVDFab 8
2010-10-24 17:17 . 2010-10-24 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-10-24 16:27 . 2010-10-24 16:27 -------- d-----w- c:\documents and settings\msobczak\Application Data\CheckPoint
2010-10-24 16:27 . 2010-11-07 14:01 -------- d-----w- c:\documents and settings\msobczak\Local Settings\Application Data\ZoneAlarm_Security
2010-10-24 16:27 . 2010-10-24 16:27 -------- d-----w- c:\program files\Conduit
2010-10-24 16:27 . 2010-10-24 16:27 -------- d-----w- c:\program files\ZoneAlarm_Security
2010-10-24 16:26 . 2010-10-24 16:26 -------- d-----w- c:\program files\CheckPoint
2010-10-24 16:26 . 2010-09-02 13:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-10-24 16:26 . 2010-09-02 13:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-10-24 16:26 . 2010-09-02 13:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-10-24 16:26 . 2010-10-24 16:27 -------- d-----w- c:\windows\system32\ZoneLabs
2010-10-24 16:26 . 2010-10-24 16:26 -------- d-----w- c:\program files\Zone Labs
2010-10-24 15:18 . 2004-01-09 08:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
2010-10-24 14:58 . 2010-10-24 14:59 -------- d-----w- c:\program files\ERUNT
2010-10-24 02:40 . 2010-11-07 14:37 -------- d-----w- c:\windows\Internet Logs
2010-10-24 02:37 . 2010-10-24 02:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-10-24 02:35 . 2010-10-24 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-24 01:56 . 2010-10-24 02:33 -------- d-----w- c:\documents and settings\msobczak\Application Data\AVP 2009
2010-10-21 12:22 . 2010-10-21 12:43 -------- d-----w- C:\cports
2010-10-21 12:09 . 2010-06-07 20:16 3887480 ----a-w- C:\procexp.exe
2010-10-13 12:31 . 2010-10-13 12:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-10-13 00:31 . 2010-10-13 00:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-10-13 00:28 . 2010-10-13 00:36 -------- d-----w- c:\documents and settings\msobczak\Local Settings\Application Data\Google
2010-10-13 00:28 . 2010-10-13 00:33 -------- d-----w- c:\program files\Google
2010-10-13 00:27 . 2010-10-13 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-07 14:28 . 2009-03-06 02:24 4526 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-08-10 09:15 . 2010-08-10 09:15 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 09:15 . 2010-08-10 09:15 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-06-13 23:10 2734688 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-03 13508608]
"nwiz"="nwiz.exe" [2008-01-03 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-03 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]
"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 35328]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"Lexmark 7600 Series Fax Server"="c:\program files\Lexmark 7600 Series\fm3032.exe" [2008-09-10 311976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-09-02 738808]
c:\documents and settings\msobczak\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\msobczak\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-12-2 156160]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Documents and Settings\\msobczak\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\SeaMonkey\\seamonkey.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.2.20100729-1241\\win32\\x86\\notes2.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [11/2/2008 10:34 AM 66736]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [11/2/2008 10:10 AM 13696]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [11/29/2008 4:34 PM 8192]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [9/2/2010 7:26 AM 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [9/2/2010 7:26 AM 493048]
R2 Lotus Domino Diagnostics (CLotusDomino);Lotus Domino Diagnostics (CLotusDomino);c:\lotus\Domino\nsd.exe [11/4/2008 7:44 PM 3309568]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\notes\nsd.exe -svcinvoke -ini "c:\notes\notes.ini" --> c:\notes\nsd.exe -svcinvoke -ini c:\notes\notes.ini [?]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/12/2010 7:29 PM 135664]
S2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [10/11/2009 9:21 AM 98984]
S3 Lotus Domino Server (LotusDominodata);Lotus Domino Server (LotusDominodata);c:\lotus\Domino\nservice.exe [11/4/2008 7:46 PM 99720]
S3 pppop;PPPoP WAN Adapter;c:\windows\system32\DRIVERS\pppop.sys --> c:\windows\system32\DRIVERS\pppop.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [4/23/2007 4:11 PM 224896]
S3 Zope_-372241316;Zope instance at c:\program files\Plone\parts\instance;c:\program files\Plone\python\pythonservice.exe [9/7/2010 8:09 AM 8704]
.
Contents of the 'Scheduled Tasks' folder
2010-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 00:28]
2010-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 00:28]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Trusted Zone: sterlingbank.com\mail
DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://secure2.andersonsinc.com/,DanaInfo=andmail1.andent.andersonsinc.com,ST=1+/dwa85W.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure2.andersonsinc.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\msobczak\Application Data\Mozilla\Firefox\Profiles\5wwmed26.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(696)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
- - - - - - - > 'lsass.exe'(752)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
- - - - - - - > 'explorer.exe'(2568)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\system32\nview.dll
c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\progra~1\Logitech\MOUSEW~1\SYSTEM\LgMousHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-07 09:44:21
ComboFix-quarantined-files.txt 2010-11-07 14:44
Pre-Run: 59,262,017,536 bytes free
Post-Run: 59,213,303,808 bytes free
- - End Of File - - 4385C00C47F61D387AD951705172D2DD
Satchfan
2010-11-08, 15:10
Hi msobczak
Open ComboFix
Please do the following:
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so that they do not interfere with the running of ComboFix.
• Open notepad and copy/paste the text in the codebox below into it:
DirLook::
c:\documents and settings\msobczak\Application Data\AVP 2009
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-
Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it produces a log at C:\ComboFix.txt. Post the contents of Combofix.txt in your next reply.
Run an on-line scan with Kaspersky
Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
http://img.photobucket.com/albums/v706/ried7/Kas-Savetxt.gif
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
Please click on to Start, Run and copy/paste the following, then press Enter:
C:\QooBox\ComboFix-quarantined-files.txt
When it opens, post the contents of that logfile also.
Logs to include with your reply:
ComboFix.txt
Kaspersky scan log
ComboFix-quarantined-files.txt
Use more than one post if necessary.
Satchfan
msobczak
2010-11-10, 05:51
ComboFix 10-11-09.01 - msobczak 11/09/2010 13:36:48.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2773 [GMT -5:00]
Running from: c:\documents and settings\msobczak\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\msobczak\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((( Files Created from 2010-10-09 to 2010-11-09 )))))))))))))))))))))))))))))))
.
2010-11-09 10:45 . 2010-11-09 10:45 -------- d-----w- c:\documents and settings\msobczak\Application Data\smkits
2010-11-07 14:34 . 2010-11-07 14:44 -------- d-----w- C:\blah
2010-10-31 17:13 . 2010-10-31 17:13 -------- d-----w- c:\program files\DVDFab 8
2010-10-24 17:17 . 2010-10-24 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-10-24 16:27 . 2010-10-24 16:27 -------- d-----w- c:\documents and settings\msobczak\Application Data\CheckPoint
2010-10-24 16:27 . 2010-11-07 14:01 -------- d-----w- c:\documents and settings\msobczak\Local Settings\Application Data\ZoneAlarm_Security
2010-10-24 16:27 . 2010-10-24 16:27 -------- d-----w- c:\program files\Conduit
2010-10-24 16:27 . 2010-10-24 16:27 -------- d-----w- c:\program files\ZoneAlarm_Security
2010-10-24 16:26 . 2010-10-24 16:26 -------- d-----w- c:\program files\CheckPoint
2010-10-24 16:26 . 2010-09-02 13:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-10-24 16:26 . 2010-09-02 13:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-10-24 16:26 . 2010-09-02 13:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-10-24 16:26 . 2010-10-24 16:27 -------- d-----w- c:\windows\system32\ZoneLabs
2010-10-24 16:26 . 2010-10-24 16:26 -------- d-----w- c:\program files\Zone Labs
2010-10-24 15:18 . 2004-01-09 08:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
2010-10-24 14:58 . 2010-10-24 14:59 -------- d-----w- c:\program files\ERUNT
2010-10-24 02:40 . 2010-11-09 18:36 -------- d-----w- c:\windows\Internet Logs
2010-10-24 02:37 . 2010-10-24 02:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-10-24 02:35 . 2010-10-24 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-24 01:56 . 2010-10-24 02:33 -------- d-----w- c:\documents and settings\msobczak\Application Data\AVP 2009
2010-10-21 12:22 . 2010-10-21 12:43 -------- d-----w- C:\cports
2010-10-21 12:09 . 2010-06-07 20:16 3887480 ----a-w- C:\procexp.exe
2010-10-13 12:31 . 2010-10-13 12:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-10-13 00:31 . 2010-10-13 00:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-10-13 00:28 . 2010-10-13 00:36 -------- d-----w- c:\documents and settings\msobczak\Local Settings\Application Data\Google
2010-10-13 00:28 . 2010-10-13 00:33 -------- d-----w- c:\program files\Google
2010-10-13 00:27 . 2010-10-13 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-09 18:34 . 2009-03-06 02:24 4526 ----a-w- c:\windows\system32\PerfStringBackup.TMP
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\msobczak\Application Data\AVP 2009 ----
2010-10-24 02:33 . 2010-10-24 02:47 0 ----a-w- c:\documents and settings\msobczak\Application Data\AVP 2009\1.dat
((((((((((((((((((((((((((((( SnapShot@2010-11-07_14.43.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-09 18:30 . 2010-11-09 18:30 16384 c:\windows\Temp\Perflib_Perfdata_690.dat
+ 2010-11-09 18:31 . 2010-11-09 18:31 204800 c:\windows\ERDNT\AutoBackup\11-9-2010\Users\00000002\UsrClass.dat
+ 2010-11-09 18:31 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\11-9-2010\ERDNT.EXE
+ 2010-11-08 23:08 . 2010-11-08 23:08 204800 c:\windows\ERDNT\AutoBackup\11-8-2010\Users\00000002\UsrClass.dat
+ 2010-11-08 23:08 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\11-8-2010\ERDNT.EXE
+ 2010-11-09 18:31 . 2010-11-09 18:31 9715712 c:\windows\ERDNT\AutoBackup\11-9-2010\Users\00000001\NTUSER.DAT
+ 2010-11-08 23:08 . 2010-11-08 23:08 9707520 c:\windows\ERDNT\AutoBackup\11-8-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-06-13 23:10 2734688 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-03 13508608]
"nwiz"="nwiz.exe" [2008-01-03 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-03 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]
"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 35328]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"Lexmark 7600 Series Fax Server"="c:\program files\Lexmark 7600 Series\fm3032.exe" [2008-09-10 311976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-09-02 738808]
c:\documents and settings\msobczak\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\msobczak\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-12-2 156160]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Documents and Settings\\msobczak\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\SeaMonkey\\seamonkey.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.2.20100729-1241\\win32\\x86\\notes2.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [11/2/2008 10:34 AM 66736]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [11/2/2008 10:10 AM 13696]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [11/29/2008 4:34 PM 8192]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [9/2/2010 7:26 AM 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [9/2/2010 7:26 AM 493048]
R2 Lotus Domino Diagnostics (CLotusDomino);Lotus Domino Diagnostics (CLotusDomino);c:\lotus\Domino\nsd.exe [11/4/2008 7:44 PM 3309568]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\notes\nsd.exe -svcinvoke -ini "c:\notes\notes.ini" --> c:\notes\nsd.exe -svcinvoke -ini c:\notes\notes.ini [?]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/12/2010 7:29 PM 135664]
S2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [10/11/2009 9:21 AM 98984]
S3 Lotus Domino Server (LotusDominodata);Lotus Domino Server (LotusDominodata);c:\lotus\Domino\nservice.exe [11/4/2008 7:46 PM 99720]
S3 pppop;PPPoP WAN Adapter;c:\windows\system32\DRIVERS\pppop.sys --> c:\windows\system32\DRIVERS\pppop.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [4/23/2007 4:11 PM 224896]
S3 Zope_-372241316;Zope instance at c:\program files\Plone\parts\instance;c:\program files\Plone\python\pythonservice.exe [9/7/2010 8:09 AM 8704]
.
Contents of the 'Scheduled Tasks' folder
2010-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 00:28]
2010-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 00:28]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Trusted Zone: sterlingbank.com\mail
DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://secure2.andersonsinc.com/,DanaInfo=andmail1.andent.andersonsinc.com,ST=1+/dwa85W.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure2.andersonsinc.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\msobczak\Application Data\Mozilla\Firefox\Profiles\5wwmed26.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(696)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
- - - - - - - > 'lsass.exe'(752)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
- - - - - - - > 'explorer.exe'(1064)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\system32\nview.dll
c:\documents and settings\msobczak\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\progra~1\Logitech\MOUSEW~1\SYSTEM\LgMousHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-09 13:45:46
ComboFix-quarantined-files.txt 2010-11-09 18:45
ComboFix2.txt 2010-11-07 14:44
Pre-Run: 59,152,023,552 bytes free
Post-Run: 59,133,296,640 bytes free
- - End Of File - - C2937C2471614D5CFF87E20796DA9B93
msobczak
2010-11-10, 06:11
I will run the scan first thing in the morning.
msobczak
2010-11-11, 05:15
I started the scan this morning. When I returned home in the evening, my computer had rebooted itself. When Windows finished loading, it said it had recovered from an error.
I tried running Kaspersky again, but it said my license is expired. Is that a one-time only scan?
Satchfan
2010-11-11, 18:24
msobczak
It won’t let you run another scan until you have deleted the old ActiveX download component. The easiest way to solve this is to close your browser and uninstall the program via Start, Control Panel, Add/Remove programs. When you have removed/uninstalled it, download and run it again.
When you reply with the scan result, please also include the quarantined-files.txt log as previously requested and let me know how your computer is running.
msobczak
2010-11-12, 03:41
I ran the program with Firefox, so there's no ActiveX control to uninstall. There's also nothing Kaspersky-related in Control Panel to uninstall.
Satchfan
2010-11-12, 14:26
Msobczak
I don’t know why you are having a problem with Kaspersky, but we’ll try a different scan.
Run ESET Online Scan
Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://www.eset.com/online-scanner)
1. Click the Eset online Scanner button.
2. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
• Click on esetinstaller.exe to download the ESET Smart Installer. Save it to your desktop.
• Double click on the Eset installer icon on your desktop.
3. Check Yes, I accept the Terms of Use
4. Click the Start button.
5. Accept any security warnings from your browser.
6. Check Scan archives
7. Push the Start button.
8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
9. When the scan completes, push List of found threats
10. Push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Note - when ESET doesn't find any threats, no report will be created.
11. Push the back button.
12. Push Finish
If a log has been produced post it in your next reply.
Please also include quarantined-files.txt and let me know how your computer is running.
Thanks
Satchfan
msobczak
2010-11-13, 14:38
C:\Documents and Settings\msobczak\Application Data\Sun\Java\Deployment\cache\6.0\51\578cd3b3-216e18ae a variant of Java/TrojanDownloader.OpenStream.NAU trojan
C:\Program Files\Logitech\Desktop Messenger\8876480\6.1.0.155-8876480L\Program\Restart.exe probably a variant of Win32/Agent.BRGLHTJ trojan
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090303-201218-209.dll Win32/Adware.Virtumonde.NEK application
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090303-201218-571.dll Win32/Adware.Virtumonde.NEK application
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP533\A0066615.dll a variant of Win32/Olmarik.AFZ trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP533\A0066616.dll a variant of Win32/Olmarik.AFZ trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP535\A0067156.dll a variant of Win32/Adware.AntiMalwarePro.AA application
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080262.sys Win32/Olmarik.AGD trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080335.sys Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080397.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080398.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080399.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080400.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080401.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080402.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080403.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080404.dll a variant of Win32/Kryptik.DNI trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080406.dll a variant of Win32/Kryptik.DQT trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080407.dll a variant of Win32/Kryptik.DQT trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080408.dll a variant of Win32/Kryptik.DQT trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080409.dll a variant of Win32/Kryptik.DQT trojan
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080410.dll a variant of Win32/Adware.SuperJuan.U application
C:\System Volume Information\_restore{D242A14B-1B9D-46C4-B604-2105E3716A41}\RP544\A0080412.dll a variant of Win32/Kryptik.DNI trojan
msobczak
2010-11-13, 14:39
2010-11-09 18:17:41 . 2010-11-09 18:17:41 0 ----a-w- C:\Qoobox\Quarantine\Replicators\Replicator_3.txt
2010-11-09 18:05:11 . 2010-11-09 18:36:45 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2010-11-07 14:43:52 . 2010-11-07 14:43:52 1,174 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{7B63B2922B174135AFC0E1377DD81EC2}.reg.dat
2010-11-03 22:35:00 . 2010-11-09 18:43:35 8,439 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-11-03 22:10:51 . 2010-11-09 18:35:44 408 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-08-06 17:05:53 . 2010-08-06 17:05:54 72,080 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\msobczak\g2mdlhlpx.exe.vir
2009-07-31 21:03:10 . 2010-09-29 19:55:32 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\etc\lmhosts.vir
2008-12-16 23:46:12 . 2010-02-06 14:15:29 87,608 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\msobczak\Application Data\inst.exe.vir
2008-12-14 17:19:26 . 2008-12-14 17:19:29 8 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\wiaserviv.log.vir
msobczak
2010-11-13, 14:40
I don't have trouble browsing like before. I haven't tried to run Spybot or Malware bytes again, though.
Satchfan
2010-11-14, 23:06
Revised post
msobczak
It appears that ComboFix and the online scan have cleaned things up well, but I’d like a couple more scans before giving you the all clear.
Run Malwarebytes’ Anti-Malware
Please open your MalwareBytes AntiMalware Program (If you no longer have it, you can download it from here (http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button))
Click the Update Tab and search for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- very important
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Run OTL
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scan box paste this in:
/md5start
cdrom.*
/md5stop
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so.
The scan won’t take long.
Logs to include:
Mbam.txt
OTL.txt
Satchfan
msobczak
2010-11-15, 03:27
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5117
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
11/14/2010 8:23:38 PM
mbam-log-2010-11-14 (20-23-38).txt
Scan type: Quick scan
Objects scanned: 150177
Time elapsed: 4 minute(s), 16 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
msobczak
2010-11-15, 05:12
OTL logfile created on: 11/14/2010 8:28:10 PM - Run 4
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\msobczak\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 82.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 58.61 Gb Free Space | 76.79% Space Free | Partition Type: NTFS
Drive D: | 279.46 Gb Total Space | 205.28 Gb Free Space | 73.46% Space Free | Partition Type: NTFS
Drive G: | 465.75 Gb Total Space | 12.99 Gb Free Space | 2.79% Space Free | Partition Type: NTFS
Computer Name: HOME-BIOSTAR | User Name: msobczak | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\msobczak\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
PRC - C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe (Check Point Software Technologies)
PRC - C:\notes\nsd.exe (IBM)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\WINDOWS\system32\lxdwcoms.exe ( )
PRC - C:\Lotus\Domino\nsd.exe (IBM Corp)
PRC - C:\Program Files\Lexmark 7600 Series\lxdwmon.exe ()
PRC - C:\Program Files\Lexmark 7600 Series\lxdwmsdmon.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe (HP)
PRC - C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE (Logitech Inc. )
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\msobczak\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (Check Point Software Technologies)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll (Microsoft Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\nview.dll ()
MOD - C:\WINDOWS\system32\nvwddi.dll (NVIDIA Corporation)
MOD - C:\Program Files\Logitech\MouseWare\system\LGMOUSHK.DLL (Logitech Inc. )
========== Win32 Services (SafeList) ==========
SRV - (McciCMService) -- C:\Program Files\Common Files\Motive\McciCMService.exe File not found
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe File not found
SRV - (vsmon) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
SRV - (IswSvc) -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe (Check Point Software Technologies)
SRV - (Lotus Notes Diagnostics) -- C:\Notes\nsd.exe (IBM)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (lxdw_device) -- C:\WINDOWS\System32\lxdwcoms.exe ( )
SRV - (lxdwCATSCustConnectService) -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe ()
SRV - (Zope_-372241316) -- C:\Program Files\Plone\python\PythonService.exe ()
SRV - (Lotus Domino Diagnostics (CLotusDomino)) Lotus Domino Diagnostics (CLotusDomino) -- C:\Lotus\Domino\nsd.exe (IBM Corp)
SRV - (Lotus Domino Server (LotusDominodata)) Lotus Domino Server (LotusDominodata) -- C:\Lotus\Domino\nservice.exe (IBM Corp)
========== Driver Services (SafeList) ==========
DRV - (pppop) -- C:\WINDOWS\System32\DRIVERS\pppop.sys File not found
DRV - (MRESP50a64) -- C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS File not found
DRV - (MRESP50) -- C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS File not found
DRV - (MREMP50a64) -- C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS File not found
DRV - (MREMP50) -- C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS File not found
DRV - (mcdbus) -- C:\WINDOWS\System32\DRIVERS\mcdbus.sys File not found
DRV - (catchme) -- C:\DOCUME~1\msobczak\LOCALS~1\Temp\catchme.sys File not found
DRV - (ISWKL) -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys (Check Point Software Technologies)
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Check Point Software Technologies LTD)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (BANTExt) -- C:\WINDOWS\System32\Drivers\BANTExt.sys ()
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (RTL8187B) -- C:\WINDOWS\system32\drivers\wg111v3.sys (Realtek Semiconductor Corporation )
DRV - (Pnp680) -- C:\WINDOWS\system32\DRIVERS\pnp680.sys (Silicon Image, Inc.)
DRV - (BS_I2cIo) -- C:\WINDOWS\system32\drivers\BS_I2cIo.sys (BIOSTAR Group)
DRV - (BIOS) -- C:\WINDOWS\system32\drivers\BIOS.sys (BIOSTAR Group)
DRV - (LMouFlt2) -- C:\WINDOWS\system32\drivers\LMouFlt2.sys (Logitech)
DRV - (LHidFlt2) -- C:\WINDOWS\system32\drivers\LHidFlt2.sys (Logitech)
DRV - (LKbdFlt2) -- C:\WINDOWS\system32\drivers\LKbdFlt2.sys (Logitech)
DRV - (PMEM) -- C:\WINDOWS\system32\drivers\PMEMNT.SYS (Microsoft Corporation)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZone.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..browser.search.defaultthis.engineName: "ZoneAlarm Security Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}"
FF - prefs.js..extensions.enabledItems: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}:2.1.106
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {FFB96CC1-7EB3-449D-B827-DB661701C6BB}:1.5.240.0
FF - prefs.js..network.proxy.type: 4
FF - HKLM\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2010/11/08 18:24:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/01 21:26:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/01 21:26:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\SeaMonkey 2.0.6\extensions\\Components: C:\Program Files\SeaMonkey\components [2010/08/19 07:40:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\SeaMonkey 2.0.6\extensions\\Plugins: C:\Program Files\SeaMonkey\plugins [2010/08/19 07:40:17 | 000,000,000 | ---D | M]
[2010/07/02 14:01:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Mozilla\Extensions
[2010/07/02 14:01:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\msobczak\Application Data\Mozilla\Extensions\{92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a}
[2010/01/08 10:30:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Mozilla\eclipse\extensions
[2010/11/11 19:52:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Mozilla\Firefox\Profiles\5wwmed26.default\extensions
[2010/09/02 05:44:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\msobczak\Application Data\Mozilla\Firefox\Profiles\5wwmed26.default\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
[2010/10/21 06:45:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Mozilla\SeaMonkey\Profiles\ymk4f6di.default\extensions
[2010/08/31 20:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Mozilla\SeaMonkey\Profiles\ymk4f6di.default\extensions\inspector@mozilla.org
[2010/08/19 21:08:14 | 000,000,939 | ---- | M] () -- C:\Documents and Settings\msobczak\Application Data\Mozilla\Firefox\Profiles\5wwmed26.default\searchplugins\conduit.xml
[2010/11/11 19:52:02 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/21 21:53:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2008/06/18 01:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2010/07/21 21:53:00 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
O1 HOSTS File: ([2010/11/03 17:53:34 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZone.dll (Conduit Ltd.)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZone.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Toolbar) - {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} - C:\Program Files\ZoneAlarm_Security\tbZone.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [EM_EXEC] C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE (Logitech Inc. )
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe (HP)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [Lexmark 7600 Series Fax Server] C:\Program Files\Lexmark 7600 Series\fm3032.exe ()
O4 - HKLM..\Run: [lxdwamon] C:\Program Files\Lexmark 7600 Series\lxdwamon.exe ()
O4 - HKLM..\Run: [lxdwmon.exe] C:\Program Files\Lexmark 7600 Series\lxdwmon.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10k_Plugin.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\msobczak\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\msobczak\Application Data\Dropbox\bin\Dropbox.exe ()
O4 - Startup: C:\Documents and Settings\msobczak\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: sterlingbank.com ([mail] https in Trusted sites)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} http://files.member.yahoo.com/dl/installs/sbc/yinst.cab (YInstStarter Class)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} https://mail.sterlingbank.com/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} https://secure2.andersonsinc.com/,DanaInfo=andmail1.andent.andersonsinc.com,ST=1+/dwa85W.cab (IBM Lotus iNotes 8.5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} http://quickplace.ebiztech.com/dwa7W.cab (Domino Web Access 7 Control)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://secure2.andersonsinc.com/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupSP1 Control)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://secure2.andersonsinc.com/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/17 09:59:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2010/11/12 15:11:12 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/11/12 15:09:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\msobczak\Local Settings\Application Data\Conduit
[2010/11/09 13:35:43 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/11/09 13:03:36 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/11/09 13:03:36 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/11/09 13:03:36 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/11/09 13:03:36 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/11/07 09:34:06 | 000,000,000 | ---D | C] -- C:\blah
[2010/11/03 17:54:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/11/03 17:15:18 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/11/03 17:07:50 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/10/31 20:05:37 | 000,000,000 | ---D | C] -- D:\Data\My Documents\NeroUser
[2010/10/31 20:03:17 | 000,000,000 | ---D | C] -- D:\Data\My Documents\PMP
[2010/10/31 12:13:03 | 000,000,000 | ---D | C] -- C:\Program Files\DVDFab 8
[2010/10/31 10:22:37 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\msobczak\Desktop\OTL.exe
[2010/10/24 12:17:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/10/24 11:27:53 | 000,000,000 | ---D | C] -- D:\Data\My Documents\ForceField Shared Files
[2010/10/24 11:27:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\msobczak\Application Data\CheckPoint
[2010/10/24 11:27:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\msobczak\Local Settings\Application Data\ZoneAlarm_Security
[2010/10/24 11:27:13 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2010/10/24 11:27:12 | 000,000,000 | ---D | C] -- C:\Program Files\ZoneAlarm_Security
[2010/10/24 11:26:44 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2010/10/24 11:26:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2010/10/24 11:26:33 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/10/24 09:59:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/10/24 09:58:57 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/10/23 21:40:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010/10/23 21:37:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
[2010/10/23 21:35:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/10/23 21:35:18 | 004,294,360 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\msobczak\Desktop\something.exe
[2010/10/23 21:23:33 | 009,578,056 | ---- | C] (SUPERAntiSpyware.com) -- C:\Documents and Settings\msobczak\Desktop\SUPERAntiSpyware.exe
[2010/10/23 20:56:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\msobczak\Application Data\AVP 2009
[2010/10/21 07:22:58 | 000,000,000 | ---D | C] -- C:\cports
[2010/10/21 07:09:50 | 003,887,480 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\procexp.exe
[2009/10/11 09:21:04 | 000,409,600 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcoin.dll
[2009/10/11 09:16:52 | 001,069,056 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwserv.dll
[2009/10/11 09:16:52 | 000,860,160 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwusb1.dll
[2009/10/11 09:16:52 | 000,651,264 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwpmui.dll
[2009/10/11 09:16:52 | 000,446,464 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDWhcp.dll
[2009/10/11 09:16:52 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwinpa.dll
[2009/10/11 09:16:52 | 000,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwiesc.dll
[2009/10/11 09:16:51 | 000,761,856 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomc.dll
[2009/10/11 09:16:51 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwhbn3.dll
[2009/10/11 09:16:51 | 000,577,536 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwlmpm.dll
[2009/10/11 09:16:51 | 000,376,832 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomm.dll
[2008/12/16 18:46:12 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\msobczak\Application Data\pcouffin.sys
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2010/11/14 09:43:00 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/12 22:43:03 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/10 19:31:56 | 000,000,104 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/11/10 19:31:44 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/10 07:32:16 | 000,035,636 | ---- | M] () -- C:\WINDOWS\vpd.properties
[2010/11/10 07:32:16 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\msobczak\.WASRegistry
[2010/11/10 07:27:50 | 000,000,162 | ---- | M] () -- C:\WINDOWS\.nifregistry
[2010/11/09 13:02:38 | 003,906,966 | R--- | M] () -- C:\Documents and Settings\msobczak\Desktop\ComboFix.exe
[2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2010/11/07 09:00:32 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/11/03 17:53:34 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/11/03 17:15:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/11/03 17:06:24 | 003,901,988 | R--- | M] () -- C:\Documents and Settings\msobczak\Desktop\blah.exe
[2010/11/01 11:13:56 | 006,492,160 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2010/11/01 11:13:56 | 003,156,992 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2010/10/31 12:13:13 | 000,000,695 | ---- | M] () -- C:\Documents and Settings\msobczak\Application Data\Microsoft\Internet Explorer\Quick Launch\DVDFab 8.lnk
[2010/10/31 12:13:13 | 000,000,677 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\DVDFab 8.lnk
[2010/10/31 11:29:20 | 000,019,973 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\OTL_scan.zip
[2010/10/31 11:29:02 | 000,005,035 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\Gmer_scan.zip
[2010/10/31 11:28:44 | 000,286,404 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\Gmer.zip
[2010/10/31 10:22:43 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\msobczak\Desktop\OTL.exe
[2010/10/24 11:28:10 | 000,421,442 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/10/24 11:26:43 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/10/24 11:26:42 | 000,000,738 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\ZoneAlarm Security.lnk
[2010/10/24 10:00:54 | 000,545,280 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\dds.scr
[2010/10/24 09:59:06 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\msobczak\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/10/24 09:58:57 | 000,000,599 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\ERUNT.lnk
[2010/10/23 22:23:13 | 000,000,721 | ---- | M] () -- C:\Documents and Settings\msobczak\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/10/23 22:23:13 | 000,000,703 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/23 21:35:38 | 004,294,360 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\msobczak\Desktop\something.exe
[2010/10/23 21:24:44 | 009,578,056 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\msobczak\Desktop\SUPERAntiSpyware.exe
[2010/10/23 21:21:31 | 000,364,032 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\rkill.scr
[2010/10/21 07:29:50 | 000,000,501 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\Shortcut to cports.exe.lnk
[2010/10/21 07:11:37 | 005,505,024 | ---- | M] () -- D:\Data\My Documents\Tooling.nsf
[2010/10/21 07:10:14 | 000,000,415 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\procexp.exe.lnk
[2010/10/19 15:00:08 | 000,294,912 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\gmer.exe
[2010/10/19 06:29:50 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
========== Files Created - No Company Name ==========
[2010/11/09 13:03:36 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/11/09 13:03:36 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/11/09 13:03:36 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/11/09 13:03:36 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/11/09 13:03:36 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/11/09 13:02:08 | 003,906,966 | R--- | C] () -- C:\Documents and Settings\msobczak\Desktop\ComboFix.exe
[2010/11/03 17:15:23 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/11/03 17:15:21 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/11/03 17:01:53 | 003,901,988 | R--- | C] () -- C:\Documents and Settings\msobczak\Desktop\blah.exe
[2010/10/31 12:13:13 | 000,000,695 | ---- | C] () -- C:\Documents and Settings\msobczak\Application Data\Microsoft\Internet Explorer\Quick Launch\DVDFab 8.lnk
[2010/10/31 12:13:13 | 000,000,677 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\DVDFab 8.lnk
[2010/10/31 11:29:20 | 000,019,973 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\OTL_scan.zip
[2010/10/31 11:29:02 | 000,005,035 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\Gmer_scan.zip
[2010/10/31 10:50:46 | 000,294,912 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\gmer.exe
[2010/10/31 10:49:55 | 000,286,404 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\Gmer.zip
[2010/10/24 11:26:42 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\ZoneAlarm Security.lnk
[2010/10/24 11:26:34 | 000,421,442 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/10/24 10:18:29 | 000,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2010/10/24 10:00:53 | 000,545,280 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\dds.scr
[2010/10/24 09:59:06 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\msobczak\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/10/24 09:58:57 | 000,000,599 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\ERUNT.lnk
[2010/10/23 22:23:13 | 000,000,721 | ---- | C] () -- C:\Documents and Settings\msobczak\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/10/23 21:21:30 | 000,364,032 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\rkill.scr
[2010/10/21 07:29:50 | 000,000,501 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\Shortcut to cports.exe.lnk
[2010/10/21 07:10:03 | 000,000,415 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\procexp.exe.lnk
[2010/10/21 07:01:14 | 005,505,024 | ---- | C] () -- D:\Data\My Documents\Tooling.nsf
[2010/10/17 10:43:38 | 000,743,737 | ---- | C] () -- D:\Data\My Documents\100_1225.jpg
[2010/08/29 18:32:07 | 000,006,914 | ---- | C] () -- C:\Documents and Settings\msobczak\Local Settings\Application Data\rational_state.log
[2009/10/11 09:21:07 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdwvs.dll
[2009/10/11 09:20:18 | 001,036,288 | ---- | C] () -- C:\WINDOWS\System32\lxdwdrs.dll
[2009/10/11 09:20:18 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\lxdwcaps.dll
[2009/10/11 09:20:18 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdwcnv4.dll
[2009/10/11 09:20:03 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXDWPMON.DLL
[2009/10/11 09:20:03 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXDWFXPU.DLL
[2009/10/11 09:19:43 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\lxdwoem.dll
[2009/10/11 09:17:46 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxdwrwrd.ini
[2009/10/11 09:16:52 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\LXDWinst.dll
[2009/10/11 09:16:51 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdwgrd.dll
[2009/07/13 16:18:51 | 000,000,446 | ---- | C] () -- C:\Documents and Settings\msobczak\Application Data\JuniperExtXP.log
[2009/01/27 11:00:27 | 000,000,023 | ---- | C] () -- C:\Documents and Settings\msobczak\Local Settings\Application Data\kodakpcd.ini
[2008/12/16 18:46:12 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\msobczak\Application Data\pcouffin.cat
[2008/12/16 18:46:12 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\msobczak\Application Data\pcouffin.inf
[2008/12/16 18:46:12 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\msobczak\Application Data\pcouffin.log
[2008/12/12 13:23:16 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2008/12/02 23:05:41 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS75.DLL
[2008/12/02 22:03:22 | 000,000,102 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2008/12/02 21:50:20 | 000,109,056 | ---- | C] () -- C:\WINDOWS\System32\LGUICOM.DLL
[2008/12/02 21:50:20 | 000,000,488 | ---- | C] () -- C:\WINDOWS\Cmousecc.ini
[2008/11/30 19:27:16 | 000,000,141 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/11/29 14:58:56 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/11/04 19:31:53 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/11/03 19:44:47 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2008/11/03 19:32:32 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2008/10/18 11:21:02 | 000,796,048 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
[2008/10/17 02:00:16 | 000,004,324 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/01/03 17:26:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/01/03 17:26:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/01/03 17:26:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/01/03 17:26:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/01/03 17:26:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/06/30 13:15:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[1999/03/09 23:23:00 | 000,222,928 | ---- | C] () -- C:\WINDOWS\System32\lobas09.dll
[1999/01/22 11:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/13 11:52:30 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\lotrn13.dll
[1997/11/13 23:23:00 | 000,031,008 | ---- | C] () -- C:\WINDOWS\System32\ivtrn09.dll
[1997/02/01 23:23:00 | 000,000,058 | ---- | C] () -- C:\WINDOWS\loss613.ini
[1997/02/01 23:23:00 | 000,000,058 | ---- | C] () -- C:\WINDOWS\loss09.ini
[1996/07/08 23:23:00 | 000,000,038 | ---- | C] () -- C:\WINDOWS\loidp13.ini
[1994/07/24 23:23:00 | 000,014,928 | ---- | C] () -- C:\WINDOWS\System32\wingen.drv
[1994/04/06 23:23:00 | 000,000,462 | ---- | C] () -- C:\WINDOWS\lodbf13.ini
========== LOP Check ==========
[2009/10/11 09:19:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\7600 Series
[2010/10/24 12:17:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2008/12/02 23:05:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/11/10 07:54:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IBM
[2010/09/29 14:53:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
[2010/02/17 14:01:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lexmark 7600 Series
[2010/01/08 10:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lotus
[2008/10/18 11:21:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2010/10/23 21:35:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2008/11/29 22:51:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2009/10/11 10:19:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ThumbnailCache4R
[2010/08/19 07:30:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/11/25 06:23:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/09/07 13:07:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/10/11 11:55:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\7600 Series
[2010/10/23 21:33:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\AVP 2009
[2010/10/24 11:27:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\CheckPoint
[2010/11/10 19:33:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Dropbox
[2010/02/03 13:48:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Juniper Networks
[2008/12/02 22:03:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Leadertech
[2009/10/11 10:17:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Lexmark Productivity Studio
[2010/01/08 10:26:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Lotus
[2010/08/26 14:26:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Rational
[2008/12/03 23:13:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Skinux
[2010/09/08 15:50:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\TeamViewer
[2010/10/19 20:40:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\uTorrent
[2008/11/04 19:34:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Visio
[2010/10/31 12:13:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Vso
========== Purity Check ==========
========== Custom Scans ==========
< MD5 for: CDROM.CFG >
[2004/11/02 14:54:32 | 000,238,909 | ---- | M] () MD5=9843F9599093C944878DC78BF2DFA634 -- C:\Program Files\Nero\Nero 7\Core\CDROM.CFG
[2004/11/02 14:54:32 | 000,238,909 | ---- | M] () MD5=9843F9599093C944878DC78BF2DFA634 -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NeroFiles\CDROM.CFG
< MD5 for: CDROM.DLL >
[2007/01/12 20:42:04 | 000,262,144 | ---- | M] (Nero AG) MD5=8A706BFE5DC457FE2018A4D980139715 -- C:\Program Files\Nero\Nero 7\Core\CDROM.dll
[2006/10/27 18:26:24 | 000,258,048 | ---- | M] (Nero AG) MD5=A7C58016B8327BA271AE3AFF010EA8F1 -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NeroFiles\CDROM.dll
< MD5 for: CDROM.INF >
[2008/04/13 22:57:52 | 000,035,450 | ---- | M] () MD5=9BAA6F3637647C25A05F0AC694F5C5E6 -- C:\WINDOWS\inf\cdrom.inf
< MD5 for: CDROM.PNF >
[2008/10/21 10:20:28 | 000,056,516 | ---- | M] () MD5=259D643D42910A938E3E7A6B372C6C3B -- C:\WINDOWS\inf\cdrom.PNF
< MD5 for: CDROM.PNG >
[2007/11/12 10:33:32 | 000,000,931 | ---- | M] () MD5=6A09A46C3CD6F8A392DFF593A8FD8517 -- C:\Program Files\Plone\python\Lib\site-packages\wx-2.8-msw-ansi\wx\tools\Editra\pixmaps\theme\Tango\menu\cdrom.png
< MD5 for: CDROM.SY_ >
[2004/08/03 21:59:54 | 000,024,812 | ---- | M] () MD5=AC59EC774E0092BE96B6F012F391F002 -- C:\cmdcons\CDROM.SY_
< MD5 for: CDROM.SYS >
[2008/04/14 01:10:48 | 000,062,976 | ---- | M] (Microsoft Corporation) MD5=1F4260CC5B42272D71F79E570A27A4FE -- C:\WINDOWS\$NtUninstallKB932716-v2$\cdrom.sys
[2008/05/02 05:49:39 | 000,062,976 | ---- | M] (Microsoft Corporation) MD5=4B0A100EAF5C49EF3CCA8C641431EACC -- C:\WINDOWS\Driver Cache\i386\cdrom.sys
[2008/05/02 05:49:39 | 000,062,976 | ---- | M] (Microsoft Corporation) MD5=4B0A100EAF5C49EF3CCA8C641431EACC -- C:\WINDOWS\system32\dllcache\cdrom.sys
[2008/05/02 05:49:39 | 000,062,976 | ---- | M] (Microsoft Corporation) MD5=4B0A100EAF5C49EF3CCA8C641431EACC -- C:\WINDOWS\system32\drivers\cdrom.sys
< End of report >
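A note on the custom MD5 scan above, with an added example that is not part of this thread or of OTL. The point of listing every copy of cdrom.sys is to compare the driver Windows actually loads (system32\drivers) against the reference copies Windows File Protection keeps in system32\dllcache and Driver Cache\i386: a loaded driver whose hash matches none of them is how a patched system driver shows up in this kind of log. Simply seeing several different hashes under one file name is not enough, since the $NtUninstall* folders keep older versions and Nero ships its own CDROM.dll. The Python below parses that section (the line format is inferred from the lines posted above, so the regex is an assumption) and runs both checks over an excerpt of the scan plus a constructed tampered variant.

```python
"""Check the '< MD5 for: ... >' section of an OTL log for a loaded driver
whose hash differs from every Windows File Protection reference copy.
Added example; not code from this thread or from OTL. The line format
below is inferred from the posted log (assumption)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
# [date time | size | attrs | M/C] (company) MD5=hex -- path
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>\S+) \| (?P<flag>\w)\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)
# Where WFP keeps reference copies, and where the kernel loads drivers from.
CACHE_MARKERS = ("\\system32\\dllcache\\", "\\driver cache\\i386\\")
LIVE_MARKERS = ("\\system32\\drivers\\",)


@dataclass(frozen=True)
class Entry:
    name: str
    path: str
    md5: str
    size: int
    company: str


def parse_md5_scan(text: str) -> Dict[str, List[Entry]]:
    """Group MD5 entries by the file name in their '< MD5 for: >' header."""
    groups: Dict[str, List[Entry]] = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "< End of report >":
            break
        h = HEADER_RE.match(line)
        if h:
            current = h.group("name").upper()
            groups.setdefault(current, [])  # keep the group even if it stays empty
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            groups[current].append(Entry(
                current, m.group("path"), m.group("md5").upper(),
                int(m.group("size").replace(",", "")), m.group("company").strip()))
    return dict(groups)


def _under(path: str, markers: Tuple[str, ...]) -> bool:
    low = path.lower()
    return any(mk in low for mk in markers)


def find_live_cache_mismatches(groups):
    """(name, live_path, live_md5, cache_md5s) for each loaded driver copy
    whose hash matches none of the WFP reference copies of the same file."""
    findings = []
    for name, entries in groups.items():
        cache = {e.md5 for e in entries if _under(e.path, CACHE_MARKERS)}
        if not cache:
            continue  # no reference copy on disk: nothing to compare against
        for e in entries:
            if _under(e.path, LIVE_MARKERS) and e.md5 not in cache:
                findings.append((name, e.path, e.md5, sorted(cache)))
    return findings


def distinct_hashes(groups):
    """Every hash seen per file name; noisy on its own, because uninstall
    backups and third-party copies legitimately differ from the live file."""
    return {n: sorted({e.md5 for e in es}) for n, es in groups.items()}


# Excerpt of the custom scan posted above (real lines from this thread).
SAMPLE_FROM_LOG = r"""
< MD5 for: CDROM.DLL >
[2007/01/12 20:42:04 | 000,262,144 | ---- | M] (Nero AG) MD5=8A706BFE5DC457FE2018A4D980139715 -- C:\Program Files\Nero\Nero 7\Core\CDROM.dll
[2006/10/27 18:26:24 | 000,258,048 | ---- | M] (Nero AG) MD5=A7C58016B8327BA271AE3AFF010EA8F1 -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NeroFiles\CDROM.dll
< MD5 for: CDROM.SYS >
[2008/04/14 01:10:48 | 000,062,976 | ---- | M] (Microsoft Corporation) MD5=1F4260CC5B42272D71F79E570A27A4FE -- C:\WINDOWS\$NtUninstallKB932716-v2$\cdrom.sys
[2008/05/02 05:49:39 | 000,062,976 | ---- | M] (Microsoft Corporation) MD5=4B0A100EAF5C49EF3CCA8C641431EACC -- C:\WINDOWS\Driver Cache\i386\cdrom.sys
[2008/05/02 05:49:39 | 000,062,976 | ---- | M] (Microsoft Corporation) MD5=4B0A100EAF5C49EF3CCA8C641431EACC -- C:\WINDOWS\system32\dllcache\cdrom.sys
[2008/05/02 05:49:39 | 000,062,976 | ---- | M] (Microsoft Corporation) MD5=4B0A100EAF5C49EF3CCA8C641431EACC -- C:\WINDOWS\system32\drivers\cdrom.sys
< End of report >
"""

# Constructed negative case (not from the thread): the loaded copy has been
# replaced, so its hash matches no cached reference copy. Hash is a placeholder.
TAMPERED_SAMPLE = r"""
< MD5 for: CDROM.SYS >
[2008/05/02 05:49:39 | 000,062,976 | ---- | M] (Microsoft Corporation) MD5=4B0A100EAF5C49EF3CCA8C641431EACC -- C:\WINDOWS\system32\dllcache\cdrom.sys
[2010/11/03 17:10:00 | 000,062,976 | ---- | M] (Microsoft Corporation) MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- C:\WINDOWS\system32\drivers\cdrom.sys
< End of report >
"""

if __name__ == "__main__":
    for label, text in (("thread log", SAMPLE_FROM_LOG), ("tampered", TAMPERED_SAMPLE)):
        print(label, find_live_cache_mismatches(parse_md5_scan(text)))
```

On the scan posted above this comes back clean: the Driver Cache, dllcache and system32\drivers copies of cdrom.sys all share 4B0A100EAF5C49EF3CCA8C641431EACC, and the only differing copy is the KB932716 uninstall backup, which is expected. The constructed sample shows what a replaced driver would look like in the same output.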
Satchfan
2010-11-15, 14:56
msobczak
Although Eset found quite a few infections, not all were dealt with, but don't worry: the remaining ones will be removed when we clear up the tools you have been using.
Run OTL
Double click on the icon to run it.
Copy/paste ALL the following text written inside the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
[2010/10/23 21:33:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\AVP 2009
:Commands
[purity]
[emptytemp]
[Reboot]
Then click the Run Fix button at the top
Let the program run unhindered and reboot when it is done.
Then post a new OTL log (don't check the boxes beside LOP Check or Purity this time)
Please post back with the log and let me know if you are having any problems now.
Satchfan
msobczak
2010-11-16, 01:20
All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
C:\Documents and Settings\msobczak\Application Data\AVP 2009 folder moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: LocalService
->Temp folder emptied: 989880 bytes
->Temporary Internet Files folder emptied: 111826 bytes
User: msobczak
->Temp folder emptied: 112722665 bytes
->Temporary Internet Files folder emptied: 8872541 bytes
->Java cache emptied: 6408397 bytes
->FireFox cache emptied: 66106908 bytes
->Flash cache emptied: 26207 bytes
User: NetworkService
->Temp folder emptied: 1989832 bytes
->Temporary Internet Files folder emptied: 67 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 7103 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1136609 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 3531596115 bytes
Total Files Cleaned = 3,559.00 mb
OTL by OldTimer - Version 3.2.17.1 log created on 11152010_180750
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...
msobczak
2010-11-16, 01:21
OTL logfile created on: 11/15/2010 6:16:57 PM - Run 5
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\msobczak\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 83.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 58.68 Gb Free Space | 76.89% Space Free | Partition Type: NTFS
Drive D: | 279.46 Gb Total Space | 205.27 Gb Free Space | 73.45% Space Free | Partition Type: NTFS
Drive G: | 465.75 Gb Total Space | 16.26 Gb Free Space | 3.49% Space Free | Partition Type: NTFS
Computer Name: HOME-BIOSTAR | User Name: msobczak | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\msobczak\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
PRC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
PRC - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
PRC - C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe (Check Point Software Technologies)
PRC - C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
PRC - C:\notes\nsd.exe (IBM)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Documents and Settings\msobczak\Application Data\Dropbox\bin\Dropbox.exe ()
PRC - C:\WINDOWS\system32\lxdwcoms.exe ( )
PRC - C:\Lotus\Domino\nsd.exe (IBM Corp)
PRC - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
PRC - C:\Program Files\Lexmark 7600 Series\lxdwmon.exe ()
PRC - C:\Program Files\Lexmark 7600 Series\lxdwmsdmon.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe (HP)
PRC - C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE (Logitech Inc. )
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\msobczak\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (Check Point Software Technologies)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll (Microsoft Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\nview.dll ()
MOD - C:\WINDOWS\system32\nvwddi.dll (NVIDIA Corporation)
MOD - C:\Program Files\Logitech\MouseWare\system\LGMOUSHK.DLL (Logitech Inc. )
========== Win32 Services (SafeList) ==========
SRV - (McciCMService) -- C:\Program Files\Common Files\Motive\McciCMService.exe File not found
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe File not found
SRV - (vsmon) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
SRV - (IswSvc) -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe (Check Point Software Technologies)
SRV - (Lotus Notes Diagnostics) -- C:\Notes\nsd.exe (IBM)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (lxdw_device) -- C:\WINDOWS\System32\lxdwcoms.exe ( )
SRV - (lxdwCATSCustConnectService) -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe ()
SRV - (Zope_-372241316) -- C:\Program Files\Plone\python\PythonService.exe ()
SRV - (Lotus Domino Diagnostics (CLotusDomino)) Lotus Domino Diagnostics (CLotusDomino) -- C:\Lotus\Domino\nsd.exe (IBM Corp)
SRV - (Lotus Domino Server (LotusDominodata)) Lotus Domino Server (LotusDominodata) -- C:\Lotus\Domino\nservice.exe (IBM Corp)
========== Driver Services (SafeList) ==========
DRV - (pppop) -- C:\WINDOWS\System32\DRIVERS\pppop.sys File not found
DRV - (MRESP50a64) -- C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS File not found
DRV - (MRESP50) -- C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS File not found
DRV - (MREMP50a64) -- C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS File not found
DRV - (MREMP50) -- C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS File not found
DRV - (mcdbus) -- C:\WINDOWS\System32\DRIVERS\mcdbus.sys File not found
DRV - (catchme) -- C:\DOCUME~1\msobczak\LOCALS~1\Temp\catchme.sys File not found
DRV - (ISWKL) -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys (Check Point Software Technologies)
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Check Point Software Technologies LTD)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (BANTExt) -- C:\WINDOWS\System32\Drivers\BANTExt.sys ()
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (RTL8187B) -- C:\WINDOWS\system32\drivers\wg111v3.sys (Realtek Semiconductor Corporation )
DRV - (Pnp680) -- C:\WINDOWS\system32\DRIVERS\pnp680.sys (Silicon Image, Inc.)
DRV - (BS_I2cIo) -- C:\WINDOWS\system32\drivers\BS_I2cIo.sys (BIOSTAR Group)
DRV - (BIOS) -- C:\WINDOWS\system32\drivers\BIOS.sys (BIOSTAR Group)
DRV - (LMouFlt2) -- C:\WINDOWS\system32\drivers\LMouFlt2.sys (Logitech)
DRV - (LHidFlt2) -- C:\WINDOWS\system32\drivers\LHidFlt2.sys (Logitech)
DRV - (LKbdFlt2) -- C:\WINDOWS\system32\drivers\LKbdFlt2.sys (Logitech)
DRV - (PMEM) -- C:\WINDOWS\system32\drivers\PMEMNT.SYS (Microsoft Corporation)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZone.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..browser.search.defaultthis.engineName: "ZoneAlarm Security Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}"
FF - prefs.js..extensions.enabledItems: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}:2.1.106
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {FFB96CC1-7EB3-449D-B827-DB661701C6BB}:1.5.240.0
FF - prefs.js..network.proxy.type: 4
FF - HKLM\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2010/11/08 18:24:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/01 21:26:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/01 21:26:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\SeaMonkey 2.0.6\extensions\\Components: C:\Program Files\SeaMonkey\components [2010/08/19 07:40:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\SeaMonkey 2.0.6\extensions\\Plugins: C:\Program Files\SeaMonkey\plugins [2010/08/19 07:40:17 | 000,000,000 | ---D | M]
[2010/07/02 14:01:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Mozilla\Extensions
[2010/07/02 14:01:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\msobczak\Application Data\Mozilla\Extensions\{92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a}
[2010/01/08 10:30:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Mozilla\eclipse\extensions
[2010/11/15 07:50:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Mozilla\Firefox\Profiles\5wwmed26.default\extensions
[2010/09/02 05:44:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\msobczak\Application Data\Mozilla\Firefox\Profiles\5wwmed26.default\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
[2010/10/21 06:45:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Mozilla\SeaMonkey\Profiles\ymk4f6di.default\extensions
[2010/08/31 20:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\msobczak\Application Data\Mozilla\SeaMonkey\Profiles\ymk4f6di.default\extensions\inspector@mozilla.org
[2010/08/19 21:08:14 | 000,000,939 | ---- | M] () -- C:\Documents and Settings\msobczak\Application Data\Mozilla\Firefox\Profiles\5wwmed26.default\searchplugins\conduit.xml
[2010/11/15 07:50:03 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/21 21:53:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2008/06/18 01:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2010/07/21 21:53:00 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
O1 HOSTS File: ([2010/11/03 17:53:34 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZone.dll (Conduit Ltd.)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZone.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Toolbar) - {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} - C:\Program Files\ZoneAlarm_Security\tbZone.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [EM_EXEC] C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE (Logitech Inc. )
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe (HP)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [Lexmark 7600 Series Fax Server] C:\Program Files\Lexmark 7600 Series\fm3032.exe ()
O4 - HKLM..\Run: [lxdwamon] C:\Program Files\Lexmark 7600 Series\lxdwamon.exe ()
O4 - HKLM..\Run: [lxdwmon.exe] C:\Program Files\Lexmark 7600 Series\lxdwmon.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\msobczak\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\msobczak\Application Data\Dropbox\bin\Dropbox.exe ()
O4 - Startup: C:\Documents and Settings\msobczak\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: sterlingbank.com ([mail] https in Trusted sites)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} http://files.member.yahoo.com/dl/installs/sbc/yinst.cab (YInstStarter Class)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} https://mail.sterlingbank.com/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} https://secure2.andersonsinc.com/,DanaInfo=andmail1.andent.andersonsinc.com,ST=1+/dwa85W.cab (IBM Lotus iNotes 8.5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} http://quickplace.ebiztech.com/dwa7W.cab (Domino Web Access 7 Control)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://secure2.andersonsinc.com/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupSP1 Control)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://secure2.andersonsinc.com/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/17 09:59:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2010/11/15 18:07:50 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/11/15 07:40:11 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/11/12 15:11:12 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/11/12 15:09:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\msobczak\Local Settings\Application Data\Conduit
[2010/11/09 13:35:43 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/11/09 13:03:36 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/11/09 13:03:36 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/11/09 13:03:36 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/11/09 13:03:36 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/11/07 09:34:06 | 000,000,000 | ---D | C] -- C:\blah
[2010/11/03 17:54:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/11/03 17:15:18 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/11/03 17:07:50 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/10/31 20:05:37 | 000,000,000 | ---D | C] -- D:\Data\My Documents\NeroUser
[2010/10/31 20:03:17 | 000,000,000 | ---D | C] -- D:\Data\My Documents\PMP
[2010/10/31 12:13:03 | 000,000,000 | ---D | C] -- C:\Program Files\DVDFab 8
[2010/10/31 10:22:37 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\msobczak\Desktop\OTL.exe
[2010/10/24 12:17:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/10/24 11:27:53 | 000,000,000 | ---D | C] -- D:\Data\My Documents\ForceField Shared Files
[2010/10/24 11:27:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\msobczak\Application Data\CheckPoint
[2010/10/24 11:27:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\msobczak\Local Settings\Application Data\ZoneAlarm_Security
[2010/10/24 11:27:13 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2010/10/24 11:27:12 | 000,000,000 | ---D | C] -- C:\Program Files\ZoneAlarm_Security
[2010/10/24 11:26:44 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2010/10/24 11:26:41 | 000,058,368 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsregexp.dll
[2010/10/24 11:26:40 | 000,103,936 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcommdb.dll
[2010/10/24 11:26:40 | 000,069,120 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcomm.dll
[2010/10/24 11:26:35 | 001,238,528 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zpeng25.dll
[2010/10/24 11:26:35 | 000,110,080 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsxml.dll
[2010/10/24 11:26:35 | 000,043,008 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vswmi.dll
[2010/10/24 11:26:34 | 000,532,224 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys
[2010/10/24 11:26:34 | 000,302,592 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vspubapi.dll
[2010/10/24 11:26:34 | 000,108,032 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsmonapi.dll
[2010/10/24 11:26:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2010/10/24 11:26:33 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/10/24 11:25:45 | 000,714,240 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsutil.dll
[2010/10/24 11:25:45 | 000,228,352 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsinit.dll
[2010/10/24 11:25:45 | 000,112,128 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdata.dll
[2010/10/24 09:59:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/10/24 09:58:57 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/10/23 21:40:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010/10/23 21:37:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
[2010/10/23 21:35:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/10/23 21:35:18 | 004,294,360 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\msobczak\Desktop\something.exe
[2010/10/23 21:23:33 | 009,578,056 | ---- | C] (SUPERAntiSpyware.com) -- C:\Documents and Settings\msobczak\Desktop\SUPERAntiSpyware.exe
[2010/10/23 21:23:13 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\msobczak\Desktop\ATF-Cleaner.exe
[2010/10/21 07:22:58 | 000,000,000 | ---D | C] -- C:\cports
[2010/10/21 07:09:50 | 003,887,480 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\procexp.exe
[2009/10/11 09:21:04 | 000,409,600 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcoin.dll
[2009/10/11 09:16:52 | 001,069,056 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwserv.dll
[2009/10/11 09:16:52 | 000,860,160 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwusb1.dll
[2009/10/11 09:16:52 | 000,651,264 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwpmui.dll
[2009/10/11 09:16:52 | 000,446,464 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDWhcp.dll
[2009/10/11 09:16:52 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwinpa.dll
[2009/10/11 09:16:52 | 000,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwiesc.dll
[2009/10/11 09:16:51 | 000,761,856 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomc.dll
[2009/10/11 09:16:51 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwhbn3.dll
[2009/10/11 09:16:51 | 000,577,536 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwlmpm.dll
[2009/10/11 09:16:51 | 000,376,832 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomm.dll
[2008/12/16 18:46:12 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\msobczak\Application Data\pcouffin.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2010/11/15 18:12:27 | 000,000,104 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/11/15 18:11:46 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/15 18:11:39 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/15 09:43:00 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/15 07:35:47 | 000,077,312 | ---- | M] () -- D:\Data\My Documents\100_0952_Eric2.jpg
[2010/11/15 07:35:47 | 000,073,824 | ---- | M] () -- D:\Data\My Documents\100_0951_Eric3.jpg
[2010/11/15 07:35:46 | 000,068,228 | ---- | M] () -- D:\Data\My Documents\100_0950_1Eric.jpg
[2010/11/10 07:32:16 | 000,035,636 | ---- | M] () -- C:\WINDOWS\vpd.properties
[2010/11/10 07:32:16 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\msobczak\.WASRegistry
[2010/11/10 07:27:50 | 000,000,162 | ---- | M] () -- C:\WINDOWS\.nifregistry
[2010/11/09 13:02:38 | 003,906,966 | R--- | M] () -- C:\Documents and Settings\msobczak\Desktop\ComboFix.exe
[2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2010/11/07 09:00:32 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/11/03 17:53:34 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/11/03 17:15:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/11/03 17:06:24 | 003,901,988 | R--- | M] () -- C:\Documents and Settings\msobczak\Desktop\blah.exe
[2010/11/01 11:13:56 | 006,492,160 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2010/11/01 11:13:56 | 003,156,992 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2010/10/31 12:13:13 | 000,000,695 | ---- | M] () -- C:\Documents and Settings\msobczak\Application Data\Microsoft\Internet Explorer\Quick Launch\DVDFab 8.lnk
[2010/10/31 12:13:13 | 000,000,677 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\DVDFab 8.lnk
[2010/10/31 11:29:20 | 000,019,973 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\OTL_scan.zip
[2010/10/31 11:29:02 | 000,005,035 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\Gmer_scan.zip
[2010/10/31 11:28:44 | 000,286,404 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\Gmer.zip
[2010/10/31 10:22:43 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\msobczak\Desktop\OTL.exe
[2010/10/24 11:28:10 | 000,421,442 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/10/24 11:26:43 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/10/24 11:26:42 | 000,000,738 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\ZoneAlarm Security.lnk
[2010/10/24 10:00:54 | 000,545,280 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\dds.scr
[2010/10/24 09:59:06 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\msobczak\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/10/24 09:58:57 | 000,000,599 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\ERUNT.lnk
[2010/10/23 22:23:13 | 000,000,721 | ---- | M] () -- C:\Documents and Settings\msobczak\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/10/23 22:23:13 | 000,000,703 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/23 21:35:38 | 004,294,360 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\msobczak\Desktop\something.exe
[2010/10/23 21:24:44 | 009,578,056 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\msobczak\Desktop\SUPERAntiSpyware.exe
[2010/10/23 21:23:13 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\msobczak\Desktop\ATF-Cleaner.exe
[2010/10/23 21:21:31 | 000,364,032 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\rkill.scr
[2010/10/21 07:29:50 | 000,000,501 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\Shortcut to cports.exe.lnk
[2010/10/21 07:11:37 | 005,505,024 | ---- | M] () -- D:\Data\My Documents\Tooling.nsf
[2010/10/21 07:10:14 | 000,000,415 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\procexp.exe.lnk
[2010/10/19 15:00:08 | 000,294,912 | ---- | M] () -- C:\Documents and Settings\msobczak\Desktop\gmer.exe
[2010/10/19 06:29:50 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
========== Files Created - No Company Name ==========
[2010/11/09 13:03:36 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/11/09 13:03:36 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/11/09 13:03:36 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/11/09 13:03:36 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/11/09 13:03:36 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/11/09 13:02:08 | 003,906,966 | R--- | C] () -- C:\Documents and Settings\msobczak\Desktop\ComboFix.exe
[2010/11/03 17:15:23 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/11/03 17:15:21 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/11/03 17:01:53 | 003,901,988 | R--- | C] () -- C:\Documents and Settings\msobczak\Desktop\blah.exe
[2010/10/31 12:13:13 | 000,000,695 | ---- | C] () -- C:\Documents and Settings\msobczak\Application Data\Microsoft\Internet Explorer\Quick Launch\DVDFab 8.lnk
[2010/10/31 12:13:13 | 000,000,677 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\DVDFab 8.lnk
[2010/10/31 11:29:20 | 000,019,973 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\OTL_scan.zip
[2010/10/31 11:29:02 | 000,005,035 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\Gmer_scan.zip
[2010/10/31 10:50:46 | 000,294,912 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\gmer.exe
[2010/10/31 10:49:55 | 000,286,404 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\Gmer.zip
[2010/10/24 11:26:42 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\ZoneAlarm Security.lnk
[2010/10/24 11:26:34 | 000,421,442 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/10/24 10:18:29 | 000,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2010/10/24 10:00:53 | 000,545,280 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\dds.scr
[2010/10/24 09:59:06 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\msobczak\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/10/24 09:58:57 | 000,000,599 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\ERUNT.lnk
[2010/10/23 22:23:13 | 000,000,721 | ---- | C] () -- C:\Documents and Settings\msobczak\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/10/23 21:21:30 | 000,364,032 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\rkill.scr
[2010/10/21 07:29:50 | 000,000,501 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\Shortcut to cports.exe.lnk
[2010/10/21 07:10:03 | 000,000,415 | ---- | C] () -- C:\Documents and Settings\msobczak\Desktop\procexp.exe.lnk
[2010/10/21 07:01:14 | 005,505,024 | ---- | C] () -- D:\Data\My Documents\Tooling.nsf
[2010/10/17 10:43:38 | 000,743,737 | ---- | C] () -- D:\Data\My Documents\100_1225.jpg
[2010/08/29 18:32:07 | 000,006,914 | ---- | C] () -- C:\Documents and Settings\msobczak\Local Settings\Application Data\rational_state.log
[2009/10/11 09:21:07 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdwvs.dll
[2009/10/11 09:20:18 | 001,036,288 | ---- | C] () -- C:\WINDOWS\System32\lxdwdrs.dll
[2009/10/11 09:20:18 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\lxdwcaps.dll
[2009/10/11 09:20:18 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdwcnv4.dll
[2009/10/11 09:20:03 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXDWPMON.DLL
[2009/10/11 09:20:03 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXDWFXPU.DLL
[2009/10/11 09:19:43 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\lxdwoem.dll
[2009/10/11 09:17:46 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxdwrwrd.ini
[2009/10/11 09:16:52 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\LXDWinst.dll
[2009/10/11 09:16:51 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdwgrd.dll
[2009/07/13 16:18:51 | 000,000,446 | ---- | C] () -- C:\Documents and Settings\msobczak\Application Data\JuniperExtXP.log
[2009/01/27 11:00:27 | 000,000,023 | ---- | C] () -- C:\Documents and Settings\msobczak\Local Settings\Application Data\kodakpcd.ini
[2008/12/16 18:46:12 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\msobczak\Application Data\pcouffin.cat
[2008/12/16 18:46:12 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\msobczak\Application Data\pcouffin.inf
[2008/12/16 18:46:12 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\msobczak\Application Data\pcouffin.log
[2008/12/12 13:23:16 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2008/12/02 23:05:41 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS75.DLL
[2008/12/02 22:03:22 | 000,000,102 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2008/12/02 21:50:20 | 000,109,056 | ---- | C] () -- C:\WINDOWS\System32\LGUICOM.DLL
[2008/12/02 21:50:20 | 000,000,488 | ---- | C] () -- C:\WINDOWS\Cmousecc.ini
[2008/11/30 19:27:16 | 000,000,141 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/11/29 14:58:56 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/11/04 19:31:53 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/11/03 19:44:47 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2008/11/03 19:32:32 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2008/10/18 11:21:02 | 000,796,048 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
[2008/10/17 02:00:16 | 000,004,324 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/01/03 17:26:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/01/03 17:26:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/01/03 17:26:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/01/03 17:26:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/01/03 17:26:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/06/30 13:15:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[1999/03/09 23:23:00 | 000,222,928 | ---- | C] () -- C:\WINDOWS\System32\lobas09.dll
[1999/01/22 11:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/13 11:52:30 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\lotrn13.dll
[1997/11/13 23:23:00 | 000,031,008 | ---- | C] () -- C:\WINDOWS\System32\ivtrn09.dll
[1997/02/01 23:23:00 | 000,000,058 | ---- | C] () -- C:\WINDOWS\loss613.ini
[1997/02/01 23:23:00 | 000,000,058 | ---- | C] () -- C:\WINDOWS\loss09.ini
[1996/07/08 23:23:00 | 000,000,038 | ---- | C] () -- C:\WINDOWS\loidp13.ini
[1994/07/24 23:23:00 | 000,014,928 | ---- | C] () -- C:\WINDOWS\System32\wingen.drv
[1994/04/06 23:23:00 | 000,000,462 | ---- | C] () -- C:\WINDOWS\lodbf13.ini
< End of report >
Satchfan
2010-11-16, 15:00
Msobczak
Good news - your log shows no sign of infection.
Please let me know how your computer is running.
Satchfan
msobczak
2010-11-17, 05:07
Haven't noticed anything in a few days.
Let's close this out.
Thanks for your help!
Satchfan
2010-11-18, 14:42
Msobczak
Now that you’re free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up your computer and decrease the likelihood of getting infected again:
Uninstall ComboFix
Follow these steps to make sure that Combofix is completely uninstalled
• Click START then RUN
• Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /; it needs to be there. http://i944.photobucket.com/albums/ad283/Ninamf/WTT/CFuninstall.jpg
• Once it's finished uninstalling itself you will receive a message saying Combofix was uninstalled successfully.
===================================================
Uninstall OTL
• Double-click OTL.exe
• Click the CleanUp! button.
• Select Yes when the Begin cleanup Process? prompt appears.
• If you are prompted to reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes; if not, delete it yourself. NOTE: If you receive a warning from your firewall or other security programs regarding OTL attempting to contact the internet, please allow it to do so.
===================================================
I see no sign of the antivirus you installed previously. If you use the Internet without an antivirus program your computer will certainly become infected again.
If you no longer have Avast, download and install one of the following:
• AVG 2011 Free (http://free.grisoft.com/doc/avg-anti-virus-free/lng/us/tpl/v5)
• Free Avast Home Edition (http://www.avast.com/index)
• Avira AntiVir® Personal Edition Classic (http://www.avira.com/en/avira-free-antivirus)
Update Adobe Reader and Java
Your version of Adobe Reader is very out of date. You also have old versions of Java on your computer. Older versions of both programs have vulnerabilities that malicious sites can use to exploit and infect your system.
• Go to Add/Remove Programs and remove all versions of Adobe Reader and Java.
• Click here (http://www.adobe.com/support/downloads/product.jsp?platform=windows&product=10) to download the latest version of Adobe Reader.
• Go here (http://java.sun.com/javase/downloads/index.jsp) to download the latest version of Java.
===================================================
Set your computer to automatically check for Windows updates.
To turn on Automatic Updates:
• Click Start, Settings and then click Control Panel.
• Double-click Automatic Updates.
• Choose Automatic (recommended).
===================================================
I suggest that you run SUPERAntiSpyware and Malwarebytes’ AntiMalware on a regular basis, probably weekly.
===================================================
I also recommend that you read the following:
“So how did I get infected in the first place?” (http://www.nutnworks.com/forums/showthread.php?t=321)
by Tony Klein
"How to prevent malware" (http://miekiemoes.blogspot.com/2008/02/how-to-prevent-malware.html)
by miekiemoes
Remember to keep updating all of the above programs to help your computer remain clean. You can never update too often, and your computer will not be protected from new malware if your programs are not up-to-date.
Safe computing
Satchfan
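As an added example that is not part of this thread or of any of the tools named in it, the script below checks two of the follow-up items in the post above from the registry: whether Automatic Updates is set to Automatic, and whether more than one Java or Adobe Reader version is still listed in Add/Remove Programs. It assumes PowerShell is installed (a separate download on XP) and runs with administrator rights; the key paths are the standard Windows Update and Uninstall locations, and on a 32-bit XP machine like this one there is no Wow6432Node branch to check.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 or later on a 32-bit
# Windows XP box, run as an administrator. Only standard registry locations are read.

function Get-AutomaticUpdatesState {
    # A domain policy (Policies branch) overrides the local Control Panel setting.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    )
    # AUOptions values as documented for Windows Update: 4 is "Automatic (recommended)".
    $names = @{ 1 = 'Disabled'; 2 = 'Notify before download';
                3 = 'Download, then notify before install'; 4 = 'Automatic (recommended)' }
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).AUOptions
        if ($null -ne $v) {
            return New-Object PSObject -Property @{ Key = $k; AUOptions = [int]$v; Meaning = $names[[int]$v] }
        }
    }
    return $null
}

function Get-RiskyLeftovers {
    # Every entry in Add/Remove Programs is a subkey under Uninstall with a DisplayName.
    $apps = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            Select-Object DisplayName, DisplayVersion
    # Sun/Oracle runtimes are listed as "Java(TM) 6 Update 20", "J2SE Runtime Environment 5.0 ...";
    # the pattern deliberately skips "Java Auto Updater", which is not a runtime.
    $java   = @($apps | Where-Object { $_.DisplayName -match '^(Java\(TM\)|Java \d|J2SE)' })
    $reader = @($apps | Where-Object { $_.DisplayName -match '^Adobe Reader' })
    New-Object PSObject -Property @{
        JavaEntries    = $java
        MultipleJava   = ($java.Count -gt 1)    # old releases left behind = extra attack surface
        ReaderEntries  = $reader
        MultipleReader = ($reader.Count -gt 1)
    }
}

$au = Get-AutomaticUpdatesState
if ($au -and $au.AUOptions -eq 4) { "Automatic Updates: $($au.Meaning)" }
else { "WARNING: Automatic Updates is not set to Automatic (found: $($au.Meaning))" }

$left = Get-RiskyLeftovers
$left.JavaEntries   | Format-Table DisplayName, DisplayVersion -AutoSize
$left.ReaderEntries | Format-Table DisplayName, DisplayVersion -AutoSize
if ($left.MultipleJava)   { "WARNING: more than one Java version installed; remove the older ones" }
if ($left.MultipleReader) { "WARNING: more than one Adobe Reader version installed; remove the older ones" }
```

Compare the versions it prints against the vendor download pages linked in the post; the script only reports what is installed and does not know which release is current.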