Although ComboFix will not run, I was able to get DSS to work and have posted the log below.
Note that the problem first occurred yesterday (July 1) at around noon; I noticed in the DSS log that there are several "new" files that were added around that time.
Also note that I still cannot access this GEEKSTOGO website from my infected computer (I am posting from a separate computer). Likewise, I cannot access many different anti-virus and anti-spyware websites.
Thanks in advance.
- - - -
Deckard's System Scanner v20071014.68
Run by gcorbett on 2008-07-02 00:10:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
5: 2008-07-02 04:11:06 UTC - RP5 - Deckard's System Scanner Restore Point
4: 2008-07-01 20:11:51 UTC - RP4 - Installed Ad-Aware
3: 2008-07-01 20:11:34 UTC - RP3 - Removed Ad-Aware SE Personal
2: 2008-07-01 16:10:26 UTC - RP2 - Last known good configuration
1: 2008-07-01 16:10:21 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
System Drive C: has 3.46 GiB (less than 15%) free.
-- HijackThis (run as gcorbett.exe) --------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:21 AM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\program files\notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\GCorbett\Desktop\dss.exe
C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
C:\DOCUME~1\GCorbett\Desktop\gcorbett.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://keconnect/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {28220052-D9A9-44B1-AB98-EDC594D238B6} - C:\WINDOWS\system32\xxyywxvt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {C358357F-2E26-46C0-ACD2-474B2F8F308B} - C:\WINDOWS\system32\yayxyywV.dll
O2 - BHO: QXK Olive - {EBD82173-92C5-42F9-8A62-B573912E1F7B} - C:\WINDOWS\kgqfweltkxw.dll
O3 - Toolbar: nqgpedlr - {08E11E95-E8E4-43DD-B762-43F2159C8759} - C:\WINDOWS\nqgpedlr.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CheckPoint\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [CurrentUser] "c:\temp\iManage Current User.exe" /s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [CurrentUser] "c:\temp\iManage Current User.exe" /s (User 'Default user')
O4 - .DEFAULT User Startup: Interwoven Current User Registry Install.lnk = C:\WINDOWS\Interwoven Current User Registry.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF269~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .efp: C:\Program Files\Internet Explorer\Plugins\NPEFPrn.dll
O12 - Plugin for .efv: C:\Program Files\Internet Explorer\Plugins\NPEFV.dll
O12 - Plugin for .fmp: C:\Program Files\Internet Explorer\Plugins\NPFMP.dll
O12 - Plugin for .fmr: C:\Program Files\Internet Explorer\Plugins\NPFME.dll
O12 - Plugin for .ifx: C:\Program Files\Internet Explorer\Plugins\NPWebPrn.dll
O12 - Plugin for .lfx: C:\Program Files\Internet Explorer\Plugins\NPLaunch.dll
O12 - Plugin for .mwp: C:\Program Files\Internet Explorer\Plugins\NPMWPrn.dll
O15 - Trusted Zone: *.qa.kirkland.com
O15 - Trusted Zone: *.test.kirkland.com
O15 - Trusted Zone: http://AttendanceRep...ng.kirkland.com
O15 - Trusted Zone: http://blackberry.kirkland.com
O15 - Trusted Zone: http://EU-iSolve.kirkland.com
O15 - Trusted Zone: http://eu-kedmssvc.kirkland.com
O15 - Trusted Zone: http://eu.kemsam.kirkland.com
O15 - Trusted Zone: http://fundstest.kirkland.com
O15 - Trusted Zone: http://iSolve.kirkland.com
O15 - Trusted Zone: http://kecollab-admin.kirkland.com
O15 - Trusted Zone: http://kecollab-atty.kirkland.com
O15 - Trusted Zone: http://kedmssvc.kirkland.com
O15 - Trusted Zone: http://kemsam.kirkland.com
O15 - Trusted Zone: http://keni.kirkland.com
O15 - Trusted Zone: http://kenitest.kirkland.com
O15 - Trusted Zone: http://kenotesapp1.kirkland.com
O15 - Trusted Zone: http://kenotesqa1.kirkland.com
O15 - Trusted Zone: keris.kirkland.com
O15 - Trusted Zone: KESurveys.kirkland.com
O15 - Trusted Zone: http://KnowNow.kirkland.com
O15 - Trusted Zone: http://KronosOTTools.kirkland.com
O15 - Trusted Zone: http://remote.kirkland.com
O15 - Trusted Zone: http://review.kirkland.com
O15 - Trusted Zone: reviewtest.kirkland.com
O15 - Trusted Zone: http://roomtracker.kirkland.com
O15 - Trusted Zone: *.kirkland.com
O15 - Trusted Zone: *.westlaw.com
O15 - Trusted Zone: *.qa.kirkland.com (HKLM)
O15 - Trusted Zone: *.test.kirkland.com (HKLM)
O15 - Trusted Zone: *.kirkland.com (HKLM)
O15 - Trusted Zone: *.westlaw.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://remote.kirkl...ca32/wficat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151020131811
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1194851856046
O16 - DPF: {A93FB56D-2F76-4DD7-8E38-9B1EB38C88A5} (SecureSession Class) - http://ftp.samsungse...uiSECIE_eng.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kirkland.com
O17 - HKLM\Software\..\Telephony: DomainName = kirkland.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kirkland.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: xxyywxvt - C:\WINDOWS\SYSTEM32\xxyywxvt.dll
O21 - SSODL: okmdepgb - {593C0DE6-592F-4CB6-83F7-C7B74CBC0BCE} - C:\WINDOWS\okmdepgb.dll
O21 - SSODL: axrfgvek - {7C85C97D-70F3-4DC5-B6C6-6425725E6DAF} - C:\WINDOWS\axrfgvek.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\program files\notes\ntmulti.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 10926 bytes
-- HijackThis Fixed Entries (C:\DOCUME~1\GCorbett\Desktop\backups\) ------------
backup-20080701-225210-732 O23 - Service: Abel - Unknown owner - C:\Program Files\Cain\Abel.exe (file missing)
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R2 MDC80211 (iPass Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc80211.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 PGPmemlock - c:\windows\system32\drivers\pgpmemlock.sys <Not Verified; Network Associates, Inc.; PGPsdk>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
S3 AlKernel (Altiris Kernel Driver) - c:\windows\system32\drivers\alkernel.sys
S3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys (file missing)
S3 PCASp50 (PCASp50 NDIS Protocol Driver) - c:\windows\system32\drivers\pcasp50.sys (file missing)
S3 slabbus (BTWIN BM2001 USB Adapter driver (WDM)) - c:\windows\system32\drivers\slabbus.sys (file missing)
S3 slabser (BTWIN BM2001 USB Adapter Drivers) - c:\windows\system32\drivers\slabser.sys (file missing)
S3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)
S3 vsinstdv - c:\docume~1\gcorbett\locals~1\temp\{84d2c697-075f-4cd3-a2ab-f1666a44e9b0}\vsinstdv.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Diskeeper - "c:\program files\executive software\diskeeper\dkservice.exe" <Not Verified; Executive Software International, Inc.; Diskeeper Disk Defragmenter>
R2 iPCAgent - c:\program files\ipass\ipassconnect\ipcagent.exe <Not Verified; iPass, Inc.; iPCAgent Module>
R2 Multi-user Cleanup Service - "c:\program files\notes\ntmulti.exe" <Not Verified; IBM Corp; IBM Lotus Notes/Domino>
R2 odClientService (Odyssey Client) - "c:\program files\funk software\odyssey client\odclientservice.exe" <Not Verified; Funk Software, Inc.; Odyssey>
R2 Rpcnet (Remote Procedure Call (RPC) Net) - c:\windows\system32\rpcnet.exe <Not Verified; Absolute Software Corp.; Installation/Management Application>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
S3 AClient (Altiris Client Service) - c:\program files\altiris\aclient\aclient.exe -service <Not Verified; Altiris, Inc.; Altiris Client Agent for Windows>
S3 AeXNSClient (Altiris Agent) - c:\program files\altiris\altiris agent\aexnsagent.exe <Not Verified; Altiris, Inc.; Altiris Agent>
S3 iPassConnectEngine - c:\program files\ipass\ipassconnect\ipassconnectengine.exe <Not Verified; iPass; iPassConnectEngine Module>
S3 License Management Service ESD - "c:\program files\common files\element5 shared\service\licence manager esd.exe" <Not Verified; element5; License Management Service ESD>
S4 Abel - c:\program files\cain\abel.exe (file missing)
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {E0CBF06C-CD8B-4647-BB8A-263B43F0F974}
Description: Dell Wireless 350 Bluetooth Module
Device ID: USB\VID_413C&PID_8103\6&17D0A9A2&0&4
Manufacturer: Dell
Name: Dell Wireless 350 Bluetooth Module
PNP Device ID: USB\VID_413C&PID_8103\6&17D0A9A2&0&4
Service: BTHUSB
-- Files created between 2008-06-02 and 2008-07-02 -----------------------------
2008-07-01 18:11:58 92032 --a------ C:\WINDOWS\system32\vibygeor.dll
2008-07-01 16:11:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-01 12:43:43 0 d-------- C:\Program Files\Enigma Software Group
2008-07-01 12:14:14 0 d-------- C:\Documents and Settings\GCorbett\Application Data\rhcat6j0ev2n
2008-07-01 12:10:57 92032 --a------ C:\WINDOWS\system32\bdjpffoq.dll
2008-07-01 12:10:11 237866 --ahs---- C:\WINDOWS\system32\Vwyyxyay.ini2
2008-07-01 12:10:09 318720 --a------ C:\WINDOWS\system32\yayxyywV.dll
2008-07-01 12:01:00 28288 --a------ C:\WINDOWS\system32\urqNHyvW.dll
2008-07-01 12:00:54 28288 --a------ C:\WINDOWS\system32\xxyywxvt.dll
2008-07-01 12:00:19 229376 --a------ C:\WINDOWS\okmdepgb.dll
2008-07-01 12:00:19 155648 --a------ C:\WINDOWS\nqgpedlr.dll
2008-07-01 12:00:19 81920 --a------ C:\WINDOWS\mrvtdpqe.exe
2008-07-01 12:00:19 303104 --a------ C:\WINDOWS\kgqfweltkxw.dll
2008-07-01 12:00:19 94208 --a------ C:\WINDOWS\eolk.exe
2008-07-01 12:00:19 180224 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-01 11:58:42 109056 --a------ C:\WINDOWS\system32\lphcet6j0ev2n.exe
2008-07-01 11:54:46 156672 --a------ C:\WINDOWS\sprof32.dll <Not Verified; Eastman Kodak Company; KODAK DIGITAL SCIENCE ICC Profile API>
2008-07-01 11:54:46 53760 --a------ C:\WINDOWS\PTPICK32.DLL <Not Verified; Eastman Kodak Company; Kodak Precision PT Picker>
2008-07-01 11:54:46 58368 --a------ C:\WINDOWS\pfpick.dll <Not Verified; Eastman Kodak Company; Kodak Digital Science Profile Picker>
2008-07-01 11:54:46 48128 --a------ C:\WINDOWS\KPSYS32.DLL <Not Verified; Eastman Kodak Company; KCMS System Interface Library>
2008-07-01 11:54:46 31744 --a------ C:\WINDOWS\KPSHARP.DLL <Not Verified; Eastman Kodak Company; KODAK PRECISION Sharpen Plug-in>
2008-07-01 11:54:46 31232 --a------ C:\WINDOWS\KPSCALE.DLL <Not Verified; Eastman Kodak Company; KODAK PRECISION Scaling Plug-in>
2008-07-01 11:54:46 70144 --a------ C:\WINDOWS\KPFP32.DLL <Not Verified; Eastman Kodak Company; Kodak Precision Filter Processor (Win32)>
2008-07-01 11:54:46 243712 --a------ C:\WINDOWS\KPCP32.DLL <Not Verified; Eastman Kodak Company; KODAK DIGITAL SCIENCE Professional Color Processor (Win32)>
2008-07-01 11:54:46 39095 --a------ C:\WINDOWS\Iccsigs.dat
2008-07-01 11:54:46 20992 --a------ C:\WINDOWS\icccodes.dll <Not Verified; Eastman Kodak Company; KCMS ICCCODES>
2008-07-01 11:54:46 42483 --a------ C:\WINDOWS\ICCCODES.DAT
2008-07-01 11:54:27 33424 --a------ C:\WINDOWS\system32\URLCACHE.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows NT Operating System>
2008-07-01 11:54:27 32792 --a------ C:\WINDOWS\SPWHPT.DLL <Not Verified; Eastman Kodak Company; Kodak Digital Science White Point>
2008-07-01 11:54:20 0 d-------- C:\WINDOWS\system32\Color
2008-07-01 11:54:20 0 d-------- C:\Kpcms
-- Find3M Report ---------------------------------------------------------------
2008-07-01 23:39:51 17408 --a------ C:\WINDOWS\system32\rpcnetp.dll
2008-07-01 23:39:50 47104 --a------ C:\WINDOWS\system32\rpcnet.dll <Not Verified; Absolute Software Corp.; Installation/Management Application>
2008-07-01 23:36:13 17408 --a------ C:\WINDOWS\system32\rpcnetp.exe
2008-07-01 21:38:33 0 d-------- C:\Program Files\notes
2008-07-01 16:11:54 0 d-------- C:\Program Files\Lavasoft
2008-07-01 16:11:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 12:02:21 679 --ah----- C:\os084633.bin
2008-07-01 11:54:20 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-11 18:19:41 0 d-------- C:\Documents and Settings\GCorbett\Application Data\Skype
2008-06-11 18:19:07 0 d-------- C:\Documents and Settings\GCorbett\Application Data\skypePM
2008-06-02 15:37:36 0 d-------- C:\Documents and Settings\GCorbett\Application Data\Adobe
2008-05-22 16:32:10 0 d-------- C:\Program Files\PicoZipRT
2008-05-22 15:58:13 0 d-------- C:\Program Files\PasswordTools
2008-05-22 15:54:26 0 d-------- C:\Program Files\ElcomSoft
2008-05-07 14:07:08 0 d-------- C:\Program Files\LimeWire2
2008-05-07 01:39:11 0 d-------- C:\Program Files\Registry Workshop
2008-04-30 01:34:11 46221 --a------ C:\WINDOWS\msginst.exe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28220052-D9A9-44B1-AB98-EDC594D238B6}]
07/01/2008 12:00 PM 28288 --a------ C:\WINDOWS\system32\xxyywxvt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C358357F-2E26-46C0-ACD2-474B2F8F308B}]
07/01/2008 12:10 PM 318720 --a------ C:\WINDOWS\system32\yayxyywV.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBD82173-92C5-42F9-8A62-B573912E1F7B}]
07/01/2008 08:15 AM 303104 --a------ C:\WINDOWS\kgqfweltkxw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\CheckPoint\Integrity Client\iclient.exe" [03/07/2007 07:48 PM]
"OdTray.exe"="C:\Program Files\Funk Software\Odyssey Client\OdTray.exe" [03/23/2006 09:52 PM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"CurrentUser"="c:\temp\iManage Current User.exe" /s
"RunNarrator"=Narrator.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"DisablePersonalDirChange"=1 (0x1)
"NoPropertiesMyDocuments"=1 (0x1)
"NoPropertiesRecycleBin"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"NoSMBalloonTip"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)
"NoStartMenuMyMusic"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"NoStartMenuSubFolders"=1 (0x1)
"Intellimenus"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Folders"=1 (0x1)
"Btn_Fullscreen"=1 (0x1)
"Btn_Tools"=1 (0x1)
"Btn_MailNews"=1 (0x1)
"Btn_Size"=1 (0x1)
"Btn_Print"=1 (0x1)
"Btn_Edit"=1 (0x1)
"Btn_Discussions"=2 (0x2)
"Btn_Cut"=1 (0x1)
"Btn_Copy"=1 (0x1)
"Btn_Paste"=1 (0x1)
"Btn_Encoding"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoManageMyComputerVerb"=1 (0x1)
"NoDFSTab"=1 (0x1)
"NoHardwareTab"=1 (0x1)
"NoSecurityTab"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoChangeKeyboardNavigationIndicators"=1 (0x1)
"NoChangeAnimation"=1 (0x1)
"NoThumbnailCache"=1 (0x1)
"NoAutoUpdate"=1 (0x1)
"RestrictCpl"=0 (0x0)
"DisallowRun"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"=aoldnld.exe
"2"=aolsetup.exe
"3"=bb2.exe
"4"=bb2remix.exe
"5"=bearshare.exe
"6"=bejeweled2.exe
"7"=bonzibdy.exe
"8"=cardgames.exe
"9"=funpack.exe
"10"=gmt.exe
"11"=googledesktop.exe
"12"=googledesktopcrawl.exe
"13"=googledesktopdisplay.exe
"14"=googledesktopindex.exe
"15"=googledesktopsetup.exe
"16"=GooglewebAccClient.exe
"17"=GoogleWebAcceleratorsetup.msi
"18"=GooglewebAccwarden.exe
"19"=hoyle_card_games.exe
"20"=IE7-WindowsXP-x86-enu.exe
"21"=kazaa.exe
"22"=limewire.exe
"23"=morphexe.exe
"24"=p2p networking.exe
"25"=pinball.exe
"26"=q-bert2005.exe
"27"=save.exe
"28"=sol.exe
"29"=solitaire.exe
"30"=tiptop.exe
"31"=tumblebugs.exe
"32"=weather.exe
"33"=wints.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictCpl]
"1"=Accessibility Options
"2"=Add or Remove Programs
"3"=Administrative Tools
"4"=Bluetooth Devices
"5"=Display
"6"=Fonts
"7"=Keyboard
"8"=mail
"9"=Mouse
"10"=Phone and Modem Options
"11"=Power Options
"12"=Regional and Language Options
"13"=Sounds and Audio Devices
"14"=System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"= qvphook.dll [ ]
"{28220052-D9A9-44B1-AB98-EDC594D238B6}"= C:\WINDOWS\system32\xxyywxvt.dll [07/01/2008 12:00 PM 28288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"okmdepgb"= {593C0DE6-592F-4CB6-83F7-C7B74CBC0BCE} - C:\WINDOWS\okmdepgb.dll [07/01/2008 08:15 AM 229376]
"axrfgvek"= {7C85C97D-70F3-4DC5-B6C6-6425725E6DAF} - C:\WINDOWS\axrfgvek.dll [07/01/2008 08:15 AM 180224]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
odyEvent.dll 12/08/2006 12:49 PM 106496 C:\WINDOWS\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyywxvt]
xxyywxvt.dll 07/01/2008 12:00 PM 28288 C:\WINDOWS\system32\xxyywxvt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yayxyywV
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=DCcms1.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1154184054-119158659-1237804090-10876\Scripts\Logon\0\0]
"Script"=CopyFolders.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1154184054-119158659-1237804090-10876\Scripts\Logon\1\0]
"Script"=NotesIDCopyXCopy.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1154184054-119158659-1237804090-10876\Scripts\Logon\2\0]
"Script"=\\kirkland.com\SysVol\kirkland.com\scripts\DCLogonScript.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1154184054-119158659-1237804090-10876\Scripts\Logon\3\0]
"Script"=\\kirkland.com\SYSVOL\kirkland.com\scripts\DC Robocopy.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28bb38cb-dcd1-11dc-8850-0015c551fc11}]
AutoRun\command- E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6355881-abb2-11dc-8827-0015c551fc11}]
AutoRun\command- E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b777cb85-ba12-11dc-882e-0015c551fc11}]
1\Command- E:\.\RECYCLER\RECYCLER\autorun.exe -autorun
2\Command- E:\.\RECYCLER\RECYCLER\autorun.exe -autorun
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe -autorun
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbc4f7ed-d911-11dc-884a-0015c551fc11}]
AutoRun\command- E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e80f4152-d5a5-11dc-8846-0015c551fc11}]
1\Command- .\RECYCLER\RECYCLER\autorun.exe -autorun
2\Command- .\RECYCLER\RECYCLER\autorun.exe -autorun
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe -autorun
-- Hosts -----------------------------------------------------------------------
192.168.0.103 HP0017A479D809
-- End of Deckard's System Scanner: finished at 2008-07-02 00:13:40 ------------
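Added example, not part of the original post and not code from DSS or HijackThis: a small Python triage script that does mechanically what the poster did by eye. It correlates the "Files created" timestamps with the persistence entries HijackThis reports (O2 BHO, O3 toolbar, O20 Winlogon Notify, O21 SSODL) and separately checks the LSA "Authentication Packages" value for anything beyond the default msv1_0. The sample lines are copied from the log above; the incident window (11:30 to 13:30 on July 1) is an assumption based on "around noon".

```python
"""Correlate DSS 'Files created' entries with HijackThis persistence lines.

Sample input below is copied from the DSS/HijackThis log in the post; the
incident window is an assumption ("around noon" on 2008-07-01).
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the "Files created" section of the log.
FILES_CREATED = r"""
2008-07-01 18:11:58 92032 --a------ C:\WINDOWS\system32\vibygeor.dll
2008-07-01 12:10:09 318720 --a------ C:\WINDOWS\system32\yayxyywV.dll
2008-07-01 12:00:54 28288 --a------ C:\WINDOWS\system32\xxyywxvt.dll
2008-07-01 12:00:19 229376 --a------ C:\WINDOWS\okmdepgb.dll
2008-07-01 12:00:19 155648 --a------ C:\WINDOWS\nqgpedlr.dll
2008-07-01 12:00:19 303104 --a------ C:\WINDOWS\kgqfweltkxw.dll
2008-07-01 12:00:19 180224 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-01 11:54:46 156672 --a------ C:\WINDOWS\sprof32.dll <Not Verified; Eastman Kodak Company; KODAK DIGITAL SCIENCE ICC Profile API>
"""

# Constructed sample: persistence lines from the HijackThis section of the log.
HJT_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {28220052-D9A9-44B1-AB98-EDC594D238B6} - C:\WINDOWS\system32\xxyywxvt.dll
O2 - BHO: (no name) - {C358357F-2E26-46C0-ACD2-474B2F8F308B} - C:\WINDOWS\system32\yayxyywV.dll
O2 - BHO: QXK Olive - {EBD82173-92C5-42F9-8A62-B573912E1F7B} - C:\WINDOWS\kgqfweltkxw.dll
O3 - Toolbar: nqgpedlr - {08E11E95-E8E4-43DD-B762-43F2159C8759} - C:\WINDOWS\nqgpedlr.dll
O20 - Winlogon Notify: xxyywxvt - C:\WINDOWS\SYSTEM32\xxyywxvt.dll
O21 - SSODL: okmdepgb - {593C0DE6-592F-4CB6-83F7-C7B74CBC0BCE} - C:\WINDOWS\okmdepgb.dll
O21 - SSODL: axrfgvek - {7C85C97D-70F3-4DC5-B6C6-6425725E6DAF} - C:\WINDOWS\axrfgvek.dll
"""

# Copied from the DSS registry dump in the log.
LSA_LINE = r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yayxyywV'

# Assumed incident window: poster says "around noon" on July 1.
INCIDENT_START = datetime(2008, 7, 1, 11, 30)
INCIDENT_WINDOW = timedelta(hours=2)

# "<date> <time> <size> <attrs> <path> [<publisher info>]"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+?)(?:\s+<[^>]*>)?$")
# HijackThis O2/O3/O20/O21 lines end in " - <path to dll or exe>"
PERSIST_RE = re.compile(
    r"^(O(?:2|3|20|21)) - .* - ([A-Za-z]:\\.+?\.(?:dll|exe))\s*$", re.IGNORECASE)


def parse_created(text):
    """Map lower-cased path -> (creation time, size, publisher string or None)."""
    out = {}
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        ts, size, _attrs, path = m.groups()
        publisher = line[line.index("<") + 1:line.rindex(">")] if "<" in line else None
        out[path.lower()] = (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(size), publisher)
    return out


def parse_persistence(text):
    """Return [(HJT section, lower-cased path)] for each persistence entry."""
    hits = []
    for line in text.splitlines():
        m = PERSIST_RE.match(line.strip())
        if m:
            hits.append((m.group(1).upper(), m.group(2).lower()))
    return hits


def correlate(created, persistence, start, window):
    """Persistence-registered files created inside [start, start + window],
    sorted by creation time: (time, path, sorted HJT sections, publisher)."""
    end = start + window
    by_path = {}
    for section, path in persistence:
        by_path.setdefault(path, set()).add(section)
    rows = []
    for path, sections in by_path.items():
        info = created.get(path)
        if info and start <= info[0] <= end:
            rows.append((info[0], path, sorted(sections), info[2]))
    return sorted(rows)


def extra_auth_packages(lsa_line, expected=("msv1_0",)):
    """Anything in LSA 'Authentication Packages' beyond the default msv1_0
    is loaded into lsass.exe at boot and deserves a look on its own."""
    _, _, value = lsa_line.partition("=")
    return [p for p in value.split() if p.lower() not in expected]


def run_triage():
    """Correlate the constructed sample with the assumed incident window."""
    created = parse_created(FILES_CREATED)
    return correlate(created, parse_persistence(HJT_LINES), INCIDENT_START, INCIDENT_WINDOW)


if __name__ == "__main__":
    for when, path, sections, publisher in run_triage():
        print(f"{when:%H:%M:%S} {','.join(sections):<7} {path}  publisher={publisher}")
    print("extra LSA auth packages:", extra_auth_packages(LSA_LINE))
```

The correlation is the point: the Kodak colour-management DLLs were also written inside the window but are not registered anywhere HijackThis reports, so they drop out, while every DLL that is both new and hooked into Explorer, IE or Winlogon is listed with the sections that load it. The LSA check is kept separate because an authentication package is loaded by lsass.exe rather than by the shell, and a non-default entry there is worth raising even when its file does not show up in the created-files list.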