
Thread: win32.delf.uc keeps coming back

  #11 - Junior Member - Join Date: Dec 2011 - Posts: 18

    I have removed the programs you asked for. Frankly, there are other programs that could have been removed to create more space: Booksmart 227 MB, Garmin web updater 501 MB, Google Earth 85 MB, HP OfficeJet 150 MB, Kirby 2.11 3.5 MB, .NET Framework (not sure what it is used for, and both 2.0 SP2 and 3.0 SP2 are installed at 180 MB each), .NET Framework 3.5 SP1 20 MB, Seagate DiscWizard 256 MB, for a total of almost 1.5 GB.

    I have not removed these, trying to follow the "First read me before you post" section about not doing things we're not asked to do.

    On that note, when I ran OTL I noticed my flash drive was attached, so I took it off and ran OTL again, but it did not produce a second EXTRAS file. Enclosed are the result of the second OTL.txt and the first EXTRAS file. I apologize for the confusion.

    FYI, PC Authorize & Wextech could not be removed from the list since the folders do not exist; they had been deleted some time prior.

    OTL logfile created on: 12/10/2011 9:21:54 PM - Run 2
    OTL by OldTimer - Version 3.2.31.0 Folder = D:\Desktop
    Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.11)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1022.00 Mb Total Physical Memory | 575.49 Mb Available Physical Memory | 56.31% Memory free
    2.49 Gb Paging File | 2.04 Gb Available in Paging File | 81.88% Paging File free
    Paging file location(s): D:\pagefile.sys 100 200E:\pagefile.sys 0 0 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 9.78 Gb Total Space | 1.02 Gb Free Space | 10.42% Space Free | Partition Type: NTFS
    Drive D: | 11.45 Gb Total Space | 0.38 Gb Free Space | 3.35% Space Free | Partition Type: NTFS
    Drive E: | 16.02 Gb Total Space | 0.15 Gb Free Space | 0.91% Space Free | Partition Type: NTFS

    Computer Name: TYC | User Name: Bob | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/12/10 20:47:46 | 000,584,192 | ---- | M] (OldTimer Tools) -- D:\Desktop\OTL.exe
    PRC - [2011/04/24 23:15:02 | 000,202,296 | ---- | M] (Kaspersky Lab ZAO) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
    PRC - [2010/10/29 03:50:25 | 000,160,328 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    PRC - [2010/09/28 13:02:58 | 000,220,128 | ---- | M] () -- C:\Program Files\Macrium\Reflect\ReflectService.exe
    PRC - [2010/09/09 17:09:36 | 001,511,424 | ---- | M] (Mortal Universe) -- C:\Program Files\POP Peeper\POPPeeper.exe
    PRC - [2010/08/26 10:07:04 | 000,531,664 | ---- | M] (Acronis) -- C:\Program Files\Acronis\DriveMonitor\adm_tray.exe
    PRC - [2010/08/13 18:01:56 | 000,660,576 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    PRC - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
    PRC - [2009/10/16 18:39:28 | 000,431,456 | ---- | M] (Seagate) -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    PRC - [2008/04/14 12:40:32 | 003,579,904 | ---- | M] (Kirby Software) -- C:\Program Files\Kirby Alarm Pro\kirbyalarmpro.exe
    PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/03/22 23:13:46 | 001,591,808 | ---- | M] (YourWare Solutions (TM)) -- C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    PRC - [2005/07/15 16:48:33 | 000,479,232 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Gmail Notifier\gnotify.exe
    PRC - [2005/06/04 21:16:44 | 000,024,064 | ---- | M] (NirSoft) -- C:\Program Files\Volumouse\volumouse.exe
    PRC - [2004/08/04 00:56:56 | 000,419,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe
    PRC - [2004/04/15 17:07:01 | 000,073,728 | ---- | M] (CrypKey (Canada) Ltd.) -- C:\WINDOWS\system32\Crypserv.exe
    PRC - [2002/11/20 18:37:46 | 000,188,416 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
    PRC - [2002/11/20 18:17:20 | 000,057,344 | ---- | M] (HP) -- C:\WINDOWS\system32\hpoipm07.exe
    PRC - [2002/11/20 18:09:10 | 000,294,912 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
    PRC - [2002/11/20 17:48:24 | 000,299,008 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpoevm07.exe
    PRC - [2002/11/20 17:15:00 | 000,151,552 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    PRC - [2001/12/30 18:27:12 | 000,475,136 | ---- | M] (Ziff Davis Media, Inc. ) -- C:\Program Files\PC Magazine Utilities\CookieCop\CookieCop.exe
    PRC - [2000/02/24 11:38:08 | 000,838,656 | ---- | M] () -- D:\keyexp\KEYEXP.EXE


    ========== Modules (No Company Name) ==========

    MOD - [2011/11/29 17:51:12 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\klartew.dll
    MOD - [2011/04/24 23:13:30 | 007,008,656 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtgui4.dll
    MOD - [2011/04/24 23:13:28 | 000,192,912 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtsql4.dll
    MOD - [2011/04/24 23:13:26 | 001,270,160 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtscript4.dll
    MOD - [2011/04/24 23:13:26 | 000,758,160 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtnetwork4.dll
    MOD - [2011/04/24 23:13:24 | 002,118,032 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtcore4.dll
    MOD - [2011/04/24 23:13:24 | 002,089,360 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtdeclarative4.dll
    MOD - [2011/04/20 19:56:28 | 000,025,088 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\imageformats\qgif4.dll
    MOD - [2010/09/28 13:02:58 | 000,220,128 | ---- | M] () -- C:\Program Files\Macrium\Reflect\ReflectService.exe
    MOD - [2010/08/26 09:46:18 | 000,012,128 | ---- | M] () -- C:\Program Files\Common Files\Acronis\DriveMonitor\Common\icudt38.dll
    MOD - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
    MOD - [2008/01/21 20:19:30 | 000,133,120 | ---- | M] () -- C:\Program Files\Kirby Alarm Pro\vuFT3.dll
    MOD - [2006/10/11 10:31:20 | 000,013,312 | ---- | M] () -- C:\Program Files\Kirby Alarm Pro\xlswrite.dll
    MOD - [2006/09/25 21:12:58 | 001,118,720 | ---- | M] () -- C:\Program Files\Kirby Alarm Pro\gca631.dll
    MOD - [2006/01/17 16:57:52 | 000,590,440 | ---- | M] () -- C:\Program Files\Kirby Alarm Pro\c6fm3x.dll
    MOD - [2002/11/20 18:37:02 | 000,028,672 | ---- | M] () -- C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpopxs07.dll
    MOD - [2000/02/24 11:38:08 | 000,838,656 | ---- | M] () -- D:\keyexp\KEYEXP.EXE
    MOD - [1998/07/29 00:20:00 | 000,039,424 | ---- | M] () -- D:\keyexp\KYX95HK.DLL


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)
    SRV - [2011/04/24 23:15:02 | 000,202,296 | ---- | M] (Kaspersky Lab ZAO) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe -- (AVP)
    SRV - [2010/09/28 13:02:58 | 000,220,128 | ---- | M] () [Auto | Running] -- C:\Program Files\Macrium\Reflect\ReflectService.exe -- (ReflectService)
    SRV - [2010/08/23 19:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
    SRV - [2010/08/13 18:01:56 | 000,660,576 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
    SRV - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
    SRV - [2009/10/16 18:39:28 | 000,431,456 | ---- | M] (Seagate) [Auto | Running] -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe -- (SgtSch2Svc)
    SRV - [2008/04/14 12:40:32 | 003,579,904 | ---- | M] (Kirby Software) [Auto | Running] -- C:\Program Files\Kirby Alarm Pro\kirbyalarmpro.exe -- (KirbyAlarmPro)
    SRV - [2006/05/04 17:40:14 | 000,052,736 | ---- | M] (Macrovision) [Disabled | Stopped] -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)
    SRV - [2005/04/06 16:03:28 | 000,110,592 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\BlueSoleil\BTNtService.exe -- (BlueSoleil Hid Service)
    SRV - [2005/04/04 17:58:28 | 000,163,840 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- E:\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe -- (Adobe Version Cue CS2)
    SRV - [2005/01/13 00:04:41 | 000,068,096 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)
    SRV - [2004/11/02 16:59:50 | 000,316,544 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- (SymWSC)
    SRV - [2004/04/15 17:07:01 | 000,073,728 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/12/02 18:29:32 | 000,565,552 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
    DRV - [2011/03/10 18:34:46 | 000,034,608 | ---- | M] (Kaspersky Lab ZAO) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
    DRV - [2011/03/04 13:23:20 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl2.sys -- (kl2)
    DRV - [2011/03/04 13:23:14 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\kl1.sys -- (KL1)
    DRV - [2010/12/15 10:09:29 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
    DRV - [2010/12/15 10:09:29 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
    DRV - [2010/12/15 10:09:18 | 000,132,224 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
    DRV - [2010/12/15 10:09:09 | 000,368,480 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpman.sys -- (tdrpman)
    DRV - [2010/09/28 13:03:46 | 000,012,256 | ---- | M] (Paramount Software UK Ltd) [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\PSVolAcc.sys -- (PSVolAcc)
    DRV - [2010/09/28 13:03:22 | 000,015,328 | ---- | M] (Macrium Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\pssnap.sys -- (pssnap)
    DRV - [2010/09/28 13:03:10 | 000,044,512 | ---- | M] (Macrium Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psmounter.sys -- (PSMounter)
    DRV - [2010/02/11 07:01:43 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
    DRV - [2009/11/12 13:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2009/11/02 20:27:24 | 000,019,472 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klmouflt.sys -- (klmouflt)
    DRV - [2009/06/30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
    DRV - [2009/03/24 06:03:08 | 000,007,808 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
    DRV - [2007/10/10 14:58:19 | 000,011,376 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\CdaC15BA.SYS -- (CdaC15BA)
    DRV - [2007/03/28 18:26:25 | 000,017,480 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
    DRV - [2006/11/21 03:25:44 | 000,045,568 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
    DRV - [2006/09/12 21:21:46 | 000,292,864 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emBDA.sys -- (USB28xxBGA)
    DRV - [2006/08/21 23:38:46 | 000,007,168 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emOEM.sys -- (USB28xxOEM)
    DRV - [2006/02/03 08:56:14 | 000,037,632 | ---- | M] (Susteen, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sustucap.sys -- (SUSTUCAP)
    DRV - [2005/05/31 15:40:20 | 000,020,480 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\blueletaudio.sys -- (BlueletAudio)
    DRV - [2005/05/31 09:42:28 | 000,023,000 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btcusb.sys -- (Btcsrusb)
    DRV - [2005/04/30 14:50:20 | 000,011,860 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vbtenum.sys -- (BTHidEnum)
    DRV - [2005/04/30 14:50:10 | 000,028,271 | ---- | M] (IVT Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\BTHidMgr.sys -- (BTHidMgr)
    DRV - [2005/04/30 14:48:58 | 000,010,804 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BtNetDrv.sys -- (BT)
    DRV - [2005/03/25 17:18:48 | 000,082,148 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VcommMgr.sys -- (VcommMgr)
    DRV - [2004/12/16 16:32:54 | 000,013,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BTNetFilter.sys -- (BTNetFilter)
    DRV - [2004/10/19 13:37:38 | 000,061,312 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VComm.sys -- (VComm)
    DRV - [2004/09/17 08:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
    DRV - [2004/09/07 17:57:00 | 000,316,152 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\windrvr6.sys -- (WinDriver6)
    DRV - [2004/08/03 23:10:14 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
    DRV - [2004/07/29 19:35:52 | 000,031,654 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\ckldrv.sys -- (NetworkX)
    DRV - [2004/05/05 21:48:40 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\PQNTDRV.sys -- (PQNTDrv)
    DRV - [2004/03/05 22:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
    DRV - [2004/03/05 22:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
    DRV - [2004/03/05 22:13:52 | 000,060,949 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
    DRV - [2004/03/05 22:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
    DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google, = www.google.com $s
    IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google, = +
    IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google,# = %23
    IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google,% = %25
    IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google,& = %26
    IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google,+ = %2B
    IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 192.168;<local>
    IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = cookiecop:8100

    ========== FireFox ==========

    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
    FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.10
    FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.10.1
    FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.1.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.1.5
    FF - prefs.js..extensions.enabledItems: {7E7165E2-0767-448c-852F-5FA8714F2C37}:1.2
    FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.7.3
    FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.67
    FF - prefs.js..extensions.enabledItems: {4ED1F68A-5463-4931-9384-8FFF5ED91D92}:3.4.0
    FF - prefs.js..network.proxy.backup.ftp: "cookiecop"
    FF - prefs.js..network.proxy.backup.ftp_port: 8100
    FF - prefs.js..network.proxy.backup.gopher: "cookiecop"
    FF - prefs.js..network.proxy.backup.gopher_port: 8100
    FF - prefs.js..network.proxy.backup.socks: "cookiecop"
    FF - prefs.js..network.proxy.backup.socks_port: 8100
    FF - prefs.js..network.proxy.backup.ssl: "cookiecop"
    FF - prefs.js..network.proxy.backup.ssl_port: 8100
    FF - prefs.js..network.proxy.ftp: "cookiecop"
    FF - prefs.js..network.proxy.ftp_port: 8100
    FF - prefs.js..network.proxy.gopher: "cookiecop"
    FF - prefs.js..network.proxy.gopher_port: 8100
    FF - prefs.js..network.proxy.http: "cookiecop"
    FF - prefs.js..network.proxy.http_port: 8100
    FF - prefs.js..network.proxy.no_proxies_on: "192.168,localhost,127.0.0.1"
    FF - prefs.js..network.proxy.share_proxy_settings: true
    FF - prefs.js..network.proxy.socks: "cookiecop"
    FF - prefs.js..network.proxy.socks_port: 8100
    FF - prefs.js..network.proxy.ssl: "cookiecop"
    FF - prefs.js..network.proxy.ssl_port: 8100
    FF - prefs.js..network.proxy.type: 1

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@garmin.com/GpsControl: C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@macromedia.com/FlashPlayer6: File not found
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2105: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1212: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll File not found
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll File not found
    FF - HKCU\Software\MozillaPlugins\@macromedia.com/FlashPlayer6: File not found

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2007/03/23 08:17:11 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\linkfilter@kaspersky.ru: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\FFExt\linkfilter@kaspersky.ru [2011/12/02 19:31:45 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\virtualKeyboard@kaspersky.ru: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\FFExt\virtualKeyboard@kaspersky.ru [2011/12/02 19:31:45 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/31 08:10:15 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/10/15 06:51:32 | 000,000,000 | ---D | M]

    [2010/01/01 14:59:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Extensions
    [2010/01/01 14:59:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Extensions\home2@tomtom.com
    [2011/11/29 22:27:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions
    [2010/01/03 14:32:59 | 000,000,000 | ---D | M] ("Garmin Communicator") -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
    [2011/11/09 17:21:14 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    [2011/11/09 17:21:14 | 000,000,000 | ---D | M] (PlainOldFavorites) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}
    [2011/11/09 17:21:13 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    [2011/11/09 17:21:13 | 000,000,000 | ---D | M] ("BetterPrivacy") -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
    [2011/01/07 13:39:22 | 000,000,000 | ---D | M] (User Agent Switcher) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
    [2006/12/20 23:38:33 | 000,002,386 | ---- | M] () -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\searchplugins\siteadvisor.xml
    [2011/12/10 20:46:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    File not found (No name found) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    File not found (No name found) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
    File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2007/03/23 08:17:11 | 000,000,000 | ---D | M] (AI Roboform Toolbar for Firefox) -- C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\FIREFOX
    [2010/04/25 22:31:27 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
    [2010/05/14 12:40:28 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2006/11/09 14:20:40 | 002,111,096 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\oldNPSWF32.dll

    O1 HOSTS File: ([2008/12/11 23:41:36 | 000,290,674 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 127.0.0.1 CookieCop
    O1 - Hosts: 127.0.0.1 www.007guard.com
    O1 - Hosts: 127.0.0.1 007guard.com
    O1 - Hosts: 127.0.0.1 008i.com
    O1 - Hosts: 127.0.0.1 www.008k.com
    O1 - Hosts: 127.0.0.1 008k.com
    O1 - Hosts: 127.0.0.1 www.00hq.com
    O1 - Hosts: 127.0.0.1 00hq.com
    O1 - Hosts: 127.0.0.1 010402.com
    O1 - Hosts: 127.0.0.1 www.032439.com
    O1 - Hosts: 127.0.0.1 032439.com
    O1 - Hosts: 127.0.0.1 www.100888290cs.com
    O1 - Hosts: 127.0.0.1 100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100sexlinks.com
    O1 - Hosts: 127.0.0.1 100sexlinks.com
    O1 - Hosts: 127.0.0.1 www.10sek.com
    O1 - Hosts: 127.0.0.1 10sek.com
    O1 - Hosts: 127.0.0.1 www.123topsearch.com
    O1 - Hosts: 127.0.0.1 123topsearch.com
    O1 - Hosts: 127.0.0.1 www.132.com
    O1 - Hosts: 127.0.0.1 132.com
    O1 - Hosts: 127.0.0.1 www.136136.net
    O1 - Hosts: 127.0.0.1 136136.net
    O1 - Hosts: 127.0.0.1 www.163ns.com
    O1 - Hosts: 10012 more lines...
    O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\ievkbd.dll (Kaspersky Lab ZAO)
    O2 - BHO: (no name) - {69D72956-317C-44bd-B369-8E44D4EF9801} - No CLSID value found.
    O2 - BHO: (Reg Error: Value error.) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
    O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\klwtbbho.dll (Kaspersky Lab ZAO)
    O3 - HKLM\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O3 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..\Toolbar\ShellBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O3 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe (Google Inc.)
    O4 - HKLM..\Run: [adm_tray.exe] C:\Program Files\Acronis\DriveMonitor\adm_tray.exe (Acronis)
    O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe (Kaspersky Lab ZAO)
    O4 - HKLM..\Run: [CookieCop] C:\Program Files\PC Magazine Utilities\CookieCop\CookieCop.exe (Ziff Davis Media, Inc. )
    O4 - HKU\.DEFAULT..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
    O4 - HKU\S-1-5-18..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
    O4 - HKU\S-1-5-21-117609710-602609370-839522115-1004..\Run: [$Volumouse$] C:\Program Files\Volumouse\volumouse.exe (NirSoft)
    O4 - HKU\S-1-5-21-117609710-602609370-839522115-1004..\Run: [FreeRAM XP] C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe (YourWare Solutions (TM))
    O4 - HKU\S-1-5-21-117609710-602609370-839522115-1004..\Run: [POP Peeper] C:\Program Files\POP Peeper\POPPeeper.exe (Mortal Universe)
    O4 - HKU\S-1-5-21-117609710-602609370-839522115-1004..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
    O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2009/04/23 08:30:11 | 000,000,000 | -H-D | M]
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe (Hewlett-Packard Co.)
    O4 - Startup: C:\Documents and Settings\Bob\Start Menu\Programs\Startup\KeyExpress.lnk = D:\keyexp\KEYEXP.EXE ()
    O4 - Startup: C:\Documents and Settings\Bob\Start Menu\Programs\Startup\Today.pif ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
    O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 0
    O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 0
    O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 0
    O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
    O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
    O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
    O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
    O8 - Extra context menu item: Convert link target to Adobe PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert link target to existing PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to Adobe PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to existing PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to Adobe PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to existing PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to Adobe PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to existing PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
    O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\ievkbd.dll (Kaspersky Lab ZAO)
    O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
    O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\klwtbbho.dll (Kaspersky Lab ZAO)
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
    O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: gamehouse.com ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: macys.com ([www] https in Trusted sites)
    O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: mycheckfree.com ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: onlinesearches.com ([publicrecords] http in Trusted sites)
    O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: pointspot.com ([www] https in Trusted sites)
    O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: thdathomeservices.com ([webmail] https in Trusted sites)
    O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: turbotax.com ([]https in Trusted sites)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/pr.../ieawsdc32.cab (Microsoft Office Template and Media Control)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/s...irector/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?link...38&clcid=0x409 (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} http://a516.g.akamai.net/f/516/25175...at-no-eula.cab (Reg Error: Key error.)
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} http://ppupdates.ca.com/downloads/scanner/axscanner.cab (Reg Error: Key error.)
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeup...tent/opuc2.cab (Office Update Installation Engine)
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://appldnld.m7z.net/qtinstall.in...lInstaller.exe (Reg Error: Key error.)
    O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} https://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://v5.windowsupdate.microsoft.co...?1105290237593 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsof...?1147109959609 (MUWebControl Class)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/actives.../as2stubie.cab (ActiveScan 2.0 Installer Class)
    O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} http://www.imgag.com/cp/install/AxCtp2.cab (Create & Print ActiveX Plug-in)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub...sh/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326 (QDiagHUpdateObj Class)
    O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: ppctlcab http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DC70D44C-CFA4-4CFB-AA8F-23E25AF64531}: NameServer = 208.67.220.220,208.67.222.222
    O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
    O18 - Protocol\Handler\AutorunsDisabled\belarc - No CLSID value found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AutorunsDisabled: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
    O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
    O20 - Winlogon\Notify\klartew: DllName - (C:\Documents and Settings\NetworkService\Local Settings\Application Data\klartew.dll) - C:\Documents and Settings\NetworkService\Local Settings\Application Data\klartew.dll ()
    O20 - Winlogon\Notify\klogon: DllName - (C:\WINDOWS\system32\klogon.dll) - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab ZAO)
    O24 - Desktop Components:0 () -
    O24 - Desktop WallPaper: C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Qualcomm\Eudora\EuShlExt.dll (Qualcomm Inc.)
    O30 - LSA: Authentication Packages - (relog_ap) -C:\WINDOWS\System32\relog_ap.dll (Acronis)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/08/16 15:26:04 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2007/08/01 14:32:39 | 000,000,000 | ---D | M] - C:\autoruns -- [ NTFS ]
    O32 - AutoRun File - [2011/10/19 15:35:12 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2009/08/16 15:26:04 | 000,000,000 | RHSD | M] - E:\autorun.inf -- [ NTFS ]
    O33 - MountPoints2\{83925004-f3bb-11de-9450-101111111111}\Shell\AutoRun\command - "" = I:\WDSetup.exe
    O33 - MountPoints2\{ed613d16-f5a7-11e0-968d-101111111111}\Shell\AutoRun\command - "" = J:\PortableRoboForm.exe
    O33 - MountPoints2\{ed613d16-f5a7-11e0-968d-101111111111}\Shell\RoboForm2Go\command - "" = J:\PortableRoboForm.exe
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/12/10 21:02:14 | 000,584,192 | ---- | C] (OldTimer Tools) -- D:\Desktop\OTL.exe
    [2011/12/10 20:36:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
    [2011/12/09 11:47:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
    [2011/12/09 11:46:27 | 002,031,992 | ---- | C] (Microsoft Corporation) -- D:\Desktop\MGADiag.exe
    [2011/12/03 23:47:23 | 000,000,000 | ---D | C] -- D:\Desktop\logs
    [2011/12/03 13:04:50 | 000,607,260 | R--- | C] (Swearware) -- D:\Desktop\dds.scr
    [2011/12/02 18:32:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Kaspersky Anti-Virus 2012
    [2011/12/02 18:29:57 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
    [2011/12/02 18:29:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    [2011/12/02 18:29:32 | 000,565,552 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
    [2011/12/01 14:29:31 | 000,000,000 | ---D | C] -- C:\SDFix
    [2011/12/01 11:37:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\Local Settings\Application Data\fxnetlib
    [2011/11/30 18:51:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis
    [2011/11/30 18:06:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2011/11/30 17:22:19 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Bob\Recent
    [2011/11/30 12:10:41 | 000,071,880 | ---- | C] (Prevx) -- C:\WINDOWS\System32\PxSecure.dll-19202703
    [2011/11/29 17:51:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2011/11/29 17:51:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2011/11/15 17:34:40 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
    [2006/08/22 23:12:12 | 000,032,768 | ---- | C] ( ) -- C:\WINDOWS\System32\ShellLnkSSE.dll
    [1 D:\*.tmp files -> D:\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/12/10 21:12:04 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
    [2011/12/10 21:10:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/12/10 20:47:46 | 000,584,192 | ---- | M] (OldTimer Tools) -- D:\Desktop\OTL.exe
    [2011/12/10 18:05:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\DAILY DFG Backup Daily.job
    [2011/12/10 17:10:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/12/09 11:47:18 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/12/09 11:45:44 | 002,031,992 | ---- | M] (Microsoft Corporation) -- D:\Desktop\MGADiag.exe
    [2011/12/09 11:42:58 | 000,458,240 | ---- | M] () -- D:\Desktop\CKScanner.exe
    [2011/12/07 20:12:07 | 000,000,207 | ---- | M] () -- C:\WINDOWS\hmapro.ini
    [2011/12/05 19:30:15 | 003,219,344 | ---- | M] () -- D:\Desktop\popups.reg
    [2011/12/05 07:21:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/12/04 15:52:26 | 000,005,714 | ---- | M] () -- D:\bob 120411.Theme
    [2011/12/03 13:04:51 | 000,607,260 | R--- | M] (Swearware) -- D:\Desktop\dds.scr
    [2011/12/03 09:46:53 | 000,109,670 | ---- | M] () -- D:\Desktop\todays santa.jpg
    [2011/12/02 19:31:36 | 000,115,369 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
    [2011/12/02 19:31:35 | 000,097,961 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
    [2011/12/02 18:34:46 | 000,017,408 | ---- | M] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\WebpageIcons.db
    [2011/12/02 18:32:53 | 000,000,032 | ---- | M] () -- C:\WINDOWS\gca631.INI
    [2011/12/02 18:29:32 | 000,565,552 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
    [2011/12/02 18:24:55 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
    [2011/12/01 14:32:05 | 015,990,784 | ---- | M] () -- C:\Documents and Settings\Bob\NTUSER.bak
    [2011/12/01 09:16:46 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\FULL DFG Backup.job
    [2011/11/30 18:51:32 | 000,001,653 | ---- | M] () -- D:\Desktop\HijackThis.lnk
    [2011/11/30 18:07:51 | 000,023,624 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2011/11/30 12:10:42 | 000,071,880 | ---- | M] (Prevx) -- C:\WINDOWS\System32\PxSecure.dll-19202703
    [2011/11/30 12:10:20 | 000,000,447 | ---- | M] () -- C:\WINDOWS\wininit.ini
    [2011/11/25 14:08:28 | 000,004,421 | ---- | M] () -- C:\WINDOWS\DevMgr.ini
    [2011/11/15 17:22:09 | 000,000,114 | ---- | M] () -- C:\WINDOWS\System32\prsgrc.tgz
    [2011/11/15 17:22:09 | 000,000,100 | ---- | M] () -- C:\WINDOWS\System32\prsgrc.dll
    [2011/11/15 08:17:59 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
    [2011/11/14 08:39:41 | 000,000,539 | ---- | M] () -- C:\WINDOWS\KEYEX2.INI
    [1 D:\*.tmp files -> D:\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/12/09 11:43:52 | 000,458,240 | ---- | C] () -- D:\Desktop\CKScanner.exe
    [2011/12/05 19:30:14 | 003,219,344 | ---- | C] () -- D:\Desktop\popups.reg
    [2011/12/04 15:52:25 | 000,005,714 | ---- | C] () -- D:\bob 120411.Theme
    [2011/12/03 09:48:36 | 000,109,670 | ---- | C] () -- D:\Desktop\todays santa.jpg
    [2011/12/02 18:34:43 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\WebpageIcons.db
    [2011/12/02 18:32:30 | 000,115,369 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
    [2011/12/02 18:32:30 | 000,097,961 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
    [2011/11/30 18:51:32 | 000,001,653 | ---- | C] () -- D:\Desktop\HijackThis.lnk
    [2011/11/30 18:07:51 | 000,023,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2011/11/29 17:51:12 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\klartew.dll
    [2011/09/21 17:18:53 | 000,001,088 | ---- | C] () -- C:\WINDOWS\B.COM
    [2011/08/30 22:45:09 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth2.dll
    [2011/08/30 22:45:09 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth1.dll
    [2011/08/30 22:45:09 | 000,000,100 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.dll
    [2011/07/19 08:40:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ckconfig.INI
    [2011/06/30 23:02:30 | 000,327,656 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2011/03/11 12:43:54 | 000,029,763 | ---- | C] () -- C:\WINDOWS\System32\drivers\klopp.dat
    [2010/10/22 15:07:33 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
    [2010/05/07 06:39:38 | 000,000,036 | -H-- | C] () -- C:\Documents and Settings\Bob\Application Data\swk.ini
    [2010/01/01 17:59:40 | 000,001,226 | ---- | C] () -- C:\WINDOWS\Mpcwty02.ini
    [2009/05/07 16:41:57 | 000,000,268 | ---- | C] () -- C:\WINDOWS\SYMGAMES.INI
    [2009/02/18 13:50:41 | 000,000,032 | ---- | C] () -- C:\WINDOWS\gca631.INI
    [2009/02/10 16:48:58 | 000,013,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\BTNetFilter.sys
    [2009/02/10 16:48:58 | 000,011,860 | ---- | C] () -- C:\WINDOWS\System32\drivers\vbtenum.sys
    [2008/09/11 07:12:55 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2008/01/24 10:34:23 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
    [2007/11/02 13:19:20 | 000,040,960 | ---- | C] () -- C:\WINDOWS\emunist.exe
    [2007/11/02 13:19:20 | 000,003,254 | ---- | C] () -- C:\WINDOWS\TVEpaDrv.ini
    [2006/12/10 09:03:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\MSTRC32.DLL
    [2006/11/20 23:09:59 | 000,000,004 | ---- | C] () -- C:\WINDOWS\vx86036.dat
    [2006/11/20 23:09:09 | 000,000,036 | ---- | C] () -- C:\WINDOWS\Crypkey.ini
    [2006/11/20 23:09:05 | 000,031,654 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys
    [2006/11/20 23:09:05 | 000,027,648 | R--- | C] () -- C:\WINDOWS\Setup_ck.exe
    [2006/11/20 23:09:05 | 000,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll
    [2006/11/20 23:09:05 | 000,011,776 | ---- | C] () -- C:\WINDOWS\Ckrfresh.exe
    [2006/11/17 12:19:36 | 000,000,781 | ---- | C] () -- C:\WINDOWS\BTI.INI
    [2006/11/16 17:11:36 | 000,088,576 | -H-- | C] () -- C:\Documents and Settings\Bob\Application Data\rbap550.dll
    [2006/09/29 22:21:33 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\FileOps.exe
    [2006/08/22 23:12:12 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\Gif89.dll
    [2006/08/16 07:50:26 | 000,000,013 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\13.sys
    [2006/05/05 18:28:09 | 000,000,447 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2006/05/04 17:40:15 | 000,202,752 | ---- | C] () -- C:\WINDOWS\CDAC14BA.DLL
    [2006/05/04 17:40:15 | 000,020,992 | ---- | C] () -- C:\WINDOWS\CDAC13BA.EXE
    [2006/05/04 17:40:14 | 000,011,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\CdaC15BA.SYS
    [2006/01/27 14:52:41 | 000,046,345 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
    [2006/01/27 01:57:00 | 000,000,325 | ---- | C] () -- C:\WINDOWS\PCAuth.ini
    [2005/10/28 01:10:04 | 000,000,032 | ---- | C] () -- C:\WINDOWS\kemail.INI
    [2005/08/19 11:58:04 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\cdtool.dll
    [2005/03/23 01:02:54 | 000,107,134 | ---- | C] () -- C:\WINDOWS\UninstallFirefox.exe
    [2005/03/22 23:47:41 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2005/03/22 23:47:21 | 000,105,168 | ---- | C] () -- C:\WINDOWS\NSUninst.exe
    [2005/03/22 23:46:58 | 000,105,168 | ---- | C] () -- C:\WINDOWS\GREUninstall.exe
    [2005/03/22 23:46:52 | 000,013,111 | ---- | C] () -- C:\WINDOWS\mozver.dat
    [2005/02/07 11:37:38 | 000,000,539 | ---- | C] () -- C:\WINDOWS\KEYEX2.INI
    [2005/02/04 10:35:21 | 000,000,207 | ---- | C] () -- C:\WINDOWS\hmapro.ini
    [2005/02/01 22:50:31 | 000,000,043 | ---- | C] () -- C:\WINDOWS\pdf2rtf.INI
    [2005/02/01 22:49:37 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\pdf2word.DAT
    [2005/01/25 10:41:52 | 000,070,656 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2005/01/23 10:35:51 | 000,071,749 | ---- | C] () -- C:\WINDOWS\hcextoutput.dll
    [2005/01/23 10:35:22 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
    [2005/01/18 19:52:12 | 000,000,123 | ---- | C] () -- C:\WINDOWS\_vmtel.INI
    [2005/01/11 11:28:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\crws.INI
    [2005/01/10 15:34:54 | 000,004,421 | ---- | C] () -- C:\WINDOWS\DevMgr.ini
    [2005/01/10 11:52:24 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI
    [2005/01/09 22:59:47 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ICOA.INI
    [2005/01/09 22:59:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
    [2005/01/09 22:59:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QDQICK.ini
    [2005/01/09 22:45:02 | 000,000,064 | ---- | C] () -- C:\WINDOWS\QBWCD.INI
    [2005/01/09 22:45:01 | 000,006,472 | ---- | C] () -- C:\WINDOWS\Icoadb32.dat
    [2005/01/09 22:37:28 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2005/01/09 21:42:10 | 000,000,032 | -HS- | C] () -- C:\WINDOWS\System32\{2737521E-0016-4A5D-B638-1119267B18C9}.dat
    [2005/01/09 21:42:10 | 000,000,032 | -HS- | C] () -- C:\WINDOWS\{2170D095-C0E7-4439-99C2-1171934A303A}.dat
    [2005/01/09 21:42:06 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\SR2.dat
    [2005/01/09 11:36:19 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2005/01/09 11:28:49 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2005/01/09 05:50:34 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2005/01/09 05:49:36 | 000,563,912 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/07/26 13:36:10 | 000,131,148 | ---- | C] () -- C:\WINDOWS\System32\WdReg.exe
    [2003/07/16 15:54:55 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2003/07/16 15:54:54 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2003/07/16 15:41:25 | 000,513,048 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2003/07/16 15:41:25 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2003/07/16 15:41:23 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2003/07/16 15:41:21 | 000,085,916 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2003/07/16 15:39:07 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2003/07/16 15:33:50 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2003/07/16 15:33:39 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2003/07/16 15:27:41 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2003/07/16 15:26:37 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2003/01/20 15:48:41 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\mscfcword.dll
    [2002/12/19 21:15:36 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\SAWZip.dll
    [2002/11/20 18:51:34 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\win2000.dll
    [2002/11/01 16:17:50 | 000,000,256 | ---- | C] () -- C:\WINDOWS\aucfg.ini
    [2002/07/04 15:05:34 | 000,000,269 | ---- | C] () -- C:\WINDOWS\tmupdate.ini
    [2002/06/26 18:38:44 | 000,002,249 | ---- | C] () -- C:\WINDOWS\System32\mswincore.dll
    [2002/03/14 11:00:26 | 000,038,567 | ---- | C] () -- C:\WINDOWS\System32\pcpbios.exe
    [2001/12/14 13:34:46 | 000,164,864 | ---- | C] () -- C:\WINDOWS\patchw32.dll
    [2001/04/12 20:19:16 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
    [1999/07/23 12:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
    [1999/07/23 09:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
    [1998/08/16 04:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
    [1997/06/25 15:24:16 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
    [1996/12/13 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 219 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7204B89D
    @Alternate Data Stream - 152 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8927A071
    @Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1AE68282

    < End of report >



The reports are too long; the next report is in the next reply.

  2. #12
    Junior Member
    Join Date
    Dec 2011
    Posts
    18

    Default

    OTL Extras logfile created on: 12/10/2011 9:02:28 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = D:\Desktop
    Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.11)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1022.00 Mb Total Physical Memory | 589.99 Mb Available Physical Memory | 57.73% Memory free
    2.49 Gb Paging File | 2.06 Gb Available in Paging File | 82.45% Paging File free
    Paging file location(s): D:\pagefile.sys 100 200E:\pagefile.sys 0 0 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 9.78 Gb Total Space | 1.02 Gb Free Space | 10.43% Space Free | Partition Type: NTFS
    Drive D: | 11.45 Gb Total Space | 0.38 Gb Free Space | 3.35% Space Free | Partition Type: NTFS
    Drive E: | 16.02 Gb Total Space | 0.15 Gb Free Space | 0.91% Space Free | Partition Type: NTFS
    Drive J: | 1.83 Gb Total Space | 1.49 Gb Free Space | 81.80% Space Free | Partition Type: FAT32

    Computer Name: TYC | User Name: Bob | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
    .js [@ = JSFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
    .jse [@ = JSEFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
    .txt [@ = txtfile] -- C:\Program Files\JGsoft\EditPadLite\EditPad.exe (Just Great Software)
    .vbe [@ = VBEFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
    .vbs [@ = VBSFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
    .wsf [@ = WSFFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
    https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    jsfile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
    jsefile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    txtfile [open] -- "C:\Program Files\JGsoft\EditPadLite\EditPad.exe" "%1" (Just Great Software)
    vbefile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
    vbsfile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
    wsffile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
    "67:UDP" = 67:UDP:*:Enabled:DHCP Discovery Service

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger -- (America Online, Inc.)
    "C:\Program Files\ResMed\AutoScan\5.4\crws.exe" = C:\Program Files\ResMed\AutoScan\5.4\crws.exe:*:Enabled:CRWS -- (ResMed)
    "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" = C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe:*:Enabled:Dreamweaver MX 2004 -- (Macromedia, Inc.)
    "C:\Program Files\DFG\BackUp3\BackUp.exe" = C:\Program Files\DFG\BackUp3\BackUp.exe:*:Enabled:BackUp
    "C:\totalcmd\TOTALCMD.EXE" = C:\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows
    "C:\Program Files\SmartFTP\SmartFTP.exe" = C:\Program Files\SmartFTP\SmartFTP.exe:*:Enabled:SmartFTP Client
    "C:\Program Files\PC Magazine Utilities\FTPpie.exe" = C:\Program Files\PC Magazine Utilities\FTPpie.exe:*:Enabled:FTP usage piechart utility
    "C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox -- (Mozilla Corporation)
    "C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)
    "C:\Program Files\SJLabs\SJphone\SJphone.exe" = C:\Program Files\SJLabs\SJphone\SJphone.exe:*:Enabled:SJphone
    "C:\Program Files\jajah\jajah.exe" = C:\Program Files\jajah\jajah.exe:*:Enabled:jajah
    "C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
    "C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" = C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe:*:Enabled:VoipBuster
    "E:\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" = E:\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2 -- (Adobe Systems Incorporated)
    "E:\Program Files\TurboTax\2006\TurboTax Deluxe 2006\32bit\ttax.exe" = E:\Program Files\TurboTax\2006\TurboTax Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax
    "E:\Program Files\TurboTax\2006\TurboTax Deluxe 2006\32bit\updatemgr.exe" = E:\Program Files\TurboTax\2006\TurboTax Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager
    "E:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = E:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax
    "E:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = E:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager
    "C:\Program Files\BlueSoleil\BlueSoleil.exe" = C:\Program Files\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil -- (IVT Corporation)
    "C:\WINDOWS\system32\javaw.exe" = C:\WINDOWS\system32\javaw.exe:*:Enabled:Java(TM) Platform SE binary
    "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
    "C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
    "C:\Program Files\FavoriteSync\FavoriteSync.exe" = C:\Program Files\FavoriteSync\FavoriteSync.exe:*:Enabled:Internet Explorer Sync Application
    "C:\WINDOWS\TEMP\spsvrb\setup.exe" = C:\WINDOWS\TEMP\spsvrb\setup.exe:*:Enabled:setup


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0134A1A1-C283-4A47-91A1-92F19F960372}" = Adobe Creative Suite 2
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = Google Gmail Notifier
    "{03DF638A-D61C-4893-B8B9-845900C03163}" = TurboTax 2010 wnyiper
    "{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}" = Macromedia Dreamweaver MX 2004
    "{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
    "{1526D87C-A955-4FAB-BF18-697BA457E352}" = Norton WMI Update
    "{1873789F-59D5-4002-8A2F-60A827B78F98}_is1" = GmapTool 0.6.0
    "{21DBBDD6-93A5-4326-9A04-C9A5C9148502}" = Norton PartitionMagic
    "{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
    "{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
    "{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
    "{2FD94FBC-07AE-475C-B522-BFE899B9048E}" = Garmin WebUpdater
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
    "{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
    "{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
    "{3B1D6DF0-EAA2-012B-AE51-000000000000}" = TurboTax 2009 wnjiper
    "{3B8186F0-EAA2-012B-AE69-000000000000}" = TurboTax 2009 wnyiper
    "{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
    "{41369F9D-FF51-464F-9FFB-33198BA24CC9}" = USB Modem Driver
    "{45E557D6-2271-4F13-8101-C620B4285AB0}" = Kaspersky Anti-Virus 2012
    "{46548E80-0409-0000-7E8A-45000F855001}" = Adobe GoLive CS2
    "{47CB8B6B-49DF-4058-AC2B-1596E3BE63EA}" = Garmin City Navigator North America 2009
    "{5B893587-00A8-4A4E-83F0-8AFA7BFC7C1A}" = PVR Plus
    "{5D5B9E6A-344C-4976-95AB-ABBDC648E5DA}" = Microsoft IntelliType Pro 5.2
    "{5E3CFCA6-C95A-47CB-A822-7FA80D423AF2}" = MapSource
    "{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller
    "{64D36D7C-B821-42E5-8BDB-239812D1D752}" = Microsoft Tool Web Package : GETMAC.EXE
    "{64EF9937-CDDA-11D7-9FEB-0000E22B272F}" = AutoScan5.4
    "{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
    "{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}" = CmdHere Powertoy For Windows XP
    "{6C6F0968-2B86-42B4-AF34-46A5F06E8FA4}" = MySoftware Fonts
    "{706AE61D-40A4-4F50-8359-FE8F6F7FA461}" = Acronis Drive Monitor
    "{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
    "{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
    "{7F4C8163-F259-49A0-A018-2857A90578BC}" = Adobe InDesign CS2
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{84CC9583-C2D6-42E6-A373-6FDDDA6A8BA6}" = Garmin Communicator Plugin
    "{86BB059D-1231-457B-B88F-F9B315A18F90}" = Windows Vista Upgrade Advisor
    "{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
    "{8C6DAA0F-D94F-475C-A82F-2E7B91BE7B58}" = Eudora
    "{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{9021848E-F315-44C7-8D45-3B16162AA73A}" = TurboTax 2010 wneiper
    "{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
    "{923CAE62-30C9-425E-B4ED-F5E9C09C5C4A}" = TurboTax 2008 wnjiper
    "{939740B5-0064-4779-854A-8C1086181C05}" = Macromedia FreeHand MXa
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}" =
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
    "{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
    "{A8DF1374-7E6B-448A-87BB-2DCE71874F2B}" = Macrium Reflect - Free Edition
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AA1542E6-D54D-4AB3-97E1-28DB4CEB4B90}" = Garmin City Navigator North America 2008
    "{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
    "{ADBE46EE-54E0-4610-B436-D7E93D829100}" = Adobe Version Cue CS2
    "{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
    "{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
    "{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
    "{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
    "{B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}" = Adobe Illustrator CS2
    "{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B74D4E10-6884-0000-0000-000000000103}" = Adobe Bridge 1.0
    "{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}" = BlueSoleil
    "{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
    "{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C43E4B9C-14C8-4EB0-998B-85211B6EDD61}" = Seagate DiscWizard
    "{C49DAA9C-5BA8-459A-8244-E57B69DF0F04}" = Suite Specific
    "{C4D26D60-7B43-4CE9-AE19-A380D9DF126B}" = Garmin MapSource
    "{CA19AEA3-B949-41DA-AFBA-692356230F6E}" = TurboTax 2010 wnjiper
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
    "{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
    "{E583ED6F-BD99-4066-A420-C815BF692B69}" = Macromedia Fireworks MX 2004
    "{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
    "{E8DA0DB7-51C7-4D47-A9FC-51F206ED0045}" = MapSource - City Select North America v7
    "{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
    "{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
    "{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}" =
    "{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}" = Adobe Stock Photos 1.0
    "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
    "{F186D52C-BBD6-4C7D-80FA-28D0662D7ABD}" = Jalbum
    "{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
    "{F7E1CA14-B39D-452A-960B-39423DDDD933}" = DriveImage XML
    "{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1" = BitPim 1.0.4
    "{FBE4694D-AA7D-491A-8EE5-53695CDCF921}_is1" = Stuff Organizer
    "{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    "45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    "ActiveScan 2.0" = Panda ActiveScan 2.0
    "AddressBook" =
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe GoLive CS2 English" =
    "Adobe Illustrator CS2" =
    "Adobe InDesign CS2 - {7F4C8163-F259-49A0-A018-2857A90578BC}" =
    "Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" =
    "Adobe Shockwave Player" = Adobe Shockwave Player
    "Adobe SVG Viewer" = Adobe SVG Viewer 3.0
    "AI RoboForm" = AI RoboForm (All Users)
    "AOL Instant Messenger" = AOL Instant Messenger
    "AOL Instant Messenger (SM)" = AOL Instant Messenger (SM)
    "ASAP Utilities_is1" = ASAP Utilities
    "BookSmart® 2.9.1 2.9.1" = BookSmart® 2.9.1 2.9.1
    "Branding" =
    "CCleaner" = CCleaner
    "CdaC13Ba" = SafeCast Shared Components
    "cGPSmapper Shareware_is1" = cGPSmapper Shareware 0087
    "Complete Cleanup Trial_is1" = Complete Cleanup Trial
    "Connection Manager" =
    "CookieCop® 2" = CookieCop® 2
    "DirectAnimation" =
    "DirectDrawEx" =
    "EASEUS Data Recovery Wizard Free Edition 5.5.1_is1" = EASEUS Data Recovery Wizard Free Edition 5.5.1
    "EditPad Lite" = Just Great Software EditPad Lite 6.6.3
    "ERUNT_is1" = ERUNT 1.1j
    "Excel VBA Code Cleaner 4.4" = Excel VBA Code Cleaner 4.4
    "Excel VBA Code Documentor 4.0" = Excel VBA Code Documentor 4.0
    "FileNote" = FileNote (Remove Only)
    "Fontcore" =
    "Free CD to MP3 Converter" = Free CD to MP3 Converter
    "Google Updater" = Google Updater
    "GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
    "HijackThis" = HijackThis 2.0.2
    "hp officejet g series 1105389292" = hp officejet g series
    "ICW" =
    "IE40" =
    "IE4Data" =
    "IE5BAKEX" =
    "ie7" = Windows Internet Explorer 7
    "IEData" =
    "InstallShield Uninstall Information" =
    "InstallShield_{21DBBDD6-93A5-4326-9A04-C9A5C9148502}" = Norton PartitionMagic 8.0
    "InstallShield_{41369F9D-FF51-464F-9FFB-33198BA24CC9}" = USB Modem Driver
    "InstallShield_{E8DA0DB7-51C7-4D47-A9FC-51F206ED0045}" = MapSource - City Select North America v7
    "InstallWIX_{45E557D6-2271-4F13-8101-C620B4285AB0}" = Kaspersky Anti-Virus 2012
    "Intel(R) 537EP V9x DF PCI Modem" = Intel(R) 537EP V9x DF PCI Modem
    "IrfanView" = IrfanView (remove only)
    "jv16 PowerTools_is1" = jv16 PowerTools 2005
    "Kirby Alarm Pro_is1" = Kirby Alarm Pro v4.45
    "Kirby Alarm_is1" = Kirby Alarm v2.11
    "LiveReg" = LiveReg (Symantec Corporation)
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "MobileOptionPack" =
    "MozBackup_is1" = MozBackup 1.4.7
    "Mozilla Firefox (3.6.23)" = Mozilla Firefox (3.6.23)
    "MSI30a-KB884016" =
    "MSI30-Beta1" =
    "MSI30-Beta2" =
    "MSI30-KB884016" =
    "MSI30-RC1" =
    "MSI30-RC2" =
    "MSI31-Beta" =
    "MSI31-RC1" =
    "NeroMultiInstaller!UninstallKey" = Nero Suite
    "NetMeeting" =
    "NTREGOPT_is1" = NTREGOPT 1.1j
    "OSM map" = OSM map
    "OutlookExpress" =
    "PandoraRecovery" = PandoraRecovery (Remove Only)
    "PC Authorize" = PC Authorize
    "PC Magazine's Startup Cop_is1" = Startup Cop 1.1
    "PCHealth" =
    "Pidgin" = Pidgin
    "POP Peeper" = POP Peeper
    "Powerpnt" = Microsoft PowerPoint 97
    "QuickBooks 99" = QuickBooks Pro 99
    "QuicktimeAlt_is1" = QuickTime Alternative 3.2.2
    "RealAlt_is1" = Real Alternative 1.42
    "SchedulingAgent" =
    "Secunia PSI" = Secunia PSI
    "Shockwave" =
    "Smart Defrag 1.0_is1" = Smart Defrag 1.0
    "Smart Indenter v3.5 for Office 2000-2003" = Smart Indenter v3.5 for Office 2000-2003
    "Snapshot Viewer" = Snapshot Viewer
    "ST6UNST #1" = dfg BackUp XP 2005
    "ST6UNST #4" = dfg BackUp XP 2005 (C:\Program Files\DFG\BackUp3\)
    "SyncBack_is1" = SyncBack
    "TurboTax 2009" = TurboTax 2009
    "tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
    "Tweak UI 2.10" = Tweak UI
    "Volumouse" = Volumouse
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 2
    "WinDriver6.22 USB Driver" = WinDriver6.22 USB Driver
    "WinRAR archiver" = WinRAR archiver
    "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
    "XQXSetup_is1" = Xteq Systems X-Setup 6.2

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 11/29/2011 11:26:04 PM | Computer Name = TYC | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The connection with the server was terminated abnormally

    Error - 11/29/2011 11:26:04 PM | Computer Name = TYC | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 12/1/2011 1:24:02 PM | Computer Name = TYC | Source = Acronis Scheduler | ID = 1
    Description =

    Error - 12/2/2011 10:29:45 AM | Computer Name = TYC | Source = MPSampleSubmission | ID = 5000
    Description =

    Error - 12/2/2011 3:42:08 PM | Computer Name = TYC | Source = MPSampleSubmission | ID = 5000
    Description =

    Error - 12/2/2011 4:18:11 PM | Computer Name = TYC | Source = MPSampleSubmission | ID = 5000
    Description =

    Error - 12/2/2011 7:21:15 PM | Computer Name = TYC | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This operation returned because the timeout period expired.

    Error - 12/2/2011 7:24:32 PM | Computer Name = TYC | Source = Microsoft Security Client | ID = 1001
    Description =

    Error - 12/10/2011 9:39:10 PM | Computer Name = TYC | Source = Application Error | ID = 1000
    Description = Faulting application set8a.tmp, version 7.1.100.1248, faulting module
    , version 0.0.0.0, fault address 0x00000000.

    Error - 12/10/2011 9:39:17 PM | Computer Name = TYC | Source = Application Error | ID = 1000
    Description = Faulting application set8b.tmp, version 7.1.100.1248, faulting module
    , version 0.0.0.0, fault address 0x00000000.

    [ System Events ]
    Error - 12/2/2011 7:28:21 PM | Computer Name = TYC | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    pxrts pxscan

    Error - 12/4/2011 8:44:30 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the Google Update Service
    (gupdate) service to connect.

    Error - 12/4/2011 8:44:30 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7000
    Description = The Google Update Service (gupdate) service failed to start due to
    the following error: %%1053

    Error - 12/4/2011 8:44:30 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7022
    Description = The Intuit Update Service service hung on starting.

    Error - 12/4/2011 8:44:30 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    pxrts pxscan

    Error - 12/5/2011 8:23:34 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    pxrts pxscan

    Error - 12/6/2011 8:47:18 AM | Computer Name = TYC | Source = Windows Update Agent | ID = 16
    Description = Unable to Connect: Windows is unable to connect to the automatic updates
    service and therefore cannot download and install updates according to the set
    schedule. Windows will continue to try to establish a connection.

    Error - 12/8/2011 8:47:19 AM | Computer Name = TYC | Source = Windows Update Agent | ID = 16
    Description = Unable to Connect: Windows is unable to connect to the automatic updates
    service and therefore cannot download and install updates according to the set
    schedule. Windows will continue to try to establish a connection.

    Error - 12/10/2011 8:47:20 AM | Computer Name = TYC | Source = Windows Update Agent | ID = 16
    Description = Unable to Connect: Windows is unable to connect to the automatic updates
    service and therefore cannot download and install updates according to the set
    schedule. Windows will continue to try to establish a connection.

    Error - 12/10/2011 7:58:41 PM | Computer Name = TYC | Source = DCOM | ID = 10005
    Description = DCOM got error "%1058" attempting to start the service upnphost with
    arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}


    < End of report >

  3. #13
    Malware Team-Emeritus
    Join Date
    May 2010
    Posts
    212

    Hi,

    I haven't forgotten you and will post further instructions as soon as possible.

  4. #14
    Junior Member
    Join Date
    Dec 2011
    Posts
    18

    Thank you.

  5. #15
    Malware Team-Emeritus
    Join Date
    May 2010
    Posts
    212

    Hello,

    I'm sorry for the delay.


    Please go ahead and uninstall BookSmart, Google Earth, HP Officejet and Kirby 2.11.


    Download Tools

    Instructions on how to use these tools are found further down this post.

    A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.

    Download the following 3 files & save them with their original names.

    Please download GMER Rootkit Scanner from the following link:
    http://www2.gmer.net/download.php

    Please download WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe from the following link:
    http://www.microsoft.com/download/en...ng=en&id=12934

    Please download ComboFix from one of the following links, do not run the tool yet:

    Link1
    Link2

    Transfer the files to the desktop of the infected computer.

    **IMPORTANT !!! ComboFix.exe must be saved to the Desktop**


    Disable Kaspersky Anti Virus

    • Please navigate to the system tray on the bottom right hand corner and look for a sign.
    • Right-click it -> select Pause Protection.
    • Click on -> By User Request.
    • A popup will claim that protection is now disabled and a sign like this: will now be shown.
    • Note: Don't forget to re-enable it after the fix.



    Run GMER Rootkit Scanner

    If this scan crashes, please retry it a maximum of two times (a restart of your computer may be required), then continue with the next steps.

    • Double-click the GMER .exe file. If asked to allow GMER's .sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All << (don't miss this one)


    • Then click the Scan button & wait for it to finish.
    • Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt", or it will save as a .log file.
    • Save it where you can easily find it, such as your desktop, and post it in your next reply.
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

    Note: Do not run any programs or use your computer while Gmer is scanning.


    Install the Recovery Console and run Combofix

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    • Drag the setup package (WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe) onto ComboFix.exe and drop it:

    • Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    • At the next prompt, click Yes to continue scanning for malware. Please do not use the computer once ComboFix has started scanning.


    Please include the ComboFix log (C:\ComboFix.txt) in your next reply for further review.

    Please enable Kaspersky Anti-Virus after ComboFix is finished.

  6. #16
    Junior Member
    Join Date
    Dec 2011
    Posts
    18

    I elected not to remove some of the last programs mentioned prior to following the rest of your instructions. Would there be any difference had I not removed any programs from the beginning of this?


    The process did find rootkit.zeroaccess and needed to reboot before being run again.

    Thanks

    -Bob




    ComboFix 11-12-16.01 - Bob 12/16/2011 12:36:52.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.614 [GMT -5:00]
    Running from: d:\desktop\ComboFix.exe
    Command switches used :: d:\desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\13.sys
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Bob\Application Data\rbap550.dll
    c:\documents and settings\Bob\GoToAssistDownloadHelper.exe
    c:\documents and settings\Bob\WINDOWS
    c:\documents and settings\NetworkService\Local Settings\Application Data\klartew.dll
    c:\windows\$NtUninstallKB44907$
    c:\windows\$NtUninstallKB44907$\3260245246
    c:\windows\$NtUninstallKB44907$\3558636407\@
    c:\windows\$NtUninstallKB44907$\3558636407\bckfg.tmp
    c:\windows\$NtUninstallKB44907$\3558636407\cfg.ini
    c:\windows\$NtUninstallKB44907$\3558636407\Desktop.ini
    c:\windows\$NtUninstallKB44907$\3558636407\keywords
    c:\windows\$NtUninstallKB44907$\3558636407\kwrd.dll
    c:\windows\$NtUninstallKB44907$\3558636407\L\cmhpaair
    c:\windows\$NtUninstallKB44907$\3558636407\lsflt7.ver
    c:\windows\$NtUninstallKB44907$\3558636407\U\00000001.@
    c:\windows\$NtUninstallKB44907$\3558636407\U\00000002.@
    c:\windows\$NtUninstallKB44907$\3558636407\U\00000004.@
    c:\windows\$NtUninstallKB44907$\3558636407\U\80000000.@
    c:\windows\$NtUninstallKB44907$\3558636407\U\80000004.@
    c:\windows\$NtUninstallKB44907$\3558636407\U\80000032.@
    c:\windows\CDAC13BA.EXE
    c:\windows\CDAC14BA.DLL
    c:\windows\system32\PowerToyReadme.htm
    c:\windows\system32\prsgrc.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-09 16:47 . 2011-12-09 16:47 -------- dc----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2011-12-02 23:32 . 2011-12-03 00:31 115369 -c--a-w- c:\windows\system32\drivers\klin.dat
    2011-12-02 23:32 . 2011-12-03 00:31 97961 -c--a-w- c:\windows\system32\drivers\klick.dat
    2011-12-02 23:29 . 2011-12-02 23:29 -------- dc----w- c:\program files\Kaspersky Lab
    2011-12-02 23:29 . 2011-12-16 17:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2011-12-01 19:29 . 2008-11-06 07:03 -------- dc----w- C:\SDFix
    2011-12-01 16:37 . 2011-12-01 22:00 -------- dc----w- c:\documents and settings\Bob\Local Settings\Application Data\fxnetlib
    2011-11-30 23:07 . 2011-11-30 23:07 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-11-30 23:06 . 2011-11-30 23:07 -------- dc----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-11-30 17:10 . 2011-11-30 17:10 71880 -c--a-w- c:\windows\system32\PxSecure.dll-19202703
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-01 00:08 . 2003-07-16 20:37 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
    2011-11-15 13:17 . 2011-05-20 10:52 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2006-11-09 19:20 . 2006-06-05 03:13 2111096 -c--a-w- c:\program files\mozilla firefox\plugins\oldNPSWF32.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
    "$Volumouse$"="c:\program files\Volumouse\volumouse.exe" [2005-06-05 24064]
    "POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2010-09-09 1511424]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-29 160328]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    "adm_tray.exe"="c:\program files\Acronis\DriveMonitor\adm_tray.exe" [2010-08-26 531664]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe" [2011-04-25 202296]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-29 160328]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2006-10-04 53760]
    .
    c:\documents and settings\Bob\Start Menu\Programs\Startup\
    KeyExpress.lnk - d:\keyexp\KEYEXP.EXE [2005-1-10 838656]
    Today.pif [2007-10-1 2855]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-9-29 25214]
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    Kirby Alarm.lnk - c:\program files\Kirby Alarm\kirbyalarm.exe [2004-1-21 1366528]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^Secunia PSI.lnk]
    backup=c:\windows\pss\Secunia PSI.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    2008-04-23 06:08 483328 ----a-w- e:\adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    2010-08-13 23:01 365632 -c--a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
    2009-10-16 23:42 904840 -c--a-w- c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 05:56 15360 -c--a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
    2009-10-16 23:37 1325936 -c--a-w- c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\emMON]
    2006-05-31 02:24 61440 -c--a-w- c:\windows\emMON.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2005-10-19 12:59 155648 -c--a-w- c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 16:24 1694208 -csh--w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 14:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
    2009-10-16 23:39 136544 -c--a-w- c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2004-10-14 18:42 1404928 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 20:07 2260480 -c----w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
    2004-06-03 06:51 172032 ----a-w- c:\program files\Microsoft IntelliType Pro\type32.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "MDM"=2 (0x2)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Titan Backup"="c:\progra~1\TITANB~1\TITANB~2.EXE" /startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\xqttask.exe" -atboottime
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "Adobe Version Cue CS2"=e:\adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\ResMed\\AutoScan\\5.4\\crws.exe"=
    "c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "e:\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
    "c:\\Program Files\\BlueSoleil\\BlueSoleil.exe"=
    "\\??\\c:\\WINDOWS\\system32\\winlogon.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service
    .
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/15/2011 5:34 PM 28552]
    R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [9/28/2010 1:03 PM 15328]
    R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [3/4/2011 1:23 PM 11352]
    R2 KirbyAlarmPro;Kirby Alarm Pro;c:\program files\Kirby Alarm Pro\kirbyalarmpro.exe [2/3/2009 3:46 PM 3579904]
    R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [9/28/2010 1:02 PM 220128]
    R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [10/16/2009 6:39 PM 431456]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [3/10/2011 6:34 PM 34608]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 8:27 PM 19472]
    S0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys --> c:\windows\system32\drivers\pxscan.sys [?]
    S1 MpKsl05b8ec11;MpKsl05b8ec11;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF9C8DF2-582E-4A0B-A51F-7E845E1CD6FD}\MpKsl05b8ec11.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF9C8DF2-582E-4A0B-A51F-7E845E1CD6FD}\MpKsl05b8ec11.sys [?]
    S1 MpKsl2c04e557;MpKsl2c04e557;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC45769-A94D-4949-A210-4E7DD42E8B5A}\MpKsl2c04e557.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC45769-A94D-4949-A210-4E7DD42E8B5A}\MpKsl2c04e557.sys [?]
    S1 MpKsl30221af3;MpKsl30221af3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsl30221af3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsl30221af3.sys [?]
    S1 MpKsl3bbc9cb7;MpKsl3bbc9cb7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B65B421E-520C-4DC3-BB0B-E0B13CCACB29}\MpKsl3bbc9cb7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B65B421E-520C-4DC3-BB0B-E0B13CCACB29}\MpKsl3bbc9cb7.sys [?]
    S1 MpKsl50c6aa21;MpKsl50c6aa21;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FBCED0E-C906-4526-8AC0-A3E173BD644C}\MpKsl50c6aa21.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FBCED0E-C906-4526-8AC0-A3E173BD644C}\MpKsl50c6aa21.sys [?]
    S1 MpKsl63115aff;MpKsl63115aff;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F268287-023A-4EF1-8111-EED0D192DFAE}\MpKsl63115aff.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F268287-023A-4EF1-8111-EED0D192DFAE}\MpKsl63115aff.sys [?]
    S1 MpKsl6992bf7e;MpKsl6992bf7e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00DD543A-485E-4F5C-805E-5CCCBA25D24D}\MpKsl6992bf7e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00DD543A-485E-4F5C-805E-5CCCBA25D24D}\MpKsl6992bf7e.sys [?]
    S1 MpKsl6f4364a6;MpKsl6f4364a6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49F1789D-F463-4AE6-9A66-747134266B78}\MpKsl6f4364a6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49F1789D-F463-4AE6-9A66-747134266B78}\MpKsl6f4364a6.sys [?]
    S1 MpKsl91e50612;MpKsl91e50612;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AFA9519-2DC2-4F4A-BC6A-67DB575AD69F}\MpKsl91e50612.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AFA9519-2DC2-4F4A-BC6A-67DB575AD69F}\MpKsl91e50612.sys [?]
    S1 MpKsl957cbe81;MpKsl957cbe81;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D7ADC2B-9E7C-499B-8B4B-970056C021C5}\MpKsl957cbe81.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D7ADC2B-9E7C-499B-8B4B-970056C021C5}\MpKsl957cbe81.sys [?]
    S1 MpKsla44f2d84;MpKsla44f2d84;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsla44f2d84.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsla44f2d84.sys [?]
    S1 MpKslb1eef83e;MpKslb1eef83e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EC47350A-2863-4F9A-90E4-6AAB11DC7F96}\MpKslb1eef83e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EC47350A-2863-4F9A-90E4-6AAB11DC7F96}\MpKslb1eef83e.sys [?]
    S1 MpKslbb72fb26;MpKslbb72fb26;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02B31D1-047A-4A74-B222-564F57750561}\MpKslbb72fb26.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02B31D1-047A-4A74-B222-564F57750561}\MpKslbb72fb26.sys [?]
    S1 MpKslc6a20e02;MpKslc6a20e02;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22038661-62E7-42F4-A3BD-BD6D7EA26198}\MpKslc6a20e02.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22038661-62E7-42F4-A3BD-BD6D7EA26198}\MpKslc6a20e02.sys [?]
    S1 MpKslc86a0644;MpKslc86a0644;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F951E807-42B7-42A5-8E28-F10B74BCA579}\MpKslc86a0644.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F951E807-42B7-42A5-8E28-F10B74BCA579}\MpKslc86a0644.sys [?]
    S1 MpKslcfc4f3af;MpKslcfc4f3af;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C9F5F717-DE2B-42A3-AD96-B15B8B26858B}\MpKslcfc4f3af.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C9F5F717-DE2B-42A3-AD96-B15B8B26858B}\MpKslcfc4f3af.sys [?]
    S1 MpKsldfa7710c;MpKsldfa7710c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D66A504-67FE-4FC0-B704-9AFF011607F5}\MpKsldfa7710c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D66A504-67FE-4FC0-B704-9AFF011607F5}\MpKsldfa7710c.sys [?]
    S1 MpKslf156ae64;MpKslf156ae64;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{021DE105-DC76-4D6E-BEB8-B9D47DD524A3}\MpKslf156ae64.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{021DE105-DC76-4D6E-BEB8-B9D47DD524A3}\MpKslf156ae64.sys [?]
    S1 MpKslf9cc0160;MpKslf9cc0160;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E84C3EA2-141B-4581-A47D-CA48B2E8C486}\MpKslf9cc0160.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E84C3EA2-141B-4581-A47D-CA48B2E8C486}\MpKslf9cc0160.sys [?]
    S1 MpKslfd8e6181;MpKslfd8e6181;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71E3C987-72E8-40B3-A256-DA415B7829B5}\MpKslfd8e6181.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71E3C987-72E8-40B3-A256-DA415B7829B5}\MpKslfd8e6181.sys [?]
    S1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys --> c:\windows\system32\drivers\pxrts.sys [?]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [3/24/2009 6:03 AM 7808]
    S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [9/28/2010 1:03 PM 44512]
    S3 PSVolAcc;PSVolAcc;c:\windows\system32\drivers\PSVolAcc.sys [9/28/2010 1:03 PM 12256]
    S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys --> c:\windows\system32\drivers\pxkbf.sys [?]
    S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\drivers\sustucap.sys [2/3/2006 8:56 AM 37632]
    S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:14 PM 135664]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:14 PM 135664]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-16 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-26 20:31]
    .
    2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 02:14]
    .
    2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 02:14]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = cookiecop:8100
    uInternet Settings,ProxyOverride = 192.168;<local>
    IE: Convert link target to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: {{320AF880-6646-11D3-ABEE-C5DBF3571F4E} - c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    Trusted Zone: gamehouse.com\www
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: macys.com\www
    Trusted Zone: mycheckfree.com
    Trusted Zone: onlinesearches.com\publicrecords
    Trusted Zone: pointspot.com\www
    Trusted Zone: thdathomeservices.com\webmail
    Trusted Zone: turbotax.com
    TCP: Interfaces\{DC70D44C-CFA4-4CFB-AA8F-23E25AF64531}: NameServer = 208.67.220.220,208.67.222.222
    DPF: Microsoft XML Parser for Java
    FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.ftp - cookiecop
    FF - prefs.js: network.proxy.ftp_port - 8100
    FF - prefs.js: network.proxy.gopher - cookiecop
    FF - prefs.js: network.proxy.gopher_port - 8100
    FF - prefs.js: network.proxy.http - cookiecop
    FF - prefs.js: network.proxy.http_port - 8100
    FF - prefs.js: network.proxy.socks - cookiecop
    FF - prefs.js: network.proxy.socks_port - 8100
    FF - prefs.js: network.proxy.ssl - cookiecop
    FF - prefs.js: network.proxy.ssl_port - 8100
    FF - prefs.js: network.proxy.type - 1
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: PlainOldFavorites: {7E7165E2-0767-448c-852F-5FA8714F2C37} - %profile%\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}
    FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
    FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
    .
    .
    ------- File Associations -------
    .
    txtfile="c:\program files\JGsoft\EditPadLite\EditPad.exe" "%1"
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Notify-AutorunsDisabled - (no file)
    SafeBoot-79768126.sys
    AddRemove-CdaC13Ba - c:\windows\CDAC13BA.EXE
    AddRemove-PC Authorize - e:\tellan\PCAuth\DeIsL1.isu
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-16 12:51
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600
    .
    CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
    device: opened successfully
    user: error reading MBR
    kernel: MBR read successfully
    user != kernel MBR !!!
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
    "Licence0"="04F0D21-79D8-7A25-D702-433F"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(1572)
    c:\windows\system32\relog_ap.dll
    .
    - - - - - - - > 'explorer.exe'(2036)
    c:\windows\system32\WININET.dll
    c:\program files\Volumouse\vlmshlp.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\windows\system32\crypserv.exe
    c:\program files\CDBurnerXP\NMSAccessU.exe
    c:\progra~1\PCMAGA~1\COOKIE~1\COOKIE~1.EXE
    c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    c:\windows\system32\hpoipm07.exe
    c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-16 13:01:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-16 18:01
    .
    Pre-Run: 1,089,880,064 bytes free
    Post-Run: 1,376,165,888 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="TYC MS Windows XP Home Edition" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - 5DAE4B4BE54E1DC804A32F93B940828C

  7. #17
    Junior Member
    Join Date
    Dec 2011
    Posts
    18

    Default

    I elected not to remove some of the last programs mentioned prior to following the rest of your instructions. Would there be any difference had I not removed any programs from the beginning of this?


    The process did find rootkit.zeroaccess and needed to reboot before being run again.

    Thanks

    -Bob




    ComboFix 11-12-16.01 - Bob 12/16/2011 12:36:52.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.614 [GMT -5:00]
    Running from: d:\desktop\ComboFix.exe
    Command switches used :: d:\desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\13.sys
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Bob\Application Data\rbap550.dll
    c:\documents and settings\Bob\GoToAssistDownloadHelper.exe
    c:\documents and settings\Bob\WINDOWS
    c:\documents and settings\NetworkService\Local Settings\Application Data\klartew.dll
    c:\windows\$NtUninstallKB44907$
    c:\windows\$NtUninstallKB44907$\3260245246
    c:\windows\$NtUninstallKB44907$\3558636407\@
    c:\windows\$NtUninstallKB44907$\3558636407\bckfg.tmp
    c:\windows\$NtUninstallKB44907$\3558636407\cfg.ini
    c:\windows\$NtUninstallKB44907$\3558636407\Desktop.ini
    c:\windows\$NtUninstallKB44907$\3558636407\keywords
    c:\windows\$NtUninstallKB44907$\3558636407\kwrd.dll
    c:\windows\$NtUninstallKB44907$\3558636407\L\cmhpaair
    c:\windows\$NtUninstallKB44907$\3558636407\lsflt7.ver
    c:\windows\$NtUninstallKB44907$\3558636407\U\00000001.@
    c:\windows\$NtUninstallKB44907$\3558636407\U\00000002.@
    c:\windows\$NtUninstallKB44907$\3558636407\U\00000004.@
    c:\windows\$NtUninstallKB44907$\3558636407\U\80000000.@
    c:\windows\$NtUninstallKB44907$\3558636407\U\80000004.@
    c:\windows\$NtUninstallKB44907$\3558636407\U\80000032.@
    c:\windows\CDAC13BA.EXE
    c:\windows\CDAC14BA.DLL
    c:\windows\system32\PowerToyReadme.htm
    c:\windows\system32\prsgrc.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-09 16:47 . 2011-12-09 16:47 -------- dc----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2011-12-02 23:32 . 2011-12-03 00:31 115369 -c--a-w- c:\windows\system32\drivers\klin.dat
    2011-12-02 23:32 . 2011-12-03 00:31 97961 -c--a-w- c:\windows\system32\drivers\klick.dat
    2011-12-02 23:29 . 2011-12-02 23:29 -------- dc----w- c:\program files\Kaspersky Lab
    2011-12-02 23:29 . 2011-12-16 17:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2011-12-01 19:29 . 2008-11-06 07:03 -------- dc----w- C:\SDFix
    2011-12-01 16:37 . 2011-12-01 22:00 -------- dc----w- c:\documents and settings\Bob\Local Settings\Application Data\fxnetlib
    2011-11-30 23:07 . 2011-11-30 23:07 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-11-30 23:06 . 2011-11-30 23:07 -------- dc----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-11-30 17:10 . 2011-11-30 17:10 71880 -c--a-w- c:\windows\system32\PxSecure.dll-19202703
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-01 00:08 . 2003-07-16 20:37 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
    2011-11-15 13:17 . 2011-05-20 10:52 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2006-11-09 19:20 . 2006-06-05 03:13 2111096 -c--a-w- c:\program files\mozilla firefox\plugins\oldNPSWF32.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
    "$Volumouse$"="c:\program files\Volumouse\volumouse.exe" [2005-06-05 24064]
    "POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2010-09-09 1511424]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-29 160328]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    "adm_tray.exe"="c:\program files\Acronis\DriveMonitor\adm_tray.exe" [2010-08-26 531664]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe" [2011-04-25 202296]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-29 160328]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2006-10-04 53760]
    .
    c:\documents and settings\Bob\Start Menu\Programs\Startup\
    KeyExpress.lnk - d:\keyexp\KEYEXP.EXE [2005-1-10 838656]
    Today.pif [2007-10-1 2855]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-9-29 25214]
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    Kirby Alarm.lnk - c:\program files\Kirby Alarm\kirbyalarm.exe [2004-1-21 1366528]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^Secunia PSI.lnk]
    backup=c:\windows\pss\Secunia PSI.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    2008-04-23 06:08 483328 ----a-w- e:\adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    2010-08-13 23:01 365632 -c--a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
    2009-10-16 23:42 904840 -c--a-w- c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 05:56 15360 -c--a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
    2009-10-16 23:37 1325936 -c--a-w- c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\emMON]
    2006-05-31 02:24 61440 -c--a-w- c:\windows\emMON.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2005-10-19 12:59 155648 -c--a-w- c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 16:24 1694208 -csh--w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 14:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
    2009-10-16 23:39 136544 -c--a-w- c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2004-10-14 18:42 1404928 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 20:07 2260480 -c----w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
    2004-06-03 06:51 172032 ----a-w- c:\program files\Microsoft IntelliType Pro\type32.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "MDM"=2 (0x2)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Titan Backup"="c:\progra~1\TITANB~1\TITANB~2.EXE" /startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\xqttask.exe" -atboottime
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "Adobe Version Cue CS2"=e:\adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\ResMed\\AutoScan\\5.4\\crws.exe"=
    "c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "e:\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
    "c:\\Program Files\\BlueSoleil\\BlueSoleil.exe"=
    "\\??\\c:\\WINDOWS\\system32\\winlogon.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service
    .
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/15/2011 5:34 PM 28552]
    R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [9/28/2010 1:03 PM 15328]
    R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [3/4/2011 1:23 PM 11352]
    R2 KirbyAlarmPro;Kirby Alarm Pro;c:\program files\Kirby Alarm Pro\kirbyalarmpro.exe [2/3/2009 3:46 PM 3579904]
    R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [9/28/2010 1:02 PM 220128]
    R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [10/16/2009 6:39 PM 431456]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [3/10/2011 6:34 PM 34608]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 8:27 PM 19472]
    S0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys --> c:\windows\system32\drivers\pxscan.sys [?]
    S1 MpKsl05b8ec11;MpKsl05b8ec11;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF9C8DF2-582E-4A0B-A51F-7E845E1CD6FD}\MpKsl05b8ec11.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF9C8DF2-582E-4A0B-A51F-7E845E1CD6FD}\MpKsl05b8ec11.sys [?]
    S1 MpKsl2c04e557;MpKsl2c04e557;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC45769-A94D-4949-A210-4E7DD42E8B5A}\MpKsl2c04e557.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC45769-A94D-4949-A210-4E7DD42E8B5A}\MpKsl2c04e557.sys [?]
    S1 MpKsl30221af3;MpKsl30221af3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsl30221af3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsl30221af3.sys [?]
    S1 MpKsl3bbc9cb7;MpKsl3bbc9cb7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B65B421E-520C-4DC3-BB0B-E0B13CCACB29}\MpKsl3bbc9cb7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B65B421E-520C-4DC3-BB0B-E0B13CCACB29}\MpKsl3bbc9cb7.sys [?]
    S1 MpKsl50c6aa21;MpKsl50c6aa21;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FBCED0E-C906-4526-8AC0-A3E173BD644C}\MpKsl50c6aa21.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FBCED0E-C906-4526-8AC0-A3E173BD644C}\MpKsl50c6aa21.sys [?]
    S1 MpKsl63115aff;MpKsl63115aff;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F268287-023A-4EF1-8111-EED0D192DFAE}\MpKsl63115aff.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F268287-023A-4EF1-8111-EED0D192DFAE}\MpKsl63115aff.sys [?]
    S1 MpKsl6992bf7e;MpKsl6992bf7e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00DD543A-485E-4F5C-805E-5CCCBA25D24D}\MpKsl6992bf7e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00DD543A-485E-4F5C-805E-5CCCBA25D24D}\MpKsl6992bf7e.sys [?]
    S1 MpKsl6f4364a6;MpKsl6f4364a6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49F1789D-F463-4AE6-9A66-747134266B78}\MpKsl6f4364a6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49F1789D-F463-4AE6-9A66-747134266B78}\MpKsl6f4364a6.sys [?]
    S1 MpKsl91e50612;MpKsl91e50612;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AFA9519-2DC2-4F4A-BC6A-67DB575AD69F}\MpKsl91e50612.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AFA9519-2DC2-4F4A-BC6A-67DB575AD69F}\MpKsl91e50612.sys [?]
    S1 MpKsl957cbe81;MpKsl957cbe81;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D7ADC2B-9E7C-499B-8B4B-970056C021C5}\MpKsl957cbe81.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D7ADC2B-9E7C-499B-8B4B-970056C021C5}\MpKsl957cbe81.sys [?]
    S1 MpKsla44f2d84;MpKsla44f2d84;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsla44f2d84.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsla44f2d84.sys [?]
    S1 MpKslb1eef83e;MpKslb1eef83e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EC47350A-2863-4F9A-90E4-6AAB11DC7F96}\MpKslb1eef83e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EC47350A-2863-4F9A-90E4-6AAB11DC7F96}\MpKslb1eef83e.sys [?]
    S1 MpKslbb72fb26;MpKslbb72fb26;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02B31D1-047A-4A74-B222-564F57750561}\MpKslbb72fb26.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02B31D1-047A-4A74-B222-564F57750561}\MpKslbb72fb26.sys [?]
    S1 MpKslc6a20e02;MpKslc6a20e02;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22038661-62E7-42F4-A3BD-BD6D7EA26198}\MpKslc6a20e02.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22038661-62E7-42F4-A3BD-BD6D7EA26198}\MpKslc6a20e02.sys [?]
    S1 MpKslc86a0644;MpKslc86a0644;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F951E807-42B7-42A5-8E28-F10B74BCA579}\MpKslc86a0644.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F951E807-42B7-42A5-8E28-F10B74BCA579}\MpKslc86a0644.sys [?]
    S1 MpKslcfc4f3af;MpKslcfc4f3af;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C9F5F717-DE2B-42A3-AD96-B15B8B26858B}\MpKslcfc4f3af.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C9F5F717-DE2B-42A3-AD96-B15B8B26858B}\MpKslcfc4f3af.sys [?]
    S1 MpKsldfa7710c;MpKsldfa7710c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D66A504-67FE-4FC0-B704-9AFF011607F5}\MpKsldfa7710c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D66A504-67FE-4FC0-B704-9AFF011607F5}\MpKsldfa7710c.sys [?]
    S1 MpKslf156ae64;MpKslf156ae64;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{021DE105-DC76-4D6E-BEB8-B9D47DD524A3}\MpKslf156ae64.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{021DE105-DC76-4D6E-BEB8-B9D47DD524A3}\MpKslf156ae64.sys [?]
    S1 MpKslf9cc0160;MpKslf9cc0160;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E84C3EA2-141B-4581-A47D-CA48B2E8C486}\MpKslf9cc0160.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E84C3EA2-141B-4581-A47D-CA48B2E8C486}\MpKslf9cc0160.sys [?]
    S1 MpKslfd8e6181;MpKslfd8e6181;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71E3C987-72E8-40B3-A256-DA415B7829B5}\MpKslfd8e6181.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71E3C987-72E8-40B3-A256-DA415B7829B5}\MpKslfd8e6181.sys [?]
    S1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys --> c:\windows\system32\drivers\pxrts.sys [?]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [3/24/2009 6:03 AM 7808]
    S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [9/28/2010 1:03 PM 44512]
    S3 PSVolAcc;PSVolAcc;c:\windows\system32\drivers\PSVolAcc.sys [9/28/2010 1:03 PM 12256]
    S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys --> c:\windows\system32\drivers\pxkbf.sys [?]
    S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\drivers\sustucap.sys [2/3/2006 8:56 AM 37632]
    S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:14 PM 135664]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:14 PM 135664]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-16 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-26 20:31]
    .
    2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 02:14]
    .
    2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 02:14]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = cookiecop:8100
    uInternet Settings,ProxyOverride = 192.168;<local>
    IE: Convert link target to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: {{320AF880-6646-11D3-ABEE-C5DBF3571F4E} - c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    Trusted Zone: gamehouse.com\www
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: macys.com\www
    Trusted Zone: mycheckfree.com
    Trusted Zone: onlinesearches.com\publicrecords
    Trusted Zone: pointspot.com\www
    Trusted Zone: thdathomeservices.com\webmail
    Trusted Zone: turbotax.com
    TCP: Interfaces\{DC70D44C-CFA4-4CFB-AA8F-23E25AF64531}: NameServer = 208.67.220.220,208.67.222.222
    DPF: Microsoft XML Parser for Java
    FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.ftp - cookiecop
    FF - prefs.js: network.proxy.ftp_port - 8100
    FF - prefs.js: network.proxy.gopher - cookiecop
    FF - prefs.js: network.proxy.gopher_port - 8100
    FF - prefs.js: network.proxy.http - cookiecop
    FF - prefs.js: network.proxy.http_port - 8100
    FF - prefs.js: network.proxy.socks - cookiecop
    FF - prefs.js: network.proxy.socks_port - 8100
    FF - prefs.js: network.proxy.ssl - cookiecop
    FF - prefs.js: network.proxy.ssl_port - 8100
    FF - prefs.js: network.proxy.type - 1
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: PlainOldFavorites: {7E7165E2-0767-448c-852F-5FA8714F2C37} - %profile%\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}
    FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
    FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
    .
    .
    ------- File Associations -------
    .
    txtfile="c:\program files\JGsoft\EditPadLite\EditPad.exe" "%1"
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Notify-AutorunsDisabled - (no file)
    SafeBoot-79768126.sys
    AddRemove-CdaC13Ba - c:\windows\CDAC13BA.EXE
    AddRemove-PC Authorize - e:\tellan\PCAuth\DeIsL1.isu
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-16 12:51
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600
    .
    CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
    device: opened successfully
    user: error reading MBR
    kernel: MBR read successfully
    user != kernel MBR !!!
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
    "Licence0"="04F0D21-79D8-7A25-D702-433F"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(1572)
    c:\windows\system32\relog_ap.dll
    .
    - - - - - - - > 'explorer.exe'(2036)
    c:\windows\system32\WININET.dll
    c:\program files\Volumouse\vlmshlp.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\windows\system32\crypserv.exe
    c:\program files\CDBurnerXP\NMSAccessU.exe
    c:\progra~1\PCMAGA~1\COOKIE~1\COOKIE~1.EXE
    c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    c:\windows\system32\hpoipm07.exe
    c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-16 13:01:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-16 18:01
    .
    Pre-Run: 1,089,880,064 bytes free
    Post-Run: 1,376,165,888 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="TYC MS Windows XP Home Edition" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - 5DAE4B4BE54E1DC804A32F93B940828C

  8. #18
    Malware Team-Emeritus
    Join Date
    May 2010
    Posts
    212

    Default

    What happened here? What happened with GMER? Did you get a log?

  9. #19
    Junior Member
    Join Date
    Dec 2011
    Posts
    18

    Default

    Guess I pasted the wrong log...


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-16 12:21:12
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST340014A rev.3.16
    Running: r7t5kvyb.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\fgldipow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xEC074FBA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xEC0758B4]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xEC08EAEE]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xEC075E26]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xEC075D14]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xEC08EE06]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateProcess [0xEC076056]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateProcessEx [0xEC07621E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xEC074D76]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xEC075F3E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xEC0755E6]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xEC08EECE]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xEC07653C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xEC089084]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xEC08A88E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xEC0758F6]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xEC07753C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xEC08A088]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xEC08AA38]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xEC07662E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xEC089BC0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xEC089E1C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xEC076B9A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xEC08D30A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xEC075EB8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xEC075DA0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xEC0751F4]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xEC07697E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xEC075FD0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xEC0750E8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xEC088EB8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xEC08A698]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryObject [0xEC08D500]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xEC076EC0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xEC08A488]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xEC0767CE]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xEC089198]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xEC08980C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xEC08F048]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xEC08EF96]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xEC08F0B4]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xEC089A14]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xEC0773DE]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xEC08933E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKeyEx [0xEC0894D4]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveMergedKeys [0xEC089670]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xEC08EC76]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xEC075756]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xEC0763E8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xEC077010]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xEC08A248]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xEC077104]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xEC07723E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xEC07645E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xEC075392]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xEC0752EA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xEC076D78]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xEC07547C]

    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
    AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
    AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\$NtUninstallKB44907$\3260245246 0 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407 0 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\bckfg.tmp 824 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\cfg.ini 208 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\keywords 89 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\kwrd.dll 223744 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\L\cmhpaair 162816 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\lsflt7.ver 1872 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\00000001.@ 1536 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\00000002.@ 224768 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\00000004.@ 1024 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\80000000.@ 1024 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\80000004.@ 12800 bytes
    File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\80000032.@ 98304 bytes

    ---- EOF - GMER 1.0.15 ----

  10. #20
    Malware Team-Emeritus
    Join Date
    May 2010
    Posts
    212

    Default

    It's a bit confusing to research the logs from this computer. I can see signs of several anti-virus programs (Microsoft Security Essentials, Panda, Prevx, Kaspersky).

    Which one are you using as your current anti-virus program?
