PDA

View Full Version : win32.delf.uc keeps coming back



spybob
2011-12-03, 21:15
Over the past 3 days I've done far too much to recount with various programs. Bottom line is none of the other programs I've used make this detection but Spybot consistantly shows:

--- Search result list ---
Win32.Delf.uc: [SBI $88B8013A] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe

Win32.Delf.uc: [SBI $14B30E85] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
/--- Search result list ---

As requested, DDS follows in hope of help to resolve this.
TIA
-Bob

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
Run by Bob at 13:06:09 on 2011-12-03
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.263 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
svchost.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PCMAGA~1\COOKIE~1\COOKIE~1.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Acronis\DriveMonitor\adm_tray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Volumouse\volumouse.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
D:\keyexp\KEYEXP.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
E:\Adobe\Adobe Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\Bob\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Bob\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = cookiecop:8100
uInternet Settings,ProxyOverride = 192.168;<local>
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2012\ievkbd.dll
BHO: {69D72956-317C-44bd-B369-8E44D4EF9801} - No File
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2012\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
uRun: [$Volumouse$] "c:\program files\volumouse\volumouse.exe" /nodlg
uRun: [POP Peeper] "c:\program files\pop peeper\POPPeeper.exe" -min
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [CookieCop] c:\progra~1\pcmaga~1\cookie~1\COOKIE~1.EXE
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [adm_tray.exe] c:\program files\acronis\drivemonitor\adm_tray.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2012\avp.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\keyexp~1.lnk - d:\keyexp\KEYEXP.EXE
StartupFolder: c:\documents and settings\bob\start menu\programs\startup\Today.pif
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet g series\bin\hpoavn07.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\kirbya~1.lnk - c:\program files\kirby alarm\kirbyalarm.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Convert link target to Adobe PDF - e:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - e:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2012\ievkbd.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2012\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: gamehouse.com\www
Trusted Zone: intuit.com\ttlc
Trusted Zone: macys.com\www
Trusted Zone: mycheckfree.com
Trusted Zone: onlinesearches.com\publicrecords
Trusted Zone: pointspot.com\www
Trusted Zone: thdathomeservices.com\webmail
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java
DPF: ppctlcab - hxxp://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://ppupdates.ca.com/downloads/scanner/axscanner.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105290237593
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147109959609
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://www.imgag.com/cp/install/AxCtp2.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{DC70D44C-CFA4-4CFB-AA8F-23E25AF64531} : NameServer = 208.67.220.220,208.67.222.222
TCP: Interfaces\{DC70D44C-CFA4-4CFB-AA8F-23E25AF64531} : DhcpNameServer = 192.168.0.1
Notify: igfxcui - igfxsrvc.dll
Notify: klartew - c:\documents and settings\networkservice\local settings\application data\klartew.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
LSA: Authentication Packages = msv1_0 relog_ap
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bob\application data\mozilla\firefox\profiles\12nouic8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.ftp - cookiecop
FF - prefs.js: network.proxy.ftp_port - 8100
FF - prefs.js: network.proxy.gopher - cookiecop
FF - prefs.js: network.proxy.gopher_port - 8100
FF - prefs.js: network.proxy.http - cookiecop
FF - prefs.js: network.proxy.http_port - 8100
FF - prefs.js: network.proxy.socks - cookiecop
FF - prefs.js: network.proxy.socks_port - 8100
FF - prefs.js: network.proxy.ssl - cookiecop
FF - prefs.js: network.proxy.ssl_port - 8100
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\bob\application data\mozilla\firefox\profiles\12nouic8.default\extensions\{7e7165e2-0767-448c-852f-5fa8714f2c37}\components\PlainOldFavorites.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\bob\application data\mozilla\firefox\profiles\12nouic8.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: e:\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: PlainOldFavorites: {7E7165E2-0767-448c-852F-5FA8714F2C37} - %profile%\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\siber systems\ai roboform\Firefox
.
============= SERVICES / DRIVERS ===============
.
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2011-3-4 133208]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-11-15 28552]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-9-28 15328]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2011-3-4 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-12-2 565552]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2012\avp.exe [2011-4-24 202296]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-9-28 220128]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-10-16 431456]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2011-3-10 34608]
S0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys --> c:\windows\system32\drivers\pxscan.sys [?]
S1 MpKsl05b8ec11;MpKsl05b8ec11;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cf9c8df2-582e-4a0b-a51f-7e845e1cd6fd}\mpksl05b8ec11.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cf9c8df2-582e-4a0b-a51f-7e845e1cd6fd}\MpKsl05b8ec11.sys [?]
S1 MpKsl2c04e557;MpKsl2c04e557;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0bc45769-a94d-4949-a210-4e7dd42e8b5a}\mpksl2c04e557.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0bc45769-a94d-4949-a210-4e7dd42e8b5a}\MpKsl2c04e557.sys [?]
S1 MpKsl30221af3;MpKsl30221af3;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cc380205-6e12-4e7d-93e7-85f54d3db76c}\mpksl30221af3.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cc380205-6e12-4e7d-93e7-85f54d3db76c}\MpKsl30221af3.sys [?]
S1 MpKsl3bbc9cb7;MpKsl3bbc9cb7;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b65b421e-520c-4dc3-bb0b-e0b13ccacb29}\mpksl3bbc9cb7.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b65b421e-520c-4dc3-bb0b-e0b13ccacb29}\MpKsl3bbc9cb7.sys [?]
S1 MpKsl50c6aa21;MpKsl50c6aa21;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8fbced0e-c906-4526-8ac0-a3e173bd644c}\mpksl50c6aa21.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8fbced0e-c906-4526-8ac0-a3e173bd644c}\MpKsl50c6aa21.sys [?]
S1 MpKsl63115aff;MpKsl63115aff;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f268287-023a-4ef1-8111-eed0d192dfae}\mpksl63115aff.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f268287-023a-4ef1-8111-eed0d192dfae}\MpKsl63115aff.sys [?]
S1 MpKsl6992bf7e;MpKsl6992bf7e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{00dd543a-485e-4f5c-805e-5cccba25d24d}\mpksl6992bf7e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{00dd543a-485e-4f5c-805e-5cccba25d24d}\MpKsl6992bf7e.sys [?]
S1 MpKsl6f4364a6;MpKsl6f4364a6;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{49f1789d-f463-4ae6-9a66-747134266b78}\mpksl6f4364a6.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{49f1789d-f463-4ae6-9a66-747134266b78}\MpKsl6f4364a6.sys [?]
S1 MpKsl91e50612;MpKsl91e50612;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7afa9519-2dc2-4f4a-bc6a-67db575ad69f}\mpksl91e50612.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7afa9519-2dc2-4f4a-bc6a-67db575ad69f}\MpKsl91e50612.sys [?]
S1 MpKsl957cbe81;MpKsl957cbe81;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1d7adc2b-9e7c-499b-8b4b-970056c021c5}\mpksl957cbe81.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1d7adc2b-9e7c-499b-8b4b-970056c021c5}\MpKsl957cbe81.sys [?]
S1 MpKsla44f2d84;MpKsla44f2d84;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cc380205-6e12-4e7d-93e7-85f54d3db76c}\mpksla44f2d84.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cc380205-6e12-4e7d-93e7-85f54d3db76c}\MpKsla44f2d84.sys [?]
S1 MpKslb1eef83e;MpKslb1eef83e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ec47350a-2863-4f9a-90e4-6aab11dc7f96}\mpkslb1eef83e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ec47350a-2863-4f9a-90e4-6aab11dc7f96}\MpKslb1eef83e.sys [?]
S1 MpKslbb72fb26;MpKslbb72fb26;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d02b31d1-047a-4a74-b222-564f57750561}\mpkslbb72fb26.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d02b31d1-047a-4a74-b222-564f57750561}\MpKslbb72fb26.sys [?]
S1 MpKslc6a20e02;MpKslc6a20e02;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{22038661-62e7-42f4-a3bd-bd6d7ea26198}\mpkslc6a20e02.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{22038661-62e7-42f4-a3bd-bd6d7ea26198}\MpKslc6a20e02.sys [?]
S1 MpKslc86a0644;MpKslc86a0644;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f951e807-42b7-42a5-8e28-f10b74bca579}\mpkslc86a0644.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f951e807-42b7-42a5-8e28-f10b74bca579}\MpKslc86a0644.sys [?]
S1 MpKslcfc4f3af;MpKslcfc4f3af;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c9f5f717-de2b-42a3-ad96-b15b8b26858b}\mpkslcfc4f3af.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c9f5f717-de2b-42a3-ad96-b15b8b26858b}\MpKslcfc4f3af.sys [?]
S1 MpKsldfa7710c;MpKsldfa7710c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5d66a504-67fe-4fc0-b704-9aff011607f5}\mpksldfa7710c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5d66a504-67fe-4fc0-b704-9aff011607f5}\MpKsldfa7710c.sys [?]
S1 MpKslf156ae64;MpKslf156ae64;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{021de105-dc76-4d6e-beb8-b9d47dd524a3}\mpkslf156ae64.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{021de105-dc76-4d6e-beb8-b9d47dd524a3}\MpKslf156ae64.sys [?]
S1 MpKslf9cc0160;MpKslf9cc0160;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e84c3ea2-141b-4581-a47d-ca48b2e8c486}\mpkslf9cc0160.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e84c3ea2-141b-4581-a47d-ca48b2e8c486}\MpKslf9cc0160.sys [?]
S1 MpKslfd8e6181;MpKslfd8e6181;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{71e3c987-72e8-40b3-a256-da415b7829b5}\mpkslfd8e6181.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{71e3c987-72e8-40b3-a256-da415b7829b5}\MpKslfd8e6181.sys [?]
S1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys --> c:\windows\system32\drivers\pxrts.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S2 KirbyAlarmPro;Kirby Alarm Pro;c:\program files\kirby alarm pro\kirbyalarmpro.exe [2009-2-3 3579904]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2010-9-28 44512]
S3 PSVolAcc;PSVolAcc;c:\windows\system32\drivers\PSVolAcc.sys [2010-9-28 12256]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys --> c:\windows\system32\drivers\pxkbf.sys [?]
S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\drivers\sustucap.sys [2006-2-3 37632]
.
=============== File Associations ===============
.
txtfile="c:\program files\jgsoft\editpadlite\EditPad.exe" "%1"
.
=============== Created Last 30 ================
.
2011-12-02 23:32:30 97961 -c--a-w- c:\windows\system32\drivers\klick.dat
2011-12-02 23:32:30 115369 -c--a-w- c:\windows\system32\drivers\klin.dat
2011-12-02 23:29:57 -------- dc----w- c:\program files\Kaspersky Lab
2011-12-02 23:29:56 -------- dc----w- c:\documents and settings\all users\application data\Kaspersky Lab
2011-12-01 19:29:31 -------- dc----w- C:\SDFix
2011-12-01 16:37:25 -------- dc----w- c:\documents and settings\bob\local settings\application data\fxnetlib
2011-11-30 23:07:51 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-30 23:06:29 -------- dc----w- c:\documents and settings\all users\application data\Hitman Pro
2011-11-30 17:10:41 71880 -c--a-w- c:\windows\system32\PxSecure.dll-19202703
2011-11-15 22:34:40 28552 -c--a-w- c:\windows\system32\drivers\pavboot.sys
.
==================== Find3M ====================
.
2011-12-01 00:08:09 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-15 22:22:09 100 -c--a-w- c:\windows\system32\prsgrc.dll
2011-11-15 13:17:59 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 13:07:44.75 ===============

vict0r
2011-12-05, 16:59
Hello and welcome to the forum.

My nickname is vict0r and I will help you with the malware issues on your computer.

Please read the following information carefully.

IMPORTANT: Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

To make cleaning this machine easier:

Continue to respond to this thread until I I tell you that the logs are clean!
Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
Please follow all instructions in the order posted.
If you have any questions or do not understand instructions, please ask before continuing.
Please reply to this thread. Do not start a new topic.
Your security program(s) may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Please post the Attach.txt generated by DDS (copy and paste it into your reply, do not attach it). If necessary re-run DDS to get the log.

spybob
2011-12-05, 22:57
Thank you vict0r.
FYI, the system I am having an issue with is no longer connected to the network pending resolution.

It appears I did not save the file so I ran dds again with the following results:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/9/2005 11:36:14 AM
System Uptime: 12/5/2011 7:21:29 AM (8 hours ago)
.
Motherboard: Dell Computer Corp. | | 0C2425
Processor: Intel(R) Pentium(R) 4 CPU 2.66GHz | Microprocessor | 2657/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 10 GiB total, 0.951 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 0.39 GiB free.
E: is FIXED (NTFS) - 16 GiB total, 0.147 GiB free.
F: is CDROM ()
G: is CDROM ()
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
Acronis Drive Monitor
ACT! 2000
Adobe Acrobat 7.0 Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Creative Suite 2
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe GoLive CS2
Adobe Help Center 1.0
Adobe Illustrator CS2
Adobe InDesign CS2
Adobe Photoshop CS2
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Adobe Version Cue CS2
AI RoboForm (All Users)
AOL Instant Messenger
AOL Instant Messenger (SM)
ASAP Utilities
AutoScan5.4
Avery® Wizard 2.1 for Microsoft® Office Word 2003
BitPim 1.0.4
BlueSoleil
BookSmart® 2.9.1 2.9.1
Broadcom 440x 10/100 Integrated Controller
CCleaner
CDBurnerXP
cGPSmapper Shareware 0087
CmdHere Powertoy For Windows XP
Compatibility Pack for the 2007 Office system
Complete Cleanup Trial
CookieCop® 2
Dell ResourceCD
dfg BackUp XP 2005
dfg BackUp XP 2005 (C:\Program Files\DFG\BackUp3\)
DriveImage XML
EASEUS Data Recovery Wizard Free Edition 5.5.1
EasyCleaner
ERUNT 1.1j
Eudora
Excel VBA Code Cleaner 4.4
Excel VBA Code Documentor 4.0
FileNote (Remove Only)
Free CD to MP3 Converter
Garmin City Navigator North America 2008
Garmin City Navigator North America 2009
Garmin Communicator Plugin
Garmin MapSource
Garmin USB Drivers
Garmin WebUpdater
GmapTool 0.6.0
Google Earth
Google Gmail Notifier
Google Update Helper
Google Updater
GTK+ Runtime 2.14.7 rev a (remove only)
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
hp officejet g series
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics Driver
IrfanView (remove only)
Jalbum
Java Auto Updater
Java(TM) 6 Update 20
Just Great Software EditPad Lite 6.6.3
jv16 PowerTools 2005
Kaspersky Anti-Virus 2012
Kirby Alarm Pro v4.45
Kirby Alarm v2.11
Lernout & Hauspie TruVoice American English TTS Engine
LiveReg (Symantec Corporation)
Macrium Reflect - Free Edition
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia FreeHand MXa
MapSource
MapSource - City Select North America v7
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft IntelliType Pro 5.2
Microsoft Office Basic Edition 2003
Microsoft Office File Validation Add-In
Microsoft PowerPoint 97
Microsoft Tool Web Package : GETMAC.EXE
Microsoft Visual C++ 2005 Redistributable
MozBackup 1.4.7
Mozilla Firefox (3.6.23)
MSXML 6 Service Pack 2 (KB973686)
MySoftware Fonts
Nero Suite
Netflix Movie Viewer
Norton PartitionMagic
Norton PartitionMagic 8.0
Norton WMI Update
NTREGOPT 1.1j
OSM map
Panda ActiveScan 2.0
PandoraRecovery (Remove Only)
PC Authorize
Pidgin
POP Peeper
Postage $aver
PVR Plus
QuickBooks Pro 99
QuickTime Alternative 3.2.2
Real Alternative 1.42
SafeCast Shared Components
Seagate*DiscWizard
Secunia PSI
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Smart Defrag 1.0
Smart Indenter v3.5 for Office 2000-2003
Snapshot Viewer
SoundMAX
Spybot - Search & Destroy
Startup Cop 1.1
Stuff Organizer
Suite Specific
SyncBack
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wnjiper
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wnjiper
TurboTax 2009 wnyiper
TurboTax 2009 wrapper
TurboTax 2010 wneiper
TurboTax 2010 wnjiper
TurboTax 2010 wnyiper
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Tweak UI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
USB Modem Driver
Volumouse
WebFldrs XP
WexTech AnswerWorks
Windows Defender Signatures
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Vista Upgrade Advisor
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinDriver6.22 USB Driver
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
Xteq Systems X-Setup 6.2
.
==== Event Viewer Messages From Past Week ========
.
12/2/2011 9:29:45 AM, error: Microsoft Antimalware [2001] -
12/1/2011 5:03:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde pxrts pxscan
12/1/2011 5:01:03 PM, error: Print [19] - Sharing printer failed + 1722, Printer Microsoft XPS Document Writer share name Printer.
12/1/2011 4:15:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: pxrts pxscan
12/1/2011 4:15:17 PM, error: Service Control Manager [7000] - The CSIScanner service failed to start due to the following error: The system cannot find the path specified.
12/1/2011 2:51:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter NetworkX OMCI pavboot pxrts pxscan
12/1/2011 2:35:03 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT NetworkX OMCI pavboot pxrts pxscan RasAcd Rdbss Tcpip Tcpip6
12/1/2011 2:35:03 PM, error: Service Control Manager [7001] - The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/1/2011 2:35:03 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/1/2011 2:35:03 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
12/1/2011 2:34:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/1/2011 2:26:02 PM, error: DCOM [10000] - Unable to start a DCOM Server: {1F87137D-0E7C-44D5-8C73-4EFFB68962F2}. The error: "%6" Happened while starting this command: C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
11/30/2011 7:10:25 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
11/30/2011 6:52:57 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
11/30/2011 6:08:03 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
11/30/2011 3:02:44 PM, error: Service Control Manager [7022] - The Intuit Update Service service hung on starting.
11/30/2011 3:02:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
11/30/2011 3:02:33 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================

vict0r
2011-12-07, 00:59
Hello, spybob.

Unfortunately, we do not work on company computers. Please refer to this post:

http://forums.spybot.info/showpost.php?p=25712&postcount=5

spybob
2011-12-07, 04:25
I would appear I have given you a false impression. This is not a company computer, it is a home network for myself and my wife. I took the offending computer off the network so it will not infect my wife's and so I don't risk identity theft when doing banking etc.

Respectfully submitted

Bob

vict0r
2011-12-08, 21:15
Hi,

Please explain why you have these business related programs installed on this computer:
ACT! 2000
AutoScan5.4
Avery® Wizard 2.1 for Microsoft® Office Word 2003
MetaFrame Presentation Server Web Client for Win32
PC Authorize
Postage $aver
WexTech AnswerWorks


Using the same method and computer you already have transfered files to and from the infected computer:

MGADiag

Please download this tool (http://go.microsoft.com/fwlink/?linkid=52012) from Microsoft. Save it to your desktop.
Double click on MGADiag.exeto run it.
Click Continue.
The program will run. It takes a while to finish the diagnosis, please be patient.
Once done, click on Copy.
Open Notepad and paste the contents in the window.
Save this file and copy/paste it in your next reply.


CKScanner

Please download CKScanner (http://downloads.malwareremoval.com/CKScanner.exe) ... Save it to your desktop.
This program should only be run once!
Make sure that CKScanner.exe is on the your desktop before running the application!
Double-click on the CKScanner.exe icon... then click the Search For Files button.
When the scan is finished (the cursor hourglass disappears) click the Save List To File button.
A text file will be created on your desktop named "ckfiles.txt"
Click OK at the file saved message box. Double-click on the ckfiles.txt icon on your desktop.
Please copy/paste the contents of ckfiles.txt in your next reply.

spybob
2011-12-09, 05:22
I can appreciate the questions now that I understand why you thought it was a business.

ACT! 2000 11 year old contact database program. I used to sell merchant services.

AutoScan5.4 To download data from my CPAP so I can monitor my sleep apnea. It is not a current application if you check it's about 4 or 5 years old and won't work with newer CPAP machines.

Avery® Wizard 2.1 for Microsoft® Office Word 2003 - no idea. My wife probably loaded it at some point.

MetaFrame Presentation Server Web Client for Win32 - dont know what it is or used for.

PC Authorize - I used to sell merchant services and this demo allowed me to become familiar with the product.

Postage $aver - installed when I investigated using this for a fund raising mailing list for our volunteer rescue squad. It is not a valid program since it was never purchased or registered with the vendor.

WexTech AnswerWorks - don't know what this is associated with but think I installed it when trying to get a mapping program to work with my garmin.

I'm more than willing to wipe out all but the autoscan 5.4 since I don't use any of the others. I'm sure if you saw the dates on the data for these you would see they are not current. Is there anything else I can provide to assure you it is not a business computer?

-Bob

vict0r
2011-12-09, 16:07
Is there anything else I can provide to assure you it is not a business computer?
Please post the logs from MGADiag and CKScanner as described in my previous post.

spybob
2011-12-09, 18:54
I'm sorry vict0r, I didn't finish reading before I responded.

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-GD6GR-K6DP3-4C8MT
Windows Product Key Hash: s2kt66ZJWfV4nS1wFD5F9bxTSDw=
Windows Product ID: 55277-OEM-2111907-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.2.0.hom
ID: {5F5C1FF9-F108-4C2E-98A0-4A2CDE359056}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Basic Edition 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2ee7_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{5F5C1FF9-F108-4C2E-98A0-4A2CDE359056}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.2.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-4C8MT</PKey><PID>55277-OEM-2111907-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-117609710-602609370-839522115</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Dimension 2400 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A05</Version><SMBIOSVersion major="2" minor="3"/><Date>20031202000000.000000+000</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>F4CC344F01842062</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91130409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Basic Edition 2003</Name><Ver>11</Ver><Val>A0D98D99A01070E</Val><Hash>ZzKuB55t4Pi9K0gH55XtBhji+8c=</Hash><Pid>73102-OEM-5690357-78318</Pid><PidType>6</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1B285:Dell Inc|1B285:Microsoft Corporation
Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System

OEM Activation 2.0 Data-->
N/A




CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.OOAPUN
----- EOF -----

vict0r
2011-12-11, 02:46
C: is FIXED (NTFS) - 10 GiB total, 0.951 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 0.39 GiB free.
E: is FIXED (NTFS) - 16 GiB total, 0.147 GiB free.
No restore point in system.

You need to free up some space. Please uninstall these programs:
ACT! 2000
Avery® Wizard 2.1 for Microsoft® Office Word 2003
MetaFrame Presentation Server Web Client for Win32
PC Authorize
Postage $aver
WexTech AnswerWorks

Out of date Java installations pose a security risk. They can be used by malware as a means to infect a computer and or re-infect. Please uninstall Java(TM) 6 Update 20

To uninstall programs:


Click on Start > Run.
In the open text box write appwiz.cpl Then click Ok.
Wait for the list of programs in the Add/Remove control panel to appear.
You can now uninstall the programs.

Using the same method and computer you already have transferred files to and from the infected computer:


OTL

Please download OTL (http://oldtimer.geekstogo.com/OTL.exe) by Old Timer and save it to your Desktop.

Double click on OTL.exe to run it.
Under Output, ensure that Standard Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Please save all work and close all open program windows.
Click on Run Scan at the top left hand corner.
When done, two Notepad files will open.
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
Please post the contents of these 2 Notepad files in your next reply.

spybob
2011-12-11, 13:44
I have removed the programs you asked. Frankly, there are other programs that could have been removed to create more space. Booksmart 227Mb, Garmin web updater 501 Mb, google earth 85 Mb, hp officejet 150Mb, Kirby 2.11 3.5mb, .NET framework (not sure what it is used for and both 2.0 SP2 and 3.0 SP2 are installed at 180Mb each),>NET frameworkd 3.5 SP1 20mb, seagate discwizard 256mb for a total of almost 1.5 gig.

I have not removed these trying to follow the first readme before you post section of not doing things we're not asked for.

On that note, when I ran OTL i had noticed my flash drive was attached so I took it off and ran OTL again but it did not produce a 2nd EXTRAS file. enclosed is the result of the 2nd OTL.txt and the 1st EXTAS file. I apologize for the confusion.:oops:


FYI, PC Authorize & Wextech could not be removed from the list since the folders do not exist. they had been deleted some time prior.



OTL logfile created on: 12/10/2011 9:21:54 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = D:\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.00 Mb Total Physical Memory | 575.49 Mb Available Physical Memory | 56.31% Memory free
2.49 Gb Paging File | 2.04 Gb Available in Paging File | 81.88% Paging File free
Paging file location(s): D:\pagefile.sys 100 200E:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9.78 Gb Total Space | 1.02 Gb Free Space | 10.42% Space Free | Partition Type: NTFS
Drive D: | 11.45 Gb Total Space | 0.38 Gb Free Space | 3.35% Space Free | Partition Type: NTFS
Drive E: | 16.02 Gb Total Space | 0.15 Gb Free Space | 0.91% Space Free | Partition Type: NTFS

Computer Name: TYC | User Name: Bob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/10 20:47:46 | 000,584,192 | ---- | M] (OldTimer Tools) -- D:\Desktop\OTL.exe
PRC - [2011/04/24 23:15:02 | 000,202,296 | ---- | M] (Kaspersky Lab ZAO) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
PRC - [2010/10/29 03:50:25 | 000,160,328 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
PRC - [2010/09/28 13:02:58 | 000,220,128 | ---- | M] () -- C:\Program Files\Macrium\Reflect\ReflectService.exe
PRC - [2010/09/09 17:09:36 | 001,511,424 | ---- | M] (Mortal Universe) -- C:\Program Files\POP Peeper\POPPeeper.exe
PRC - [2010/08/26 10:07:04 | 000,531,664 | ---- | M] (Acronis) -- C:\Program Files\Acronis\DriveMonitor\adm_tray.exe
PRC - [2010/08/13 18:01:56 | 000,660,576 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2009/10/16 18:39:28 | 000,431,456 | ---- | M] (Seagate) -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
PRC - [2008/04/14 12:40:32 | 003,579,904 | ---- | M] (Kirby Software) -- C:\Program Files\Kirby Alarm Pro\kirbyalarmpro.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/22 23:13:46 | 001,591,808 | ---- | M] (YourWare Solutions (TM)) -- C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
PRC - [2005/07/15 16:48:33 | 000,479,232 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Gmail Notifier\gnotify.exe
PRC - [2005/06/04 21:16:44 | 000,024,064 | ---- | M] (NirSoft) -- C:\Program Files\Volumouse\volumouse.exe
PRC - [2004/08/04 00:56:56 | 000,419,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe
PRC - [2004/04/15 17:07:01 | 000,073,728 | ---- | M] (CrypKey (Canada) Ltd.) -- C:\WINDOWS\system32\Crypserv.exe
PRC - [2002/11/20 18:37:46 | 000,188,416 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
PRC - [2002/11/20 18:17:20 | 000,057,344 | ---- | M] (HP) -- C:\WINDOWS\system32\hpoipm07.exe
PRC - [2002/11/20 18:09:10 | 000,294,912 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
PRC - [2002/11/20 17:48:24 | 000,299,008 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpoevm07.exe
PRC - [2002/11/20 17:15:00 | 000,151,552 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
PRC - [2001/12/30 18:27:12 | 000,475,136 | ---- | M] (Ziff Davis Media, Inc. ) -- C:\Program Files\PC Magazine Utilities\CookieCop\CookieCop.exe
PRC - [2000/02/24 11:38:08 | 000,838,656 | ---- | M] () -- D:\keyexp\KEYEXP.EXE


========== Modules (No Company Name) ==========

MOD - [2011/11/29 17:51:12 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\klartew.dll
MOD - [2011/04/24 23:13:30 | 007,008,656 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtgui4.dll
MOD - [2011/04/24 23:13:28 | 000,192,912 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtsql4.dll
MOD - [2011/04/24 23:13:26 | 001,270,160 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtscript4.dll
MOD - [2011/04/24 23:13:26 | 000,758,160 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtnetwork4.dll
MOD - [2011/04/24 23:13:24 | 002,118,032 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtcore4.dll
MOD - [2011/04/24 23:13:24 | 002,089,360 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtdeclarative4.dll
MOD - [2011/04/20 19:56:28 | 000,025,088 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\imageformats\qgif4.dll
MOD - [2010/09/28 13:02:58 | 000,220,128 | ---- | M] () -- C:\Program Files\Macrium\Reflect\ReflectService.exe
MOD - [2010/08/26 09:46:18 | 000,012,128 | ---- | M] () -- C:\Program Files\Common Files\Acronis\DriveMonitor\Common\icudt38.dll
MOD - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
MOD - [2008/01/21 20:19:30 | 000,133,120 | ---- | M] () -- C:\Program Files\Kirby Alarm Pro\vuFT3.dll
MOD - [2006/10/11 10:31:20 | 000,013,312 | ---- | M] () -- C:\Program Files\Kirby Alarm Pro\xlswrite.dll
MOD - [2006/09/25 21:12:58 | 001,118,720 | ---- | M] () -- C:\Program Files\Kirby Alarm Pro\gca631.dll
MOD - [2006/01/17 16:57:52 | 000,590,440 | ---- | M] () -- C:\Program Files\Kirby Alarm Pro\c6fm3x.dll
MOD - [2002/11/20 18:37:02 | 000,028,672 | ---- | M] () -- C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpopxs07.dll
MOD - [2000/02/24 11:38:08 | 000,838,656 | ---- | M] () -- D:\keyexp\KEYEXP.EXE
MOD - [1998/07/29 00:20:00 | 000,039,424 | ---- | M] () -- D:\keyexp\KYX95HK.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)
SRV - [2011/04/24 23:15:02 | 000,202,296 | ---- | M] (Kaspersky Lab ZAO) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe -- (AVP)
SRV - [2010/09/28 13:02:58 | 000,220,128 | ---- | M] () [Auto | Running] -- C:\Program Files\Macrium\Reflect\ReflectService.exe -- (ReflectService)
SRV - [2010/08/23 19:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2010/08/13 18:01:56 | 000,660,576 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2009/10/16 18:39:28 | 000,431,456 | ---- | M] (Seagate) [Auto | Running] -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe -- (SgtSch2Svc)
SRV - [2008/04/14 12:40:32 | 003,579,904 | ---- | M] (Kirby Software) [Auto | Running] -- C:\Program Files\Kirby Alarm Pro\kirbyalarmpro.exe -- (KirbyAlarmPro)
SRV - [2006/05/04 17:40:14 | 000,052,736 | ---- | M] (Macrovision) [Disabled | Stopped] -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)
SRV - [2005/04/06 16:03:28 | 000,110,592 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\BlueSoleil\BTNtService.exe -- (BlueSoleil Hid Service)
SRV - [2005/04/04 17:58:28 | 000,163,840 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- E:\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe -- (Adobe Version Cue CS2)
SRV - [2005/01/13 00:04:41 | 000,068,096 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)
SRV - [2004/11/02 16:59:50 | 000,316,544 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- (SymWSC)
SRV - [2004/04/15 17:07:01 | 000,073,728 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)


========== Driver Services (SafeList) ==========

DRV - [2011/12/02 18:29:32 | 000,565,552 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2011/03/10 18:34:46 | 000,034,608 | ---- | M] (Kaspersky Lab ZAO) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2011/03/04 13:23:20 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl2.sys -- (kl2)
DRV - [2011/03/04 13:23:14 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\kl1.sys -- (KL1)
DRV - [2010/12/15 10:09:29 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2010/12/15 10:09:29 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2010/12/15 10:09:18 | 000,132,224 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2010/12/15 10:09:09 | 000,368,480 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpman.sys -- (tdrpman)
DRV - [2010/09/28 13:03:46 | 000,012,256 | ---- | M] (Paramount Software UK Ltd) [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\PSVolAcc.sys -- (PSVolAcc)
DRV - [2010/09/28 13:03:22 | 000,015,328 | ---- | M] (Macrium Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\pssnap.sys -- (pssnap)
DRV - [2010/09/28 13:03:10 | 000,044,512 | ---- | M] (Macrium Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psmounter.sys -- (PSMounter)
DRV - [2010/02/11 07:01:43 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/11/12 13:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/11/02 20:27:24 | 000,019,472 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/06/30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/03/24 06:03:08 | 000,007,808 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2007/10/10 14:58:19 | 000,011,376 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\CdaC15BA.SYS -- (CdaC15BA)
DRV - [2007/03/28 18:26:25 | 000,017,480 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2006/11/21 03:25:44 | 000,045,568 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/09/12 21:21:46 | 000,292,864 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emBDA.sys -- (USB28xxBGA)
DRV - [2006/08/21 23:38:46 | 000,007,168 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emOEM.sys -- (USB28xxOEM)
DRV - [2006/02/03 08:56:14 | 000,037,632 | ---- | M] (Susteen, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sustucap.sys -- (SUSTUCAP)
DRV - [2005/05/31 15:40:20 | 000,020,480 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\blueletaudio.sys -- (BlueletAudio)
DRV - [2005/05/31 09:42:28 | 000,023,000 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btcusb.sys -- (Btcsrusb)
DRV - [2005/04/30 14:50:20 | 000,011,860 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vbtenum.sys -- (BTHidEnum)
DRV - [2005/04/30 14:50:10 | 000,028,271 | ---- | M] (IVT Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\BTHidMgr.sys -- (BTHidMgr)
DRV - [2005/04/30 14:48:58 | 000,010,804 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BtNetDrv.sys -- (BT)
DRV - [2005/03/25 17:18:48 | 000,082,148 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VcommMgr.sys -- (VcommMgr)
DRV - [2004/12/16 16:32:54 | 000,013,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BTNetFilter.sys -- (BTNetFilter)
DRV - [2004/10/19 13:37:38 | 000,061,312 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VComm.sys -- (VComm)
DRV - [2004/09/17 08:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/09/07 17:57:00 | 000,316,152 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\windrvr6.sys -- (WinDriver6)
DRV - [2004/08/03 23:10:14 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2004/07/29 19:35:52 | 000,031,654 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\ckldrv.sys -- (NetworkX)
DRV - [2004/05/05 21:48:40 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\PQNTDRV.sys -- (PQNTDrv)
DRV - [2004/03/05 22:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004/03/05 22:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004/03/05 22:13:52 | 000,060,949 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004/03/05 22:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google, = www.google.com $s
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google, = +
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google,# = %23
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google,% = %25
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google,& = %26
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google,+ = %2B
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 192.168;<local>
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = cookiecop:8100

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.10
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.10.1
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.1.5
FF - prefs.js..extensions.enabledItems: {7E7165E2-0767-448c-852F-5FA8714F2C37}:1.2
FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.7.3
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.67
FF - prefs.js..extensions.enabledItems: {4ED1F68A-5463-4931-9384-8FFF5ED91D92}:3.4.0
FF - prefs.js..network.proxy.backup.ftp: "cookiecop"
FF - prefs.js..network.proxy.backup.ftp_port: 8100
FF - prefs.js..network.proxy.backup.gopher: "cookiecop"
FF - prefs.js..network.proxy.backup.gopher_port: 8100
FF - prefs.js..network.proxy.backup.socks: "cookiecop"
FF - prefs.js..network.proxy.backup.socks_port: 8100
FF - prefs.js..network.proxy.backup.ssl: "cookiecop"
FF - prefs.js..network.proxy.backup.ssl_port: 8100
FF - prefs.js..network.proxy.ftp: "cookiecop"
FF - prefs.js..network.proxy.ftp_port: 8100
FF - prefs.js..network.proxy.gopher: "cookiecop"
FF - prefs.js..network.proxy.gopher_port: 8100
FF - prefs.js..network.proxy.http: "cookiecop"
FF - prefs.js..network.proxy.http_port: 8100
FF - prefs.js..network.proxy.no_proxies_on: "192.168,localhost,127.0.0.1"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "cookiecop"
FF - prefs.js..network.proxy.socks_port: 8100
FF - prefs.js..network.proxy.ssl: "cookiecop"
FF - prefs.js..network.proxy.ssl_port: 8100
FF - prefs.js..network.proxy.type: 1

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@garmin.com/GpsControl: C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@macromedia.com/FlashPlayer6: File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2105: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1212: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll File not found
FF - HKCU\Software\MozillaPlugins\@macromedia.com/FlashPlayer6: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2007/03/23 08:17:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\linkfilter@kaspersky.ru: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\FFExt\linkfilter@kaspersky.ru [2011/12/02 19:31:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\virtualKeyboard@kaspersky.ru: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\FFExt\virtualKeyboard@kaspersky.ru [2011/12/02 19:31:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/31 08:10:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/10/15 06:51:32 | 000,000,000 | ---D | M]

[2010/01/01 14:59:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Extensions
[2010/01/01 14:59:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Extensions\home2@tomtom.com
[2011/11/29 22:27:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions
[2010/01/03 14:32:59 | 000,000,000 | ---D | M] ("Garmin Communicator") -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2011/11/09 17:21:14 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2011/11/09 17:21:14 | 000,000,000 | ---D | M] (PlainOldFavorites) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}
[2011/11/09 17:21:13 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/11/09 17:21:13 | 000,000,000 | ---D | M] ("BetterPrivacy") -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2011/01/07 13:39:22 | 000,000,000 | ---D | M] (User Agent Switcher) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2006/12/20 23:38:33 | 000,002,386 | ---- | M] () -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\searchplugins\siteadvisor.xml
[2011/12/10 20:46:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
File not found (No name found) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2007/03/23 08:17:11 | 000,000,000 | ---D | M] (AI Roboform Toolbar for Firefox) -- C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\FIREFOX
[2010/04/25 22:31:27 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2010/05/14 12:40:28 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2006/11/09 14:20:40 | 002,111,096 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\oldNPSWF32.dll

O1 HOSTS File: ([2008/12/11 23:41:36 | 000,290,674 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 CookieCop
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.163ns.com
O1 - Hosts: 10012 more lines...
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\ievkbd.dll (Kaspersky Lab ZAO)
O2 - BHO: (no name) - {69D72956-317C-44bd-B369-8E44D4EF9801} - No CLSID value found.
O2 - BHO: (Reg Error: Value error.) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\klwtbbho.dll (Kaspersky Lab ZAO)
O3 - HKLM\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..\Toolbar\ShellBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe (Google Inc.)
O4 - HKLM..\Run: [adm_tray.exe] C:\Program Files\Acronis\DriveMonitor\adm_tray.exe (Acronis)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe (Kaspersky Lab ZAO)
O4 - HKLM..\Run: [CookieCop] C:\Program Files\PC Magazine Utilities\CookieCop\CookieCop.exe (Ziff Davis Media, Inc. )
O4 - HKU\.DEFAULT..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKU\S-1-5-18..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKU\S-1-5-21-117609710-602609370-839522115-1004..\Run: [$Volumouse$] C:\Program Files\Volumouse\volumouse.exe (NirSoft)
O4 - HKU\S-1-5-21-117609710-602609370-839522115-1004..\Run: [FreeRAM XP] C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe (YourWare Solutions (TM))
O4 - HKU\S-1-5-21-117609710-602609370-839522115-1004..\Run: [POP Peeper] C:\Program Files\POP Peeper\POPPeeper.exe (Mortal Universe)
O4 - HKU\S-1-5-21-117609710-602609370-839522115-1004..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2009/04/23 08:30:11 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\Bob\Start Menu\Programs\Startup\KeyExpress.lnk = D:\keyexp\KEYEXP.EXE ()
O4 - Startup: C:\Documents and Settings\Bob\Start Menu\Programs\Startup\Today.pif ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 0
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 0
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 0
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O8 - Extra context menu item: Convert link target to Adobe PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\ievkbd.dll (Kaspersky Lab ZAO)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\klwtbbho.dll (Kaspersky Lab ZAO)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: gamehouse.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: macys.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: mycheckfree.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: onlinesearches.com ([publicrecords] http in Trusted sites)
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: pointspot.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: thdathomeservices.com ([webmail] https in Trusted sites)
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab (Reg Error: Key error.)
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} http://ppupdates.ca.com/downloads/scanner/axscanner.cab (Reg Error: Key error.)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc2.cab (Office Update Installation Engine)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe (Reg Error: Key error.)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} https://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105290237593 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147109959609 (MUWebControl Class)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} http://www.imgag.com/cp/install/AxCtp2.cab (Create & Print ActiveX Plug-in)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326 (QDiagHUpdateObj Class)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: ppctlcab http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DC70D44C-CFA4-4CFB-AA8F-23E25AF64531}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\belarc - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AutorunsDisabled: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\klartew: DllName - (C:\Documents and Settings\NetworkService\Local Settings\Application Data\klartew.dll) - C:\Documents and Settings\NetworkService\Local Settings\Application Data\klartew.dll ()
O20 - Winlogon\Notify\klogon: DllName - (C:\WINDOWS\system32\klogon.dll) - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab ZAO)
O24 - Desktop Components:0 () -
O24 - Desktop WallPaper: C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Qualcomm\Eudora\EuShlExt.dll (Qualcomm Inc.)
O30 - LSA: Authentication Packages - (relog_ap) -C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/16 15:26:04 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2007/08/01 14:32:39 | 000,000,000 | ---D | M] - C:\autoruns -- [ NTFS ]
O32 - AutoRun File - [2011/10/19 15:35:12 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/08/16 15:26:04 | 000,000,000 | RHSD | M] - E:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{83925004-f3bb-11de-9450-101111111111}\Shell\AutoRun\command - "" = I:\WDSetup.exe
O33 - MountPoints2\{ed613d16-f5a7-11e0-968d-101111111111}\Shell\AutoRun\command - "" = J:\PortableRoboForm.exe
O33 - MountPoints2\{ed613d16-f5a7-11e0-968d-101111111111}\Shell\RoboForm2Go\command - "" = J:\PortableRoboForm.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/10 21:02:14 | 000,584,192 | ---- | C] (OldTimer Tools) -- D:\Desktop\OTL.exe
[2011/12/10 20:36:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/12/09 11:47:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2011/12/09 11:46:27 | 002,031,992 | ---- | C] (Microsoft Corporation) -- D:\Desktop\MGADiag.exe
[2011/12/03 23:47:23 | 000,000,000 | ---D | C] -- D:\Desktop\logs
[2011/12/03 13:04:50 | 000,607,260 | R--- | C] (Swearware) -- D:\Desktop\dds.scr
[2011/12/02 18:32:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Kaspersky Anti-Virus 2012
[2011/12/02 18:29:57 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2011/12/02 18:29:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2011/12/02 18:29:32 | 000,565,552 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2011/12/01 14:29:31 | 000,000,000 | ---D | C] -- C:\SDFix
[2011/12/01 11:37:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\Local Settings\Application Data\fxnetlib
[2011/11/30 18:51:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis
[2011/11/30 18:06:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/11/30 17:22:19 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Bob\Recent
[2011/11/30 12:10:41 | 000,071,880 | ---- | C] (Prevx) -- C:\WINDOWS\System32\PxSecure.dll-19202703
[2011/11/29 17:51:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/11/29 17:51:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/11/15 17:34:40 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2006/08/22 23:12:12 | 000,032,768 | ---- | C] ( ) -- C:\WINDOWS\System32\ShellLnkSSE.dll
[1 D:\*.tmp files -> D:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/10 21:12:04 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/12/10 21:10:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/10 20:47:46 | 000,584,192 | ---- | M] (OldTimer Tools) -- D:\Desktop\OTL.exe
[2011/12/10 18:05:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\DAILY DFG Backup Daily.job
[2011/12/10 17:10:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/09 11:47:18 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/09 11:45:44 | 002,031,992 | ---- | M] (Microsoft Corporation) -- D:\Desktop\MGADiag.exe
[2011/12/09 11:42:58 | 000,458,240 | ---- | M] () -- D:\Desktop\CKScanner.exe
[2011/12/07 20:12:07 | 000,000,207 | ---- | M] () -- C:\WINDOWS\hmapro.ini
[2011/12/05 19:30:15 | 003,219,344 | ---- | M] () -- D:\Desktop\popups.reg
[2011/12/05 07:21:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/04 15:52:26 | 000,005,714 | ---- | M] () -- D:\bob 120411.Theme
[2011/12/03 13:04:51 | 000,607,260 | R--- | M] (Swearware) -- D:\Desktop\dds.scr
[2011/12/03 09:46:53 | 000,109,670 | ---- | M] () -- D:\Desktop\todays santa.jpg
[2011/12/02 19:31:36 | 000,115,369 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2011/12/02 19:31:35 | 000,097,961 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2011/12/02 18:34:46 | 000,017,408 | ---- | M] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\WebpageIcons.db
[2011/12/02 18:32:53 | 000,000,032 | ---- | M] () -- C:\WINDOWS\gca631.INI
[2011/12/02 18:29:32 | 000,565,552 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2011/12/02 18:24:55 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/12/01 14:32:05 | 015,990,784 | ---- | M] () -- C:\Documents and Settings\Bob\NTUSER.bak
[2011/12/01 09:16:46 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\FULL DFG Backup.job
[2011/11/30 18:51:32 | 000,001,653 | ---- | M] () -- D:\Desktop\HijackThis.lnk
[2011/11/30 18:07:51 | 000,023,624 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/11/30 12:10:42 | 000,071,880 | ---- | M] (Prevx) -- C:\WINDOWS\System32\PxSecure.dll-19202703
[2011/11/30 12:10:20 | 000,000,447 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/11/25 14:08:28 | 000,004,421 | ---- | M] () -- C:\WINDOWS\DevMgr.ini
[2011/11/15 17:22:09 | 000,000,114 | ---- | M] () -- C:\WINDOWS\System32\prsgrc.tgz
[2011/11/15 17:22:09 | 000,000,100 | ---- | M] () -- C:\WINDOWS\System32\prsgrc.dll
[2011/11/15 08:17:59 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/11/14 08:39:41 | 000,000,539 | ---- | M] () -- C:\WINDOWS\KEYEX2.INI
[1 D:\*.tmp files -> D:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/09 11:43:52 | 000,458,240 | ---- | C] () -- D:\Desktop\CKScanner.exe
[2011/12/05 19:30:14 | 003,219,344 | ---- | C] () -- D:\Desktop\popups.reg
[2011/12/04 15:52:25 | 000,005,714 | ---- | C] () -- D:\bob 120411.Theme
[2011/12/03 09:48:36 | 000,109,670 | ---- | C] () -- D:\Desktop\todays santa.jpg
[2011/12/02 18:34:43 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\WebpageIcons.db
[2011/12/02 18:32:30 | 000,115,369 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
[2011/12/02 18:32:30 | 000,097,961 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
[2011/11/30 18:51:32 | 000,001,653 | ---- | C] () -- D:\Desktop\HijackThis.lnk
[2011/11/30 18:07:51 | 000,023,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/11/29 17:51:12 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\klartew.dll
[2011/09/21 17:18:53 | 000,001,088 | ---- | C] () -- C:\WINDOWS\B.COM
[2011/08/30 22:45:09 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth2.dll
[2011/08/30 22:45:09 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth1.dll
[2011/08/30 22:45:09 | 000,000,100 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.dll
[2011/07/19 08:40:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ckconfig.INI
[2011/06/30 23:02:30 | 000,327,656 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/03/11 12:43:54 | 000,029,763 | ---- | C] () -- C:\WINDOWS\System32\drivers\klopp.dat
[2010/10/22 15:07:33 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2010/05/07 06:39:38 | 000,000,036 | -H-- | C] () -- C:\Documents and Settings\Bob\Application Data\swk.ini
[2010/01/01 17:59:40 | 000,001,226 | ---- | C] () -- C:\WINDOWS\Mpcwty02.ini
[2009/05/07 16:41:57 | 000,000,268 | ---- | C] () -- C:\WINDOWS\SYMGAMES.INI
[2009/02/18 13:50:41 | 000,000,032 | ---- | C] () -- C:\WINDOWS\gca631.INI
[2009/02/10 16:48:58 | 000,013,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\BTNetFilter.sys
[2009/02/10 16:48:58 | 000,011,860 | ---- | C] () -- C:\WINDOWS\System32\drivers\vbtenum.sys
[2008/09/11 07:12:55 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/01/24 10:34:23 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2007/11/02 13:19:20 | 000,040,960 | ---- | C] () -- C:\WINDOWS\emunist.exe
[2007/11/02 13:19:20 | 000,003,254 | ---- | C] () -- C:\WINDOWS\TVEpaDrv.ini
[2006/12/10 09:03:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\MSTRC32.DLL
[2006/11/20 23:09:59 | 000,000,004 | ---- | C] () -- C:\WINDOWS\vx86036.dat
[2006/11/20 23:09:09 | 000,000,036 | ---- | C] () -- C:\WINDOWS\Crypkey.ini
[2006/11/20 23:09:05 | 000,031,654 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys
[2006/11/20 23:09:05 | 000,027,648 | R--- | C] () -- C:\WINDOWS\Setup_ck.exe
[2006/11/20 23:09:05 | 000,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll
[2006/11/20 23:09:05 | 000,011,776 | ---- | C] () -- C:\WINDOWS\Ckrfresh.exe
[2006/11/17 12:19:36 | 000,000,781 | ---- | C] () -- C:\WINDOWS\BTI.INI
[2006/11/16 17:11:36 | 000,088,576 | -H-- | C] () -- C:\Documents and Settings\Bob\Application Data\rbap550.dll
[2006/09/29 22:21:33 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\FileOps.exe
[2006/08/22 23:12:12 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\Gif89.dll
[2006/08/16 07:50:26 | 000,000,013 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\13.sys
[2006/05/05 18:28:09 | 000,000,447 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/05/04 17:40:15 | 000,202,752 | ---- | C] () -- C:\WINDOWS\CDAC14BA.DLL
[2006/05/04 17:40:15 | 000,020,992 | ---- | C] () -- C:\WINDOWS\CDAC13BA.EXE
[2006/05/04 17:40:14 | 000,011,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\CdaC15BA.SYS
[2006/01/27 14:52:41 | 000,046,345 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2006/01/27 01:57:00 | 000,000,325 | ---- | C] () -- C:\WINDOWS\PCAuth.ini
[2005/10/28 01:10:04 | 000,000,032 | ---- | C] () -- C:\WINDOWS\kemail.INI
[2005/08/19 11:58:04 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\cdtool.dll
[2005/03/23 01:02:54 | 000,107,134 | ---- | C] () -- C:\WINDOWS\UninstallFirefox.exe
[2005/03/22 23:47:41 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2005/03/22 23:47:21 | 000,105,168 | ---- | C] () -- C:\WINDOWS\NSUninst.exe
[2005/03/22 23:46:58 | 000,105,168 | ---- | C] () -- C:\WINDOWS\GREUninstall.exe
[2005/03/22 23:46:52 | 000,013,111 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2005/02/07 11:37:38 | 000,000,539 | ---- | C] () -- C:\WINDOWS\KEYEX2.INI
[2005/02/04 10:35:21 | 000,000,207 | ---- | C] () -- C:\WINDOWS\hmapro.ini
[2005/02/01 22:50:31 | 000,000,043 | ---- | C] () -- C:\WINDOWS\pdf2rtf.INI
[2005/02/01 22:49:37 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\pdf2word.DAT
[2005/01/25 10:41:52 | 000,070,656 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/01/23 10:35:51 | 000,071,749 | ---- | C] () -- C:\WINDOWS\hcextoutput.dll
[2005/01/23 10:35:22 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2005/01/18 19:52:12 | 000,000,123 | ---- | C] () -- C:\WINDOWS\_vmtel.INI
[2005/01/11 11:28:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\crws.INI
[2005/01/10 15:34:54 | 000,004,421 | ---- | C] () -- C:\WINDOWS\DevMgr.ini
[2005/01/10 11:52:24 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI
[2005/01/09 22:59:47 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ICOA.INI
[2005/01/09 22:59:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
[2005/01/09 22:59:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QDQICK.ini
[2005/01/09 22:45:02 | 000,000,064 | ---- | C] () -- C:\WINDOWS\QBWCD.INI
[2005/01/09 22:45:01 | 000,006,472 | ---- | C] () -- C:\WINDOWS\Icoadb32.dat
[2005/01/09 22:37:28 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/01/09 21:42:10 | 000,000,032 | -HS- | C] () -- C:\WINDOWS\System32\{2737521E-0016-4A5D-B638-1119267B18C9}.dat
[2005/01/09 21:42:10 | 000,000,032 | -HS- | C] () -- C:\WINDOWS\{2170D095-C0E7-4439-99C2-1171934A303A}.dat
[2005/01/09 21:42:06 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\SR2.dat
[2005/01/09 11:36:19 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/01/09 11:28:49 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/01/09 05:50:34 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/01/09 05:49:36 | 000,563,912 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/07/26 13:36:10 | 000,131,148 | ---- | C] () -- C:\WINDOWS\System32\WdReg.exe
[2003/07/16 15:54:55 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/07/16 15:54:54 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/07/16 15:41:25 | 000,513,048 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/07/16 15:41:25 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/07/16 15:41:23 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/07/16 15:41:21 | 000,085,916 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/07/16 15:39:07 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/07/16 15:33:50 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/07/16 15:33:39 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/07/16 15:27:41 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/07/16 15:26:37 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/01/20 15:48:41 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\mscfcword.dll
[2002/12/19 21:15:36 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\SAWZip.dll
[2002/11/20 18:51:34 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\win2000.dll
[2002/11/01 16:17:50 | 000,000,256 | ---- | C] () -- C:\WINDOWS\aucfg.ini
[2002/07/04 15:05:34 | 000,000,269 | ---- | C] () -- C:\WINDOWS\tmupdate.ini
[2002/06/26 18:38:44 | 000,002,249 | ---- | C] () -- C:\WINDOWS\System32\mswincore.dll
[2002/03/14 11:00:26 | 000,038,567 | ---- | C] () -- C:\WINDOWS\System32\pcpbios.exe
[2001/12/14 13:34:46 | 000,164,864 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2001/04/12 20:19:16 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[1999/07/23 12:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 09:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
[1998/08/16 04:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
[1997/06/25 15:24:16 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
[1996/12/13 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 219 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7204B89D
@Alternate Data Stream - 152 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8927A071
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1AE68282

< End of report >



reports are too long, next report in next reply

spybob
2011-12-11, 13:45
OTL Extras logfile created on: 12/10/2011 9:02:28 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = D:\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.00 Mb Total Physical Memory | 589.99 Mb Available Physical Memory | 57.73% Memory free
2.49 Gb Paging File | 2.06 Gb Available in Paging File | 82.45% Paging File free
Paging file location(s): D:\pagefile.sys 100 200E:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9.78 Gb Total Space | 1.02 Gb Free Space | 10.43% Space Free | Partition Type: NTFS
Drive D: | 11.45 Gb Total Space | 0.38 Gb Free Space | 3.35% Space Free | Partition Type: NTFS
Drive E: | 16.02 Gb Total Space | 0.15 Gb Free Space | 0.91% Space Free | Partition Type: NTFS
Drive J: | 1.83 Gb Total Space | 1.49 Gb Free Space | 81.80% Space Free | Partition Type: FAT32

Computer Name: TYC | User Name: Bob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
.js [@ = JSFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\Program Files\JGsoft\EditPadLite\EditPad.exe (Just Great Software)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
jsfile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- "C:\Program Files\JGsoft\EditPadLite\EditPad.exe" "%1" (Just Great Software)
vbefile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"67:UDP" = 67:UDP:*:Enabled:DHCP Discovery Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Program Files\ResMed\AutoScan\5.4\crws.exe" = C:\Program Files\ResMed\AutoScan\5.4\crws.exe:*:Enabled:CRWS -- (ResMed)
"C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" = C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe:*:Enabled:Dreamweaver MX 2004 -- (Macromedia, Inc.)
"C:\Program Files\DFG\BackUp3\BackUp.exe" = C:\Program Files\DFG\BackUp3\BackUp.exe:*:Enabled:BackUp
"C:\totalcmd\TOTALCMD.EXE" = C:\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows
"C:\Program Files\SmartFTP\SmartFTP.exe" = C:\Program Files\SmartFTP\SmartFTP.exe:*:Enabled:SmartFTP Client
"C:\Program Files\PC Magazine Utilities\FTPpie.exe" = C:\Program Files\PC Magazine Utilities\FTPpie.exe:*:Enabled:FTP usage piechart utility
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox -- (Mozilla Corporation)
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)
"C:\Program Files\SJLabs\SJphone\SJphone.exe" = C:\Program Files\SJLabs\SJphone\SJphone.exe:*:Enabled:SJphone
"C:\Program Files\jajah\jajah.exe" = C:\Program Files\jajah\jajah.exe:*:Enabled:jajah
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
"C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" = C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe:*:Enabled:VoipBuster
"E:\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" = E:\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2 -- (Adobe Systems Incorporated)
"E:\Program Files\TurboTax\2006\TurboTax Deluxe 2006\32bit\ttax.exe" = E:\Program Files\TurboTax\2006\TurboTax Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax
"E:\Program Files\TurboTax\2006\TurboTax Deluxe 2006\32bit\updatemgr.exe" = E:\Program Files\TurboTax\2006\TurboTax Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager
"E:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = E:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax
"E:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = E:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager
"C:\Program Files\BlueSoleil\BlueSoleil.exe" = C:\Program Files\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil -- (IVT Corporation)
"C:\WINDOWS\system32\javaw.exe" = C:\WINDOWS\system32\javaw.exe:*:Enabled:Java(TM) Platform SE binary
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\FavoriteSync\FavoriteSync.exe" = C:\Program Files\FavoriteSync\FavoriteSync.exe:*:Enabled:Internet Explorer Sync Application
"C:\WINDOWS\TEMP\spsvrb\setup.exe" = C:\WINDOWS\TEMP\spsvrb\setup.exe:*:Enabled:setup


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0134A1A1-C283-4A47-91A1-92F19F960372}" = Adobe Creative Suite 2
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = Google Gmail Notifier
"{03DF638A-D61C-4893-B8B9-845900C03163}" = TurboTax 2010 wnyiper
"{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}" = Macromedia Dreamweaver MX 2004
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{1526D87C-A955-4FAB-BF18-697BA457E352}" = Norton WMI Update
"{1873789F-59D5-4002-8A2F-60A827B78F98}_is1" = GmapTool 0.6.0
"{21DBBDD6-93A5-4326-9A04-C9A5C9148502}" = Norton PartitionMagic
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{2FD94FBC-07AE-475C-B522-BFE899B9048E}" = Garmin WebUpdater
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3B1D6DF0-EAA2-012B-AE51-000000000000}" = TurboTax 2009 wnjiper
"{3B8186F0-EAA2-012B-AE69-000000000000}" = TurboTax 2009 wnyiper
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{41369F9D-FF51-464F-9FFB-33198BA24CC9}" = USB Modem Driver
"{45E557D6-2271-4F13-8101-C620B4285AB0}" = Kaspersky Anti-Virus 2012
"{46548E80-0409-0000-7E8A-45000F855001}" = Adobe GoLive CS2
"{47CB8B6B-49DF-4058-AC2B-1596E3BE63EA}" = Garmin City Navigator North America 2009
"{5B893587-00A8-4A4E-83F0-8AFA7BFC7C1A}" = PVR Plus
"{5D5B9E6A-344C-4976-95AB-ABBDC648E5DA}" = Microsoft IntelliType Pro 5.2
"{5E3CFCA6-C95A-47CB-A822-7FA80D423AF2}" = MapSource
"{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller
"{64D36D7C-B821-42E5-8BDB-239812D1D752}" = Microsoft Tool Web Package : GETMAC.EXE
"{64EF9937-CDDA-11D7-9FEB-0000E22B272F}" = AutoScan5.4
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}" = CmdHere Powertoy For Windows XP
"{6C6F0968-2B86-42B4-AF34-46A5F06E8FA4}" = MySoftware Fonts
"{706AE61D-40A4-4F50-8359-FE8F6F7FA461}" = Acronis Drive Monitor
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{7F4C8163-F259-49A0-A018-2857A90578BC}" = Adobe InDesign CS2
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84CC9583-C2D6-42E6-A373-6FDDDA6A8BA6}" = Garmin Communicator Plugin
"{86BB059D-1231-457B-B88F-F9B315A18F90}" = Windows Vista Upgrade Advisor
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{8C6DAA0F-D94F-475C-A82F-2E7B91BE7B58}" = Eudora
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9021848E-F315-44C7-8D45-3B16162AA73A}" = TurboTax 2010 wneiper
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{923CAE62-30C9-425E-B4ED-F5E9C09C5C4A}" = TurboTax 2008 wnjiper
"{939740B5-0064-4779-854A-8C1086181C05}" = Macromedia FreeHand MXa
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}" =
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A8DF1374-7E6B-448A-87BB-2DCE71874F2B}" = Macrium Reflect - Free Edition
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA1542E6-D54D-4AB3-97E1-28DB4CEB4B90}" = Garmin City Navigator North America 2008
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{ADBE46EE-54E0-4610-B436-D7E93D829100}" = Adobe Version Cue CS2
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}" = Adobe Illustrator CS2
"{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B74D4E10-6884-0000-0000-000000000103}" = Adobe Bridge 1.0
"{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}" = BlueSoleil
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C43E4B9C-14C8-4EB0-998B-85211B6EDD61}" = Seagate DiscWizard
"{C49DAA9C-5BA8-459A-8244-E57B69DF0F04}" = Suite Specific
"{C4D26D60-7B43-4CE9-AE19-A380D9DF126B}" = Garmin MapSource
"{CA19AEA3-B949-41DA-AFBA-692356230F6E}" = TurboTax 2010 wnjiper
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E583ED6F-BD99-4066-A420-C815BF692B69}" = Macromedia Fireworks MX 2004
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{E8DA0DB7-51C7-4D47-A9FC-51F206ED0045}" = MapSource - City Select North America v7
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}" =
"{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}" = Adobe Stock Photos 1.0
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F186D52C-BBD6-4C7D-80FA-28D0662D7ABD}" = Jalbum
"{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
"{F7E1CA14-B39D-452A-960B-39423DDDD933}" = DriveImage XML
"{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1" = BitPim 1.0.4
"{FBE4694D-AA7D-491A-8EE5-53695CDCF921}_is1" = Stuff Organizer
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"ActiveScan 2.0" = Panda ActiveScan 2.0
"AddressBook" =
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe GoLive CS2 English" =
"Adobe Illustrator CS2" =
"Adobe InDesign CS2 - {7F4C8163-F259-49A0-A018-2857A90578BC}" =
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" =
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"AI RoboForm" = AI RoboForm (All Users)
"AOL Instant Messenger" = AOL Instant Messenger
"AOL Instant Messenger (SM)" = AOL Instant Messenger (SM)
"ASAP Utilities_is1" = ASAP Utilities
"BookSmart® 2.9.1 2.9.1" = BookSmart® 2.9.1 2.9.1
"Branding" =
"CCleaner" = CCleaner
"CdaC13Ba" = SafeCast Shared Components
"cGPSmapper Shareware_is1" = cGPSmapper Shareware 0087
"Complete Cleanup Trial_is1" = Complete Cleanup Trial
"Connection Manager" =
"CookieCop® 2" = CookieCop® 2
"DirectAnimation" =
"DirectDrawEx" =
"EASEUS Data Recovery Wizard Free Edition 5.5.1_is1" = EASEUS Data Recovery Wizard Free Edition 5.5.1
"EditPad Lite" = Just Great Software EditPad Lite 6.6.3
"ERUNT_is1" = ERUNT 1.1j
"Excel VBA Code Cleaner 4.4" = Excel VBA Code Cleaner 4.4
"Excel VBA Code Documentor 4.0" = Excel VBA Code Documentor 4.0
"FileNote" = FileNote (Remove Only)
"Fontcore" =
"Free CD to MP3 Converter" = Free CD to MP3 Converter
"Google Updater" = Google Updater
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"HijackThis" = HijackThis 2.0.2
"hp officejet g series 1105389292" = hp officejet g series
"ICW" =
"IE40" =
"IE4Data" =
"IE5BAKEX" =
"ie7" = Windows Internet Explorer 7
"IEData" =
"InstallShield Uninstall Information" =
"InstallShield_{21DBBDD6-93A5-4326-9A04-C9A5C9148502}" = Norton PartitionMagic 8.0
"InstallShield_{41369F9D-FF51-464F-9FFB-33198BA24CC9}" = USB Modem Driver
"InstallShield_{E8DA0DB7-51C7-4D47-A9FC-51F206ED0045}" = MapSource - City Select North America v7
"InstallWIX_{45E557D6-2271-4F13-8101-C620B4285AB0}" = Kaspersky Anti-Virus 2012
"Intel(R) 537EP V9x DF PCI Modem" = Intel(R) 537EP V9x DF PCI Modem
"IrfanView" = IrfanView (remove only)
"jv16 PowerTools_is1" = jv16 PowerTools 2005
"Kirby Alarm Pro_is1" = Kirby Alarm Pro v4.45
"Kirby Alarm_is1" = Kirby Alarm v2.11
"LiveReg" = LiveReg (Symantec Corporation)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MobileOptionPack" =
"MozBackup_is1" = MozBackup 1.4.7
"Mozilla Firefox (3.6.23)" = Mozilla Firefox (3.6.23)
"MSI30a-KB884016" =
"MSI30-Beta1" =
"MSI30-Beta2" =
"MSI30-KB884016" =
"MSI30-RC1" =
"MSI30-RC2" =
"MSI31-Beta" =
"MSI31-RC1" =
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NetMeeting" =
"NTREGOPT_is1" = NTREGOPT 1.1j
"OSM map" = OSM map
"OutlookExpress" =
"PandoraRecovery" = PandoraRecovery (Remove Only)
"PC Authorize" = PC Authorize
"PC Magazine's Startup Cop_is1" = Startup Cop 1.1
"PCHealth" =
"Pidgin" = Pidgin
"POP Peeper" = POP Peeper
"Powerpnt" = Microsoft PowerPoint 97
"QuickBooks 99" = QuickBooks Pro 99
"QuicktimeAlt_is1" = QuickTime Alternative 3.2.2
"RealAlt_is1" = Real Alternative 1.42
"SchedulingAgent" =
"Secunia PSI" = Secunia PSI
"Shockwave" =
"Smart Defrag 1.0_is1" = Smart Defrag 1.0
"Smart Indenter v3.5 for Office 2000-2003" = Smart Indenter v3.5 for Office 2000-2003
"Snapshot Viewer" = Snapshot Viewer
"ST6UNST #1" = dfg BackUp XP 2005
"ST6UNST #4" = dfg BackUp XP 2005 (C:\Program Files\DFG\BackUp3\)
"SyncBack_is1" = SyncBack
"TurboTax 2009" = TurboTax 2009
"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
"Tweak UI 2.10" = Tweak UI
"Volumouse" = Volumouse
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinDriver6.22 USB Driver" = WinDriver6.22 USB Driver
"WinRAR archiver" = WinRAR archiver
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XQXSetup_is1" = Xteq Systems X-Setup 6.2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/29/2011 11:26:04 PM | Computer Name = TYC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 11/29/2011 11:26:04 PM | Computer Name = TYC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 12/1/2011 1:24:02 PM | Computer Name = TYC | Source = Acronis Scheduler | ID = 1
Description =

Error - 12/2/2011 10:29:45 AM | Computer Name = TYC | Source = MPSampleSubmission | ID = 5000
Description =

Error - 12/2/2011 3:42:08 PM | Computer Name = TYC | Source = MPSampleSubmission | ID = 5000
Description =

Error - 12/2/2011 4:18:11 PM | Computer Name = TYC | Source = MPSampleSubmission | ID = 5000
Description =

Error - 12/2/2011 7:21:15 PM | Computer Name = TYC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 12/2/2011 7:24:32 PM | Computer Name = TYC | Source = Microsoft Security Client | ID = 1001
Description =

Error - 12/10/2011 9:39:10 PM | Computer Name = TYC | Source = Application Error | ID = 1000
Description = Faulting application set8a.tmp, version 7.1.100.1248, faulting module
, version 0.0.0.0, fault address 0x00000000.

Error - 12/10/2011 9:39:17 PM | Computer Name = TYC | Source = Application Error | ID = 1000
Description = Faulting application set8b.tmp, version 7.1.100.1248, faulting module
, version 0.0.0.0, fault address 0x00000000.

[ System Events ]
Error - 12/2/2011 7:28:21 PM | Computer Name = TYC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
pxrts pxscan

Error - 12/4/2011 8:44:30 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Google Update Service
(gupdate) service to connect.

Error - 12/4/2011 8:44:30 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%1053

Error - 12/4/2011 8:44:30 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7022
Description = The Intuit Update Service service hung on starting.

Error - 12/4/2011 8:44:30 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
pxrts pxscan

Error - 12/5/2011 8:23:34 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
pxrts pxscan

Error - 12/6/2011 8:47:18 AM | Computer Name = TYC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 12/8/2011 8:47:19 AM | Computer Name = TYC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 12/10/2011 8:47:20 AM | Computer Name = TYC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 12/10/2011 7:58:41 PM | Computer Name = TYC | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service upnphost with
arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}


< End of report >

vict0r
2011-12-13, 02:24
Hi,

I haven't forgotten you and will post further instructions as soon as possible.

spybob
2011-12-13, 05:30
thank you

vict0r
2011-12-16, 03:48
Hello,

I'm sorry for the delay.


Please go ahead and uninstall Booksmart, google earth, hp officejet and Kirby 2.11.


Download Tools

Instruction on how to use these tools is found further down this post.

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.

Download the following 3 files & save them with the original name.

Please download GMER Rootkit Scanner from the following link:
http://www2.gmer.net/download.php

Please download WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe from the following link:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=12934

Please download ComboFix from one of the following links, do not run the tool yet:

Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.forospyware.com/sUBs/ComboFix.exe)

Transfer the files to the desktop of the infected computer.

**IMPORTANT !!! ComboFix.exe must be saved to the Desktop**


Disable Kaspersky Anti Virus


Please navigate to the system tray on the bottom right hand corner and look for a http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/kav.png sign.
right click it-> select Pause Protection.
click on -> By User Request
a popup will claim that protection is now disabled and a sign like this: http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/kav_disabled.png will now be shown.
Note: Don't forget to re-enable it after the fix.


Run GMER Rootkit Scanner

If this scan crashes, please retry it a maximum of two times (a restart of your computer may be required), then continue with the next steps.

Double click the GMER .exe file. If asked to allow gmer's .sys driver to load, please consent
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

In the right panel, you will see several boxes that have been checked. Uncheck the following ... Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All << (don't miss this one)
See image below, Click the image to enlarge it
http://i266.photobucket.com/albums/ii277/sUBs_/th_Gmer_initScan.gif (http://i266.photobucket.com/albums/ii277/sUBs_/Gmer_initScan.gif)


Then click the Scan button & wait for it to finish
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop, and post it in your next reply**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Note: Do not run any programs or use your computer while Gmer is scanning.


Install the Recovery Console and run Combofix

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Drag the setup package (WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe) onto ComboFix.exe and drop it:
http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console
http://img.photobucket.com/albums/v706/ried7/whatnext.png
At the next prompt, click Yes to continue scanning for malware. Please do not use the computer once Combofix has started scanning.

Please include the ComboFix log (C:\ComboFix.txt) in your next reply for further review.

Please enable Kaspersky Anti-Virus after ComboFix is finished.

spybob
2011-12-16, 20:19
I elected not to remove some of the last programs mentioned prior to following the rest of your instructions. Would there be any difference had I not removed any programs from the beginning of this?


The process did find rootkit.zeroaccess and needed to reboot before being run again.

Thanks

-Bob




ComboFix 11-12-16.01 - Bob 12/16/2011 12:36:52.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.614 [GMT -5:00]
Running from: d:\desktop\ComboFix.exe
Command switches used :: d:\desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\13.sys
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Bob\Application Data\rbap550.dll
c:\documents and settings\Bob\GoToAssistDownloadHelper.exe
c:\documents and settings\Bob\WINDOWS
c:\documents and settings\NetworkService\Local Settings\Application Data\klartew.dll
c:\windows\$NtUninstallKB44907$
c:\windows\$NtUninstallKB44907$\3260245246
c:\windows\$NtUninstallKB44907$\3558636407\@
c:\windows\$NtUninstallKB44907$\3558636407\bckfg.tmp
c:\windows\$NtUninstallKB44907$\3558636407\cfg.ini
c:\windows\$NtUninstallKB44907$\3558636407\Desktop.ini
c:\windows\$NtUninstallKB44907$\3558636407\keywords
c:\windows\$NtUninstallKB44907$\3558636407\kwrd.dll
c:\windows\$NtUninstallKB44907$\3558636407\L\cmhpaair
c:\windows\$NtUninstallKB44907$\3558636407\lsflt7.ver
c:\windows\$NtUninstallKB44907$\3558636407\U\00000001.@
c:\windows\$NtUninstallKB44907$\3558636407\U\00000002.@
c:\windows\$NtUninstallKB44907$\3558636407\U\00000004.@
c:\windows\$NtUninstallKB44907$\3558636407\U\80000000.@
c:\windows\$NtUninstallKB44907$\3558636407\U\80000004.@
c:\windows\$NtUninstallKB44907$\3558636407\U\80000032.@
c:\windows\CDAC13BA.EXE
c:\windows\CDAC14BA.DLL
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\prsgrc.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
.
.
2011-12-09 16:47 . 2011-12-09 16:47 -------- dc----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-12-02 23:32 . 2011-12-03 00:31 115369 -c--a-w- c:\windows\system32\drivers\klin.dat
2011-12-02 23:32 . 2011-12-03 00:31 97961 -c--a-w- c:\windows\system32\drivers\klick.dat
2011-12-02 23:29 . 2011-12-02 23:29 -------- dc----w- c:\program files\Kaspersky Lab
2011-12-02 23:29 . 2011-12-16 17:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2011-12-01 19:29 . 2008-11-06 07:03 -------- dc----w- C:\SDFix
2011-12-01 16:37 . 2011-12-01 22:00 -------- dc----w- c:\documents and settings\Bob\Local Settings\Application Data\fxnetlib
2011-11-30 23:07 . 2011-11-30 23:07 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-30 23:06 . 2011-11-30 23:07 -------- dc----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-11-30 17:10 . 2011-11-30 17:10 71880 -c--a-w- c:\windows\system32\PxSecure.dll-19202703
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-01 00:08 . 2003-07-16 20:37 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-15 13:17 . 2011-05-20 10:52 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2006-11-09 19:20 . 2006-06-05 03:13 2111096 -c--a-w- c:\program files\mozilla firefox\plugins\oldNPSWF32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"$Volumouse$"="c:\program files\Volumouse\volumouse.exe" [2005-06-05 24064]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2010-09-09 1511424]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-29 160328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"adm_tray.exe"="c:\program files\Acronis\DriveMonitor\adm_tray.exe" [2010-08-26 531664]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe" [2011-04-25 202296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-29 160328]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
.
c:\documents and settings\Bob\Start Menu\Programs\Startup\
KeyExpress.lnk - d:\keyexp\KEYEXP.EXE [2005-1-10 838656]
Today.pif [2007-10-1 2855]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-9-29 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Kirby Alarm.lnk - c:\program files\Kirby Alarm\kirbyalarm.exe [2004-1-21 1366528]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- e:\adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-08-13 23:01 365632 -c--a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2009-10-16 23:42 904840 -c--a-w- c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:56 15360 -c--a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
2009-10-16 23:37 1325936 -c--a-w- c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\emMON]
2006-05-31 02:24 61440 -c--a-w- c:\windows\emMON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 12:59 155648 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 -csh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
2009-10-16 23:39 136544 -c--a-w- c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 18:42 1404928 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 -c----w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
2004-06-03 06:51 172032 ----a-w- c:\program files\Microsoft IntelliType Pro\type32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Titan Backup"="c:\progra~1\TITANB~1\TITANB~2.EXE" /startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\xqttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe Version Cue CS2"=e:\adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\ResMed\\AutoScan\\5.4\\crws.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"e:\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\BlueSoleil\\BlueSoleil.exe"=
"\\??\\c:\\WINDOWS\\system32\\winlogon.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/15/2011 5:34 PM 28552]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [9/28/2010 1:03 PM 15328]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [3/4/2011 1:23 PM 11352]
R2 KirbyAlarmPro;Kirby Alarm Pro;c:\program files\Kirby Alarm Pro\kirbyalarmpro.exe [2/3/2009 3:46 PM 3579904]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [9/28/2010 1:02 PM 220128]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [10/16/2009 6:39 PM 431456]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [3/10/2011 6:34 PM 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 8:27 PM 19472]
S0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys --> c:\windows\system32\drivers\pxscan.sys [?]
S1 MpKsl05b8ec11;MpKsl05b8ec11;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF9C8DF2-582E-4A0B-A51F-7E845E1CD6FD}\MpKsl05b8ec11.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF9C8DF2-582E-4A0B-A51F-7E845E1CD6FD}\MpKsl05b8ec11.sys [?]
S1 MpKsl2c04e557;MpKsl2c04e557;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC45769-A94D-4949-A210-4E7DD42E8B5A}\MpKsl2c04e557.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC45769-A94D-4949-A210-4E7DD42E8B5A}\MpKsl2c04e557.sys [?]
S1 MpKsl30221af3;MpKsl30221af3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsl30221af3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsl30221af3.sys [?]
S1 MpKsl3bbc9cb7;MpKsl3bbc9cb7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B65B421E-520C-4DC3-BB0B-E0B13CCACB29}\MpKsl3bbc9cb7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B65B421E-520C-4DC3-BB0B-E0B13CCACB29}\MpKsl3bbc9cb7.sys [?]
S1 MpKsl50c6aa21;MpKsl50c6aa21;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FBCED0E-C906-4526-8AC0-A3E173BD644C}\MpKsl50c6aa21.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FBCED0E-C906-4526-8AC0-A3E173BD644C}\MpKsl50c6aa21.sys [?]
S1 MpKsl63115aff;MpKsl63115aff;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F268287-023A-4EF1-8111-EED0D192DFAE}\MpKsl63115aff.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F268287-023A-4EF1-8111-EED0D192DFAE}\MpKsl63115aff.sys [?]
S1 MpKsl6992bf7e;MpKsl6992bf7e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00DD543A-485E-4F5C-805E-5CCCBA25D24D}\MpKsl6992bf7e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00DD543A-485E-4F5C-805E-5CCCBA25D24D}\MpKsl6992bf7e.sys [?]
S1 MpKsl6f4364a6;MpKsl6f4364a6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49F1789D-F463-4AE6-9A66-747134266B78}\MpKsl6f4364a6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49F1789D-F463-4AE6-9A66-747134266B78}\MpKsl6f4364a6.sys [?]
S1 MpKsl91e50612;MpKsl91e50612;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AFA9519-2DC2-4F4A-BC6A-67DB575AD69F}\MpKsl91e50612.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AFA9519-2DC2-4F4A-BC6A-67DB575AD69F}\MpKsl91e50612.sys [?]
S1 MpKsl957cbe81;MpKsl957cbe81;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D7ADC2B-9E7C-499B-8B4B-970056C021C5}\MpKsl957cbe81.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D7ADC2B-9E7C-499B-8B4B-970056C021C5}\MpKsl957cbe81.sys [?]
S1 MpKsla44f2d84;MpKsla44f2d84;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsla44f2d84.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsla44f2d84.sys [?]
S1 MpKslb1eef83e;MpKslb1eef83e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EC47350A-2863-4F9A-90E4-6AAB11DC7F96}\MpKslb1eef83e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EC47350A-2863-4F9A-90E4-6AAB11DC7F96}\MpKslb1eef83e.sys [?]
S1 MpKslbb72fb26;MpKslbb72fb26;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02B31D1-047A-4A74-B222-564F57750561}\MpKslbb72fb26.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02B31D1-047A-4A74-B222-564F57750561}\MpKslbb72fb26.sys [?]
S1 MpKslc6a20e02;MpKslc6a20e02;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22038661-62E7-42F4-A3BD-BD6D7EA26198}\MpKslc6a20e02.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22038661-62E7-42F4-A3BD-BD6D7EA26198}\MpKslc6a20e02.sys [?]
S1 MpKslc86a0644;MpKslc86a0644;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F951E807-42B7-42A5-8E28-F10B74BCA579}\MpKslc86a0644.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F951E807-42B7-42A5-8E28-F10B74BCA579}\MpKslc86a0644.sys [?]
S1 MpKslcfc4f3af;MpKslcfc4f3af;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C9F5F717-DE2B-42A3-AD96-B15B8B26858B}\MpKslcfc4f3af.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C9F5F717-DE2B-42A3-AD96-B15B8B26858B}\MpKslcfc4f3af.sys [?]
S1 MpKsldfa7710c;MpKsldfa7710c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D66A504-67FE-4FC0-B704-9AFF011607F5}\MpKsldfa7710c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D66A504-67FE-4FC0-B704-9AFF011607F5}\MpKsldfa7710c.sys [?]
S1 MpKslf156ae64;MpKslf156ae64;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{021DE105-DC76-4D6E-BEB8-B9D47DD524A3}\MpKslf156ae64.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{021DE105-DC76-4D6E-BEB8-B9D47DD524A3}\MpKslf156ae64.sys [?]
S1 MpKslf9cc0160;MpKslf9cc0160;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E84C3EA2-141B-4581-A47D-CA48B2E8C486}\MpKslf9cc0160.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E84C3EA2-141B-4581-A47D-CA48B2E8C486}\MpKslf9cc0160.sys [?]
S1 MpKslfd8e6181;MpKslfd8e6181;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71E3C987-72E8-40B3-A256-DA415B7829B5}\MpKslfd8e6181.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71E3C987-72E8-40B3-A256-DA415B7829B5}\MpKslfd8e6181.sys [?]
S1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys --> c:\windows\system32\drivers\pxrts.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [3/24/2009 6:03 AM 7808]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [9/28/2010 1:03 PM 44512]
S3 PSVolAcc;PSVolAcc;c:\windows\system32\drivers\PSVolAcc.sys [9/28/2010 1:03 PM 12256]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys --> c:\windows\system32\drivers\pxkbf.sys [?]
S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\drivers\sustucap.sys [2/3/2006 8:56 AM 37632]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:14 PM 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:14 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-26 20:31]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 02:14]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 02:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = cookiecop:8100
uInternet Settings,ProxyOverride = 192.168;<local>
IE: Convert link target to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {{320AF880-6646-11D3-ABEE-C5DBF3571F4E} - c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
Trusted Zone: gamehouse.com\www
Trusted Zone: intuit.com\ttlc
Trusted Zone: macys.com\www
Trusted Zone: mycheckfree.com
Trusted Zone: onlinesearches.com\publicrecords
Trusted Zone: pointspot.com\www
Trusted Zone: thdathomeservices.com\webmail
Trusted Zone: turbotax.com
TCP: Interfaces\{DC70D44C-CFA4-4CFB-AA8F-23E25AF64531}: NameServer = 208.67.220.220,208.67.222.222
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.ftp - cookiecop
FF - prefs.js: network.proxy.ftp_port - 8100
FF - prefs.js: network.proxy.gopher - cookiecop
FF - prefs.js: network.proxy.gopher_port - 8100
FF - prefs.js: network.proxy.http - cookiecop
FF - prefs.js: network.proxy.http_port - 8100
FF - prefs.js: network.proxy.socks - cookiecop
FF - prefs.js: network.proxy.socks_port - 8100
FF - prefs.js: network.proxy.ssl - cookiecop
FF - prefs.js: network.proxy.ssl_port - 8100
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: PlainOldFavorites: {7E7165E2-0767-448c-852F-5FA8714F2C37} - %profile%\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
.
.
------- File Associations -------
.
txtfile="c:\program files\JGsoft\EditPadLite\EditPad.exe" "%1"
.
- - - - ORPHANS REMOVED - - - -
.
Notify-AutorunsDisabled - (no file)
SafeBoot-79768126.sys
AddRemove-CdaC13Ba - c:\windows\CDAC13BA.EXE
AddRemove-PC Authorize - e:\tellan\PCAuth\DeIsL1.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-16 12:51
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1572)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(2036)
c:\windows\system32\WININET.dll
c:\program files\Volumouse\vlmshlp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\crypserv.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\progra~1\PCMAGA~1\COOKIE~1\COOKIE~1.EXE
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
.
**************************************************************************
.
Completion time: 2011-12-16 13:01:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-16 18:01
.
Pre-Run: 1,089,880,064 bytes free
Post-Run: 1,376,165,888 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="TYC MS Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 5DAE4B4BE54E1DC804A32F93B940828C

spybob
2011-12-16, 22:47
I elected not to remove some of the last programs mentioned prior to following the rest of your instructions. Would there be any difference had I not removed any programs from the beginning of this?


The process did find rootkit.zeroaccess and needed to reboot before being run again.

Thanks

-Bob




ComboFix 11-12-16.01 - Bob 12/16/2011 12:36:52.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.614 [GMT -5:00]
Running from: d:\desktop\ComboFix.exe
Command switches used :: d:\desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\13.sys
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Bob\Application Data\rbap550.dll
c:\documents and settings\Bob\GoToAssistDownloadHelper.exe
c:\documents and settings\Bob\WINDOWS
c:\documents and settings\NetworkService\Local Settings\Application Data\klartew.dll
c:\windows\$NtUninstallKB44907$
c:\windows\$NtUninstallKB44907$\3260245246
c:\windows\$NtUninstallKB44907$\3558636407\@
c:\windows\$NtUninstallKB44907$\3558636407\bckfg.tmp
c:\windows\$NtUninstallKB44907$\3558636407\cfg.ini
c:\windows\$NtUninstallKB44907$\3558636407\Desktop.ini
c:\windows\$NtUninstallKB44907$\3558636407\keywords
c:\windows\$NtUninstallKB44907$\3558636407\kwrd.dll
c:\windows\$NtUninstallKB44907$\3558636407\L\cmhpaair
c:\windows\$NtUninstallKB44907$\3558636407\lsflt7.ver
c:\windows\$NtUninstallKB44907$\3558636407\U\00000001.@
c:\windows\$NtUninstallKB44907$\3558636407\U\00000002.@
c:\windows\$NtUninstallKB44907$\3558636407\U\00000004.@
c:\windows\$NtUninstallKB44907$\3558636407\U\80000000.@
c:\windows\$NtUninstallKB44907$\3558636407\U\80000004.@
c:\windows\$NtUninstallKB44907$\3558636407\U\80000032.@
c:\windows\CDAC13BA.EXE
c:\windows\CDAC14BA.DLL
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\prsgrc.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
.
.
2011-12-09 16:47 . 2011-12-09 16:47 -------- dc----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-12-02 23:32 . 2011-12-03 00:31 115369 -c--a-w- c:\windows\system32\drivers\klin.dat
2011-12-02 23:32 . 2011-12-03 00:31 97961 -c--a-w- c:\windows\system32\drivers\klick.dat
2011-12-02 23:29 . 2011-12-02 23:29 -------- dc----w- c:\program files\Kaspersky Lab
2011-12-02 23:29 . 2011-12-16 17:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2011-12-01 19:29 . 2008-11-06 07:03 -------- dc----w- C:\SDFix
2011-12-01 16:37 . 2011-12-01 22:00 -------- dc----w- c:\documents and settings\Bob\Local Settings\Application Data\fxnetlib
2011-11-30 23:07 . 2011-11-30 23:07 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-30 23:06 . 2011-11-30 23:07 -------- dc----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-11-30 17:10 . 2011-11-30 17:10 71880 -c--a-w- c:\windows\system32\PxSecure.dll-19202703
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-01 00:08 . 2003-07-16 20:37 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-15 13:17 . 2011-05-20 10:52 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2006-11-09 19:20 . 2006-06-05 03:13 2111096 -c--a-w- c:\program files\mozilla firefox\plugins\oldNPSWF32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"$Volumouse$"="c:\program files\Volumouse\volumouse.exe" [2005-06-05 24064]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2010-09-09 1511424]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-29 160328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"adm_tray.exe"="c:\program files\Acronis\DriveMonitor\adm_tray.exe" [2010-08-26 531664]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe" [2011-04-25 202296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-29 160328]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
.
c:\documents and settings\Bob\Start Menu\Programs\Startup\
KeyExpress.lnk - d:\keyexp\KEYEXP.EXE [2005-1-10 838656]
Today.pif [2007-10-1 2855]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-9-29 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Kirby Alarm.lnk - c:\program files\Kirby Alarm\kirbyalarm.exe [2004-1-21 1366528]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- e:\adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-08-13 23:01 365632 -c--a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2009-10-16 23:42 904840 -c--a-w- c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:56 15360 -c--a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
2009-10-16 23:37 1325936 -c--a-w- c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\emMON]
2006-05-31 02:24 61440 -c--a-w- c:\windows\emMON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 12:59 155648 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 -csh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
2009-10-16 23:39 136544 -c--a-w- c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 18:42 1404928 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 -c----w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
2004-06-03 06:51 172032 ----a-w- c:\program files\Microsoft IntelliType Pro\type32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Titan Backup"="c:\progra~1\TITANB~1\TITANB~2.EXE" /startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\xqttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe Version Cue CS2"=e:\adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\ResMed\\AutoScan\\5.4\\crws.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"e:\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\BlueSoleil\\BlueSoleil.exe"=
"\\??\\c:\\WINDOWS\\system32\\winlogon.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/15/2011 5:34 PM 28552]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [9/28/2010 1:03 PM 15328]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [3/4/2011 1:23 PM 11352]
R2 KirbyAlarmPro;Kirby Alarm Pro;c:\program files\Kirby Alarm Pro\kirbyalarmpro.exe [2/3/2009 3:46 PM 3579904]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [9/28/2010 1:02 PM 220128]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [10/16/2009 6:39 PM 431456]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [3/10/2011 6:34 PM 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 8:27 PM 19472]
S0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys --> c:\windows\system32\drivers\pxscan.sys [?]
S1 MpKsl05b8ec11;MpKsl05b8ec11;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF9C8DF2-582E-4A0B-A51F-7E845E1CD6FD}\MpKsl05b8ec11.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF9C8DF2-582E-4A0B-A51F-7E845E1CD6FD}\MpKsl05b8ec11.sys [?]
S1 MpKsl2c04e557;MpKsl2c04e557;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC45769-A94D-4949-A210-4E7DD42E8B5A}\MpKsl2c04e557.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC45769-A94D-4949-A210-4E7DD42E8B5A}\MpKsl2c04e557.sys [?]
S1 MpKsl30221af3;MpKsl30221af3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsl30221af3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsl30221af3.sys [?]
S1 MpKsl3bbc9cb7;MpKsl3bbc9cb7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B65B421E-520C-4DC3-BB0B-E0B13CCACB29}\MpKsl3bbc9cb7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B65B421E-520C-4DC3-BB0B-E0B13CCACB29}\MpKsl3bbc9cb7.sys [?]
S1 MpKsl50c6aa21;MpKsl50c6aa21;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FBCED0E-C906-4526-8AC0-A3E173BD644C}\MpKsl50c6aa21.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FBCED0E-C906-4526-8AC0-A3E173BD644C}\MpKsl50c6aa21.sys [?]
S1 MpKsl63115aff;MpKsl63115aff;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F268287-023A-4EF1-8111-EED0D192DFAE}\MpKsl63115aff.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F268287-023A-4EF1-8111-EED0D192DFAE}\MpKsl63115aff.sys [?]
S1 MpKsl6992bf7e;MpKsl6992bf7e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00DD543A-485E-4F5C-805E-5CCCBA25D24D}\MpKsl6992bf7e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00DD543A-485E-4F5C-805E-5CCCBA25D24D}\MpKsl6992bf7e.sys [?]
S1 MpKsl6f4364a6;MpKsl6f4364a6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49F1789D-F463-4AE6-9A66-747134266B78}\MpKsl6f4364a6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49F1789D-F463-4AE6-9A66-747134266B78}\MpKsl6f4364a6.sys [?]
S1 MpKsl91e50612;MpKsl91e50612;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AFA9519-2DC2-4F4A-BC6A-67DB575AD69F}\MpKsl91e50612.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AFA9519-2DC2-4F4A-BC6A-67DB575AD69F}\MpKsl91e50612.sys [?]
S1 MpKsl957cbe81;MpKsl957cbe81;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D7ADC2B-9E7C-499B-8B4B-970056C021C5}\MpKsl957cbe81.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D7ADC2B-9E7C-499B-8B4B-970056C021C5}\MpKsl957cbe81.sys [?]
S1 MpKsla44f2d84;MpKsla44f2d84;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsla44f2d84.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsla44f2d84.sys [?]
S1 MpKslb1eef83e;MpKslb1eef83e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EC47350A-2863-4F9A-90E4-6AAB11DC7F96}\MpKslb1eef83e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EC47350A-2863-4F9A-90E4-6AAB11DC7F96}\MpKslb1eef83e.sys [?]
S1 MpKslbb72fb26;MpKslbb72fb26;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02B31D1-047A-4A74-B222-564F57750561}\MpKslbb72fb26.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02B31D1-047A-4A74-B222-564F57750561}\MpKslbb72fb26.sys [?]
S1 MpKslc6a20e02;MpKslc6a20e02;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22038661-62E7-42F4-A3BD-BD6D7EA26198}\MpKslc6a20e02.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22038661-62E7-42F4-A3BD-BD6D7EA26198}\MpKslc6a20e02.sys [?]
S1 MpKslc86a0644;MpKslc86a0644;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F951E807-42B7-42A5-8E28-F10B74BCA579}\MpKslc86a0644.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F951E807-42B7-42A5-8E28-F10B74BCA579}\MpKslc86a0644.sys [?]
S1 MpKslcfc4f3af;MpKslcfc4f3af;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C9F5F717-DE2B-42A3-AD96-B15B8B26858B}\MpKslcfc4f3af.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C9F5F717-DE2B-42A3-AD96-B15B8B26858B}\MpKslcfc4f3af.sys [?]
S1 MpKsldfa7710c;MpKsldfa7710c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D66A504-67FE-4FC0-B704-9AFF011607F5}\MpKsldfa7710c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D66A504-67FE-4FC0-B704-9AFF011607F5}\MpKsldfa7710c.sys [?]
S1 MpKslf156ae64;MpKslf156ae64;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{021DE105-DC76-4D6E-BEB8-B9D47DD524A3}\MpKslf156ae64.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{021DE105-DC76-4D6E-BEB8-B9D47DD524A3}\MpKslf156ae64.sys [?]
S1 MpKslf9cc0160;MpKslf9cc0160;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E84C3EA2-141B-4581-A47D-CA48B2E8C486}\MpKslf9cc0160.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E84C3EA2-141B-4581-A47D-CA48B2E8C486}\MpKslf9cc0160.sys [?]
S1 MpKslfd8e6181;MpKslfd8e6181;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71E3C987-72E8-40B3-A256-DA415B7829B5}\MpKslfd8e6181.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71E3C987-72E8-40B3-A256-DA415B7829B5}\MpKslfd8e6181.sys [?]
S1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys --> c:\windows\system32\drivers\pxrts.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [3/24/2009 6:03 AM 7808]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [9/28/2010 1:03 PM 44512]
S3 PSVolAcc;PSVolAcc;c:\windows\system32\drivers\PSVolAcc.sys [9/28/2010 1:03 PM 12256]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys --> c:\windows\system32\drivers\pxkbf.sys [?]
S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\drivers\sustucap.sys [2/3/2006 8:56 AM 37632]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:14 PM 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:14 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-26 20:31]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 02:14]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 02:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = cookiecop:8100
uInternet Settings,ProxyOverride = 192.168;<local>
IE: Convert link target to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {{320AF880-6646-11D3-ABEE-C5DBF3571F4E} - c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
Trusted Zone: gamehouse.com\www
Trusted Zone: intuit.com\ttlc
Trusted Zone: macys.com\www
Trusted Zone: mycheckfree.com
Trusted Zone: onlinesearches.com\publicrecords
Trusted Zone: pointspot.com\www
Trusted Zone: thdathomeservices.com\webmail
Trusted Zone: turbotax.com
TCP: Interfaces\{DC70D44C-CFA4-4CFB-AA8F-23E25AF64531}: NameServer = 208.67.220.220,208.67.222.222
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.ftp - cookiecop
FF - prefs.js: network.proxy.ftp_port - 8100
FF - prefs.js: network.proxy.gopher - cookiecop
FF - prefs.js: network.proxy.gopher_port - 8100
FF - prefs.js: network.proxy.http - cookiecop
FF - prefs.js: network.proxy.http_port - 8100
FF - prefs.js: network.proxy.socks - cookiecop
FF - prefs.js: network.proxy.socks_port - 8100
FF - prefs.js: network.proxy.ssl - cookiecop
FF - prefs.js: network.proxy.ssl_port - 8100
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: PlainOldFavorites: {7E7165E2-0767-448c-852F-5FA8714F2C37} - %profile%\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
.
.
------- File Associations -------
.
txtfile="c:\program files\JGsoft\EditPadLite\EditPad.exe" "%1"
.
- - - - ORPHANS REMOVED - - - -
.
Notify-AutorunsDisabled - (no file)
SafeBoot-79768126.sys
AddRemove-CdaC13Ba - c:\windows\CDAC13BA.EXE
AddRemove-PC Authorize - e:\tellan\PCAuth\DeIsL1.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-16 12:51
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1572)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(2036)
c:\windows\system32\WININET.dll
c:\program files\Volumouse\vlmshlp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\crypserv.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\progra~1\PCMAGA~1\COOKIE~1\COOKIE~1.EXE
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
.
**************************************************************************
.
Completion time: 2011-12-16 13:01:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-16 18:01
.
Pre-Run: 1,089,880,064 bytes free
Post-Run: 1,376,165,888 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="TYC MS Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 5DAE4B4BE54E1DC804A32F93B940828C

vict0r
2011-12-19, 22:50
What happened here? What happened with GMER? Did you get a log?

spybob
2011-12-20, 00:22
Guess I pasted wrong log...


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-16 12:21:12
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST340014A rev.3.16
Running: r7t5kvyb.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\fgldipow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xEC074FBA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xEC0758B4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xEC08EAEE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xEC075E26]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xEC075D14]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xEC08EE06]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateProcess [0xEC076056]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateProcessEx [0xEC07621E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xEC074D76]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xEC075F3E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xEC0755E6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xEC08EECE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xEC07653C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xEC089084]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xEC08A88E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xEC0758F6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xEC07753C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xEC08A088]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xEC08AA38]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xEC07662E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xEC089BC0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xEC089E1C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xEC076B9A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xEC08D30A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xEC075EB8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xEC075DA0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xEC0751F4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xEC07697E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xEC075FD0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xEC0750E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xEC088EB8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xEC08A698]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryObject [0xEC08D500]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xEC076EC0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xEC08A488]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xEC0767CE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xEC089198]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xEC08980C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xEC08F048]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xEC08EF96]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xEC08F0B4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xEC089A14]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xEC0773DE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xEC08933E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKeyEx [0xEC0894D4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveMergedKeys [0xEC089670]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xEC08EC76]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xEC075756]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xEC0763E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xEC077010]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xEC08A248]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xEC077104]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xEC07723E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xEC07645E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xEC075392]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xEC0752EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xEC076D78]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xEC07547C]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB44907$\3260245246 0 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407 0 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\bckfg.tmp 824 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\keywords 89 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\L 0 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\L\cmhpaair 162816 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\lsflt7.ver 1872 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U 0 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\80000032.@ 98304 bytes

---- EOF - GMER 1.0.15 ----

vict0r
2011-12-20, 00:57
It's a bit confusing to research the logs from this computer. I can see signs of several anti-virus programs (Microsoft Security Essentials, Panda, Prevx, Kaspersky).

Which one are you using as your current anti-virus program?

spybob
2011-12-20, 06:15
Kaspersky. When I installed the trial recently it uninstalled all the others.

vict0r
2011-12-25, 15:59
Hi.

I'm sorry, I have messed up and missed replying to this topic. Are you still with me?


I elected not to remove some of the last programs mentioned prior to following the rest of your instructions. Would there be any difference had I not removed any programs from the beginning of this?No problem and no difference.

Zero Access is a serious rootkit infection that patches system drivers on your computer, it is known to be highly resistant to being removed and difficult to repair the damage it does to the system. With some versions the only practical way to remove it is to re-format the hard drive and re-install Windows.

Also, there are non-malware related issues in the logs you have provided from your computer which show the need of a reformat and re-installation of Windows:
There are signs of so many install/uninstall of programs and broken programs.
There's very little space left on the hard drive. The system drive (C:\) needs more space for Windows to function properly.

The best advise I can give you for this computer is to backup all important files (those you don't want to lose) and perform the re-format and re-installation of Windows.

spybob
2011-12-27, 00:02
yes I am. I understand you are all volunteers but does it usually take a month to get an issue resolved? I am now having an issue with my other computer but dont' want to do anything till this one is resolved.

vict0r
2011-12-27, 01:14
If done correctly, re-formatting and re-installing Windows XP will resolve both the malware and non-malware related problems on the computer. Do you need any help with the process?

spybob
2011-12-27, 04:13
How do I avoid infecting any data or program settings (i.e. excel & word toolbar customizations) that I would backup for reinstall?

vict0r
2011-12-27, 05:57
How do I avoid infecting any data or program settings (i.e. excel & word toolbar customizations) that I would backup for reinstall
I do not use Word and Excel, so you must be more specific:
-Explain how (and maybe why) you have customized word/excel toolbars.
-Are these customizations so extensive that they can't be reapplied manually after the re-install?
-Other information that could help me understand.

spybob
2011-12-27, 07:07
regardless of word or excel, how can i figure out if any file i've backed up from my data (assuming there are no .exe) is infected? What are the odds that backing up, formatting, doing a clean install and then putting my data on the newly installed drive will be infected from what i've backed up?

vict0r
2011-12-27, 21:56
This will minimize the risk of bringing any infection with you to the fresh install:

In addition to exe-files, you should generally not backup any html-files. Run a online virus scan on the backup media after the re-install (before restoring). Programs should be re-installed from the offical source.

Windows itself should be re-installed from the official cd and the computer should not be connected to any network until updated to Service Pack 3 (SP3) and anti virus installed. Service Pack 2 (SP2) or Windows XP Service Pack 1a (SP1a) must be installed to apply SP3. Using the computer with only SP2 (or lower) installed is absolutely not recommended and makes it vulnerable for attacks using already known security holes.


Here's instructions to use a online scan after the re-install.


ESET Online Scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.

Open the following link in a new window:
ESET Online Scanner (http://www.eset.com/us/online-scanner/run)

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox. Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
You can use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif

spybob
2011-12-28, 06:41
Before I format my hard drive I reread these emails and am wondering if I actually still have the Zero Access problem, or other malware threats?

vict0r
2011-12-28, 22:37
Before I format my hard drive I reread these emails and am wondering if I actually still have the Zero Access problem, or other malware threats?At this point it's still not clear what remaining malware threats that may still reside on this computer. Given the nature of any rootkit infection, it is impossible to know all the changes that may have been made to your system. There exists no tool that can reset the security in Windows to a fresh clean install.

This is a list of files to backup when doing a reformat. It should cover most, but may not be complete for your computer.

Remember to backup all important documents, personal data files, music, photos, e-mails and bookmarks.

This is a list of Microsoft Office Word/Excel files that you may want to backup:
custom.dic (personal dictionary)
*.acl (personal autocorrect list)
mssp2_en.exc (personal exclusion dictionary)
normal.dot (default new documents template)
*.dot (Any other templates you've made)

*.xlb (personal toolbar)
book.xlt (defaults for new workbooks)
sheet.xlt (defaults for new worksheets)
personal.xl* (personal macros)
*.xlt (Any other templates you've made)

The safest practice is not to backup any files with the following file extensions: exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab.


The logs has shown that there are almost no space left on the hard drives. Did you fill the hard drives with data?

How are you planning to backup your files?

How old is the hard drive on this computer?

Do you have futher questions related to this topic?

spybob
2011-12-29, 19:46
thank you for the list of items.

If I install XP on a different hard drive and then attach the original as a secondary, run virus detection on both drives then copy data from secondary to primary and then repartition the secondary, is there any more risk than copying data to a different backup since I would no longer be booting from the original or using any of the exe's from there?

vict0r
2011-12-31, 05:05
If I install XP on a different hard drive and then attach the original as a secondary, run virus detection on both drives then copy data from secondary to primary and then repartition the secondary, is there any more risk than copying data to a different backup since I would no longer be booting from the original or using any of the exe's from there?
There's a bump in the road again.

Do you have any experience in how to swap out internal components of a computer? Do you know how minimize the risk of static discharge while working with computers like that?

spybob
2012-01-03, 00:19
I'm not concerned with the physical tasks as an issue, just the OS and software implications.

vict0r
2012-01-03, 03:06
It appears to me that you have experience with hard drive swapping and that you know how to minimize the risk of damaging static discharge while swapping internal components of a computer.


(...) is there any more risk than copying data to a different backup since I would no longer be booting from the original or using any of the exe's from there?Using a different (empty) physical hard drive should work and you will definitely not lose any data until you repartition the original drive. The risk is low if you only copy the files described in my previous post back to the fresh install.

Please note:
It might be a good idea to have the original drive disconnected while installing Windows on the different drive to avoid accidental format and loss of data on the original drive.
Please make sure that you do not accidentally boot from the original hard drive.
Run an online virus scan on the files before copying anything back. Note that copying back entire profile/user directories is really bad practice.
Use extra care not to accidentally copy back other files and directories than described since your backup now contain all files.
Keep the computer disconnected from any network until Service Pack 3 and anti-virus is installed (read below).


When you have finished installing windows, determine which service pack is installed:
Click Start, and then click Run.
Copy and paste, or type the following command and then click OK:
winver
A dialog box displays the version of Windows and the service pack that is currently installed on your computer.

As previously written, you should not connect the computer to any network until updated to Service Pack 3 (SP3) and anti-virus installed. Currently I'm only recommending Microsoft's anti-virus solution.

Service Pack version must be SP1a or SP2 to upgrade to SP3. Install the appropriate service packs, SP1a if no service pack or SP2 if your Windows media had SP1 preinstalled, then install SP3. Make sure to reboot after each service pack install.

The safest method is to download and burn the necessary tools to cd(s) on a known uninfected computer:

Windows XP Service Pack 1a (SP1a) (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=19751)
Windows XP Service Pack 2 (SP2) (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28)
Windows XP Service Pack 3 (SP3) (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=24)
Microsoft Security Essentials Installer (http://windows.microsoft.com/en-US/windows/products/security-essentials)
Microsoft Security Essentials Definitions (https://www.microsoft.com/security/portal/Definitions/ADL.aspx)
Flash Disinfector (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe)

When finished installing SP3, run the Microsoft Security Essentials Installer, followed by the definitions update, then run Flash_Disinfector.


Flash Disinfector

Running Flash Disinfector will disable autorun on your computer to avoid infection if plugging in an infected external usb/hard-drive.

Double click the file to run it.
You will be prompted to plug in your flash drive. Please do not plug in any external drives for this first run! Just click OK.
Flash_Disinfector will start disinfecting and secure your hard drive(s). This takes a few seconds, and your desktop will disappear during the process (this is normal).
When done, a message box will appear. Click OK.
Your desktop should now re-appear.
If it doesn't.

Press Ctrl + Alt + Del to open Task Manager.
Click on File > New Task (Run...).
Type in explorer.exe and press OK.
Your desktop should now appear.
If you want to "disinfect" and secure external drives later, then re-run Flash Disinfector and plug in the device when prompted.



Update Windows and Internet Explorer

Connect the computer to the internet, but do not use it for anything until you have fully updated Windows and Internet Explorer:

Update Windows and Internet Explorer to protect your computer from malware. Update Internet Explorer even if you do not plan to use it. Having an outdated version installed is a security risk.

Please open the Windows Update site (http://windowsupdate.microsoft.com/) in Internet Explorer and install all critical updates. Repeat the process until no further updates are offered.


Select your desired settings for updating.

Go to Start > Control Panel > Automatic Updates
Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
Select Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.


I'll be back with another post with further recommendations, please do not download files/install any further programs until you have read my next post.

vict0r
2012-01-05, 04:37
Install Various Common Programs

Here follows instructions to install various common programs. Please do not install a program you don't need. Make sure you read the prompts during the installation of all programs and uncheck options to install any toolbars and alternate homepage.

Mozilla Firefox: http://www.mozilla.org/en-US/firefox/new/

Java: Download and install Java Runtime Environment (JRE) 6 Update 30 (~16Mb) (Windows Offline) (http://java.com/en/download/manual.jsp)

Adobe Flash Player:
Uncheck the option to install McAfee Security Scan Plus before downloading!
http://get.adobe.com/flashplayer/otherversions/
Note: There are separate versions for "other browsers" and Internet Explorer. Don't install the one for Internet Explorer if you do not plan to use Internet Explorer.

Consider using the more lightweight Foxit Reader (14Mb) rather than Adobe Reader (66Mb) to read pdf files.

Please uncheck the options to Install Foxit PDF Creator Toolbar and make Ask my browser default search provider, also uncheck the option to Set Ask.com as my hompage while installing Foxit Reader (http://www.foxitsoftware.com/Secure_PDF_Reader/).
Please uncheck the optional install of McAfee Security Scan Plus if/when downloading Adobe Reader (http://get.adobe.com/reader/)



Consider using the following security programs


WinPatrol
This is a lightweight system monitor. Download it from here (http://www.winpatrol.com/download.html). You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html).
Malwarebytes' Anti-Malware
Download and install Malwarebytes Anti Malware Free (http://www.malwarebytes.org/mbam-download.php).
Update and perform a quick scan 1-2 times a week.
Spybot Search & Destroy
Instructions are located here (http://www.safer-networking.org/en/tutorial/index.html). Do not enable Teatimer during the install if using Winpatrol. Update, re-immunize & scan using Spybot Search & Destroy regularly.
Hosts File
Every version of windows includes a hosts file as part of them. A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites.
Download HostsXpert (http://www.funkytoad.com/download/HostsXpert.zip) and unzip it to your computer, somewhere where you can find it.

Run HostsXpert
If Hosts file is Read Only, click on Make Writeable, otherwise move on to next stage.
Click Download button.
Click MVPs Hosts
Click Merge File
Press OK to download latest MVPs update and merge it with your Hosts file.
When finished click File Handling
Click Make Read Only to secure your Hosts file.
Close HostsXpert.


Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:


Click Start > Run
Type services.msc & click OK
In the list, find the service called DNS Client & double click on it.
On the dropdown box, change the setting from automatic to manual.
Click OK & then close the Services window.


Update the hosts file regularly. For a more detailed explanation of the HOSTS file, click here (http://forum.malwareremoval.com/viewtopic.php?t=22187).
Secunia Online Inspector
Microsoft isn't the only company whose products can contain security vulnerabilities. To check for vulnerable programs running on your PC that are in need of an update, you can use the Secunia Online Software Inspector (OSI) (http://secunia.com/software_inspector). I suggest that you run it and install the suggested updates at least once a week.



It is ABSOLUTELY ESSENTIAL to keep Windows, Java, Adobe and all of your security programs up to date. If you forget, then your computer will likely get reinfected.


Please read the topic below which will give you a few suggestions on how to minimize your chances of getting another infection.

Computer Security - a short guide to staying safer online. (http://www.malwareremoval.com/forum/viewtopic.php?p=557960#p557960)


If following all this advise does not keep your computer clear of infections, then ask for help at the forum directly. Installing/uninstalling all sorts of anti virus and security programs to scan your computer is not recommended.


Do you have any further questions related to this case?