Persistent Vundo infection [Solved]


#1 lunaire (New Member, 4 posts)

Hi guys, I'm hoping somebody can help me out with a persistent Vundo infection... I've tried Kaspersky IS 2009, Malwarebytes Anti-Malware, VundoFix, Ad-Aware, all without a permanent solution. They managed to detect the Vundo trojan and removed it, but the trojan came back after reboot. :)

Here's the twist: I'm on a hospital network with sensitive data and such, and I've been cut off from internet access until the trojan is removed.

Below are pasted the OTListIt logs and the Malwarebytes log. Any assistance is greatly appreciated.

OTListIt logfile created on: 3/16/2009 10:08:04 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.5.2 Folder = C:\Users\AndrewC\Desktop
Windows Vista Ultimate Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.93 Gb Total Physical Memory | 2.24 Gb Available Physical Memory | 57.03% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): c:\pagefile.sys 0 0;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 232.88 Gb Total Space | 62.64 Gb Free Space | 26.90% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 1.90 Gb Total Space | 1.47 Gb Free Space | 77.14% Space Free | Partition Type: FAT32
Drive K: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: MED-STATION
Current User Name: AndrewC
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Minimal
File Age = 30 Days
Company Name Whitelist: Off

========== Processes (SafeList) ==========

PRC - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
PRC - C:\Program Files (x86)\Windows Live\Sync\WindowsLiveSync.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\TypingMaster\KBoost.exe (TypingMaster Inc)
PRC - C:\Program Files (x86)\Synergy\synergys.exe ()
PRC - C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe (Siber Systems)
PRC - C:\Program Files (x86)\TypingMaster\QuickPhrase\quickphrase.exe (TypingMaster, Inc)
PRC - C:\Program Files (x86)\Pidgin\pidgin.exe (The Pidgin developer community)
PRC - C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files (x86)\Plustek\OpticBook 3600\Am32Plus.exe (Impacct)
PRC - C:\Program Files (x86)\TechSmith\SnagIt 9\SnagIt32.exe (TechSmith Corporation)
PRC - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe (Kaspersky Lab)
PRC - C:\Program Files (x86)\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe (Realtime Soft)
PRC - C:\Program Files (x86)\TechSmith\SnagIt 9\TSCHelp.exe (TechSmith Corporation)
PRC - C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
PRC - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
PRC - C:\Windows\SysWOW64\rundll32.exe (Microsoft Corporation)
PRC - C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe (Nero AG)
PRC - C:\Program Files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe (PostgreSQL Global Development Group)
PRC - C:\Windows\SysWOW64\PnkBstrA.exe ()
PRC - C:\Program Files (x86)\PostgreSQL\8.3\bin\postgres.exe (PostgreSQL Global Development Group)
PRC - C:\Program Files (x86)\PostgreSQL\8.3\bin\postgres.exe (PostgreSQL Global Development Group)
PRC - C:\Program Files (x86)\PostgreSQL\8.3\bin\postgres.exe (PostgreSQL Global Development Group)
PRC - C:\Program Files (x86)\PostgreSQL\8.3\bin\postgres.exe (PostgreSQL Global Development Group)
PRC - C:\Program Files (x86)\PostgreSQL\8.3\bin\postgres.exe (PostgreSQL Global Development Group)
PRC - C:\Program Files (x86)\PostgreSQL\8.3\bin\postgres.exe (PostgreSQL Global Development Group)
PRC - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\Program Files (x86)\TechSmith\SnagIt 9\SnagPriv.exe (TechSmith Corporation)
PRC - C:\Program Files (x86)\TechSmith\SnagIt 9\snagiteditor.exe (TechSmith Corporation)
PRC - C:\Users\AndrewC\AppData\Roaming\U3\000015424C61CE81\LaunchPad.exe ()
PRC - C:\Users\AndrewC\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (AcrSch2Svc [Auto | Running]) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (Adobe LM Service [On_Demand | Stopped]) -- C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (aspnet_state [On_Demand | Stopped]) -- File not found
SRV - (Ati External Event Utility [Auto | Running]) -- C:\Windows\sysnative\Ati2evxx.exe ()
SRV - (AVP [Auto | Running]) -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe (Kaspersky Lab)
SRV - (BthServ [Auto | Running]) -- C:\Windows\sysnative\bthserv.dll ()
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_64 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (CscService [Auto | Running]) -- C:\Windows\sysnative\cscsvc.dll ()
SRV - (ehRecvr [On_Demand | Stopped]) -- C:\Windows\ehome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [On_Demand | Stopped]) -- C:\Windows\ehome\ehsched.exe (Microsoft Corporation)
SRV - (ehstart [Auto | Stopped]) -- C:\Windows\ehome\ehstart.dll (Microsoft Corporation)
SRV - (Fax [On_Demand | Stopped]) -- C:\Windows\sysnative\fxssvc.exe ()
SRV - (FLEXnet Licensing Service [On_Demand | Running]) -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (IAANTMON [Auto | Running]) -- C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe (Intel Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (Lavasoft Ad-Aware Service [Auto | Running]) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (MDM [Auto | Running]) -- C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (MSCamSvc [Auto | Running]) -- C:\Program Files\Microsoft LifeCam\MSCamS64.exe (Microsoft Corporation)
SRV - (Nero BackItUp Scheduler 3 [Auto | Running]) -- C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe (Nero AG)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NMIndexingService [On_Demand | Stopped]) -- C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe (Nero AG)
SRV - (nTuneService [Auto | Running]) -- C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (PcaSvc [Auto | Running]) -- C:\Windows\sysnative\pcasvc.dll ()
SRV - (PD91Agent [Auto | Running]) -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe (Raxco Software, Inc.)
SRV - (PD91Engine [On_Demand | Stopped]) -- C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe (Raxco Software, Inc.)
SRV - (PerfHost [On_Demand | Stopped]) -- C:\Windows\SysWow64\perfhost.exe (Microsoft Corporation)
SRV - (pgsql-8.3 [Auto | Running]) -- C:\Program Files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe (PostgreSQL Global Development Group)
SRV - (PnkBstrA [Auto | Running]) -- C:\Windows\system32\PnkBstrA.exe ()
SRV - (RapiMgr [Auto | Running]) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)
SRV - (STacSV [Auto | Running]) -- C:\Windows\sysnative\STacSV64.exe ()
SRV - (Steam Client Service [On_Demand | Stopped]) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (TryAndDecideService [Auto | Stopped]) -- C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe ()
SRV - (UmRdpService [On_Demand | Stopped]) -- C:\Windows\sysnative\umrdp.dll ()
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files (x86)\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (wbengine [On_Demand | Stopped]) -- C:\Windows\sysnative\wbengine.exe ()
SRV - (WcesComm [Auto | Running]) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files (x86)\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (atikmdag [On_Demand | Running]) -- C:\Windows\sysnative\DRIVERS\atikmdag.sys ()
DRV - (ATITool [On_Demand | Running]) -- C:\Windows\sysnative\DRIVERS\ATITool64.sys ()
DRV - (BthEnum [On_Demand | Stopped]) -- C:\Windows\sysnative\DRIVERS\BthEnum.sys ()
DRV - (BthPan [On_Demand | Stopped]) -- C:\Windows\sysnative\DRIVERS\bthpan.sys ()
DRV - (BTHPORT [On_Demand | Stopped]) -- C:\Windows\sysnative\Drivers\BTHport.sys ()
DRV - (BTHUSB [On_Demand | Stopped]) -- C:\Windows\sysnative\Drivers\BTHUSB.sys ()
DRV - (CSC [System | Running]) -- C:\Windows\sysnative\drivers\csc.sys ()
DRV - (DefragFS [Auto | Running]) -- C:\Windows\sysnative\DRIVERS\DefragFS.sys ()
DRV - (e1express [On_Demand | Running]) -- C:\Windows\sysnative\DRIVERS\e1e6032e.sys ()
DRV - (fvevol [Boot | Running]) -- C:\Windows\sysnative\DRIVERS\fvevol.sys ()
DRV - (HdAudAddService [On_Demand | Running]) -- C:\Windows\sysnative\drivers\HdAudio.sys ()
DRV - (HECIx64 [On_Demand | Running]) -- C:\Windows\sysnative\DRIVERS\HECIx64.sys ()
DRV - (iaStor [Boot | Running]) -- C:\Windows\sysnative\DRIVERS\iaStor.sys ()
DRV - (kl1 [System | Running]) -- C:\Windows\sysnative\DRIVERS\kl1.sys ()
DRV - (KLBG [Boot | Running]) -- C:\Windows\sysnative\DRIVERS\klbg.sys ()
DRV - (KLFLTDEV [On_Demand | Running]) -- C:\Windows\sysnative\DRIVERS\klfltdev.sys ()
DRV - (KLIF [System | Running]) -- C:\Windows\sysnative\DRIVERS\klif.sys ()
DRV - (KLIM6 [System | Running]) -- C:\Windows\sysnative\DRIVERS\klim6.sys ()
DRV - (Lbd [Boot | Running]) -- C:\Windows\sysnative\DRIVERS\Lbd.sys ()
DRV - (mcdbus [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\mcdbus.sys (MagicISO, Inc.)
DRV - (MSHUSBVideo [On_Demand | Running]) -- C:\Windows\sysnative\Drivers\nx6000.sys ()
DRV - (NAL [On_Demand | Stopped]) -- C:\Windows\sysnative\Drivers\iqvw64e.sys ()
DRV - (NVR0Dev [On_Demand | Running]) -- C:\Windows\nvoclk64.sys (NVidia Corp.)
DRV - (pcouffin [On_Demand | Running]) -- C:\Windows\sysnative\Drivers\pcouffin.sys ()
DRV - (RFCOMM [On_Demand | Stopped]) -- C:\Windows\sysnative\DRIVERS\rfcomm.sys ()
DRV - (rt61x64 [On_Demand | Running]) -- C:\Windows\sysnative\DRIVERS\WMP54Gv41x64.sys ()
DRV - (SASDIFSV [System | Stopped]) -- C:\Program Files (x86)\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM [On_Demand | Stopped]) -- C:\Program Files (x86)\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL [System | Stopped]) -- C:\Program Files (x86)\SUPERAntiSpyware\SASKUTIL.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (snapman [Boot | Running]) -- C:\Windows\sysnative\DRIVERS\snapman.sys ()
DRV - (speedfan [Boot | Running]) -- C:\Windows\SysWOW64\speedfan.sys (Windows ® Server 2003 DDK provider)
DRV - (STHDA [On_Demand | Running]) -- C:\Windows\sysnative\DRIVERS\stwrt64.sys ()
DRV - (SysTool [On_Demand | Stopped]) -- C:\Windows\sysnative\DRIVERS\SysTool64.sys ()
DRV - (tdrpman [Boot | Running]) -- C:\Windows\sysnative\DRIVERS\tdrpman.sys ()
DRV - (tifsfilter [Auto | Running]) -- C:\Windows\sysnative\DRIVERS\tifsfilt.sys ()
DRV - (timounter [Boot | Running]) -- C:\Windows\sysnative\DRIVERS\timntr.sys ()
DRV - (usbaudio [On_Demand | Running]) -- C:\Windows\sysnative\drivers\usbaudio.sys ()
DRV - (usbvideo [On_Demand | Running]) -- C:\Windows\sysnative\Drivers\usbvideo.sys ()
DRV - (usb_rndisx [On_Demand | Stopped]) -- C:\Windows\sysnative\DRIVERS\usb8023x.sys ()
DRV - (WpdUsb [On_Demand | Stopped]) -- C:\Windows\sysnative\DRIVERS\wpdusb.sys ()

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000\S-1-5-21-1571956043-1810585430-1875742678-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.0.1
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.9.91
FF - prefs.js..extensions.enabledItems: {097d3191-e6fa-4728-9826-b533d755359d}:0.7.8
FF - prefs.js..extensions.enabledItems: [email protected]:1.9.1
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.4
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.2
FF - prefs.js..extensions.enabledItems: {62760FD6-B943-48C9-AB09-F99C6FE96088}:1.6.9
FF - prefs.js..extensions.enabledItems: [email protected]:2.7.2
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.22
FF - prefs.js..extensions.enabledItems: {77b819fa-95ad-4f2c-ac7c-486b356188a9}:1.5.20090207
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}:6.0.06
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}:6.0.04
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.07103010
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.7.3
FF - prefs.js..extensions.enabledItems: {89736E8E-4B14-4042-8C75-AD00B6BD3900}:1.0.5
FF - prefs.js..extensions.enabledItems: {5c8bfb7c-9a54-11dc-8314-0800200c9a66}:3.0.2
FF - prefs.js..extensions.enabledItems: {5c876f30-10ce-11dd-bd0b-0800200c9a66}:3.0.2
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.6
FF - prefs.js..extensions.enabledItems: [email protected]:0.6.20090117
FF - prefs.js..extensions.enabledItems: [email protected]:2.95
FF - prefs.js..extensions.enabledItems: {5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}:1.8.47

FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\PROGRAM FILES (X86)\SIBER SYSTEMS\AI ROBOFORM\FIREFOX [2008/06/15 03:56:57 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Components: C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\COMPONENTS [2009/02/04 15:01:09 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Plugins: C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\PLUGINS [2009/02/04 15:01:09 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.19\extensions\\Components: C:\PROGRAM FILES (X86)\MOZILLA THUNDERBIRD\COMPONENTS [2009/01/28 12:23:29 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.19\extensions\\Plugins: C:\PROGRAM FILES (X86)\MOZILLA THUNDERBIRD\PLUGINS [2009/01/28 12:23:29 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\PROGRAM FILES (X86)\KASPERSKY LAB\KASPERSKY INTERNET SECURITY 2009\THBEXT [2009/01/07 15:05:49 | 00,000,000 | ---D | M]

[2008/06/17 20:29:35 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Extensions
[2008/06/17 20:29:35 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/06 16:41:51 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions
[2009/01/14 12:47:22 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
[2008/07/04 18:40:49 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}
[2009/02/27 12:16:09 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}
[2008/10/20 02:04:22 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}
[2009/01/13 04:26:33 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
[2009/02/01 17:49:42 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}
[2009/02/08 00:27:33 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2009/01/30 02:42:49 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\{89736E8E-4B14-4042-8C75-AD00B6BD3900}
[2009/03/05 15:24:00 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/01/11 14:12:16 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/02/05 15:08:48 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2008/10/20 02:04:18 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2009/02/27 12:16:17 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\[email protected]
[2008/09/17 16:35:30 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\[email protected]
[2009/02/01 17:49:16 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\[email protected]
[2009/01/13 06:37:26 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\[email protected]
[2009/01/08 13:04:07 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\[email protected]
[2009/01/08 13:04:07 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\[email protected]
[2009/01/13 04:26:27 | 00,000,000 | ---D | M] -- C:\Users\AndrewC\AppData\Roaming\mozilla\Firefox\Profiles\oscx2wqc.default\extensions\[email protected]
[2009/02/20 01:07:00 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions
[2009/02/04 15:01:09 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/07/11 04:06:11 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
[2008/06/13 17:35:08 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
[2008/08/04 14:39:02 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2008/12/06 03:37:35 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/01/13 04:25:26 | 00,000,000 | ---D | M] -- C:\Program Files (x86)\mozilla firefox\extensions\[email protected]
[2009/02/04 15:01:08 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browserdirprovider.dll
[2009/02/04 15:01:08 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\brwsrcmp.dll
[2009/01/13 04:25:25 | 00,001,394 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom.xml
[2009/01/13 04:25:25 | 00,002,193 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\answers.xml
[2009/01/13 04:25:25 | 00,001,534 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\creativecommons.xml
[2009/01/13 04:25:25 | 00,002,343 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay.xml
[2009/01/13 04:25:25 | 00,001,706 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\google.xml
[2009/01/13 04:25:25 | 00,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia.xml
[2009/01/13 04:25:25 | 00,000,792 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\SnagIt 9\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\SnagIt 9\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" (Adobe Systems Inc.)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [Ad-Watch] "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe" (Lavasoft)
O4 - HKLM..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" (Kaspersky Lab)
O4 - HKLM..\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" (Nero AG)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKU\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (Microsoft Corporation)
O4 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000..\Run: [MSServer] rundll32.exe C:\Users\AndrewC\AppData\Local\Temp\efcDUnOE.dll,#1 ()
O4 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000..\Run: [Pidgin] C:\Program Files (x86)\Pidgin\pidgin.exe (The Pidgin developer community)
O4 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000..\Run: [QuickPhrase] "C:\Program Files (x86)\TypingMaster\QuickPhrase\quickphrase.exe" (TypingMaster, Inc)
O4 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000..\Run: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (Siber Systems)
O4 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (Microsoft Corporation)
O4 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000..\Run: [Synergy Server] "C:\Program Files (x86)\Synergy\synergys.exe" --no-daemon --debug WARNING --name Med-Station --address :24800 ()
O4 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000..\Run: [TypingSatellite] "C:\Program Files (x86)\TypingMaster\KBOOST.EXE" (TypingMaster Inc)
O4 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000..\Run: [Windows Live Sync] "C:\Program Files (x86)\Windows Live\Sync\WindowsLiveSync.exe" /background (Microsoft Corporation)
O4 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1000..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
O4 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1003..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (Microsoft Corporation)
O4 - HKU\S-1-5-21-1571956043-1810585430-1875742678-1003..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra Button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - File not found
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - File not found
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - File not found
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - File not found
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - File not found
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files (x86)\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [@%SystemRoot%\system32\nlasvc.dll,-1000] - C:\Windows\system32\NLAapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [@%SystemRoot%\system32\napinsp.dll,-1000] - C:\Windows\system32\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [@%SystemRoot%\system32\pnrpnsp.dll,-1000] - C:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [@%SystemRoot%\system32\pnrpnsp.dll,-1001] - C:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [Bluetooth Namespace] - C:\Windows\system32\wshbth.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/...SetupClient.cab (JuniperSetupClientControl Class)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysWOW64\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files (x86)\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files (x86)\Common Files\microsoft shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files (x86)\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysWOW64\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter: - deflate - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - gzip - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd.dll) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\mzvkbd.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\adialhk.dll) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\adialhk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\system32\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\SysWOW64\webcheck.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files (x86)\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (relog_ap) - C:\Windows\System32\relog_ap.dll (Acronis)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - J:\AutoRun.inf () - [ FAT32 ]
O32 - Autorun File - K:\autorun.inf () - [ CDFS ]
O33 - MountPoints2\{a2de7a52-b4ae-11dd-8bba-00027280e4fb}\Shell\AutoRun\command - "" = J:\PortableRoboForm.exe -- [2009/01/13 04:25:34 | 00,648,016 | ---- | M] (Siber Systems)
O33 - MountPoints2\{a2de7a52-b4ae-11dd-8bba-00027280e4fb}\Shell\RoboForm2Go\command - "" = J:\PortableRoboForm.exe -- [2009/01/13 04:25:34 | 00,648,016 | ---- | M] (Siber Systems)
O33 - MountPoints2\{a2de7a55-b4ae-11dd-8bba-00027280e4fb}\Shell - "" = AutoRun
O33 - MountPoints2\{a2de7a55-b4ae-11dd-8bba-00027280e4fb}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- [2007/10/23 03:45:39 | 01,336,632 | R--- | M] ()

========== Files/Folders - Created Within 30 Days ==========

[2 C:\Users\AndrewC\Desktop\*.tmp files]
[2009/03/16 10:05:32 | 00,499,712 | ---- | C] (OldTimer Tools) -- C:\Users\AndrewC\Desktop\OTListIt2.exe
[2009/03/16 10:05:32 | 00,360,002 | ---- | C] () -- C:\Users\AndrewC\Desktop\dds.scr
[2009/03/16 10:05:32 | 00,267,612 | ---- | C] () -- C:\Users\AndrewC\Desktop\Rooter.exe
[2009/03/16 10:05:32 | 00,119,808 | ---- | C] (Atribune.org) -- C:\Users\AndrewC\Desktop\VundoFix.exe
[2009/03/16 10:05:32 | 00,050,688 | ---- | C] (Atribune.org) -- C:\Users\AndrewC\Desktop\ATF_Cleaner.exe
[2009/03/07 12:02:45 | 00,204,288 | ---- | C] () -- C:\Users\AndrewC\Desktop\indo church list.doc
[2009/03/07 11:54:27 | 00,117,248 | ---- | C] () -- C:\Users\AndrewC\Desktop\Church list.doc
[2009/03/06 19:36:23 | 00,001,928 | ---- | C] () -- C:\Users\AndrewC\Desktop\HijackThis.lnk
[2009/03/06 19:36:23 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2009/03/06 08:46:17 | 04,338,903 | -H-- | C] () -- C:\Users\AndrewC\AppData\Local\IconCache.db
[2009/03/05 18:48:28 | 00,000,000 | ---D | C] -- C:\Users\AndrewC\AppData\Local\Apps
[2009/03/05 18:28:30 | 00,001,944 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SnagIt 9.lnk
[2009/03/05 18:28:30 | 00,001,613 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Action Express (OpticBook 3600).lnk
[2009/03/05 18:28:30 | 00,000,953 | ---- | C] () -- C:\Users\AndrewC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4.lnk
[2009/03/05 18:28:30 | 00,000,953 | ---- | C] () -- C:\Users\AndrewC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a3.lnk
[2009/03/05 18:28:30 | 00,000,953 | ---- | C] () -- C:\Users\AndrewC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a2.lnk
[2009/03/05 18:28:30 | 00,000,953 | ---- | C] () -- C:\Users\AndrewC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1.lnk
[2009/03/05 18:28:30 | 00,000,953 | ---- | C] () -- C:\Users\AndrewC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1 (2).lnk
[2009/03/05 18:28:29 | 00,001,212 | ---- | C] () -- C:\Users\AndrewC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
[2009/03/05 18:28:29 | 00,000,953 | ---- | C] () -- C:\Users\AndrewC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a7.lnk
[2009/03/05 18:28:29 | 00,000,953 | ---- | C] () -- C:\Users\AndrewC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a6.lnk
[2009/03/05 18:28:29 | 00,000,953 | ---- | C] () -- C:\Users\AndrewC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a5.lnk
[2009/03/05 18:28:29 | 00,000,828 | ---- | C] () -- C:\Users\AndrewC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
[2009/03/04 05:47:33 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2009/03/04 05:47:26 | 00,000,944 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/03/04 05:47:25 | 00,000,000 | ---D | C] -- C:\Users\AndrewC\AppData\Roaming\SUPERAntiSpyware.com
[2009/03/04 05:47:25 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\SUPERAntiSpyware
[2009/03/03 15:05:57 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Live Safety Center
[2009/03/02 22:18:40 | 00,000,000 | -H-- | C] () -- C:\Users\AndrewC\Documents\Default.rdp
[2009/03/02 21:48:19 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2009/03/02 21:43:16 | 00,000,496 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2009/03/02 21:41:07 | 00,000,000 | -H-D | C] -- C:\ProgramData\{83C91755-2546-441D-AC40-9A6B4B860800}
[2009/03/02 21:41:06 | 00,001,049 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2009/03/02 21:41:04 | 00,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2009/03/02 21:41:04 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Lavasoft
[2009/03/02 21:26:54 | 00,000,000 | ---D | C] -- C:\Users\AndrewC\AppData\Roaming\Malwarebytes
[2009/03/02 21:26:51 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/03/02 21:26:48 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/03/02 21:26:47 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/03/02 21:26:47 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2009/02/27 07:34:19 | 00,032,256 | ---- | C] () -- C:\Users\AndrewC\Desktop\Learning Objectives.doc
[2009/02/16 20:23:15 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Bullfrog
[2009/02/16 08:48:07 | 00,428,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2009/02/16 08:48:06 | 00,217,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisrndr.ax
[2009/02/16 08:48:05 | 00,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll
[2009/02/16 08:48:04 | 00,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2009/02/16 08:48:04 | 00,080,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax
[2009/02/14 17:30:24 | 00,000,000 | ---D | C] -- C:\Users\AndrewC\Desktop\New Folder

========== Files - Modified Within 30 Days ==========

[2 C:\Users\AndrewC\Desktop\*.tmp files]
[2009/03/16 10:00:08 | 00,499,712 | ---- | M] (OldTimer Tools) -- C:\Users\AndrewC\Desktop\OTListIt2.exe
[2009/03/16 09:59:16 | 00,267,612 | ---- | M] () -- C:\Users\AndrewC\Desktop\Rooter.exe
[2009/03/16 09:56:02 | 00,050,688 | ---- | M] (Atribune.org) -- C:\Users\AndrewC\Desktop\ATF_Cleaner.exe
[2009/03/16 09:55:26 | 00,119,808 | ---- | M] (Atribune.org) -- C:\Users\AndrewC\Desktop\VundoFix.exe
[2009/03/16 09:50:18 | 00,360,002 | ---- | M] () -- C:\Users\AndrewC\Desktop\dds.scr
[2009/03/16 09:41:04 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/03/16 09:41:01 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/03/16 09:39:10 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2009/03/16 09:38:44 | 04,338,903 | -H-- | M] () -- C:\Users\AndrewC\AppData\Local\IconCache.db
[2009/03/15 15:46:02 | 00,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{18549C8E-4BC9-431C-8398-A8A2C55669EF}.job
[2009/03/07 12:16:11 | 00,204,288 | ---- | M] () -- C:\Users\AndrewC\Desktop\indo church list.doc
[2009/03/07 12:11:47 | 00,000,049 | ---- | M] () -- C:\Users\AndrewC\AppData\Roaming\Printer.ini
[2009/03/07 11:57:40 | 00,117,248 | ---- | M] () -- C:\Users\AndrewC\Desktop\Church list.doc
[2009/03/06 19:36:23 | 00,001,928 | ---- | M] () -- C:\Users\AndrewC\Desktop\HijackThis.lnk
[2009/03/05 19:53:41 | 00,042,496 | ---- | M] () -- C:\Users\AndrewC\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/04 05:47:26 | 00,000,944 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/03/02 22:25:59 | 00,000,496 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2009/03/02 22:18:40 | 00,000,000 | -H-- | M] () -- C:\Users\AndrewC\Documents\Default.rdp
[2009/03/02 21:41:06 | 00,001,049 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2009/02/27 11:52:45 | 00,106,048 | ---- | M] () -- C:\Users\AndrewC\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/02/27 07:34:20 | 00,032,256 | ---- | M] () -- C:\Users\AndrewC\Desktop\Learning Objectives.doc
[2009/02/26 04:51:15 | 00,001,972 | ---- | M] () -- C:\Users\Public\Desktop\VitalSource Bookshelf.lnk
[2009/02/22 20:21:31 | 00,002,188 | ---- | M] () -- C:\Users\AndrewC\AppData\Local\d3d9caps64.dat
< End of report >

OTListIt Extras logfile created on: 3/16/2009 10:08:04 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.5.2 Folder = C:\Users\AndrewC\Desktop
Windows Vista Ultimate Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.93 Gb Total Physical Memory | 2.24 Gb Available Physical Memory | 57.03% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): c:\pagefile.sys 0 0;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 232.88 Gb Total Space | 62.64 Gb Free Space | 26.90% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 1.90 Gb Total Space | 1.47 Gb Free Space | 77.14% Space Free | Partition Type: FAT32
Drive K: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: MED-STATION
Current User Name: AndrewC
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Minimal
File Age = 30 Days
Company Name Whitelist: Off

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\Windows\SysWOW64\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\Windows\system32\regedit.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-1571956043-1810585430-1875742678-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{021C4C4F-C93C-4425-BFFD-C2D16776BFAE}" = Visual C++ 8.0 Runtime Setup Package (x64)
"{02EBDBB9-4600-41D3-B566-40CB861511D2}" = World of Warcraft FREE Trial
"{039E5107-9932-B731-A551-5BF554DA9542}" = Catalyst Control Center HydraVision Full
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0965D484-1777-4BA5-8C3A-095A6B0D2696}_is1" = Driver Sweeper 1.5.5
"{0D070C11-C7D6-4031-BC3D-D68650D63283}" = Winbond Desktop SI/O with Consumer IR support
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1BA7B068-4719-42A3-B553-D4ED97434F92}" = ASUS Utilities
"{1D46A3A0-B37D-423A-91C2-101A49E2FF80}" = Ventrilo Server
"{202A8C8E-1BE7-408B-987A-169434FE5222}" = VitalSource Bookshelf
"{20EB7BAE-7F60-34AD-130B-1C938FD65BE9}" = Catalyst Control Center Core Implementation
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{25235761-5EAB-76EA-2C7A-09FC6513784B}" = Catalyst Control Center Graphics Full Existing
"{25F4442A-6CA5-03F6-2470-E6DF04175374}" = CCC Help English
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{30CABAC3-F4C4-1E01-0136-27F9457B17FD}" = Catalyst Control Center Graphics Previews Vista
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java™ 6 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{45324745-1303-3CF5-0758-E0DA25261B04}" = Catalyst Control Center Graphics Previews Common
"{4E8BDBF1-0D57-02C3-F991-48896A0642CB}" = Skins
"{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}" = Photo Story 3 for Windows
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{59991D18-A988-45AB-B1BF-5ADE6E64CD3F}" = SnagIt 9
"{59C80C5E-8C92-40FF-B910-2BB5C7281F61}" = Europa Universalis III
"{5FCCD531-1B38-4A94-924C-127F722F1033}" = Nero 8
"{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}" = Acronis True Image Home
"{63A56D6A-8AA4-4568-A9E0-790D31B2F30E}" = Adobe Flash Media Encoder 2.5
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}" = Power Tab Editor 1.7
"{6FA8D63A-D28F-9658-D8EE-00894ABA7E41}" = Catalyst Control Center Graphics Full New
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{7B08D306-7266-4647-A926-2F78817ED1E0}" = Microsoft Corporation
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA nTune
"{7F3AD00A-1819-4B15-BB7D-08B3586336D7}" = 3DMark06
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}" = Kaspersky Internet Security 2009
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}" = Microsoft Games for Windows - LIVE Redistributable
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
"{98B6FB8A-8638-4037-AD44-CF7D0EEAB875}_is1" = TypingMaster Pro
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B74D4E10-6884-0000-0000-000000000103}" = Adobe Bridge 1.0
"{B823632F-3B72-4514-8861-B961CE263224}" = PostgreSQL 8.3
"{C043B8C1-E512-46AB-AEE2-009EBDEC0061}" = Plustek OpticBook 3600
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D9F3D5C9-3543-480C-2350-66F55E287958}" = Catalyst Control Center Graphics Light
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FDBB8757-8897-B56E-6416-835697085B8F}" = ccc-core-static
"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"{FE434300-A311-4BE1-93BA-B74BC8C4017B}" = Windows Live FolderShare Beta
"Ad-Aware" = Ad-Aware
"Adobe Acrobat 8 Professional - English, Français, Deutsch" = Adobe Acrobat 8.1.3 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"AI RoboForm" = AI RoboForm (All Users)
"ATITool" = ATITool Overclocking Utility
"Audacity_is1" = Audacity 1.2.6
"Azureus Vuze" = Azureus Vuze
"burnatonce_is1" = burnatonce
"Canon iP3500 series User Registration" = Canon iP3500 series User Registration
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CDisplay_is1" = CDisplay 1.8
"DeskScapes" = DeskScapes
"dog1" = dog1 Screen Saver
"dog2" = dog2 Screen Saver
"dog3" = dog3 Screen Saver
"dog4" = dog4 Screen Saver
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Fraps" = Fraps
"Frets on Fire - Alarian mod 2.7" = Frets on Fire - Alarian mod 2.7
"GTK 2.0" = GTK+ Runtime 2.14.6 rev a (remove only)
"HijackThis" = HijackThis 2.0.2
"In Nomine_is1" = In Nomine 1.0
"InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA nTune
"InstallWIX_{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}" = Kaspersky Internet Security 2009
"Juniper_Setup_Client Activex Control" = Juniper Networks Setup Client Activex Control
"JuniperSetupClient Activex Control" = Juniper Networks Setup Client Activex Control
"Magic ISO Maker v5.5 (build 0273)" = Magic ISO Maker v5.5 (build 0273)
"MagicDisc 2.7.97" = MagicDisc 2.7.97
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mosby's Guide to Physical Examination" = Mosby's Guide to Physical Examination
"Mozilla Firefox (3.0.6)" = Mozilla Firefox (3.0.6)
"Mozilla Thunderbird (2.0.0.19)" = Mozilla Thunderbird (2.0.0.19)
"nTouch" = nTouch (remove only)
"Picasa 3" = Picasa 3
"Pidgin" = Pidgin
"PokerAcademyPro2" = Poker Academy Pro 2
"PokerStars" = PokerStars
"PokerTracker3" = PokerTracker 3 (remove only)
"PunkBusterSvc" = PunkBuster Services
"RecallPlus V4" = RecallPlus V4
"SpeedFan" = SpeedFan (remove only)
"Steam App 12900" = Audiosurf
"Steam App 215" = Source SDK Base
"Steam App 220" = Half-Life 2
"Steam App 530" = Left 4 Dead Demo
"SuperMemo" = SuperMemo
"Synergy" = Synergy
"VLC media player" = VideoLAN VLC media player 0.8.6h
"VSO PhotoDVD_is1" = PhotoDVD 2.9.6.1d
"WinRAR" = WinRAR

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Juniper_Networks_Cache_Cleaner 5.5.0" = Juniper Networks Cache Cleaner 5.5.0
"Juniper_Setup_Client" = Juniper Networks Setup Client
"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1571956043-1810585430-1875742678-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Juniper_Networks_Cache_Cleaner 5.5.0" = Juniper Networks Cache Cleaner 5.5.0
"Juniper_Setup_Client" = Juniper Networks Setup Client
"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/14/2009 12:13:56 AM | Computer Name = Med-Station | Source = Application Error | ID = 1000
Description = Faulting application TimounterMonitor.exe, version 4.0.0.452, time
stamp 0x472765d1, faulting module MSVCR71.dll, version 6.0.6001.18000, time stamp
0x4791a783, exception code 0xc0000135, fault offset 0x0006ecfb, process id 0x878,
application start time 0x01c9a45ad72bd058.

Error - 3/14/2009 12:13:56 AM | Computer Name = Med-Station | Source = Application Error | ID = 1000
Description = Faulting application TrueImageMonitor.exe, version 11.0.0.8053, time
stamp 0x4727649a, faulting module MSVCR71.dll, version 6.0.6001.18000, time stamp
0x4791a783, exception code 0xc0000135, fault offset 0x0006ecfb, process id 0xa84,
application start time 0x01c9a45ad2f03f6a.

Error - 3/14/2009 9:42:27 AM | Computer Name = Med-Station | Source = WinMgmt | ID = 10
Description =

Error - 3/15/2009 3:43:11 PM | Computer Name = Med-Station | Source = SideBySide | ID = 16842830
Description = Activation context generation failed for "C:\Program Files (x86)\Nero\Nero8\Nero
Toolkit\DiscSpeed.exe".Error in manifest or policy file "" on line . A component
version required by the application conflicts with another component version already
active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_152e7382f3bd50c6.manifest.
Component
2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc.manifest.

Error - 3/15/2009 3:43:46 PM | Computer Name = Med-Station | Source = WinMgmt | ID = 10
Description =

Error - 3/15/2009 4:09:04 PM | Computer Name = Med-Station | Source = Application Error | ID = 1000
Description = Faulting application TimounterMonitor.exe, version 4.0.0.452, time
stamp 0x472765d1, faulting module MSVCR71.dll, version 6.0.6001.18000, time stamp
0x4791a783, exception code 0xc0000135, fault offset 0x0006ecfb, process id 0x828,
application start time 0x01c9a5a63dfd4c89.

Error - 3/15/2009 4:09:04 PM | Computer Name = Med-Station | Source = Application Error | ID = 1000
Description = Faulting application TrueImageMonitor.exe, version 11.0.0.8053, time
stamp 0x4727649a, faulting module MSVCR71.dll, version 6.0.6001.18000, time stamp
0x4791a783, exception code 0xc0000135, fault offset 0x0006ecfb, process id 0xa70,
application start time 0x01c9a5a62f448c70.

Error - 3/16/2009 9:42:13 AM | Computer Name = Med-Station | Source = Application Error | ID = 1000
Description = Faulting application TimounterMonitor.exe, version 4.0.0.452, time
stamp 0x472765d1, faulting module MSVCR71.dll, version 6.0.6001.18000, time stamp
0x4791a783, exception code 0xc0000135, fault offset 0x0006ecfb, process id 0x17c,
application start time 0x01c9a63ceef259a3.

Error - 3/16/2009 9:42:13 AM | Computer Name = Med-Station | Source = Application Error | ID = 1000
Description = Faulting application TrueImageMonitor.exe, version 11.0.0.8053, time
stamp 0x4727649a, faulting module MSVCR71.dll, version 6.0.6001.18000, time stamp
0x4791a783, exception code 0xc0000135, fault offset 0x0006ecfb, process id 0xa74,
application start time 0x01c9a63cdf977d62.

Error - 3/16/2009 9:42:20 AM | Computer Name = Med-Station | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 2/3/2009 1:45:48 AM | Computer Name = Med-Station | Source = Service Control Manager | ID = 7009
Description =

Error - 2/3/2009 1:45:48 AM | Computer Name = Med-Station | Source = Service Control Manager | ID = 7000
Description =

Error - 2/4/2009 6:32:40 AM | Computer Name = Med-Station | Source = EventLog | ID = 6008
Description = The previous system shutdown at 5:29:33 AM on 2/4/2009 was unexpected.

Error - 2/4/2009 6:32:43 AM | Computer Name = Med-Station | Source = HTTP | ID = 15016
Description =

Error - 2/4/2009 6:34:24 AM | Computer Name = Med-Station | Source = Service Control Manager | ID = 7009
Description =

Error - 2/4/2009 6:34:24 AM | Computer Name = Med-Station | Source = Service Control Manager | ID = 7000
Description =

Error - 2/6/2009 12:18:01 AM | Computer Name = Med-Station | Source = EventLog | ID = 6008
Description = The previous system shutdown at 11:15:25 PM on 2/5/2009 was unexpected.

Error - 2/6/2009 12:18:05 AM | Computer Name = Med-Station | Source = HTTP | ID = 15016
Description =

Error - 2/6/2009 12:19:43 AM | Computer Name = Med-Station | Source = Service Control Manager | ID = 7009
Description =

Error - 2/6/2009 12:19:43 AM | Computer Name = Med-Station | Source = Service Control Manager | ID = 7000
Description =


< End of report >






Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 6.0.6001 Service Pack 1

3/16/2009 10:13:46 AM
mbam-log-2009-03-16 (10-13-46).txt

Scan type: Quick Scan
Objects scanned: 63319
Time elapsed: 2 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by lunaire, 16 March 2009 - 08:24 AM.



#2
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello lunaire,

Not a great deal leaping out at me there.

In this post we will deal with a couple of items with OTlistIt2 and run a scan to check for things we may not be picking up.

Now

Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
    O33 - MountPoints2\{a2de7a52-b4ae-11dd-8bba-00027280e4fb}\Shell\AutoRun\command - "" = J:\PortableRoboForm.exe -- [2009/01/13 04:25:34 | 00,648,016 | ---- | M] (Siber Systems)
    O33 - MountPoints2\{a2de7a52-b4ae-11dd-8bba-00027280e4fb}\Shell\RoboForm2Go\command - "" = J:\PortableRoboForm.exe -- [2009/01/13 04:25:34 | 00,648,016 | ---- | M] (Siber Systems)
    O33 - MountPoints2\{a2de7a55-b4ae-11dd-8bba-00027280e4fb}\Shell - "" = AutoRun
    O33 - MountPoints2\{a2de7a55-b4ae-11dd-8bba-00027280e4fb}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- [2007/10/23 03:45:39 | 01,336,632 | R--- | M] ()
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.
Next

It is a pretty big download at 28 MB but is very useful at detecting/cleaning rootkits or whatever it finds.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode then hit enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back to the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all.
  • If it says it cannot be Neutralized then choose the delete option when prompted.
  • After that is done click on the Reports button at the bottom and save it to file, name it Kas.
  • Save it somewhere convenient like your desktop and post only the detected virus/malware in the report (it will be at the very top under Detected). Post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.



So when you return please post
  • OTListIt2 log
  • Kaspersky scan results

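The O16/O33 lines pasted into the custom fix above are the interesting part of an OTListIt log for a "comes back after reboot" case: MountPoints2 shell verbs are what Explorer runs when a removable volume is opened, and an O16 entry with a registry error is an orphaned ActiveX registration. The following is an added Python example, not the thread's or OldTimer's code; the sample lines are constructed in the shape of the entries quoted in the post, and the flagging rules are this example's own heuristics.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the OTListIt entries quoted in the fix above (not the full log).
SAMPLE_LOG = r"""
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O33 - MountPoints2\{a2de7a52-b4ae-11dd-8bba-00027280e4fb}\Shell\AutoRun\command - "" = J:\PortableRoboForm.exe -- [2009/01/13 04:25:34 | 00,648,016 | ---- | M] (Siber Systems)
O33 - MountPoints2\{a2de7a55-b4ae-11dd-8bba-00027280e4fb}\Shell - "" = AutoRun
O33 - MountPoints2\{a2de7a55-b4ae-11dd-8bba-00027280e4fb}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- [2007/10/23 03:45:39 | 01,336,632 | R--- | M] ()
"""

# O33: per-volume shell verbs under HKCU\...\Explorer\MountPoints2 (what AutoRun on a USB stick runs).
O33_CMD = re.compile(r'^O33 - MountPoints2\\(\{[0-9a-f-]+\})\\Shell\\(\w+)\\command - "" = (.+?)'
                     r' -- \[([^\]]*)\] \(([^)]*)\)$', re.IGNORECASE)
# O16: Downloaded Program Files (ActiveX) entries.
O16_DPF = re.compile(r'^O16 - DPF: (\{[0-9A-F-]+\}) (\S+)(?: \((.*)\))?$', re.IGNORECASE)


@dataclass
class Finding:
    raw: str                 # the log line exactly as OTListIt printed it
    kind: str                # "O33" or "O16"
    target: str              # command path (O33) or download URL (O16)
    reasons: list = field(default_factory=list)


def triage(log_text: str) -> list:
    """Return the O33/O16 entries worth a second look, with the reason each was flagged.
    The flagging rules are this example's own heuristics, not OTListIt's."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O33_CMD.match(line)
        if m:
            _guid, verb, cmd, _meta, publisher = m.groups()
            f = Finding(line, "O33", cmd)
            drive = cmd[:2].upper()
            if drive != "C:":          # handler lives on a removable/other volume
                f.reasons.append(f"{verb} handler on non-system volume {drive}")
            if not publisher.strip():  # OTListIt found no company name in the file
                f.reasons.append("no publisher in file metadata")
        else:
            m = O16_DPF.match(line)
            if not m:
                continue
            _clsid, url, note = m.groups()
            f = Finding(line, "O16", url)
            if note and note.startswith("Reg Error"):   # orphaned ActiveX registration
                f.reasons.append("ActiveX entry with registry error (orphaned)")
        if f.reasons:
            findings.append(f)
    return findings


def fix_script(findings: list) -> str:
    """Build the :OTLI block of an OTListIt custom fix from the flagged raw lines."""
    return "\n".join([":OTLI"] + [f.raw for f in findings])
```

The flagged lines are pasted verbatim into the :OTLI block, which is why the example keeps each raw line intact rather than a parsed summary.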

#3
lunaire

lunaire

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks for the reply, and the guide, emeraldnzl. Here are the resulting logs:

========== OTLISTIT ==========
No active process named explorer.exe was found!
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\Contains\Files\ not found.
C:\Windows\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a2de7a52-b4ae-11dd-8bba-00027280e4fb}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2de7a52-b4ae-11dd-8bba-00027280e4fb}\ not found.
J:\PortableRoboForm.exe moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a2de7a52-b4ae-11dd-8bba-00027280e4fb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2de7a52-b4ae-11dd-8bba-00027280e4fb}\ not found.
File J:\PortableRoboForm.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a2de7a55-b4ae-11dd-8bba-00027280e4fb}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2de7a55-b4ae-11dd-8bba-00027280e4fb}\ not found.
File not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a2de7a55-b4ae-11dd-8bba-00027280e4fb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2de7a55-b4ae-11dd-8bba-00027280e4fb}\ not found.
File move failed. K:\LaunchU3.exe scheduled to be moved on reboot.
========== COMMANDS ==========
File delete failed. C:\Users\AndrewC\AppData\Local\Temp\BCGE277.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\AndrewC\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be deleted on reboot.
File delete failed. C:\Users\AndrewC\AppData\Local\Temp\FXSTIFFDebugLogFile.txt scheduled to be deleted on reboot.
File delete failed. C:\Users\AndrewC\AppData\Local\Temp\qoMccBst.dll scheduled to be deleted on reboot.
File delete failed. C:\Users\AndrewC\AppData\Local\Temp\VGXBAF9.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\AndrewC\AppData\Local\Temp\~DF91CE.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.5.2 log created on 03222009_211932

Files moved on Reboot...
File K:\LaunchU3.exe not found!
File C:\Users\AndrewC\AppData\Local\Temp\BCGE277.tmp not found!
C:\Users\AndrewC\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\AndrewC\AppData\Local\Temp\FXSTIFFDebugLogFile.txt moved successfully.
DllUnregisterServer procedure not found in C:\Users\AndrewC\AppData\Local\Temp\qoMccBst.dll
C:\Users\AndrewC\AppData\Local\Temp\qoMccBst.dll NOT unregistered.
C:\Users\AndrewC\AppData\Local\Temp\qoMccBst.dll moved successfully.
File C:\Users\AndrewC\AppData\Local\Temp\VGXBAF9.tmp not found!
File C:\Users\AndrewC\AppData\Local\Temp\~DF91CE.tmp not found!

Registry entries deleted on Reboot...






KASPERSKY (nothing was detected):

Scan
----
Scanned: 1519293
Detected: 0
Untreated: 0
Start time: 3/22/2009 9:34:07 PM
Duration: 08:07:58
Finish time: 3/23/2009 5:42:05 AM


Detected
--------
Status Object
------ ------

#4
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Well it's looking awfully clean there lunaire.

Is your machine still having symptoms?

#5
lunaire

lunaire

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Ok, I did a quick scan with Malwarebytes Anti-Malware again, and it detected a Vundo trojan again:

(HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.)

I deleted it again, restarted, and ran another malwarebyte scan, and the result is..... nothing detected!! I think the OTListit fix fixed it.

Thanks a million, emeraldnzl! Expect a well-deserved donation from me, and keep up the good fight against malware, buddy!

#6
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

Ok, I did a quick scan with malwarebyte anti-malware again


I will leave this topic open for a short while in case you notice any return.

Thanks a million, emeraldnzl! Expect a well-deserved donation from me, and keep up the good fight against malware, buddy!


You are most welcome and thanks for your thought. :)

Now

We have a couple of last steps to perform and then you're all set.

  • Make sure you have an Internet Connection.
  • Double-click OTListIt2.exe to run it. (Vista users, please right click on OTListIt2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTListIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep. The Kaspersky AVP tool should automatically uninstall but if for some reason it doesn't just delete the files/folders that remain.

Next, we need to clean your restore points and set a new one:

Reset and Re-enable your System Restore in Vista to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
  • Click on the Start button to open your Start Menu.
  • Click on the Control Panel menu option.
  • Click on the System and Maintenance menu option.
  • Click on the System menu option.
  • Click on System Protection in the left-hand task list.
  • Click on the System Protection tab.
  • Uncheck the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.
  • When you uncheck a disk you will be presented with a screen. Click on the Turn System Protection Off button.
  • Press the Apply button and then the OK button.

2. Restart your computer.

3. Turn ON System Restore.
  • Click on the Start button to open your Start Menu.
  • Click on the Control Panel menu option.
  • Click on the System and Maintenance menu option.
  • Click on the System menu option.
  • Click on System Protection in the left-hand task list.
  • Put a checkmark in the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.
  • Click Apply, and then click OK.

System Restore will now be active again.

-------------------------------------------------------------------------------------------------------------------

A reminder now: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that you are clean here are some things I think are worth having a look at:

---------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week. For ease of use, you might consider the following free program:

--------------------------------------------------------------------------------------------------------------------

A great way to check that your Microsoft and Java have the latest updates is to go to Software Inspector at Secunia.

I do this weekly. Not only do they tell you which programs need updating but they give you the link to follow.

To bolster your security go to Secunia.com to ensure essential programs are up to date.

---------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Consider using an alternate browser. Mozilla's Firefox browser is excellent; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (Note: this is an added benefit!) that I have seen. Firefox is my default browser but I retain Internet Explorer as well so that I can access the very few sites that require it.

Firefox may be downloaded from Here

-----------------------------------------------------------------------------------------------------------------------

Startuplite is a tool to help you stop some programs not needed when you start your computer from loading. They will begin automatically only when needed.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:


To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

#7
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.