I have removed the programs you asked. Frankly, there are other programs that could have been removed to create more space: Booksmart 227Mb, Garmin web updater 501 Mb, Google Earth 85 Mb, HP Officejet 150Mb, Kirby 2.11 3.5mb, .NET Framework (not sure what it is used for, and both 2.0 SP2 and 3.0 SP2 are installed at 180Mb each), .NET Framework 3.5 SP1 20mb, Seagate DiscWizard 256mb, for a total of almost 1.5 gig.
I have not removed these, trying to follow the "read me before you post" section about not doing things we're not asked to do.
On that note, when I ran OTL I had noticed my flash drive was attached, so I took it off and ran OTL again, but it did not produce a 2nd EXTRAS file. Enclosed is the result of the 2nd OTL.txt and the 1st EXTRAS file. I apologize for the confusion.
FYI, PC Authorize & Wextech could not be removed from the list since the folders do not exist. They had been deleted some time prior.
OTL logfile created on: 12/10/2011 9:21:54 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = D:\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1022.00 Mb Total Physical Memory | 575.49 Mb Available Physical Memory | 56.31% Memory free
2.49 Gb Paging File | 2.04 Gb Available in Paging File | 81.88% Paging File free
Paging file location(s): D:\pagefile.sys 100 200E:\pagefile.sys 0 0 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9.78 Gb Total Space | 1.02 Gb Free Space | 10.42% Space Free | Partition Type: NTFS
Drive D: | 11.45 Gb Total Space | 0.38 Gb Free Space | 3.35% Space Free | Partition Type: NTFS
Drive E: | 16.02 Gb Total Space | 0.15 Gb Free Space | 0.91% Space Free | Partition Type: NTFS
Computer Name: TYC | User Name: Bob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2011/12/10 20:47:46 | 000,584,192 | ---- | M] (OldTimer Tools) -- D:\Desktop\OTL.exe
PRC - [2011/04/24 23:15:02 | 000,202,296 | ---- | M] (Kaspersky Lab ZAO) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
PRC - [2010/10/29 03:50:25 | 000,160,328 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
PRC - [2010/09/28 13:02:58 | 000,220,128 | ---- | M] () -- C:\Program Files\Macrium\Reflect\ReflectService.exe
PRC - [2010/09/09 17:09:36 | 001,511,424 | ---- | M] (Mortal Universe) -- C:\Program Files\POP Peeper\POPPeeper.exe
PRC - [2010/08/26 10:07:04 | 000,531,664 | ---- | M] (Acronis) -- C:\Program Files\Acronis\DriveMonitor\adm_tray.exe
PRC - [2010/08/13 18:01:56 | 000,660,576 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2009/10/16 18:39:28 | 000,431,456 | ---- | M] (Seagate) -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
PRC - [2008/04/14 12:40:32 | 003,579,904 | ---- | M] (Kirby Software) -- C:\Program Files\Kirby Alarm Pro\kirbyalarmpro.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/22 23:13:46 | 001,591,808 | ---- | M] (YourWare Solutions (TM)) -- C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
PRC - [2005/07/15 16:48:33 | 000,479,232 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Gmail Notifier\gnotify.exe
PRC - [2005/06/04 21:16:44 | 000,024,064 | ---- | M] (NirSoft) -- C:\Program Files\Volumouse\volumouse.exe
PRC - [2004/08/04 00:56:56 | 000,419,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe
PRC - [2004/04/15 17:07:01 | 000,073,728 | ---- | M] (CrypKey (Canada) Ltd.) -- C:\WINDOWS\system32\Crypserv.exe
PRC - [2002/11/20 18:37:46 | 000,188,416 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
PRC - [2002/11/20 18:17:20 | 000,057,344 | ---- | M] (HP) -- C:\WINDOWS\system32\hpoipm07.exe
PRC - [2002/11/20 18:09:10 | 000,294,912 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
PRC - [2002/11/20 17:48:24 | 000,299,008 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpoevm07.exe
PRC - [2002/11/20 17:15:00 | 000,151,552 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
PRC - [2001/12/30 18:27:12 | 000,475,136 | ---- | M] (Ziff Davis Media, Inc. ) -- C:\Program Files\PC Magazine Utilities\CookieCop\CookieCop.exe
PRC - [2000/02/24 11:38:08 | 000,838,656 | ---- | M] () -- D:\keyexp\KEYEXP.EXE
========== Modules (No Company Name) ==========
MOD - [2011/11/29 17:51:12 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\klartew.dll
MOD - [2011/04/24 23:13:30 | 007,008,656 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtgui4.dll
MOD - [2011/04/24 23:13:28 | 000,192,912 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtsql4.dll
MOD - [2011/04/24 23:13:26 | 001,270,160 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtscript4.dll
MOD - [2011/04/24 23:13:26 | 000,758,160 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtnetwork4.dll
MOD - [2011/04/24 23:13:24 | 002,118,032 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtcore4.dll
MOD - [2011/04/24 23:13:24 | 002,089,360 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\qtdeclarative4.dll
MOD - [2011/04/20 19:56:28 | 000,025,088 | ---- | M] () -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\imageformats\qgif4.dll
MOD - [2010/09/28 13:02:58 | 000,220,128 | ---- | M] () -- C:\Program Files\Macrium\Reflect\ReflectService.exe
MOD - [2010/08/26 09:46:18 | 000,012,128 | ---- | M] () -- C:\Program Files\Common Files\Acronis\DriveMonitor\Common\icudt38.dll
MOD - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
MOD - [2008/01/21 20:19:30 | 000,133,120 | ---- | M] () -- C:\Program Files\Kirby Alarm Pro\vuFT3.dll
MOD - [2006/10/11 10:31:20 | 000,013,312 | ---- | M] () -- C:\Program Files\Kirby Alarm Pro\xlswrite.dll
MOD - [2006/09/25 21:12:58 | 001,118,720 | ---- | M] () -- C:\Program Files\Kirby Alarm Pro\gca631.dll
MOD - [2006/01/17 16:57:52 | 000,590,440 | ---- | M] () -- C:\Program Files\Kirby Alarm Pro\c6fm3x.dll
MOD - [2002/11/20 18:37:02 | 000,028,672 | ---- | M] () -- C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpopxs07.dll
MOD - [2000/02/24 11:38:08 | 000,838,656 | ---- | M] () -- D:\keyexp\KEYEXP.EXE
MOD - [1998/07/29 00:20:00 | 000,039,424 | ---- | M] () -- D:\keyexp\KYX95HK.DLL
========== Win32 Services (SafeList) ==========
SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)
SRV - [2011/04/24 23:15:02 | 000,202,296 | ---- | M] (Kaspersky Lab ZAO) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe -- (AVP)
SRV - [2010/09/28 13:02:58 | 000,220,128 | ---- | M] () [Auto | Running] -- C:\Program Files\Macrium\Reflect\ReflectService.exe -- (ReflectService)
SRV - [2010/08/23 19:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2010/08/13 18:01:56 | 000,660,576 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2009/10/16 18:39:28 | 000,431,456 | ---- | M] (Seagate) [Auto | Running] -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe -- (SgtSch2Svc)
SRV - [2008/04/14 12:40:32 | 003,579,904 | ---- | M] (Kirby Software) [Auto | Running] -- C:\Program Files\Kirby Alarm Pro\kirbyalarmpro.exe -- (KirbyAlarmPro)
SRV - [2006/05/04 17:40:14 | 000,052,736 | ---- | M] (Macrovision) [Disabled | Stopped] -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)
SRV - [2005/04/06 16:03:28 | 000,110,592 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\BlueSoleil\BTNtService.exe -- (BlueSoleil Hid Service)
SRV - [2005/04/04 17:58:28 | 000,163,840 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- E:\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe -- (Adobe Version Cue CS2)
SRV - [2005/01/13 00:04:41 | 000,068,096 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)
SRV - [2004/11/02 16:59:50 | 000,316,544 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- (SymWSC)
SRV - [2004/04/15 17:07:01 | 000,073,728 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)
========== Driver Services (SafeList) ==========
DRV - [2011/12/02 18:29:32 | 000,565,552 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2011/03/10 18:34:46 | 000,034,608 | ---- | M] (Kaspersky Lab ZAO) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2011/03/04 13:23:20 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl2.sys -- (kl2)
DRV - [2011/03/04 13:23:14 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\kl1.sys -- (KL1)
DRV - [2010/12/15 10:09:29 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2010/12/15 10:09:29 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2010/12/15 10:09:18 | 000,132,224 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2010/12/15 10:09:09 | 000,368,480 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpman.sys -- (tdrpman)
DRV - [2010/09/28 13:03:46 | 000,012,256 | ---- | M] (Paramount Software UK Ltd) [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\PSVolAcc.sys -- (PSVolAcc)
DRV - [2010/09/28 13:03:22 | 000,015,328 | ---- | M] (Macrium Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\pssnap.sys -- (pssnap)
DRV - [2010/09/28 13:03:10 | 000,044,512 | ---- | M] (Macrium Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psmounter.sys -- (PSMounter)
DRV - [2010/02/11 07:01:43 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/11/12 13:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/11/02 20:27:24 | 000,019,472 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/06/30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/03/24 06:03:08 | 000,007,808 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2007/10/10 14:58:19 | 000,011,376 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\CdaC15BA.SYS -- (CdaC15BA)
DRV - [2007/03/28 18:26:25 | 000,017,480 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2006/11/21 03:25:44 | 000,045,568 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/09/12 21:21:46 | 000,292,864 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emBDA.sys -- (USB28xxBGA)
DRV - [2006/08/21 23:38:46 | 000,007,168 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emOEM.sys -- (USB28xxOEM)
DRV - [2006/02/03 08:56:14 | 000,037,632 | ---- | M] (Susteen, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sustucap.sys -- (SUSTUCAP)
DRV - [2005/05/31 15:40:20 | 000,020,480 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\blueletaudio.sys -- (BlueletAudio)
DRV - [2005/05/31 09:42:28 | 000,023,000 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btcusb.sys -- (Btcsrusb)
DRV - [2005/04/30 14:50:20 | 000,011,860 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vbtenum.sys -- (BTHidEnum)
DRV - [2005/04/30 14:50:10 | 000,028,271 | ---- | M] (IVT Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\BTHidMgr.sys -- (BTHidMgr)
DRV - [2005/04/30 14:48:58 | 000,010,804 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BtNetDrv.sys -- (BT)
DRV - [2005/03/25 17:18:48 | 000,082,148 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VcommMgr.sys -- (VcommMgr)
DRV - [2004/12/16 16:32:54 | 000,013,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BTNetFilter.sys -- (BTNetFilter)
DRV - [2004/10/19 13:37:38 | 000,061,312 | ---- | M] (IVT Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VComm.sys -- (VComm)
DRV - [2004/09/17 08:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/09/07 17:57:00 | 000,316,152 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\windrvr6.sys -- (WinDriver6)
DRV - [2004/08/03 23:10:14 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2004/07/29 19:35:52 | 000,031,654 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\ckldrv.sys -- (NetworkX)
DRV - [2004/05/05 21:48:40 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\PQNTDRV.sys -- (PQNTDrv)
DRV - [2004/03/05 22:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004/03/05 22:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004/03/05 22:13:52 | 000,060,949 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004/03/05 22:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google, = www.google.com $s
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google, = +
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google,# = %23
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google,% = %25
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google,& = %26
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Internet Explorer\SearchURL\google,+ = %2B
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 192.168;<local>
IE - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = cookiecop:8100
========== FireFox ==========
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.10
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.10.1
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.1.5
FF - prefs.js..extensions.enabledItems: {7E7165E2-0767-448c-852F-5FA8714F2C37}:1.2
FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.7.3
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.67
FF - prefs.js..extensions.enabledItems: {4ED1F68A-5463-4931-9384-8FFF5ED91D92}:3.4.0
FF - prefs.js..network.proxy.backup.ftp: "cookiecop"
FF - prefs.js..network.proxy.backup.ftp_port: 8100
FF - prefs.js..network.proxy.backup.gopher: "cookiecop"
FF - prefs.js..network.proxy.backup.gopher_port: 8100
FF - prefs.js..network.proxy.backup.socks: "cookiecop"
FF - prefs.js..network.proxy.backup.socks_port: 8100
FF - prefs.js..network.proxy.backup.ssl: "cookiecop"
FF - prefs.js..network.proxy.backup.ssl_port: 8100
FF - prefs.js..network.proxy.ftp: "cookiecop"
FF - prefs.js..network.proxy.ftp_port: 8100
FF - prefs.js..network.proxy.gopher: "cookiecop"
FF - prefs.js..network.proxy.gopher_port: 8100
FF - prefs.js..network.proxy.http: "cookiecop"
FF - prefs.js..network.proxy.http_port: 8100
FF - prefs.js..network.proxy.no_proxies_on: "192.168,localhost,127.0.0.1"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "cookiecop"
FF - prefs.js..network.proxy.socks_port: 8100
FF - prefs.js..network.proxy.ssl: "cookiecop"
FF - prefs.js..network.proxy.ssl_port: 8100
FF - prefs.js..network.proxy.type: 1
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@garmin.com/GpsControl: C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@macromedia.com/FlashPlayer6: File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2105: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1212: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll File not found
FF - HKCU\Software\MozillaPlugins\@macromedia.com/FlashPlayer6: File not found
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2007/03/23 08:17:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\linkfilter@kaspersky.ru: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\FFExt\linkfilter@kaspersky.ru [2011/12/02 19:31:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\virtualKeyboard@kaspersky.ru: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\FFExt\virtualKeyboard@kaspersky.ru [2011/12/02 19:31:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/31 08:10:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/10/15 06:51:32 | 000,000,000 | ---D | M]
[2010/01/01 14:59:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Extensions
[2010/01/01 14:59:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Extensions\home2@tomtom.com
[2011/11/29 22:27:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions
[2010/01/03 14:32:59 | 000,000,000 | ---D | M] ("Garmin Communicator") -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2011/11/09 17:21:14 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2011/11/09 17:21:14 | 000,000,000 | ---D | M] (PlainOldFavorites) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}
[2011/11/09 17:21:13 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/11/09 17:21:13 | 000,000,000 | ---D | M] ("BetterPrivacy") -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2011/01/07 13:39:22 | 000,000,000 | ---D | M] (User Agent Switcher) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2006/12/20 23:38:33 | 000,002,386 | ---- | M] () -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\searchplugins\siteadvisor.xml
[2011/12/10 20:46:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
File not found (No name found) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2007/03/23 08:17:11 | 000,000,000 | ---D | M] (AI Roboform Toolbar for Firefox) -- C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\FIREFOX
[2010/04/25 22:31:27 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2010/05/14 12:40:28 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2006/11/09 14:20:40 | 002,111,096 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\oldNPSWF32.dll
O1 HOSTS File: ([2008/12/11 23:41:36 | 000,290,674 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 CookieCop
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.163ns.com
O1 - Hosts: 10012 more lines...
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\ievkbd.dll (Kaspersky Lab ZAO)
O2 - BHO: (no name) - {69D72956-317C-44bd-B369-8E44D4EF9801} - No CLSID value found.
O2 - BHO: (Reg Error: Value error.) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\klwtbbho.dll (Kaspersky Lab ZAO)
O3 - HKLM\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..\Toolbar\ShellBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe (Google Inc.)
O4 - HKLM..\Run: [adm_tray.exe] C:\Program Files\Acronis\DriveMonitor\adm_tray.exe (Acronis)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe (Kaspersky Lab ZAO)
O4 - HKLM..\Run: [CookieCop] C:\Program Files\PC Magazine Utilities\CookieCop\CookieCop.exe (Ziff Davis Media, Inc. )
O4 - HKU\.DEFAULT..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKU\S-1-5-18..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKU\S-1-5-21-117609710-602609370-839522115-1004..\Run: [$Volumouse$] C:\Program Files\Volumouse\volumouse.exe (NirSoft)
O4 - HKU\S-1-5-21-117609710-602609370-839522115-1004..\Run: [FreeRAM XP] C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe (YourWare Solutions (TM))
O4 - HKU\S-1-5-21-117609710-602609370-839522115-1004..\Run: [POP Peeper] C:\Program Files\POP Peeper\POPPeeper.exe (Mortal Universe)
O4 - HKU\S-1-5-21-117609710-602609370-839522115-1004..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2009/04/23 08:30:11 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\Bob\Start Menu\Programs\Startup\KeyExpress.lnk = D:\keyexp\KEYEXP.EXE ()
O4 - Startup: C:\Documents and Settings\Bob\Start Menu\Programs\Startup\Today.pif ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 0
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 0
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 0
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O7 - HKU\S-1-5-21-117609710-602609370-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O8 - Extra context menu item: Convert link target to Adobe PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - E:\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\ievkbd.dll (Kaspersky Lab ZAO)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\klwtbbho.dll (Kaspersky Lab ZAO)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: gamehouse.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: macys.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: mycheckfree.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: onlinesearches.com ([publicrecords] http in Trusted sites)
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: pointspot.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: thdathomeservices.com ([webmail] https in Trusted sites)
O15 - HKU\S-1-5-21-117609710-602609370-839522115-1004\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/pr.../ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/s...irector/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?link...38&clcid=0x409 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} http://a516.g.akamai.net/f/516/25175...at-no-eula.cab (Reg Error: Key error.)
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} http://ppupdates.ca.com/downloads/scanner/axscanner.cab (Reg Error: Key error.)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeup...tent/opuc2.cab (Office Update Installation Engine)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://appldnld.m7z.net/qtinstall.in...lInstaller.exe (Reg Error: Key error.)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} https://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://v5.windowsupdate.microsoft.co...?1105290237593 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsof...?1147109959609 (MUWebControl Class)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/actives.../as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} http://www.imgag.com/cp/install/AxCtp2.cab (Create & Print ActiveX Plug-in)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub...sh/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326 (QDiagHUpdateObj Class)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: ppctlcab http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DC70D44C-CFA4-4CFB-AA8F-23E25AF64531}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\belarc - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AutorunsDisabled: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\klartew: DllName - (C:\Documents and Settings\NetworkService\Local Settings\Application Data\klartew.dll) - C:\Documents and Settings\NetworkService\Local Settings\Application Data\klartew.dll ()
O20 - Winlogon\Notify\klogon: DllName - (C:\WINDOWS\system32\klogon.dll) - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab ZAO)
O24 - Desktop Components:0 () -
O24 - Desktop WallPaper: C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Qualcomm\Eudora\EuShlExt.dll (Qualcomm Inc.)
O30 - LSA: Authentication Packages - (relog_ap) -C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/16 15:26:04 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2007/08/01 14:32:39 | 000,000,000 | ---D | M] - C:\autoruns -- [ NTFS ]
O32 - AutoRun File - [2011/10/19 15:35:12 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/08/16 15:26:04 | 000,000,000 | RHSD | M] - E:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{83925004-f3bb-11de-9450-101111111111}\Shell\AutoRun\command - "" = I:\WDSetup.exe
O33 - MountPoints2\{ed613d16-f5a7-11e0-968d-101111111111}\Shell\AutoRun\command - "" = J:\PortableRoboForm.exe
O33 - MountPoints2\{ed613d16-f5a7-11e0-968d-101111111111}\Shell\RoboForm2Go\command - "" = J:\PortableRoboForm.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/12/10 21:02:14 | 000,584,192 | ---- | C] (OldTimer Tools) -- D:\Desktop\OTL.exe
[2011/12/10 20:36:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/12/09 11:47:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2011/12/09 11:46:27 | 002,031,992 | ---- | C] (Microsoft Corporation) -- D:\Desktop\MGADiag.exe
[2011/12/03 23:47:23 | 000,000,000 | ---D | C] -- D:\Desktop\logs
[2011/12/03 13:04:50 | 000,607,260 | R--- | C] (Swearware) -- D:\Desktop\dds.scr
[2011/12/02 18:32:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Kaspersky Anti-Virus 2012
[2011/12/02 18:29:57 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2011/12/02 18:29:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2011/12/02 18:29:32 | 000,565,552 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2011/12/01 14:29:31 | 000,000,000 | ---D | C] -- C:\SDFix
[2011/12/01 11:37:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\Local Settings\Application Data\fxnetlib
[2011/11/30 18:51:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis
[2011/11/30 18:06:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/11/30 17:22:19 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Bob\Recent
[2011/11/30 12:10:41 | 000,071,880 | ---- | C] (Prevx) -- C:\WINDOWS\System32\PxSecure.dll-19202703
[2011/11/29 17:51:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/11/29 17:51:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/11/15 17:34:40 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2006/08/22 23:12:12 | 000,032,768 | ---- | C] ( ) -- C:\WINDOWS\System32\ShellLnkSSE.dll
[1 D:\*.tmp files -> D:\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2011/12/10 21:12:04 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/12/10 21:10:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/10 20:47:46 | 000,584,192 | ---- | M] (OldTimer Tools) -- D:\Desktop\OTL.exe
[2011/12/10 18:05:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\DAILY DFG Backup Daily.job
[2011/12/10 17:10:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/09 11:47:18 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/09 11:45:44 | 002,031,992 | ---- | M] (Microsoft Corporation) -- D:\Desktop\MGADiag.exe
[2011/12/09 11:42:58 | 000,458,240 | ---- | M] () -- D:\Desktop\CKScanner.exe
[2011/12/07 20:12:07 | 000,000,207 | ---- | M] () -- C:\WINDOWS\hmapro.ini
[2011/12/05 19:30:15 | 003,219,344 | ---- | M] () -- D:\Desktop\popups.reg
[2011/12/05 07:21:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/04 15:52:26 | 000,005,714 | ---- | M] () -- D:\bob 120411.Theme
[2011/12/03 13:04:51 | 000,607,260 | R--- | M] (Swearware) -- D:\Desktop\dds.scr
[2011/12/03 09:46:53 | 000,109,670 | ---- | M] () -- D:\Desktop\todays santa.jpg
[2011/12/02 19:31:36 | 000,115,369 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2011/12/02 19:31:35 | 000,097,961 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2011/12/02 18:34:46 | 000,017,408 | ---- | M] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\WebpageIcons.db
[2011/12/02 18:32:53 | 000,000,032 | ---- | M] () -- C:\WINDOWS\gca631.INI
[2011/12/02 18:29:32 | 000,565,552 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2011/12/02 18:24:55 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/12/01 14:32:05 | 015,990,784 | ---- | M] () -- C:\Documents and Settings\Bob\NTUSER.bak
[2011/12/01 09:16:46 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\FULL DFG Backup.job
[2011/11/30 18:51:32 | 000,001,653 | ---- | M] () -- D:\Desktop\HijackThis.lnk
[2011/11/30 18:07:51 | 000,023,624 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/11/30 12:10:42 | 000,071,880 | ---- | M] (Prevx) -- C:\WINDOWS\System32\PxSecure.dll-19202703
[2011/11/30 12:10:20 | 000,000,447 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/11/25 14:08:28 | 000,004,421 | ---- | M] () -- C:\WINDOWS\DevMgr.ini
[2011/11/15 17:22:09 | 000,000,114 | ---- | M] () -- C:\WINDOWS\System32\prsgrc.tgz
[2011/11/15 17:22:09 | 000,000,100 | ---- | M] () -- C:\WINDOWS\System32\prsgrc.dll
[2011/11/15 08:17:59 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/11/14 08:39:41 | 000,000,539 | ---- | M] () -- C:\WINDOWS\KEYEX2.INI
[1 D:\*.tmp files -> D:\*.tmp -> ]
========== Files Created - No Company Name ==========
[2011/12/09 11:43:52 | 000,458,240 | ---- | C] () -- D:\Desktop\CKScanner.exe
[2011/12/05 19:30:14 | 003,219,344 | ---- | C] () -- D:\Desktop\popups.reg
[2011/12/04 15:52:25 | 000,005,714 | ---- | C] () -- D:\bob 120411.Theme
[2011/12/03 09:48:36 | 000,109,670 | ---- | C] () -- D:\Desktop\todays santa.jpg
[2011/12/02 18:34:43 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\WebpageIcons.db
[2011/12/02 18:32:30 | 000,115,369 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
[2011/12/02 18:32:30 | 000,097,961 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
[2011/11/30 18:51:32 | 000,001,653 | ---- | C] () -- D:\Desktop\HijackThis.lnk
[2011/11/30 18:07:51 | 000,023,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/11/29 17:51:12 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\klartew.dll
[2011/09/21 17:18:53 | 000,001,088 | ---- | C] () -- C:\WINDOWS\B.COM
[2011/08/30 22:45:09 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth2.dll
[2011/08/30 22:45:09 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth1.dll
[2011/08/30 22:45:09 | 000,000,100 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.dll
[2011/07/19 08:40:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ckconfig.INI
[2011/06/30 23:02:30 | 000,327,656 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/03/11 12:43:54 | 000,029,763 | ---- | C] () -- C:\WINDOWS\System32\drivers\klopp.dat
[2010/10/22 15:07:33 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2010/05/07 06:39:38 | 000,000,036 | -H-- | C] () -- C:\Documents and Settings\Bob\Application Data\swk.ini
[2010/01/01 17:59:40 | 000,001,226 | ---- | C] () -- C:\WINDOWS\Mpcwty02.ini
[2009/05/07 16:41:57 | 000,000,268 | ---- | C] () -- C:\WINDOWS\SYMGAMES.INI
[2009/02/18 13:50:41 | 000,000,032 | ---- | C] () -- C:\WINDOWS\gca631.INI
[2009/02/10 16:48:58 | 000,013,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\BTNetFilter.sys
[2009/02/10 16:48:58 | 000,011,860 | ---- | C] () -- C:\WINDOWS\System32\drivers\vbtenum.sys
[2008/09/11 07:12:55 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/01/24 10:34:23 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2007/11/02 13:19:20 | 000,040,960 | ---- | C] () -- C:\WINDOWS\emunist.exe
[2007/11/02 13:19:20 | 000,003,254 | ---- | C] () -- C:\WINDOWS\TVEpaDrv.ini
[2006/12/10 09:03:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\MSTRC32.DLL
[2006/11/20 23:09:59 | 000,000,004 | ---- | C] () -- C:\WINDOWS\vx86036.dat
[2006/11/20 23:09:09 | 000,000,036 | ---- | C] () -- C:\WINDOWS\Crypkey.ini
[2006/11/20 23:09:05 | 000,031,654 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys
[2006/11/20 23:09:05 | 000,027,648 | R--- | C] () -- C:\WINDOWS\Setup_ck.exe
[2006/11/20 23:09:05 | 000,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll
[2006/11/20 23:09:05 | 000,011,776 | ---- | C] () -- C:\WINDOWS\Ckrfresh.exe
[2006/11/17 12:19:36 | 000,000,781 | ---- | C] () -- C:\WINDOWS\BTI.INI
[2006/11/16 17:11:36 | 000,088,576 | -H-- | C] () -- C:\Documents and Settings\Bob\Application Data\rbap550.dll
[2006/09/29 22:21:33 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\FileOps.exe
[2006/08/22 23:12:12 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\Gif89.dll
[2006/08/16 07:50:26 | 000,000,013 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\13.sys
[2006/05/05 18:28:09 | 000,000,447 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/05/04 17:40:15 | 000,202,752 | ---- | C] () -- C:\WINDOWS\CDAC14BA.DLL
[2006/05/04 17:40:15 | 000,020,992 | ---- | C] () -- C:\WINDOWS\CDAC13BA.EXE
[2006/05/04 17:40:14 | 000,011,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\CdaC15BA.SYS
[2006/01/27 14:52:41 | 000,046,345 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2006/01/27 01:57:00 | 000,000,325 | ---- | C] () -- C:\WINDOWS\PCAuth.ini
[2005/10/28 01:10:04 | 000,000,032 | ---- | C] () -- C:\WINDOWS\kemail.INI
[2005/08/19 11:58:04 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\cdtool.dll
[2005/03/23 01:02:54 | 000,107,134 | ---- | C] () -- C:\WINDOWS\UninstallFirefox.exe
[2005/03/22 23:47:41 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2005/03/22 23:47:21 | 000,105,168 | ---- | C] () -- C:\WINDOWS\NSUninst.exe
[2005/03/22 23:46:58 | 000,105,168 | ---- | C] () -- C:\WINDOWS\GREUninstall.exe
[2005/03/22 23:46:52 | 000,013,111 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2005/02/07 11:37:38 | 000,000,539 | ---- | C] () -- C:\WINDOWS\KEYEX2.INI
[2005/02/04 10:35:21 | 000,000,207 | ---- | C] () -- C:\WINDOWS\hmapro.ini
[2005/02/01 22:50:31 | 000,000,043 | ---- | C] () -- C:\WINDOWS\pdf2rtf.INI
[2005/02/01 22:49:37 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\pdf2word.DAT
[2005/01/25 10:41:52 | 000,070,656 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/01/23 10:35:51 | 000,071,749 | ---- | C] () -- C:\WINDOWS\hcextoutput.dll
[2005/01/23 10:35:22 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2005/01/18 19:52:12 | 000,000,123 | ---- | C] () -- C:\WINDOWS\_vmtel.INI
[2005/01/11 11:28:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\crws.INI
[2005/01/10 15:34:54 | 000,004,421 | ---- | C] () -- C:\WINDOWS\DevMgr.ini
[2005/01/10 11:52:24 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI
[2005/01/09 22:59:47 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ICOA.INI
[2005/01/09 22:59:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
[2005/01/09 22:59:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QDQICK.ini
[2005/01/09 22:45:02 | 000,000,064 | ---- | C] () -- C:\WINDOWS\QBWCD.INI
[2005/01/09 22:45:01 | 000,006,472 | ---- | C] () -- C:\WINDOWS\Icoadb32.dat
[2005/01/09 22:37:28 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/01/09 21:42:10 | 000,000,032 | -HS- | C] () -- C:\WINDOWS\System32\{2737521E-0016-4A5D-B638-1119267B18C9}.dat
[2005/01/09 21:42:10 | 000,000,032 | -HS- | C] () -- C:\WINDOWS\{2170D095-C0E7-4439-99C2-1171934A303A}.dat
[2005/01/09 21:42:06 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\SR2.dat
[2005/01/09 11:36:19 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/01/09 11:28:49 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/01/09 05:50:34 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/01/09 05:49:36 | 000,563,912 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/07/26 13:36:10 | 000,131,148 | ---- | C] () -- C:\WINDOWS\System32\WdReg.exe
[2003/07/16 15:54:55 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/07/16 15:54:54 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/07/16 15:41:25 | 000,513,048 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/07/16 15:41:25 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/07/16 15:41:23 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/07/16 15:41:21 | 000,085,916 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/07/16 15:39:07 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/07/16 15:33:50 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/07/16 15:33:39 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/07/16 15:27:41 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/07/16 15:26:37 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/01/20 15:48:41 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\mscfcword.dll
[2002/12/19 21:15:36 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\SAWZip.dll
[2002/11/20 18:51:34 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\win2000.dll
[2002/11/01 16:17:50 | 000,000,256 | ---- | C] () -- C:\WINDOWS\aucfg.ini
[2002/07/04 15:05:34 | 000,000,269 | ---- | C] () -- C:\WINDOWS\tmupdate.ini
[2002/06/26 18:38:44 | 000,002,249 | ---- | C] () -- C:\WINDOWS\System32\mswincore.dll
[2002/03/14 11:00:26 | 000,038,567 | ---- | C] () -- C:\WINDOWS\System32\pcpbios.exe
[2001/12/14 13:34:46 | 000,164,864 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2001/04/12 20:19:16 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[1999/07/23 12:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 09:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
[1998/08/16 04:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
[1997/06/25 15:24:16 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
[1996/12/13 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
========== Alternate Data Streams ==========
@Alternate Data Stream - 219 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7204B89D
@Alternate Data Stream - 152 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8927A071
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1AE68282
< End of report >
Reports are too long; next report in next reply.
-
OTL Extras logfile created on: 12/10/2011 9:02:28 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = D:\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1022.00 Mb Total Physical Memory | 589.99 Mb Available Physical Memory | 57.73% Memory free
2.49 Gb Paging File | 2.06 Gb Available in Paging File | 82.45% Paging File free
Paging file location(s): D:\pagefile.sys 100 200E:\pagefile.sys 0 0 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9.78 Gb Total Space | 1.02 Gb Free Space | 10.43% Space Free | Partition Type: NTFS
Drive D: | 11.45 Gb Total Space | 0.38 Gb Free Space | 3.35% Space Free | Partition Type: NTFS
Drive E: | 16.02 Gb Total Space | 0.15 Gb Free Space | 0.91% Space Free | Partition Type: NTFS
Drive J: | 1.83 Gb Total Space | 1.49 Gb Free Space | 81.80% Space Free | Partition Type: FAT32
Computer Name: TYC | User Name: Bob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
.js [@ = JSFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\Program Files\JGsoft\EditPadLite\EditPad.exe (Just Great Software)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
jsfile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- "C:\Program Files\JGsoft\EditPadLite\EditPad.exe" "%1" (Just Great Software)
vbefile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"67:UDP" = 67:UDP:*:Enabled:DHCP Discovery Service
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Program Files\ResMed\AutoScan\5.4\crws.exe" = C:\Program Files\ResMed\AutoScan\5.4\crws.exe:*:Enabled:CRWS -- (ResMed)
"C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" = C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe:*:Enabled:Dreamweaver MX 2004 -- (Macromedia, Inc.)
"C:\Program Files\DFG\BackUp3\BackUp.exe" = C:\Program Files\DFG\BackUp3\BackUp.exe:*:Enabled:BackUp
"C:\totalcmd\TOTALCMD.EXE" = C:\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows
"C:\Program Files\SmartFTP\SmartFTP.exe" = C:\Program Files\SmartFTP\SmartFTP.exe:*:Enabled:SmartFTP Client
"C:\Program Files\PC Magazine Utilities\FTPpie.exe" = C:\Program Files\PC Magazine Utilities\FTPpie.exe:*:Enabled:FTP usage piechart utility
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox -- (Mozilla Corporation)
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)
"C:\Program Files\SJLabs\SJphone\SJphone.exe" = C:\Program Files\SJLabs\SJphone\SJphone.exe:*:Enabled:SJphone
"C:\Program Files\jajah\jajah.exe" = C:\Program Files\jajah\jajah.exe:*:Enabled:jajah
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
"C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" = C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe:*:Enabled:VoipBuster
"E:\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" = E:\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2 -- (Adobe Systems Incorporated)
"E:\Program Files\TurboTax\2006\TurboTax Deluxe 2006\32bit\ttax.exe" = E:\Program Files\TurboTax\2006\TurboTax Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax
"E:\Program Files\TurboTax\2006\TurboTax Deluxe 2006\32bit\updatemgr.exe" = E:\Program Files\TurboTax\2006\TurboTax Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager
"E:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = E:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax
"E:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = E:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager
"C:\Program Files\BlueSoleil\BlueSoleil.exe" = C:\Program Files\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil -- (IVT Corporation)
"C:\WINDOWS\system32\javaw.exe" = C:\WINDOWS\system32\javaw.exe:*:Enabled:Java(TM) Platform SE binary
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\FavoriteSync\FavoriteSync.exe" = C:\Program Files\FavoriteSync\FavoriteSync.exe:*:Enabled:Internet Explorer Sync Application
"C:\WINDOWS\TEMP\spsvrb\setup.exe" = C:\WINDOWS\TEMP\spsvrb\setup.exe:*:Enabled:setup
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0134A1A1-C283-4A47-91A1-92F19F960372}" = Adobe Creative Suite 2
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = Google Gmail Notifier
"{03DF638A-D61C-4893-B8B9-845900C03163}" = TurboTax 2010 wnyiper
"{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}" = Macromedia Dreamweaver MX 2004
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{1526D87C-A955-4FAB-BF18-697BA457E352}" = Norton WMI Update
"{1873789F-59D5-4002-8A2F-60A827B78F98}_is1" = GmapTool 0.6.0
"{21DBBDD6-93A5-4326-9A04-C9A5C9148502}" = Norton PartitionMagic
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{2FD94FBC-07AE-475C-B522-BFE899B9048E}" = Garmin WebUpdater
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3B1D6DF0-EAA2-012B-AE51-000000000000}" = TurboTax 2009 wnjiper
"{3B8186F0-EAA2-012B-AE69-000000000000}" = TurboTax 2009 wnyiper
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{41369F9D-FF51-464F-9FFB-33198BA24CC9}" = USB Modem Driver
"{45E557D6-2271-4F13-8101-C620B4285AB0}" = Kaspersky Anti-Virus 2012
"{46548E80-0409-0000-7E8A-45000F855001}" = Adobe GoLive CS2
"{47CB8B6B-49DF-4058-AC2B-1596E3BE63EA}" = Garmin City Navigator North America 2009
"{5B893587-00A8-4A4E-83F0-8AFA7BFC7C1A}" = PVR Plus
"{5D5B9E6A-344C-4976-95AB-ABBDC648E5DA}" = Microsoft IntelliType Pro 5.2
"{5E3CFCA6-C95A-47CB-A822-7FA80D423AF2}" = MapSource
"{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller
"{64D36D7C-B821-42E5-8BDB-239812D1D752}" = Microsoft Tool Web Package : GETMAC.EXE
"{64EF9937-CDDA-11D7-9FEB-0000E22B272F}" = AutoScan5.4
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}" = CmdHere Powertoy For Windows XP
"{6C6F0968-2B86-42B4-AF34-46A5F06E8FA4}" = MySoftware Fonts
"{706AE61D-40A4-4F50-8359-FE8F6F7FA461}" = Acronis Drive Monitor
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{7F4C8163-F259-49A0-A018-2857A90578BC}" = Adobe InDesign CS2
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84CC9583-C2D6-42E6-A373-6FDDDA6A8BA6}" = Garmin Communicator Plugin
"{86BB059D-1231-457B-B88F-F9B315A18F90}" = Windows Vista Upgrade Advisor
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{8C6DAA0F-D94F-475C-A82F-2E7B91BE7B58}" = Eudora
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9021848E-F315-44C7-8D45-3B16162AA73A}" = TurboTax 2010 wneiper
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{923CAE62-30C9-425E-B4ED-F5E9C09C5C4A}" = TurboTax 2008 wnjiper
"{939740B5-0064-4779-854A-8C1086181C05}" = Macromedia FreeHand MXa
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}" =
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A8DF1374-7E6B-448A-87BB-2DCE71874F2B}" = Macrium Reflect - Free Edition
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA1542E6-D54D-4AB3-97E1-28DB4CEB4B90}" = Garmin City Navigator North America 2008
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{ADBE46EE-54E0-4610-B436-D7E93D829100}" = Adobe Version Cue CS2
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}" = Adobe Illustrator CS2
"{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B74D4E10-6884-0000-0000-000000000103}" = Adobe Bridge 1.0
"{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}" = BlueSoleil
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C43E4B9C-14C8-4EB0-998B-85211B6EDD61}" = Seagate DiscWizard
"{C49DAA9C-5BA8-459A-8244-E57B69DF0F04}" = Suite Specific
"{C4D26D60-7B43-4CE9-AE19-A380D9DF126B}" = Garmin MapSource
"{CA19AEA3-B949-41DA-AFBA-692356230F6E}" = TurboTax 2010 wnjiper
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E583ED6F-BD99-4066-A420-C815BF692B69}" = Macromedia Fireworks MX 2004
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{E8DA0DB7-51C7-4D47-A9FC-51F206ED0045}" = MapSource - City Select North America v7
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}" =
"{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}" = Adobe Stock Photos 1.0
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F186D52C-BBD6-4C7D-80FA-28D0662D7ABD}" = Jalbum
"{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
"{F7E1CA14-B39D-452A-960B-39423DDDD933}" = DriveImage XML
"{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1" = BitPim 1.0.4
"{FBE4694D-AA7D-491A-8EE5-53695CDCF921}_is1" = Stuff Organizer
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"ActiveScan 2.0" = Panda ActiveScan 2.0
"AddressBook" =
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe GoLive CS2 English" =
"Adobe Illustrator CS2" =
"Adobe InDesign CS2 - {7F4C8163-F259-49A0-A018-2857A90578BC}" =
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" =
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"AI RoboForm" = AI RoboForm (All Users)
"AOL Instant Messenger" = AOL Instant Messenger
"AOL Instant Messenger (SM)" = AOL Instant Messenger (SM)
"ASAP Utilities_is1" = ASAP Utilities
"BookSmart® 2.9.1 2.9.1" = BookSmart® 2.9.1 2.9.1
"Branding" =
"CCleaner" = CCleaner
"CdaC13Ba" = SafeCast Shared Components
"cGPSmapper Shareware_is1" = cGPSmapper Shareware 0087
"Complete Cleanup Trial_is1" = Complete Cleanup Trial
"Connection Manager" =
"CookieCop® 2" = CookieCop® 2
"DirectAnimation" =
"DirectDrawEx" =
"EASEUS Data Recovery Wizard Free Edition 5.5.1_is1" = EASEUS Data Recovery Wizard Free Edition 5.5.1
"EditPad Lite" = Just Great Software EditPad Lite 6.6.3
"ERUNT_is1" = ERUNT 1.1j
"Excel VBA Code Cleaner 4.4" = Excel VBA Code Cleaner 4.4
"Excel VBA Code Documentor 4.0" = Excel VBA Code Documentor 4.0
"FileNote" = FileNote (Remove Only)
"Fontcore" =
"Free CD to MP3 Converter" = Free CD to MP3 Converter
"Google Updater" = Google Updater
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"HijackThis" = HijackThis 2.0.2
"hp officejet g series 1105389292" = hp officejet g series
"ICW" =
"IE40" =
"IE4Data" =
"IE5BAKEX" =
"ie7" = Windows Internet Explorer 7
"IEData" =
"InstallShield Uninstall Information" =
"InstallShield_{21DBBDD6-93A5-4326-9A04-C9A5C9148502}" = Norton PartitionMagic 8.0
"InstallShield_{41369F9D-FF51-464F-9FFB-33198BA24CC9}" = USB Modem Driver
"InstallShield_{E8DA0DB7-51C7-4D47-A9FC-51F206ED0045}" = MapSource - City Select North America v7
"InstallWIX_{45E557D6-2271-4F13-8101-C620B4285AB0}" = Kaspersky Anti-Virus 2012
"Intel(R) 537EP V9x DF PCI Modem" = Intel(R) 537EP V9x DF PCI Modem
"IrfanView" = IrfanView (remove only)
"jv16 PowerTools_is1" = jv16 PowerTools 2005
"Kirby Alarm Pro_is1" = Kirby Alarm Pro v4.45
"Kirby Alarm_is1" = Kirby Alarm v2.11
"LiveReg" = LiveReg (Symantec Corporation)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MobileOptionPack" =
"MozBackup_is1" = MozBackup 1.4.7
"Mozilla Firefox (3.6.23)" = Mozilla Firefox (3.6.23)
"MSI30a-KB884016" =
"MSI30-Beta1" =
"MSI30-Beta2" =
"MSI30-KB884016" =
"MSI30-RC1" =
"MSI30-RC2" =
"MSI31-Beta" =
"MSI31-RC1" =
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NetMeeting" =
"NTREGOPT_is1" = NTREGOPT 1.1j
"OSM map" = OSM map
"OutlookExpress" =
"PandoraRecovery" = PandoraRecovery (Remove Only)
"PC Authorize" = PC Authorize
"PC Magazine's Startup Cop_is1" = Startup Cop 1.1
"PCHealth" =
"Pidgin" = Pidgin
"POP Peeper" = POP Peeper
"Powerpnt" = Microsoft PowerPoint 97
"QuickBooks 99" = QuickBooks Pro 99
"QuicktimeAlt_is1" = QuickTime Alternative 3.2.2
"RealAlt_is1" = Real Alternative 1.42
"SchedulingAgent" =
"Secunia PSI" = Secunia PSI
"Shockwave" =
"Smart Defrag 1.0_is1" = Smart Defrag 1.0
"Smart Indenter v3.5 for Office 2000-2003" = Smart Indenter v3.5 for Office 2000-2003
"Snapshot Viewer" = Snapshot Viewer
"ST6UNST #1" = dfg BackUp XP 2005
"ST6UNST #4" = dfg BackUp XP 2005 (C:\Program Files\DFG\BackUp3\)
"SyncBack_is1" = SyncBack
"TurboTax 2009" = TurboTax 2009
"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
"Tweak UI 2.10" = Tweak UI
"Volumouse" = Volumouse
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinDriver6.22 USB Driver" = WinDriver6.22 USB Driver
"WinRAR archiver" = WinRAR archiver
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XQXSetup_is1" = Xteq Systems X-Setup 6.2
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 11/29/2011 11:26:04 PM | Computer Name = TYC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally
Error - 11/29/2011 11:26:04 PM | Computer Name = TYC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.
Error - 12/1/2011 1:24:02 PM | Computer Name = TYC | Source = Acronis Scheduler | ID = 1
Description =
Error - 12/2/2011 10:29:45 AM | Computer Name = TYC | Source = MPSampleSubmission | ID = 5000
Description =
Error - 12/2/2011 3:42:08 PM | Computer Name = TYC | Source = MPSampleSubmission | ID = 5000
Description =
Error - 12/2/2011 4:18:11 PM | Computer Name = TYC | Source = MPSampleSubmission | ID = 5000
Description =
Error - 12/2/2011 7:21:15 PM | Computer Name = TYC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.
Error - 12/2/2011 7:24:32 PM | Computer Name = TYC | Source = Microsoft Security Client | ID = 1001
Description =
Error - 12/10/2011 9:39:10 PM | Computer Name = TYC | Source = Application Error | ID = 1000
Description = Faulting application set8a.tmp, version 7.1.100.1248, faulting module
, version 0.0.0.0, fault address 0x00000000.
Error - 12/10/2011 9:39:17 PM | Computer Name = TYC | Source = Application Error | ID = 1000
Description = Faulting application set8b.tmp, version 7.1.100.1248, faulting module
, version 0.0.0.0, fault address 0x00000000.
[ System Events ]
Error - 12/2/2011 7:28:21 PM | Computer Name = TYC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
pxrts pxscan
Error - 12/4/2011 8:44:30 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Google Update Service
(gupdate) service to connect.
Error - 12/4/2011 8:44:30 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%1053
Error - 12/4/2011 8:44:30 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7022
Description = The Intuit Update Service service hung on starting.
Error - 12/4/2011 8:44:30 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
pxrts pxscan
Error - 12/5/2011 8:23:34 AM | Computer Name = TYC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
pxrts pxscan
Error - 12/6/2011 8:47:18 AM | Computer Name = TYC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.
Error - 12/8/2011 8:47:19 AM | Computer Name = TYC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.
Error - 12/10/2011 8:47:20 AM | Computer Name = TYC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.
Error - 12/10/2011 7:58:41 PM | Computer Name = TYC | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service upnphost with
arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
< End of report >
-
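The OTL "Authorized Applications List" above is one of the more useful parts of the report for triage: every entry is a Windows Firewall exception, and an enabled exception for a binary sitting under `C:\WINDOWS\TEMP` (as the `spsvrb\setup.exe` entry does) is exactly the kind of thing a helper scans for by eye. The following is an added example written for this page, not part of the thread or of OTL itself; it parses lines in the shape OTL prints and flags entries a reviewer should look at first. The sample lines are copied from the log above; the line format, the temp-directory markers and the "no publisher" heuristic are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed OTL "Authorized Applications List" line shape, as seen in the log above:
#   "<path>" = <path>:<scope>:<Enabled|Disabled>:<display name>[ -- (<publisher>)]
LINE_RE = re.compile(
    r'^"(?P<key>[^"]+)"\s*=\s*'
    r'(?P<path>[A-Za-z]:\\[^:]*):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<rest>.*)$'
)
PUBLISHER_RE = re.compile(r'^(?P<name>.*?)\s+--\s+\((?P<publisher>[^)]*)\)\s*$')

# Path fragments (lower-cased) where a persistent firewall exception is rarely legitimate.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")


@dataclass
class FirewallException:
    path: str
    scope: str          # "*" (any address) or "LocalSubNet"
    enabled: bool
    name: str
    publisher: Optional[str]
    findings: List[str] = field(default_factory=list)

    def severity(self) -> int:
        """2 = binary in a temp directory, 1 = needs review, 0 = nothing noted."""
        if any("temporary directory" in f for f in self.findings):
            return 2
        return 1 if self.findings else 0


def parse_line(line: str) -> Optional[FirewallException]:
    """Parse one OTL firewall-exception line; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    pm = PUBLISHER_RE.match(rest)
    if pm:
        name, publisher = pm.group("name"), pm.group("publisher")
    else:
        name, publisher = rest.strip(), None
    exc = FirewallException(
        path=m.group("path"),
        scope=m.group("scope"),
        enabled=(m.group("state") == "Enabled"),
        name=name,
        publisher=publisher,
    )
    assess(exc)
    return exc


def assess(exc: FirewallException) -> None:
    """Attach review findings; disabled rules are left alone since they open nothing."""
    if not exc.enabled:
        return
    low = exc.path.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        exc.findings.append("enabled exception for a binary in a temporary directory")
    if exc.publisher is None:
        exc.findings.append("enabled exception with no publisher string")
    if exc.scope == "*" and exc.publisher is None:
        exc.findings.append("open to any remote address, not just LocalSubNet")


def triage(log_text: str) -> List[FirewallException]:
    """Return only the exceptions with findings, most serious first."""
    rows = [e for e in (parse_line(l) for l in log_text.splitlines()) if e and e.findings]
    return sorted(rows, key=lambda e: (-e.severity(), e.path.lower()))


# Sample input: lines copied from the OTL report in this thread.
SAMPLE_LOG = r'''
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\totalcmd\TOTALCMD.EXE" = C:\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
"E:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = E:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\WINDOWS\TEMP\spsvrb\setup.exe" = C:\WINDOWS\TEMP\spsvrb\setup.exe:*:Enabled:setup
'''

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[sev {e.severity()}] {e.path} ({e.name})")
        for f in e.findings:
            print(f"    - {f}")
```

Run it as a script to get a ranked list; the `spsvrb\setup.exe` entry sorts to the top because it matches the temp-directory rule, while the Google Earth entry is not reported at all (enabled, but with a publisher string). A missing publisher is only a prompt for review, not evidence of anything: older installers such as Total Commander or Skype in this log simply never set one.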
Hi,
I haven't forgotten you and will post further instructions as soon as possible.
-
-
Hello,
I'm sorry for the delay.
Please go ahead and uninstall Booksmart, google earth, hp officejet and Kirby 2.11.
Download Tools
Instructions on how to use these tools are found further down this post.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.
Download the following 3 files & save them with the original name.
Please download GMER Rootkit Scanner from the following link:
http://www2.gmer.net/download.php
Please download WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe from the following link:
http://www.microsoft.com/download/en...ng=en&id=12934
Please download ComboFix from one of the following links, do not run the tool yet:
Link1
Link2
Transfer the files to the desktop of the infected computer.
**IMPORTANT !!! ComboFix.exe must be saved to the Desktop**
Disable Kaspersky Anti Virus
- Please navigate to the system tray on the bottom right hand corner and look for a sign.
- right click it-> select Pause Protection.
- click on -> By User Request
- a popup will claim that protection is now disabled and a sign like this: will now be shown.
- Note: Don't forget to re-enable it after the fix.
Run GMER Rootkit Scanner
If this scan crashes, please retry it a maximum of two times (a restart of your computer may be required), then continue with the next steps.
- Double click the GMER .exe file. If asked to allow gmer's .sys driver to load, please consent
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All << (don't miss this one)
See image below, Click the image to enlarge it
- Then click the Scan button & wait for it to finish
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
- Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Note: Do not run any programs or use your computer while Gmer is scanning.
Install the Recovery Console and run Combofix
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
- Drag the setup package (WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe) onto ComboFix.exe and drop it:
- Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console
- At the next prompt, click Yes to continue scanning for malware. Please do not use the computer once Combofix has started scanning.
Please include the ComboFix log (C:\ComboFix.txt) in your next reply for further review.
Please enable Kaspersky Anti-Virus after ComboFix is finished.
-
I elected not to remove some of the last programs mentioned prior to following the rest of your instructions. Would there be any difference had I not removed any programs from the beginning of this?
The process did find rootkit.zeroaccess and needed to reboot before being run again.
Thanks
-Bob
ComboFix 11-12-16.01 - Bob 12/16/2011 12:36:52.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.614 [GMT -5:00]
Running from: d:\desktop\ComboFix.exe
Command switches used :: d:\desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\13.sys
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Bob\Application Data\rbap550.dll
c:\documents and settings\Bob\GoToAssistDownloadHelper.exe
c:\documents and settings\Bob\WINDOWS
c:\documents and settings\NetworkService\Local Settings\Application Data\klartew.dll
c:\windows\$NtUninstallKB44907$
c:\windows\$NtUninstallKB44907$\3260245246
c:\windows\$NtUninstallKB44907$\3558636407\@
c:\windows\$NtUninstallKB44907$\3558636407\bckfg.tmp
c:\windows\$NtUninstallKB44907$\3558636407\cfg.ini
c:\windows\$NtUninstallKB44907$\3558636407\Desktop.ini
c:\windows\$NtUninstallKB44907$\3558636407\keywords
c:\windows\$NtUninstallKB44907$\3558636407\kwrd.dll
c:\windows\$NtUninstallKB44907$\3558636407\L\cmhpaair
c:\windows\$NtUninstallKB44907$\3558636407\lsflt7.ver
c:\windows\$NtUninstallKB44907$\3558636407\U\00000001.@
c:\windows\$NtUninstallKB44907$\3558636407\U\00000002.@
c:\windows\$NtUninstallKB44907$\3558636407\U\00000004.@
c:\windows\$NtUninstallKB44907$\3558636407\U\80000000.@
c:\windows\$NtUninstallKB44907$\3558636407\U\80000004.@
c:\windows\$NtUninstallKB44907$\3558636407\U\80000032.@
c:\windows\CDAC13BA.EXE
c:\windows\CDAC14BA.DLL
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\prsgrc.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
.
.
2011-12-09 16:47 . 2011-12-09 16:47 -------- dc----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-12-02 23:32 . 2011-12-03 00:31 115369 -c--a-w- c:\windows\system32\drivers\klin.dat
2011-12-02 23:32 . 2011-12-03 00:31 97961 -c--a-w- c:\windows\system32\drivers\klick.dat
2011-12-02 23:29 . 2011-12-02 23:29 -------- dc----w- c:\program files\Kaspersky Lab
2011-12-02 23:29 . 2011-12-16 17:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2011-12-01 19:29 . 2008-11-06 07:03 -------- dc----w- C:\SDFix
2011-12-01 16:37 . 2011-12-01 22:00 -------- dc----w- c:\documents and settings\Bob\Local Settings\Application Data\fxnetlib
2011-11-30 23:07 . 2011-11-30 23:07 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-30 23:06 . 2011-11-30 23:07 -------- dc----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-11-30 17:10 . 2011-11-30 17:10 71880 -c--a-w- c:\windows\system32\PxSecure.dll-19202703
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-01 00:08 . 2003-07-16 20:37 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-15 13:17 . 2011-05-20 10:52 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2006-11-09 19:20 . 2006-06-05 03:13 2111096 -c--a-w- c:\program files\mozilla firefox\plugins\oldNPSWF32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"$Volumouse$"="c:\program files\Volumouse\volumouse.exe" [2005-06-05 24064]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2010-09-09 1511424]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-29 160328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"adm_tray.exe"="c:\program files\Acronis\DriveMonitor\adm_tray.exe" [2010-08-26 531664]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe" [2011-04-25 202296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-29 160328]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
.
c:\documents and settings\Bob\Start Menu\Programs\Startup\
KeyExpress.lnk - d:\keyexp\KEYEXP.EXE [2005-1-10 838656]
Today.pif [2007-10-1 2855]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-9-29 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Kirby Alarm.lnk - c:\program files\Kirby Alarm\kirbyalarm.exe [2004-1-21 1366528]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- e:\adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-08-13 23:01 365632 -c--a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2009-10-16 23:42 904840 -c--a-w- c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:56 15360 -c--a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
2009-10-16 23:37 1325936 -c--a-w- c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\emMON]
2006-05-31 02:24 61440 -c--a-w- c:\windows\emMON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 12:59 155648 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 -csh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
2009-10-16 23:39 136544 -c--a-w- c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 18:42 1404928 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 -c----w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
2004-06-03 06:51 172032 ----a-w- c:\program files\Microsoft IntelliType Pro\type32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Titan Backup"="c:\progra~1\TITANB~1\TITANB~2.EXE" /startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\xqttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe Version Cue CS2"=e:\adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\ResMed\\AutoScan\\5.4\\crws.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"e:\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\BlueSoleil\\BlueSoleil.exe"=
"\\??\\c:\\WINDOWS\\system32\\winlogon.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/15/2011 5:34 PM 28552]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [9/28/2010 1:03 PM 15328]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [3/4/2011 1:23 PM 11352]
R2 KirbyAlarmPro;Kirby Alarm Pro;c:\program files\Kirby Alarm Pro\kirbyalarmpro.exe [2/3/2009 3:46 PM 3579904]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [9/28/2010 1:02 PM 220128]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [10/16/2009 6:39 PM 431456]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [3/10/2011 6:34 PM 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 8:27 PM 19472]
S0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys --> c:\windows\system32\drivers\pxscan.sys [?]
S1 MpKsl05b8ec11;MpKsl05b8ec11;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF9C8DF2-582E-4A0B-A51F-7E845E1CD6FD}\MpKsl05b8ec11.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF9C8DF2-582E-4A0B-A51F-7E845E1CD6FD}\MpKsl05b8ec11.sys [?]
S1 MpKsl2c04e557;MpKsl2c04e557;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC45769-A94D-4949-A210-4E7DD42E8B5A}\MpKsl2c04e557.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC45769-A94D-4949-A210-4E7DD42E8B5A}\MpKsl2c04e557.sys [?]
S1 MpKsl30221af3;MpKsl30221af3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsl30221af3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsl30221af3.sys [?]
S1 MpKsl3bbc9cb7;MpKsl3bbc9cb7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B65B421E-520C-4DC3-BB0B-E0B13CCACB29}\MpKsl3bbc9cb7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B65B421E-520C-4DC3-BB0B-E0B13CCACB29}\MpKsl3bbc9cb7.sys [?]
S1 MpKsl50c6aa21;MpKsl50c6aa21;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FBCED0E-C906-4526-8AC0-A3E173BD644C}\MpKsl50c6aa21.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FBCED0E-C906-4526-8AC0-A3E173BD644C}\MpKsl50c6aa21.sys [?]
S1 MpKsl63115aff;MpKsl63115aff;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F268287-023A-4EF1-8111-EED0D192DFAE}\MpKsl63115aff.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F268287-023A-4EF1-8111-EED0D192DFAE}\MpKsl63115aff.sys [?]
S1 MpKsl6992bf7e;MpKsl6992bf7e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00DD543A-485E-4F5C-805E-5CCCBA25D24D}\MpKsl6992bf7e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{00DD543A-485E-4F5C-805E-5CCCBA25D24D}\MpKsl6992bf7e.sys [?]
S1 MpKsl6f4364a6;MpKsl6f4364a6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49F1789D-F463-4AE6-9A66-747134266B78}\MpKsl6f4364a6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49F1789D-F463-4AE6-9A66-747134266B78}\MpKsl6f4364a6.sys [?]
S1 MpKsl91e50612;MpKsl91e50612;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AFA9519-2DC2-4F4A-BC6A-67DB575AD69F}\MpKsl91e50612.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7AFA9519-2DC2-4F4A-BC6A-67DB575AD69F}\MpKsl91e50612.sys [?]
S1 MpKsl957cbe81;MpKsl957cbe81;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D7ADC2B-9E7C-499B-8B4B-970056C021C5}\MpKsl957cbe81.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D7ADC2B-9E7C-499B-8B4B-970056C021C5}\MpKsl957cbe81.sys [?]
S1 MpKsla44f2d84;MpKsla44f2d84;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsla44f2d84.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC380205-6E12-4E7D-93E7-85F54D3DB76C}\MpKsla44f2d84.sys [?]
S1 MpKslb1eef83e;MpKslb1eef83e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EC47350A-2863-4F9A-90E4-6AAB11DC7F96}\MpKslb1eef83e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EC47350A-2863-4F9A-90E4-6AAB11DC7F96}\MpKslb1eef83e.sys [?]
S1 MpKslbb72fb26;MpKslbb72fb26;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02B31D1-047A-4A74-B222-564F57750561}\MpKslbb72fb26.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D02B31D1-047A-4A74-B222-564F57750561}\MpKslbb72fb26.sys [?]
S1 MpKslc6a20e02;MpKslc6a20e02;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22038661-62E7-42F4-A3BD-BD6D7EA26198}\MpKslc6a20e02.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22038661-62E7-42F4-A3BD-BD6D7EA26198}\MpKslc6a20e02.sys [?]
S1 MpKslc86a0644;MpKslc86a0644;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F951E807-42B7-42A5-8E28-F10B74BCA579}\MpKslc86a0644.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F951E807-42B7-42A5-8E28-F10B74BCA579}\MpKslc86a0644.sys [?]
S1 MpKslcfc4f3af;MpKslcfc4f3af;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C9F5F717-DE2B-42A3-AD96-B15B8B26858B}\MpKslcfc4f3af.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C9F5F717-DE2B-42A3-AD96-B15B8B26858B}\MpKslcfc4f3af.sys [?]
S1 MpKsldfa7710c;MpKsldfa7710c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D66A504-67FE-4FC0-B704-9AFF011607F5}\MpKsldfa7710c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D66A504-67FE-4FC0-B704-9AFF011607F5}\MpKsldfa7710c.sys [?]
S1 MpKslf156ae64;MpKslf156ae64;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{021DE105-DC76-4D6E-BEB8-B9D47DD524A3}\MpKslf156ae64.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{021DE105-DC76-4D6E-BEB8-B9D47DD524A3}\MpKslf156ae64.sys [?]
S1 MpKslf9cc0160;MpKslf9cc0160;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E84C3EA2-141B-4581-A47D-CA48B2E8C486}\MpKslf9cc0160.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E84C3EA2-141B-4581-A47D-CA48B2E8C486}\MpKslf9cc0160.sys [?]
S1 MpKslfd8e6181;MpKslfd8e6181;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71E3C987-72E8-40B3-A256-DA415B7829B5}\MpKslfd8e6181.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71E3C987-72E8-40B3-A256-DA415B7829B5}\MpKslfd8e6181.sys [?]
S1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys --> c:\windows\system32\drivers\pxrts.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [3/24/2009 6:03 AM 7808]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [9/28/2010 1:03 PM 44512]
S3 PSVolAcc;PSVolAcc;c:\windows\system32\drivers\PSVolAcc.sys [9/28/2010 1:03 PM 12256]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys --> c:\windows\system32\drivers\pxkbf.sys [?]
S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\drivers\sustucap.sys [2/3/2006 8:56 AM 37632]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:14 PM 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:14 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-26 20:31]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 02:14]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 02:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = cookiecop:8100
uInternet Settings,ProxyOverride = 192.168;<local>
IE: Convert link target to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {{320AF880-6646-11D3-ABEE-C5DBF3571F4E} - c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
Trusted Zone: gamehouse.com\www
Trusted Zone: intuit.com\ttlc
Trusted Zone: macys.com\www
Trusted Zone: mycheckfree.com
Trusted Zone: onlinesearches.com\publicrecords
Trusted Zone: pointspot.com\www
Trusted Zone: thdathomeservices.com\webmail
Trusted Zone: turbotax.com
TCP: Interfaces\{DC70D44C-CFA4-4CFB-AA8F-23E25AF64531}: NameServer = 208.67.220.220,208.67.222.222
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.ftp - cookiecop
FF - prefs.js: network.proxy.ftp_port - 8100
FF - prefs.js: network.proxy.gopher - cookiecop
FF - prefs.js: network.proxy.gopher_port - 8100
FF - prefs.js: network.proxy.http - cookiecop
FF - prefs.js: network.proxy.http_port - 8100
FF - prefs.js: network.proxy.socks - cookiecop
FF - prefs.js: network.proxy.socks_port - 8100
FF - prefs.js: network.proxy.ssl - cookiecop
FF - prefs.js: network.proxy.ssl_port - 8100
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: PlainOldFavorites: {7E7165E2-0767-448c-852F-5FA8714F2C37} - %profile%\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
.
.
------- File Associations -------
.
txtfile="c:\program files\JGsoft\EditPadLite\EditPad.exe" "%1"
.
- - - - ORPHANS REMOVED - - - -
.
Notify-AutorunsDisabled - (no file)
SafeBoot-79768126.sys
AddRemove-CdaC13Ba - c:\windows\CDAC13BA.EXE
AddRemove-PC Authorize - e:\tellan\PCAuth\DeIsL1.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-16 12:51
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1572)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(2036)
c:\windows\system32\WININET.dll
c:\program files\Volumouse\vlmshlp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\crypserv.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\progra~1\PCMAGA~1\COOKIE~1\COOKIE~1.EXE
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
.
**************************************************************************
.
Completion time: 2011-12-16 13:01:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-16 18:01
.
Pre-Run: 1,089,880,064 bytes free
Post-Run: 1,376,165,888 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="TYC MS Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 5DAE4B4BE54E1DC804A32F93B940828C
-
I elected not to remove some of the last programs mentioned prior to following the rest of your instructions. Would there be any difference had I not removed any programs from the beginning of this?
The process did find rootkit.zeroaccess and needed to reboot before being run again.
Thanks
-Bob
ComboFix 11-12-16.01 - Bob 12/16/2011 12:36:52.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.614 [GMT -5:00]
Running from: d:\desktop\ComboFix.exe
Command switches used :: d:\desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\13.sys
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Bob\Application Data\rbap550.dll
c:\documents and settings\Bob\GoToAssistDownloadHelper.exe
c:\documents and settings\Bob\WINDOWS
c:\documents and settings\NetworkService\Local Settings\Application Data\klartew.dll
c:\windows\$NtUninstallKB44907$
c:\windows\$NtUninstallKB44907$\3260245246
c:\windows\$NtUninstallKB44907$\3558636407\@
c:\windows\$NtUninstallKB44907$\3558636407\bckfg.tmp
c:\windows\$NtUninstallKB44907$\3558636407\cfg.ini
c:\windows\$NtUninstallKB44907$\3558636407\Desktop.ini
c:\windows\$NtUninstallKB44907$\3558636407\keywords
c:\windows\$NtUninstallKB44907$\3558636407\kwrd.dll
c:\windows\$NtUninstallKB44907$\3558636407\L\cmhpaair
c:\windows\$NtUninstallKB44907$\3558636407\lsflt7.ver
c:\windows\$NtUninstallKB44907$\3558636407\U\00000001.@
c:\windows\$NtUninstallKB44907$\3558636407\U\00000002.@
c:\windows\$NtUninstallKB44907$\3558636407\U\00000004.@
c:\windows\$NtUninstallKB44907$\3558636407\U\80000000.@
c:\windows\$NtUninstallKB44907$\3558636407\U\80000004.@
c:\windows\$NtUninstallKB44907$\3558636407\U\80000032.@
c:\windows\CDAC13BA.EXE
c:\windows\CDAC14BA.DLL
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\prsgrc.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
.
.
2011-12-09 16:47 . 2011-12-09 16:47 -------- dc----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-12-02 23:32 . 2011-12-03 00:31 115369 -c--a-w- c:\windows\system32\drivers\klin.dat
2011-12-02 23:32 . 2011-12-03 00:31 97961 -c--a-w- c:\windows\system32\drivers\klick.dat
2011-12-02 23:29 . 2011-12-02 23:29 -------- dc----w- c:\program files\Kaspersky Lab
2011-12-02 23:29 . 2011-12-16 17:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2011-12-01 19:29 . 2008-11-06 07:03 -------- dc----w- C:\SDFix
2011-12-01 16:37 . 2011-12-01 22:00 -------- dc----w- c:\documents and settings\Bob\Local Settings\Application Data\fxnetlib
2011-11-30 23:07 . 2011-11-30 23:07 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-30 23:06 . 2011-11-30 23:07 -------- dc----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-11-30 17:10 . 2011-11-30 17:10 71880 -c--a-w- c:\windows\system32\PxSecure.dll-19202703
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-01 00:08 . 2003-07-16 20:37 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-15 13:17 . 2011-05-20 10:52 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2006-11-09 19:20 . 2006-06-05 03:13 2111096 -c--a-w- c:\program files\mozilla firefox\plugins\oldNPSWF32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"$Volumouse$"="c:\program files\Volumouse\volumouse.exe" [2005-06-05 24064]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2010-09-09 1511424]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-29 160328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"adm_tray.exe"="c:\program files\Acronis\DriveMonitor\adm_tray.exe" [2010-08-26 531664]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe" [2011-04-25 202296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-29 160328]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
.
c:\documents and settings\Bob\Start Menu\Programs\Startup\
KeyExpress.lnk - d:\keyexp\KEYEXP.EXE [2005-1-10 838656]
Today.pif [2007-10-1 2855]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-9-29 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Kirby Alarm.lnk - c:\program files\Kirby Alarm\kirbyalarm.exe [2004-1-21 1366528]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- e:\adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-08-13 23:01 365632 -c--a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2009-10-16 23:42 904840 -c--a-w- c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:56 15360 -c--a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
2009-10-16 23:37 1325936 -c--a-w- c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\emMON]
2006-05-31 02:24 61440 -c--a-w- c:\windows\emMON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 12:59 155648 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 -csh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
2009-10-16 23:39 136544 -c--a-w- c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 18:42 1404928 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 -c----w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
2004-06-03 06:51 172032 ----a-w- c:\program files\Microsoft IntelliType Pro\type32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Titan Backup"="c:\progra~1\TITANB~1\TITANB~2.EXE" /startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\xqttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe Version Cue CS2"=e:\adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\ResMed\\AutoScan\\5.4\\crws.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"e:\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\BlueSoleil\\BlueSoleil.exe"=
"\\??\\c:\\WINDOWS\\system32\\winlogon.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = cookiecop:8100
uInternet Settings,ProxyOverride = 192.168;<local>
IE: Convert link target to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - e:\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {{320AF880-6646-11D3-ABEE-C5DBF3571F4E} - c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
Trusted Zone: gamehouse.com\www
Trusted Zone: intuit.com\ttlc
Trusted Zone: macys.com\www
Trusted Zone: mycheckfree.com
Trusted Zone: onlinesearches.com\publicrecords
Trusted Zone: pointspot.com\www
Trusted Zone: thdathomeservices.com\webmail
Trusted Zone: turbotax.com
TCP: Interfaces\{DC70D44C-CFA4-4CFB-AA8F-23E25AF64531}: NameServer = 208.67.220.220,208.67.222.222
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\12nouic8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.ftp - cookiecop
FF - prefs.js: network.proxy.ftp_port - 8100
FF - prefs.js: network.proxy.gopher - cookiecop
FF - prefs.js: network.proxy.gopher_port - 8100
FF - prefs.js: network.proxy.http - cookiecop
FF - prefs.js: network.proxy.http_port - 8100
FF - prefs.js: network.proxy.socks - cookiecop
FF - prefs.js: network.proxy.socks_port - 8100
FF - prefs.js: network.proxy.ssl - cookiecop
FF - prefs.js: network.proxy.ssl_port - 8100
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: PlainOldFavorites: {7E7165E2-0767-448c-852F-5FA8714F2C37} - %profile%\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
.
.
------- File Associations -------
.
txtfile="c:\program files\JGsoft\EditPadLite\EditPad.exe" "%1"
.
- - - - ORPHANS REMOVED - - - -
.
Notify-AutorunsDisabled - (no file)
SafeBoot-79768126.sys
AddRemove-CdaC13Ba - c:\windows\CDAC13BA.EXE
AddRemove-PC Authorize - e:\tellan\PCAuth\DeIsL1.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-16 12:51
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-117609710-602609370-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1572)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(2036)
c:\windows\system32\WININET.dll
c:\program files\Volumouse\vlmshlp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\crypserv.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\progra~1\PCMAGA~1\COOKIE~1\COOKIE~1.EXE
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
.
**************************************************************************
.
Completion time: 2011-12-16 13:01:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-16 18:01
.
Pre-Run: 1,089,880,064 bytes free
Post-Run: 1,376,165,888 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="TYC MS Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 5DAE4B4BE54E1DC804A32F93B940828C
-
What happened here? What happened with GMER? Did you get a log?
-
Guess I pasted the wrong log...
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-16 12:21:12
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST340014A rev.3.16
Running: r7t5kvyb.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\fgldipow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xEC074FBA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xEC0758B4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xEC08EAEE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xEC075E26]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xEC075D14]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xEC08EE06]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateProcess [0xEC076056]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateProcessEx [0xEC07621E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xEC074D76]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xEC075F3E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xEC0755E6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xEC08EECE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xEC07653C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xEC089084]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xEC08A88E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xEC0758F6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xEC07753C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xEC08A088]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xEC08AA38]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xEC07662E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xEC089BC0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xEC089E1C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xEC076B9A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xEC08D30A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xEC075EB8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xEC075DA0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xEC0751F4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xEC07697E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xEC075FD0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xEC0750E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xEC088EB8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xEC08A698]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryObject [0xEC08D500]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xEC076EC0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xEC08A488]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xEC0767CE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xEC089198]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xEC08980C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xEC08F048]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xEC08EF96]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xEC08F0B4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xEC089A14]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xEC0773DE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xEC08933E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKeyEx [0xEC0894D4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveMergedKeys [0xEC089670]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xEC08EC76]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xEC075756]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xEC0763E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xEC077010]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xEC08A248]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xEC077104]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xEC07723E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xEC07645E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xEC075392]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xEC0752EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xEC076D78]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xEC07547C]
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\$NtUninstallKB44907$\3260245246 0 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407 0 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\bckfg.tmp 824 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\keywords 89 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\L 0 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\L\cmhpaair 162816 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\lsflt7.ver 1872 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U 0 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB44907$\3558636407\U\80000032.@ 98304 bytes
---- EOF - GMER 1.0.15 ----
-
It's a bit confusing to research the logs from this computer. I can see signs of several anti-virus programs (Microsoft Security Essentials, Panda, Prevx, Kaspersky).
Which one are you using as your current anti-virus program?