
Help! - Search Engine Redirect and Hidden Internet Radio



#16
tc.bd.walt (Member, Topic Starter)
After killing ComboFix again, on a whim I killed all the running iexplore.exe processes and immediately tried running ComboFix one last time. This time it continued past the previous hang-up point and then popped up a dialog box that said "Volsnap.sys is patched with a rootkit. Attempting disinfection..."

After rebooting, a blue cmd window opened and then updated ComboFix to the latest version. Then it ran ComboFix again, attempted to create a new System Restore point, popped up the message that this machine did not have it installed, I clicked Yes to install it...

Apparently, before when I thought it was running, it was getting stuck on loading? It never got to this point with the blue CMD window.

System Recovery was installed. I have to run to a meeting, I will post the log as soon as I get back.

After that, should I wait to hear back, or continue with the other steps we were going to do after ComboFix failed to run?


#17
Aaron (Expert)
Skip Combofix as it is being blocked. Follow the steps I posted (OTL and GMER). You can try to run TDSSKiller; if it works then your computer will run a lot better. If it doesn't, follow the steps from my previous post:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


  • If an infected file is detected, the default action will be Cure, click on Continue.


  • If a suspicious file is detected, the default action will be Skip, click on Continue.


  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


#18
tc.bd.walt (Member, Topic Starter)
I got back from my meeting and ComboFix seems to have completed successfully. (I know you said to skip it, but I had left it running before seeing that reply.) Also, after the last reboot, triggered by ComboFix, iexplore.exe is not running in the background.

I realize this does not mean we are completely out of the woods, but it seems promising. I will list the log below, then go through the other steps you posted and list logs/results in my next post.

Here is the log from ComboFix:


ComboFix 11-06-27.04 - Walt 06/28/2011 6:34.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2737 [GMT -5:00]
Running from: c:\apps\ComboFix.exe
AV: Sunbelt VIPRE *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Walt.BENEFITDATA\g2mdlhlpx.exe
c:\documents and settings\Walt.BENEFITDATA\GoToAssistDownloadHelper.exe
c:\documents and settings\Walt.BENEFITDATA\WINDOWS
c:\documents and settings\Walt\g2mdlhlpx.exe
c:\documents and settings\Walt\GoToAssistDownloadHelper.exe
c:\windows\ST6UNST.000
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-28 )))))))))))))))))))))))))))))))
.
.
2011-06-22 08:00 . 2011-06-22 08:00 -------- d-----w- c:\program files\MSXML 4.0
2011-06-21 23:35 . 2011-05-11 21:26 74968 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-06-21 23:35 . 2011-05-11 21:26 21592 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-06-21 23:30 . 2011-06-21 23:30 -------- d-----w- c:\documents and settings\Walt\Application Data\Sunbelt
2011-06-21 23:29 . 2011-06-21 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2011-06-21 23:28 . 2011-04-05 22:35 212568 ----a-w- c:\windows\system32\drivers\sbtis.sys
2011-06-21 23:27 . 2011-06-21 23:27 -------- d-----w- c:\program files\Sunbelt Software
2011-06-21 21:31 . 2011-06-21 21:31 -------- d-----w- C:\_OTL
2011-06-21 15:18 . 2011-06-21 15:18 -------- d-----w- c:\documents and settings\Walt\Application Data\Managed Antivirus
2011-06-21 15:17 . 2011-06-21 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Managed Antivirus
2011-06-20 17:19 . 2011-06-20 17:19 -------- d-----w- c:\program files\Common Files\Java
2011-06-20 17:18 . 2011-06-20 17:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-19 06:37 . 2011-06-19 06:37 -------- d-----w- c:\program files\ESET
2011-06-19 06:03 . 2011-06-21 23:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-19 06:03 . 2011-06-21 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-06-18 18:02 . 2011-06-18 18:02 388096 ----a-r- c:\documents and settings\Walt\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-18 18:02 . 2011-06-18 18:02 -------- d-----w- c:\program files\Trend Micro
2011-06-18 04:28 . 2011-06-18 04:28 169472 ----a-w- c:\windows\system32\kbdycl32.dll
2011-06-16 21:57 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-15 15:53 . 2011-06-15 15:53 -------- d-----w- c:\program files\ABBYY FineReader 6.0 Sprint
2011-06-15 14:34 . 2008-03-05 02:55 40960 ----a-w- c:\windows\system32\lxebvs.dll
2011-06-15 14:34 . 2010-04-13 19:41 442368 ----a-w- c:\windows\system32\lxebcoin.dll
2011-06-15 14:34 . 2009-11-04 13:14 157696 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxebdrpp.dll
2011-06-15 14:34 . 2009-11-09 07:59 86016 ----a-w- c:\windows\system32\lxebgcfg.dll
2011-06-15 14:34 . 2009-10-21 10:06 110592 ----a-w- c:\windows\system32\lxebcuir.dll
2011-06-15 14:34 . 2009-10-21 10:06 294912 ----a-w- c:\windows\system32\lxebcui.dll
2011-06-15 14:34 . 2008-04-30 06:32 983121 ----a-w- c:\windows\system32\lxk_gf.dll
2011-06-15 08:12 . 2011-06-21 22:50 -------- d-----w- c:\program files\TeamViewer
2011-06-15 03:22 . 2011-06-15 03:22 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-06-15 03:21 . 2011-06-15 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-06-15 01:17 . 2011-06-15 01:17 -------- d-----w- c:\documents and settings\Walt\Application Data\SUPERAntiSpyware.com
2011-06-15 01:17 . 2011-06-15 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-15 01:17 . 2011-06-15 01:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-15 01:16 . 2011-06-15 01:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-14 18:53 . 2011-06-28 11:29 -------- d-----w- C:\Apps
2011-06-10 16:29 . 2011-06-10 16:29 -------- d-----w- c:\program files\Common Files\VectorVest
2011-06-10 16:23 . 2011-06-10 16:23 -------- d-----w- c:\documents and settings\Walt\Local Settings\Application Data\Citrix
2011-06-09 18:14 . 2011-06-09 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstopDat
2011-06-09 17:26 . 2011-06-09 17:26 -------- d-----w- c:\documents and settings\Walt\Local Settings\Application Data\Help
2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-06-02 18:22 . 2011-06-02 18:22 -------- d-----w- c:\documents and settings\Walt\Application Data\bgaDesktop
2011-06-02 18:22 . 2011-06-02 18:22 -------- d-----w- c:\program files\SureLC_Desktop
2011-06-02 18:22 . 2011-06-02 18:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-20 17:18 . 2010-05-10 14:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-29 14:11 . 2011-02-11 03:33 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-18 17:06 . 2011-05-18 17:06 40960 ----a-r- c:\documents and settings\Walt\Application Data\Microsoft\Installer\{EE532913-7C50-40CF-A1FB-07BC11CD5E47}\NewShortcut11_EE5329137C5040CFA1FB07BC11CD5E47.exe
2011-05-18 17:06 . 2011-05-18 17:06 40960 ----a-r- c:\documents and settings\Walt\Application Data\Microsoft\Installer\{EE532913-7C50-40CF-A1FB-07BC11CD5E47}\NewShortcut1_EE5329137C5040CFA1FB07BC11CD5E47.exe
2011-05-11 21:55 . 2011-05-11 21:55 42832 ----a-w- c:\windows\system32\sbbd.exe
2011-05-02 15:31 . 2004-08-11 22:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 19:15 . 2011-04-29 19:15 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-29 16:19 . 2004-08-11 22:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51 . 2004-08-11 22:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2004-08-11 22:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2004-08-11 22:00 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-11 22:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-10 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"lxebmon.exe"="c:\program files\Lexmark Pro200-S500 Series\lxebmon.exe" [2011-01-24 770728]
"EzPrint"="c:\program files\Lexmark Pro200-S500 Series\ezprint.exe" [2011-01-24 148280]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2011-05-11 1353040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 19:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 07:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-09-25 14:12 90112 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 16:50 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 15:57 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 10:17 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"idsvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"\\\\bds01\\asc\\NPL\\RTIWIN32.EXE"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"=
"c:\\WINDOWS\\system32\\lxebcoms.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [6/21/2011 6:35 PM 21592]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [6/21/2011 6:28 PM 212568]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\Walt\My Documents\Downloads\Jim\Extract\VCdRom.sys [12/19/2001 11:45 AM 8576]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/30/2010 10:13 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [6/21/2011 6:35 PM 74968]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [5/11/2011 4:54 PM 181584]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/29/2011 2:15 PM 101720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxebserv.exe [6/15/2011 9:34 AM 193192]
S2 SBAMSvc;VIPRE Antivirus;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [5/11/2011 4:54 PM 2804280]
S3 cpuz134;cpuz134;\??\c:\docume~1\Walt\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Walt\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2010 2:22 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2010 2:22 PM 133104]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys --> c:\windows\system32\DRIVERS\radpms.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-08 19:22]
.
2011-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-08 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://jim/office
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: vectorvest.com\www
TCP: DhcpNameServer = 192.168.0.2 192.168.0.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Walt\Application Data\Mozilla\Firefox\Profiles\3bhrmaz8.default\
FF - prefs.js: browser.startup.homepage -
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
Notify-NavLogon - (no file)
AddRemove-Adobe Connect Add-in - c:\documents and settings\Walt\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectaddin.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-28 06:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-06-28 06:39:05
ComboFix-quarantined-files.txt 2011-06-28 11:39
.
Pre-Run: 33,930,014,720 bytes free
Post-Run: 34,341,380,096 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 83E4C3A0AA2EAD42CA321299CD75553C
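As an added example (not code from the thread, from ComboFix's authors or from the helper), here is a small Python triage script for a ComboFix log in the format posted above. It pulls out what a helper reads first: the disinfected-driver notice, executables created under user-writable profile or temp directories (the class the two NewShortcut files fall into), the Run-key entries, and services whose file ComboFix marked `[?]` because it could not verify it. The sample log is a constructed excerpt modelled on the posted one, and the "user-writable directory" heuristic is the example's own assumption, not ComboFix semantics.

```python
"""Triage a ComboFix log: pull out the findings a malware-removal helper reads
first.  Added example, not ComboFix's own tooling; the directory heuristic
below is an assumption drawn from the log posted in the thread."""
import re

# Constructed excerpt modelled on the log format posted in the thread (not the
# full log); the paths mirror entries that appear in it.
SAMPLE_LOG = r"""
ComboFix 11-06-27.04 - Walt 06/28/2011 6:34.1.4 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Walt\g2mdlhlpx.exe
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-28 )))))))))))))))))))))))))))))))
.
2011-06-21 23:35 . 2011-05-11 21:26 74968 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-06-21 23:30 . 2011-06-21 23:30 -------- d-----w- c:\documents and settings\Walt\Application Data\Sunbelt
2011-05-18 17:06 . 2011-05-18 17:06 40960 ----a-r- c:\documents and settings\Walt\Application Data\Microsoft\Installer\{EE532913-7C50-40CF-A1FB-07BC11CD5E47}\NewShortcut1_EE5329137C5040CFA1FB07BC11CD5E47.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2011-05-11 1353040]
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [6/21/2011 6:35 PM 21592]
S3 cpuz134;cpuz134;\??\c:\docume~1\Walt\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Walt\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys --> c:\windows\system32\DRIVERS\radpms.sys [?]
"""

# One regex per line shape seen in the log.
DISINFECT_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
# "<created> . <modified> <size or dashes> <attrs> <path>"
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                     r"(?:-+|\d+) (\S{8}) (.+)$")
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")                # registry key header
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[([^\]]*)\]$')  # value under a Run key
SVC_RE = re.compile(r"^[RS][0-4] ([^;]+);([^;]*);(.+)$")  # R=running, S=stopped

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".com", ".pif")
# Assumption: profile and temp directories are writable without admin rights,
# so a freshly created executable there deserves a second look.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\")


def parse_combofix_log(text):
    """Return the triage findings as lists keyed by category."""
    findings = {"disinfected": [], "user_dir_executables": [],
                "run_entries": [], "unverified_services": []}
    key = None                            # registry key the next values belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue                      # ComboFix pads sections with "." lines
        if m := DISINFECT_RE.match(line):
            findings["disinfected"].append(m.group(1))
        elif m := FILE_RE.match(line):
            attrs, path = m.groups()
            low = path.lower()
            # skip directories ("d" attribute) and non-executable files
            if (not attrs.startswith("d") and low.endswith(EXEC_EXT)
                    and any(d in low for d in USER_WRITABLE)):
                findings["user_dir_executables"].append(path)
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif m := RUN_RE.match(line):
            findings["run_entries"].append((key, m.group(1), m.group(2)))
        elif m := SVC_RE.match(line):
            name, _desc, rest = m.groups()
            if rest.endswith("[?]"):      # ComboFix could not verify the file
                findings["unverified_services"].append(name)
    return findings


if __name__ == "__main__":
    for kind, items in parse_combofix_log(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```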

#19
Aaron (Expert)
Looks good! :) Combofix replaced the infected driver that caused this problem.

I would like you to scan 2 files:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • c:\documents and settings\Walt\Application Data\Microsoft\Installer\{EE532913-7C50-40CF-A1FB-07BC11CD5E47}\NewShortcut11_EE5329137C5040CFA1FB07BC11CD5E47.exe
    • c:\documents and settings\Walt\Application Data\Microsoft\Installer\{EE532913-7C50-40CF-A1FB-07BC11CD5E47}\NewShortcut1_EE5329137C5040CFA1FB07BC11CD5E47.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Repeat this for the other file too.

Let's do some final scans to be sure your system is clean.

============ Step one ============

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

============ Step two ============

I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

- Maser00

#20
tc.bd.walt (Member, Topic Starter)
I am running behind on the steps you have given me. I had started through the 3 steps that got skipped earlier (near the bottom of page 1) and had left GMER running for a few hours. I just got back and was posting these logs when I noticed the new steps. Everything below is referencing your post from page one. I will do the steps in your latest post now, which means that after that I will have skipped the TDSSKiller steps. Let me know if you would like me to go back and follow those instructions.
----------------------------------------



I have disabled SuperAntiSpyware at startup.

I had to run OTL a few times because I didn't realize that to get the Extras.txt log you asked for I needed to select Use SafeList or All in the Extra Registry section and that I needed to use RunScan, not Quick Scan.


============ Step one ============


============ OTL.txt ============



OTL logfile created on: 6/28/2011 10:06:52 AM - Run 11
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Apps
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.70 Gb Available Physical Memory | 83.02% Memory free
5.09 Gb Paging File | 4.73 Gb Available in Paging File | 93.03% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.02 Gb Total Space | 31.98 Gb Free Space | 21.46% Space Free | Partition Type: NTFS
Drive D: | 149.01 Gb Total Space | 137.55 Gb Free Space | 92.31% Space Free | Partition Type: NTFS
Drive J: | 931.51 Gb Total Space | 812.98 Gb Free Space | 87.28% Space Free | Partition Type: NTFS
Drive K: | 68.23 Gb Total Space | 46.82 Gb Free Space | 68.62% Space Free | Partition Type: NTFS
Drive O: | 931.51 Gb Total Space | 812.98 Gb Free Space | 87.28% Space Free | Partition Type: NTFS
Drive S: | 931.51 Gb Total Space | 812.98 Gb Free Space | 87.28% Space Free | Partition Type: NTFS
Drive T: | 931.51 Gb Total Space | 812.98 Gb Free Space | 87.28% Space Free | Partition Type: NTFS

Computer Name: WALT_DESKTOP | User Name: Walt | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/19 20:41:02 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Apps\OTL.exe
PRC - [2011/05/11 16:54:06 | 000,181,584 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
PRC - [2011/01/23 20:00:20 | 000,770,728 | ---- | M] () -- C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe
PRC - [2010/12/08 14:11:38 | 000,136,584 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2010/12/08 14:11:32 | 000,374,152 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2010/11/08 13:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2010/04/14 14:56:01 | 000,598,696 | ---- | M] ( ) -- C:\WINDOWS\system32\lxebcoms.exe
PRC - [2008/08/11 12:41:00 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/06/19 20:41:02 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Apps\OTL.exe
MOD - [2010/12/08 14:11:40 | 000,202,112 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIhook.001.dll
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/05/13 12:13:36 | 000,077,824 | ---- | M] (SuperAdBlocker.com) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
MOD - [2008/04/13 19:12:10 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wsock32.dll
MOD - [2008/04/13 19:12:10 | 000,018,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wtsapi32.dll
MOD - [2008/04/13 19:12:09 | 000,053,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winsta.dll
MOD - [2008/04/13 19:12:06 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\snmpapi.dll
MOD - [2008/04/13 19:12:04 | 000,044,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rtutils.dll
MOD - [2008/04/13 19:12:03 | 000,016,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rassapi.dll
MOD - [2008/04/13 19:11:57 | 000,087,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mprapi.dll
MOD - [2008/04/13 19:11:55 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\iphlpapi.dll
MOD - [2008/04/13 19:11:55 | 000,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetmib1.dll
MOD - [2008/04/13 19:11:50 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cabinet.dll
MOD - [2008/04/13 19:11:48 | 000,193,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\activeds.dll
MOD - [2008/04/13 19:11:48 | 000,143,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\adsldpc.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/05/11 16:54:28 | 002,804,280 | ---- | M] (Sunbelt Software) [Auto | Stopped] -- C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe -- (SBAMSvc)
SRV - [2011/05/11 16:54:06 | 000,181,584 | ---- | M] (Sunbelt Software) [Auto | Running] -- C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe -- (SBPIMSvc)
SRV - [2010/12/08 14:11:38 | 000,136,584 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2010/12/08 14:11:32 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2010/11/08 13:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2010/04/14 14:56:01 | 000,598,696 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxebcoms.exe -- (lxeb_device)
SRV - [2010/04/14 14:55:54 | 000,193,192 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxebserv.exe -- (lxebCATSCustConnectService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2011/05/11 16:26:04 | 000,074,968 | ---- | M] (Sunbelt Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\sbapifs.sys -- (sbapifs)
DRV - [2011/05/11 16:26:04 | 000,021,592 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbaphd.sys -- (sbaphd)
DRV - [2011/04/29 14:15:42 | 000,101,720 | ---- | M] (Sunbelt Software) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2011/04/05 17:35:20 | 000,212,568 | ---- | M] (Sunbelt Software, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbtis.sys -- (SbTis)
DRV - [2011/03/15 12:49:19 | 000,008,576 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\Documents and Settings\Walt\My Documents\Downloads\Jim\Extract\VCdRom.sys -- (vcdrom)
DRV - [2010/12/08 14:12:02 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2008/08/11 12:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/08/11 12:41:00 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2007/09/23 19:32:20 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2007/09/23 19:32:12 | 002,371,584 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/07/23 15:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 15:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 15:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 15:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 15:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 15:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 15:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 15:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 14:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 14:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2007/07/22 15:27:12 | 004,424,704 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/04/11 16:32:58 | 000,036,112 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2007/04/11 16:32:52 | 000,034,832 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080611
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080611

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://jim/office
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 5A 69 7E 00 67 28 A7 4D 91 D5 62 B5 A4 45 5A ED [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search..defaultengine: ""
FF - prefs.js..browser.search..defaultenginename: ""
FF - prefs.js..browser.search..order.1: ""
FF - prefs.js..browser.search..selectedEngine: ""
FF - prefs.js..browser.search..selectedEngineURL: ""
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: [email protected]:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/27 18:24:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/22 15:41:45 | 000,000,000 | ---D | M]

[2010/11/13 12:52:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Walt\Application Data\Mozilla\Extensions
[2011/06/23 10:58:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Walt\Application Data\Mozilla\Firefox\Profiles\3bhrmaz8.default\extensions
[2010/11/13 12:52:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Walt\Application Data\Mozilla\Firefox\Profiles\3bhrmaz8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/23 10:58:52 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/01 17:32:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/06/20 12:18:47 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/06/20 12:18:32 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/06/20 12:18:32 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/06/28 06:38:01 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagitBHO.dll (TechSmith Corporation)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagitIEAddin.dll (TechSmith Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark Pro200-S500 Series\ezprint.exe ()
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [lxebmon.exe] C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe ()
O4 - HKLM..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe (Sunbelt Software)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O15 - HKCU\..Trusted Domains: vectorvest.com ([www] * in Trusted sites)
O15 - HKCU\..Trusted Domains: vectorvest.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: vectorvest.com ([www] https in Trusted sites)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} http://download.micr...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1213633610906 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.2 192.168.0.1
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Walt\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/28 06:33:11 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/06/28 06:30:21 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/06/28 06:30:21 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/06/28 06:30:21 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/06/28 06:30:21 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/06/28 06:22:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/06/28 06:22:12 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/25 18:03:16 | 001,904,128 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Walt\Desktop\aswMBR.exe
[2011/06/22 14:17:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/22 03:00:49 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2011/06/21 18:35:44 | 000,074,968 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\sbapifs.sys
[2011/06/21 18:35:43 | 000,021,592 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\sbaphd.sys
[2011/06/21 18:30:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Walt\Application Data\Sunbelt
[2011/06/21 18:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sunbelt
[2011/06/21 18:28:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sunbelt Software
[2011/06/21 18:28:04 | 000,212,568 | ---- | C] (Sunbelt Software, Inc.) -- C:\WINDOWS\System32\drivers\sbtis.sys
[2011/06/21 18:27:59 | 000,000,000 | ---D | C] -- C:\Program Files\Sunbelt Software
[2011/06/21 16:31:12 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/06/21 10:18:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Walt\Application Data\Managed Antivirus
[2011/06/21 10:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Managed Antivirus
[2011/06/20 12:19:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/06/20 12:18:45 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/06/20 12:18:45 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/06/20 12:18:45 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/06/20 12:18:45 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/06/20 11:32:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VectorVest, Inc
[2011/06/20 01:12:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Walt\Start Menu\Programs\Logmein
[2011/06/20 01:11:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Walt\Start Menu\Programs\Firefox
[2011/06/19 01:37:07 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/19 01:03:02 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/06/19 01:03:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/06/18 13:02:00 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/06/18 13:02:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Walt\Start Menu\Programs\HiJackThis
[2011/06/17 23:28:53 | 000,169,472 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\kbdycl32.dll
[2011/06/17 08:36:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/06/16 16:57:44 | 000,105,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mup.sys
[2011/06/15 10:53:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ABBYY FineReader 6.0 Sprint
[2011/06/15 10:53:18 | 000,000,000 | ---D | C] -- C:\Program Files\ABBYY FineReader 6.0 Sprint
[2011/06/15 09:36:36 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ODBC
[2011/06/15 09:34:04 | 000,442,368 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebcoin.dll
[2011/06/15 09:34:01 | 000,983,121 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\lxk_gf.dll
[2011/06/15 09:33:50 | 000,372,736 | ---- | C] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LXEBwupd.dll
[2011/06/15 09:33:50 | 000,213,672 | ---- | C] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LXEBwupd.exe
[2011/06/15 09:33:37 | 000,000,000 | ---D | C] -- C:\Program Files\Lexmark
[2011/06/15 09:33:33 | 000,000,000 | ---D | C] -- C:\Program Files\Lexmark Toolbar
[2011/06/15 09:33:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Lexmark
[2011/06/15 09:33:14 | 001,048,576 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebserv.dll
[2011/06/15 09:33:14 | 000,847,872 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebusb1.dll
[2011/06/15 09:33:14 | 000,688,128 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebhbn3.dll
[2011/06/15 09:33:14 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebpmui.dll
[2011/06/15 09:33:14 | 000,577,536 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeblmpm.dll
[2011/06/15 09:33:14 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebinpa.dll
[2011/06/15 09:33:14 | 000,356,352 | ---- | C] ( ) -- C:\WINDOWS\System32\LXEBhcp.dll
[2011/06/15 09:33:14 | 000,344,064 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebiesc.dll
[2011/06/15 09:33:14 | 000,324,264 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebih.exe
[2011/06/15 09:33:13 | 000,802,816 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebcomc.dll
[2011/06/15 09:33:13 | 000,598,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebcoms.exe
[2011/06/15 09:33:13 | 000,373,416 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebcfg.exe
[2011/06/15 09:33:13 | 000,372,736 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebcomm.dll
[2011/06/15 09:33:13 | 000,086,183 | ---- | C] (Lexmark International) -- C:\WINDOWS\System32\LXEBcfg.dll
[2011/06/15 09:33:03 | 000,000,000 | ---D | C] -- C:\Program Files\Lexmark Pro200-S500 Series
[2011/06/15 03:12:24 | 000,000,000 | ---D | C] -- C:\Program Files\TeamViewer
[2011/06/14 22:21:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/06/14 20:17:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Walt\Application Data\SUPERAntiSpyware.com
[2011/06/14 20:17:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/06/14 20:17:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/06/14 20:17:51 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/06/14 20:16:59 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/06/14 13:53:37 | 000,000,000 | ---D | C] -- C:\Apps
[2011/06/14 13:51:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Walt\Recent
[2011/06/10 11:29:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\VectorVest
[2011/06/10 11:23:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Walt\Local Settings\Application Data\Citrix
[2011/06/09 13:14:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PCPitstopDat
[2011/06/09 12:26:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Walt\Local Settings\Application Data\Help
[2011/06/09 12:26:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Walt\Application Data\Help
[2011/06/02 13:22:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Walt\Application Data\bgaDesktop
[2011/06/02 13:22:11 | 000,000,000 | ---D | C] -- C:\Program Files\SureLC_Desktop
[2011/06/02 13:22:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR

========== Files - Modified Within 30 Days ==========

[2011/06/28 10:05:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/28 06:38:01 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/06/28 06:33:15 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/06/28 06:28:36 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/28 06:28:32 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/28 06:24:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/28 06:24:12 | 3487,744,000 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/27 21:40:29 | 000,001,324 | ---- | M] () -- C:\Documents and Settings\Walt\Local Settings\Application Data\d3d9caps.dat
[2011/06/27 17:24:05 | 000,000,394 | ---- | M] () -- C:\WINDOWS\ASC.INI
[2011/06/27 16:50:19 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Walt\Desktop\Microsoft Office Outlook 2003 (2).lnk
[2011/06/27 10:18:03 | 000,001,682 | ---- | M] () -- C:\WINDOWS\System32\EmailAVConfig.xml
[2011/06/25 18:06:11 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Walt\Desktop\MBR.dat
[2011/06/25 18:03:18 | 001,904,128 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Walt\Desktop\aswMBR.exe
[2011/06/24 19:19:03 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011/06/24 12:14:06 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Walt\Desktop\Microsoft Office Word 2003 (2).lnk
[2011/06/24 10:03:28 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\Walt\Desktop\Microsoft Office Excel 2003 (2).lnk
[2011/06/23 10:48:40 | 000,000,730 | ---- | M] () -- C:\Documents and Settings\Walt\Desktop\Shortcut to firefox (2).lnk
[2011/06/23 03:25:20 | 000,525,976 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/06/23 03:25:20 | 000,097,884 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/06/22 17:39:57 | 001,763,125 | ---- | M] () -- C:\Documents and Settings\Walt\My Documents\06-22-2011 05;39;53PM.PDF
[2011/06/22 15:41:45 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/06/22 14:17:10 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/22 13:59:56 | 000,000,286 | ---- | M] () -- C:\WINDOWS\reimage.ini
[2011/06/21 18:28:05 | 000,001,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VIPRE.lnk
[2011/06/21 11:25:16 | 000,001,190 | ---- | M] () -- C:\WINDOWS\System32\ServiceConfig.xml
[2011/06/20 22:43:18 | 000,001,722 | -H-- | M] () -- C:\Documents and Settings\Walt\My Documents\Default.rdp
[2011/06/20 12:18:31 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/06/20 12:18:31 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/06/20 12:18:31 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/06/20 12:18:31 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/06/20 12:18:31 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/06/20 11:32:51 | 000,001,904 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VectorVest 7.lnk
[2011/06/18 13:02:00 | 000,001,982 | ---- | M] () -- C:\Documents and Settings\Walt\Desktop\HiJackThis.lnk
[2011/06/17 23:28:53 | 000,169,472 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\kbdycl32.dll
[2011/06/17 12:45:22 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Walt\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/06/17 09:07:23 | 000,000,651 | ---- | M] () -- C:\WINDOWS\RTIWIN.INI
[2011/06/17 08:36:40 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/06/15 10:30:20 | 000,210,305 | ---- | M] () -- C:\WINDOWS\System32\LexFiles.ulf
[2011/06/15 09:33:38 | 000,000,814 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Launch Lexmark Printer Home.LNK
[2011/06/14 22:22:49 | 000,017,480 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/06/14 20:17:54 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/06/14 20:16:59 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/06/14 08:01:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/06/09 15:49:16 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Walt\Desktop\Microsoft Office Publisher 2003 (2).lnk

========== Files Created - No Company Name ==========

[2011/06/28 06:33:15 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/06/28 06:33:12 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/06/28 06:30:21 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/06/28 06:30:21 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/06/28 06:30:21 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/06/28 06:30:21 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/06/28 06:30:21 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/06/27 10:18:03 | 000,001,682 | ---- | C] () -- C:\WINDOWS\System32\EmailAVConfig.xml
[2011/06/25 18:06:11 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Walt\Desktop\MBR.dat
[2011/06/25 10:22:41 | 3487,744,000 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/23 10:48:40 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\Walt\Desktop\Shortcut to firefox (2).lnk
[2011/06/22 17:39:57 | 001,763,125 | ---- | C] () -- C:\Documents and Settings\Walt\My Documents\06-22-2011 05;39;53PM.PDF
[2011/06/22 15:41:45 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/22 15:41:45 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/06/22 14:17:10 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/22 13:59:44 | 000,000,286 | ---- | C] () -- C:\WINDOWS\reimage.ini
[2011/06/21 18:28:05 | 000,001,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VIPRE.lnk
[2011/06/21 11:25:16 | 000,001,190 | ---- | C] () -- C:\WINDOWS\System32\ServiceConfig.xml
[2011/06/20 22:27:29 | 000,001,722 | -H-- | C] () -- C:\Documents and Settings\Walt\My Documents\Default.rdp
[2011/06/20 11:32:51 | 000,001,904 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VectorVest 7.lnk
[2011/06/18 13:02:00 | 000,001,982 | ---- | C] () -- C:\Documents and Settings\Walt\Desktop\HiJackThis.lnk
[2011/06/17 12:45:22 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Walt\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/06/15 09:34:05 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxebvs.dll
[2011/06/15 09:34:01 | 000,294,912 | ---- | C] () -- C:\WINDOWS\System32\lxebcui.dll
[2011/06/15 09:34:01 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\lxebcuir.dll
[2011/06/15 09:34:01 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\lxebgcfg.dll
[2011/06/15 09:34:01 | 000,065,106 | ---- | C] () -- C:\WINDOWS\System32\lxebprpr.chm
[2011/06/15 09:34:01 | 000,008,694 | ---- | C] () -- C:\WINDOWS\System32\lxebcommuilogo_rtl.bmp
[2011/06/15 09:34:01 | 000,008,694 | ---- | C] () -- C:\WINDOWS\System32\lxebcommuilogo.bmp
[2011/06/15 09:33:38 | 000,000,814 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Launch Lexmark Printer Home.LNK
[2011/06/15 09:33:14 | 000,331,776 | ---- | C] () -- C:\WINDOWS\System32\LXEBinst.dll
[2011/06/15 09:33:14 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\lxebins.dll
[2011/06/15 09:33:14 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\lxebinsb.dll
[2011/06/15 09:33:14 | 000,210,305 | ---- | C] () -- C:\WINDOWS\System32\LexFiles.ulf
[2011/06/15 09:33:14 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxebgrd.dll
[2011/06/15 09:33:14 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\lxebinsr.dll
[2011/06/15 09:33:14 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\lxebcub.dll
[2011/06/15 09:33:14 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\lxebjswr.dll
[2011/06/15 09:33:13 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\lxebcu.dll
[2011/06/15 09:33:13 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\lxebcur.dll
[2011/06/15 09:33:13 | 000,002,110 | ---- | C] () -- C:\WINDOWS\System32\lxeb.loc
[2011/06/14 22:22:49 | 000,017,480 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/06/14 20:17:54 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/05/09 17:04:24 | 000,000,450 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2011/02/24 09:42:49 | 004,426,657 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-924622083-92417848-350737671-1005-0.dat
[2011/02/24 09:42:49 | 000,242,190 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/01/21 11:04:39 | 000,299,008 | ---- | C] () -- C:\WINDOWS\System32\LXEBsm.dll
[2011/01/21 11:04:39 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\LXEBsmr.dll
[2010/11/24 20:06:36 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Walt\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/22 10:47:38 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/11/13 12:51:22 | 000,001,324 | ---- | C] () -- C:\Documents and Settings\Walt\Local Settings\Application Data\d3d9caps.dat
[2010/10/14 03:21:36 | 010,869,520 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/09/23 10:50:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/11/27 18:15:16 | 000,173,049 | ---- | C] () -- C:\WINDOWS\hpwins21.dat
[2009/11/27 18:15:16 | 000,000,428 | ---- | C] () -- C:\WINDOWS\hpwmdl21.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/03/24 14:29:37 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\NPLSecureps.dll
[2009/03/24 14:23:00 | 000,000,184 | ---- | C] () -- C:\WINDOWS\bti.ini
[2009/03/24 14:22:00 | 000,043,760 | ---- | C] () -- C:\WINDOWS\System32\nwlocale.dll
[2009/03/24 14:14:31 | 000,000,651 | ---- | C] () -- C:\WINDOWS\RTIWIN.INI
[2009/03/24 14:08:09 | 000,000,394 | ---- | C] () -- C:\WINDOWS\ASC.INI
[2009/02/06 16:16:37 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD-Start.INI
[2008/06/17 09:37:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\SBFC.dat
[2008/06/16 16:35:52 | 000,000,515 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2008/06/16 16:24:28 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ICOA.INI
[2008/06/16 16:24:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
[2008/06/16 16:24:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QDQICK.ini
[2008/06/16 16:15:54 | 000,000,064 | ---- | C] () -- C:\WINDOWS\QBWCD.INI
[2008/06/16 16:15:53 | 000,007,102 | ---- | C] () -- C:\WINDOWS\Icoadb32.dat
[2008/06/16 14:29:40 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\PROTOCOL.INI
[2008/06/16 13:21:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/06/16 11:52:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/06/16 11:18:37 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Walt\Local Settings\Application Data\fusioncache.dat
[2008/06/11 15:25:05 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/06/11 15:20:46 | 000,000,232 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/06/11 14:58:08 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2008/06/11 14:58:08 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2008/06/11 14:58:08 | 000,972,072 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2008/06/11 14:58:07 | 000,151,367 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2008/06/11 14:58:07 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ATIODE.exe
[2008/06/11 14:58:07 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ATIODCLI.exe
[2008/06/11 14:57:32 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2008/06/11 14:57:07 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2008/06/11 14:55:47 | 000,001,124 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/10/14 17:09:48 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2004/08/11 17:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 17:19:30 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/11 17:12:14 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/11 17:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/11 17:07:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/11 17:06:43 | 000,246,312 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/11 17:00:30 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/11 17:00:28 | 000,525,976 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/11 17:00:28 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/11 17:00:28 | 000,097,884 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/11 17:00:28 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/11 17:00:27 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/11 17:00:26 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/11 17:00:24 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/11 17:00:19 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/11 17:00:19 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/11 17:00:12 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/11 17:00:04 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/05/08 14:21:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/12/08 11:02:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2009/10/29 09:21:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fund Manager
[2010/06/25 12:13:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Gecko Software
[2009/10/30 11:59:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GrebleSoft
[2011/06/14 22:21:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/02/22 17:04:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lexmark Pro200-S500 Series
[2011/06/28 06:18:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2011/06/21 10:17:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Managed Antivirus
[2011/06/21 12:34:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
[2011/06/09 13:14:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCPitstopDat
[2009/06/03 17:56:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2010/06/25 12:25:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TNT-HF
[2011/06/02 13:22:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walt\Application Data\bgaDesktop
[2010/11/13 12:52:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walt\Application Data\FileOpen
[2011/04/01 12:39:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walt\Application Data\Fund Manager
[2011/05/09 17:03:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walt\Application Data\Insurance Technologies
[2010/11/13 12:52:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walt\Application Data\Leadertech
[2011/06/21 10:18:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walt\Application Data\Managed Antivirus
[2010/11/13 12:52:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walt\Application Data\Steele Systems
[2010/11/13 12:52:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walt\Application Data\Techsmith
[2010/11/13 12:52:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walt\Application Data\TurboMeeting
[2010/11/13 12:52:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walt\Application Data\VectorVest, Inc
[2011/06/16 14:01:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walt\Application Data\webex

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %USERPROFILE%\..|smtmp;true;true;true /FP >


< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2010/12/27 18:24:37 | 000,553,696 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2010/12/27 18:24:37 | 000,553,696 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2010/12/27 18:24:37 | 000,553,696 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2010/12/27 18:24:34 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2010/12/27 18:24:34 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2010/12/27 18:24:34 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/04/25 07:00:32 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/04/25 07:00:32 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/04/25 07:00:32 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2011/04/21 05:58:25 | 000,634,648 | ---- | M] (Microsoft Corporation)

< End of report >
============ Extras.txt ============


OTL Extras logfile created on: 6/28/2011 10:06:52 AM - Run 11
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Apps
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.70 Gb Available Physical Memory | 83.02% Memory free
5.09 Gb Paging File | 4.73 Gb Available in Paging File | 93.03% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.02 Gb Total Space | 31.98 Gb Free Space | 21.46% Space Free | Partition Type: NTFS
Drive D: | 149.01 Gb Total Space | 137.55 Gb Free Space | 92.31% Space Free | Partition Type: NTFS
Drive J: | 931.51 Gb Total Space | 812.98 Gb Free Space | 87.28% Space Free | Partition Type: NTFS
Drive K: | 68.23 Gb Total Space | 46.82 Gb Free Space | 68.62% Space Free | Partition Type: NTFS
Drive O: | 931.51 Gb Total Space | 812.98 Gb Free Space | 87.28% Space Free | Partition Type: NTFS
Drive S: | 931.51 Gb Total Space | 812.98 Gb Free Space | 87.28% Space Free | Partition Type: NTFS
Drive T: | 931.51 Gb Total Space | 812.98 Gb Free Space | 87.28% Space Free | Partition Type: NTFS

Computer Name: WALT_DESKTOP | User Name: Walt | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
InternetShortcut [print] -- rundll32.exe %SystemRoot%\System32\Mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"135:TCP" = 135:TCP:LocalSubNet:Enabled:NPLSecure

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)
"D:\FT\FT4WIN\ftwinapp.exe" = D:\FT\FT4WIN\ftwinapp.exe:*:Enabled:FastTrack Communications Software -- (Investors FastTrack)
"C:\Program Files\Xpress Mail\Professional Editon\XpressMailDesktopClient.exe" = C:\Program Files\Xpress Mail\Professional Editon\XpressMailDesktopClient.exe:*:Enabled:XpressMailDesktopClient
"\\bds01\asc\NPL\RTIWIN32.EXE" = \\bds01\asc\NPL\RTIWIN32.EXE:LocalSubNet:Enabled:rtiwin32.exe
"\\bds01\asc\NPL\rtpwin32.exe" = \\bds01\asc\NPL\rtpwin32.exe:LocalSubNet:Enabled:rtpwin32.exe
"C:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE" = C:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE:*:Enabled:Microsoft Office FrontPage
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger -- (Logitech Inc.)
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe" = C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger -- (Logitech Inc.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe" = C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007 -- (Microsoft Corporation)
"\\bds01\asc\NPL\RTIWIN32.EXE" = \\bds01\asc\NPL\RTIWIN32.EXE:*:Disabled:RTIWIN32
"C:\Program Files\Abbyy FineReader 6.0 Sprint\scan\scanman6.exe" = C:\Program Files\Abbyy FineReader 6.0 Sprint\scan\scanman6.exe:*:Enabled:ABBYY FineReader -- (ABBYY (BIT Software))
"C:\WINDOWS\system32\lxebcoms.exe" = C:\WINDOWS\system32\lxebcoms.exe:*:Enabled:Pro200-S500 Series Server -- ( )


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
"{07EF3970-F8E5-4A27-A5A3-230484D35026}" = Microsoft Expression Encoder 4
"{087A66B8-1F0F-4a8d-A649-0CFE276AA7C0}" = WebReg
"{08D605B4-DCD1-451F-ABD7-52E6BB868E4E}" = Microsoft Expression Design 4
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{1C997E1C-5CE9-4AF3-AAA9-DC65E6090827}" = Microsoft Expression Blend SDK for Silverlight 4
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2012098D-EEE9-4769-8DD3-B038050854D4}" = Microsoft Silverlight 3 SDK
"{2474940F-E12A-4BB4-A574-D925573FE9BC}" = WebEx Meeting Manager for Internet Explorer
"{256E7DAC-9BE8-494E-8DE7-7857BF96B774}" = Microsoft Expression Blend 3 SDK
"{26A24AE4-039D-4CA4-87B4-2F83216026FF}" = Java™ 6 Update 26
"{2BD5C305-1B27-4D41-B690-7A61172D2FEB}" = Macromedia Flash 8
"{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}" = Logitech SetPoint
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{32611749-470C-427F-B631-7621B16AA604}" = Track 'n Trade Live
"{34F93E31-E1A0-421C-8E86-BCF7C4193A91}" = LogMeIn
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{39A3DC93-4EE4-40A8-A85E-6188BDABD651}" = Pervasive.SQL V8 Client (v8.6)
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = Logitech Registration
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4761EB82-E8BD-45A4-B19B-586FA9D1D7E6}" = Camtasia Studio 6
"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C6D5779-A766-45DF-9938-D6F595A66F2B}" = Microsoft Expression Blend 4
"{4CAB57E8-3B9A-4E2D-80FE-D7846BEDCF5F}" = Track 'n Trade Live
"{542C0F0B-FBDF-45d9-AF8A-345C1A9B5AE3}" = 8000A809
"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
"{56918C0C-0D87-4CA6-92BF-4975A43AC719}" = KhalInstallWrapper
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5C47C8B6-77FF-4FC7-A388-66FCF9CFC24C}" = Snagit 9.1.3
"{5EE6E987-1B79-4A93-832B-27472C7D1579}" = WPF Toolkit February 2010 (Version 3.5.50211.1)
"{5F8D931D-B230-47F3-A9C0-0C8CA459A332}" = Microsoft Expression Web 4
"{65F9D1CB-4B9E-82E4-4D2D-B01C53395B9A}" = SureLC Desktop
"{666A81D6-8826-47FA-AF88-67B880A362DB}" = VIPRE Antivirus
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{671B4BAD-D681-4d29-9498-D8BF3F1A389D}" = BPDSoftware
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A3F98BA-338E-49a1-9D79-D786A83E6621}" = HP Officejet Pro 8000 A809 Series
"{6E4EE9B5-F69D-4455-B430-40FA5F0DC988}" = ProductContext
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7370C0A9-327E-4A56-A611-EE9D69AA75C0}" = VectorVest 7
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.0
"{7780C740-C674-11D2-A431-0040C77908EF}" = STEELE Mutual Fund Expert
"{7BB40A22-8D98-43F9-A08A-E7EFF5AB1324}" = Camtasia Studio 5
"{7F831576-6246-42C7-B523-55B3F96509CC}" = LogMeIn
"{7F94FB03-6617-4442-9817-CDDB36EAE529}" = 8000A809_eDocs
"{801B0DA3-A3FF-46CC-B97F-D76D510AF5AE}" = Microsoft Silverlight 4 SDK
"{86BC184E-CFCD-48D5-829A-666A36C6ACC9}" = 8000A809_Help
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{87841AF8-C785-42FF-A76E-CC0F0C2816CC}" = ATI Catalyst Control Center
"{87A9A9A9-FAB7-4224-9328-0FA2058C0FD5}" = Network
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}" = Macromedia Flash 8 Video Encoder
"{8C8556D0-D07C-11D4-92A3-0040055A8106}" = NPL
"{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}" = CDDRV_Installer
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95F9D960-C571-11D0-90F0-00001B1EFBA8}" = QuickBooks Pro 2001
"{9876EC91-D77E-4EDD-8885-6DAA560C1C0E}" = FastTrack Communications
"{9B3A1C97-A361-463E-8817-444F9F88CDFE}" = Microsoft Expression Blend SDK for .NET 4
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A06FE62B-CEBC-4E94-AED8-92DCC33BC8EA}" = Microsoft Expression Studio 4
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6B82920-25DD-41B5-A680-5B6FB65BA6D9}" = VectorVest U.S.
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC13BA3A-336B-45a4-B3FE-2D3058A7B533}" = Toolbox
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AFB69549-3AAE-4433-A99B-673B8A513379}" = BPDSoftware_Ini
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B10A30CF-CCFF-4056-9ABC-F8D42BDF141F}" = myPrintMileage (Officejet Pro 8000 A809)
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BE66348A-E83F-4982-941F-DFF2F742B851}" = Microsoft Office Live Meeting 2007
"{BF127B80-CFD5-4379-9752-E8AF1A5D0141}" = Microsoft Expression Encoder 4 Screen Capture Codec
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}" = VIPRE Antivirus
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}" = Microsoft .NET Framework 4 Multi-Targeting Pack
"{D12CD09C-BFEE-4B6F-A7F7-054AEA2E369C}" = Network Recording Player
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web
"{EE532913-7C50-40CF-A1FB-07BC11CD5E47}" = Ohio National Product Illustrations
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"ActiveTouchMeetingClient" = WebEx
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.1.0 Professional
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATI Display Driver" = ATI Display Driver
"bgaDesktop" = SureLC Desktop
"Blend_4.0.20525.0" = Microsoft Expression Blend 4
"C333CF5AF8E48DB2BA7D6C7D7C5BC69A5C8CF7BF" = Windows Driver Package - Intel (e1express) Net (12/04/2008 9.12.36.0)
"CodeStuff Starter" = CodeStuff Starter
"Design_7.0.20516.0" = Microsoft Expression Design 4
"Encoder_4.0.1639.0" = Microsoft Expression Encoder 4
"ESET Online Scanner" = ESET Online Scanner v3
"ExpressionStudio_4.0.20525.0" = Microsoft Expression Studio 4
"Fund Manager" = Fund Manager
"FXOrder2Go" = FXOrder2Go
"ie7" = Windows Internet Explorer 7
"ImgBurn" = ImgBurn
"Lexmark Pro200-S500 Series" = Lexmark Pro200-S500 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"ST6UNST #1" = ASC Components
"thinkorswim" = thinkorswim
"thinkpipes" = thinkpipes
"TurboMeeting" = TurboMeeting
"VLC media player" = VLC media player 0.9.6
"Web_4.0.1165.0" = Microsoft Expression Web 4
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"e198fe59e6db0240" = Allianz ForeSight Console 5.1.6.48
"GoToMeeting" = GoToMeeting 4.5.0.457

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/21/2011 4:54:25 PM | Computer Name = WALT_DESKTOP | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\689b9.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 6/21/2011 4:59:27 PM | Computer Name = WALT_DESKTOP | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\689b9.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 6/21/2011 5:03:15 PM | Computer Name = WALT_DESKTOP | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\689b9.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 6/21/2011 5:03:16 PM | Computer Name = WALT_DESKTOP | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\689b9.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 6/21/2011 5:08:16 PM | Computer Name = WALT_DESKTOP | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\689b9.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 6/21/2011 5:13:16 PM | Computer Name = WALT_DESKTOP | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\689b9.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 6/21/2011 5:18:17 PM | Computer Name = WALT_DESKTOP | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\689b9.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 6/21/2011 5:23:46 PM | Computer Name = WALT_DESKTOP | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\689b9.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 6/21/2011 5:28:50 PM | Computer Name = WALT_DESKTOP | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\689b9.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 6/23/2011 9:43:19 AM | Computer Name = WALT_DESKTOP | Source = .NET Runtime Optimization Service | ID = 1103
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Tried to start a service that wasn't the latest version of CLR Optimization service.
Will shutdown

[ System Events ]
Error - 6/26/2011 1:47:39 PM | Computer Name = WALT_DESKTOP | Source = Service Control Manager | ID = 7034
Description = The VIPRE Antivirus service terminated unexpectedly. It has done
this 1 time(s).

Error - 6/26/2011 1:47:39 PM | Computer Name = WALT_DESKTOP | Source = Service Control Manager | ID = 7034
Description = The SB Recovery Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 6/27/2011 10:37:30 AM | Computer Name = WALT_DESKTOP | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxebCATSCustConnectService
service to connect.

Error - 6/27/2011 10:37:30 AM | Computer Name = WALT_DESKTOP | Source = Service Control Manager | ID = 7000
Description = The lxebCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 6/27/2011 11:19:12 AM | Computer Name = WALT_DESKTOP | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxebCATSCustConnectService
service to connect.

Error - 6/27/2011 11:19:12 AM | Computer Name = WALT_DESKTOP | Source = Service Control Manager | ID = 7000
Description = The lxebCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 6/27/2011 9:37:22 PM | Computer Name = WALT_DESKTOP | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxebCATSCustConnectService
service to connect.

Error - 6/27/2011 9:37:22 PM | Computer Name = WALT_DESKTOP | Source = Service Control Manager | ID = 7000
Description = The lxebCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 6/28/2011 7:24:56 AM | Computer Name = WALT_DESKTOP | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxebCATSCustConnectService
service to connect.

Error - 6/28/2011 7:24:56 AM | Computer Name = WALT_DESKTOP | Source = Service Control Manager | ID = 7000
Description = The lxebCATSCustConnectService service failed to start due to the
following error: %%1053


< End of report >




============ Step two ============


============ ark.txt ============


GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-28 15:10:36
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3320620AS rev.3.ADJ
Running: gmer.exe; Driver: C:\DOCUME~1\Walt\LOCALS~1\Temp\pwlyypob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xAD75C4D0]
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xAD75C520]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAD138620]

Code \??\C:\DOCUME~1\Walt\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\Walt\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A9626D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----




============ Step three ============


Extras.txt - already posted in Step One above.

#21
tc.bd.walt (Member, Topic Starter, 13 posts)
============ VirSCAN Check ============


============ VirSCAN Report for NewShortcut11_EE5329137C5040CFA1FB07BC11CD5E47.exe ============

VirSCAN.org Scanned Report :
Scanned time : 2011/06/29 12:08:45 (CST)
Scanner results: Scanners did not find malware!
File Name : NewShortcut11_EE5329137C5040CFA1FB07BC11CD5E47.exe
File Size : 40960 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 28cbbc2be227cb5f2e18d783da179157
SHA1 : d5a5ffa0d0b2554219a3c69dadf77359e944f0b5
Online report : http://file.virscan....5d3294720d.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.2 20110629040730 2011-06-29 4.66 -
AhnLab V3 2011.06.29.00 2011.06.29 2011-06-29 24.29 -
AntiVir 8.2.5.24 7.11.10.142 2011-06-29 0.27 -
Antiy 2.0.18 20110205.7694535 2011-02-05 0.02 -
Arcavir 2011 201105080215 2011-05-08 0.04 -
Authentium 5.1.1 201106281013 2011-06-28 1.49 -
AVAST! 4.7.4 110628-1 2011-06-28 0.01 -
AVG 8.5.850 271.1.1/3732 2011-06-29 0.26 -
BitDefender 7.90123.8403362 7.38084 2011-06-29 4.18 -
ClamAV 0.96.5 13244 2011-06-28 0.03 -
Comodo 4.0 9216 2011-06-28 1.59 -
CP Secure 1.3.0.5 2011.06.28 2011-06-28 0.05 -
Dr.Web 5.0.2.3300 2011.06.29 2011-06-29 13.15 -
F-Prot 4.4.4.56 20110628 2011-06-28 1.47 -
F-Secure 7.02.73807 2011.06.28.05 2011-06-28 0.28 -
Fortinet 4.2.257 13.375 2011-06-28 11.04 -
GData 22.753/22.191 20110629 2011-06-29 10.26 -
ViRobot 20110628 2011.06.28 2011-06-28 0.38 -
Ikarus T3.1.32.20.0 2011.06.29.78698 2011-06-29 4.72 -
JiangMin 13.0.900 2011.06.28 2011-06-28 2.59 -
Kaspersky 5.5.10 2011.06.29 2011-06-29 0.18 -
KingSoft 2009.2.5.15 2011.6.28.18 2011-06-28 9.04 -
McAfee 5400.1158 6391 2011-06-28 9.27 -
Microsoft 1.7000 2011.06.28 2011-06-28 3.78 -
NOD32 3.0.21 6248 2011-06-28 0.02 -
Norman 6.07.10 6.07.00 2011-06-28 14.02 -
Panda 9.05.01 2011.06.28 2011-06-28 3.69 -
Trend Micro 9.200-1012 8.256.01 2011-06-28 0.06 -
Quick Heal 11.00 2011.06.28 2011-06-28 4.12 -
Rising 20.0 23.64.01.03 2011-06-28 2.27 -
Sophos 3.20.2 4.66 2011-06-29 3.68 -
Sunbelt 3.9.2496.2 9723 2011-06-28 0.92 -
Symantec 1.3.0.24 20110628.002 2011-06-28 0.05 -
nProtect 20110601.01 3460661 2011-06-01 8.27 -
The Hacker 6.7.0.1 v00244 2011-06-28 0.46 -
VBA32 3.12.16.3 20110628.0459 2011-06-28 4.50 -
VirusBuster 5.3.0.4 14.0.100.0/54834332011-06-28 0.00 -



============ VirSCAN Report for NewShortcut11_EE5329137C5040CFA1FB07BC11CD5E47.exe ============


VirSCAN.org Scanned Report :
Scanned time : 2011/06/29 12:19:45 (CST)
Scanner results: Scanners did not find malware!
File Name : NewShortcut1_EE5329137C5040CFA1FB07BC11CD5E47.exe
File Size : 40960 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 28cbbc2be227cb5f2e18d783da179157
SHA1 : d5a5ffa0d0b2554219a3c69dadf77359e944f0b5
Online report : http://file.virscan....86b6e2ddfb.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.2 20110629040730 2011-06-29 0.29 -
AhnLab V3 2011.06.29.00 2011.06.29 2011-06-29 1.95 -
AntiVir 8.2.5.24 7.11.10.142 2011-06-29 0.28 -
Antiy 2.0.18 20110205.7694535 2011-02-05 0.02 -
Arcavir 2011 201105080215 2011-05-08 0.03 -
Authentium 5.1.1 201106281013 2011-06-28 1.51 -
AVAST! 4.7.4 110628-1 2011-06-28 0.01 -
AVG 8.5.850 271.1.1/3732 2011-06-29 0.26 -
BitDefender 7.90123.8403362 7.38084 2011-06-29 4.15 -
ClamAV 0.96.5 13244 2011-06-28 0.00 -
Comodo 4.0 9216 2011-06-28 1.35 -
CP Secure 1.3.0.5 2011.06.28 2011-06-28 0.06 -
Dr.Web 5.0.2.3300 2011.06.29 2011-06-29 13.67 -
F-Prot 4.4.4.56 20110628 2011-06-28 1.46 -
F-Secure 7.02.73807 2011.06.28.05 2011-06-28 13.07 -
Fortinet 4.2.257 13.375 2011-06-28 0.22 -
GData 22.753/22.191 20110629 2011-06-29 7.88 -
ViRobot 20110628 2011.06.28 2011-06-28 0.39 -
Ikarus T3.1.32.20.0 2011.06.29.78698 2011-06-29 4.74 -
JiangMin 13.0.900 2011.06.28 2011-06-28 1.55 -
Kaspersky 5.5.10 2011.06.29 2011-06-29 0.17 -
KingSoft 2009.2.5.15 2011.6.29.9 2011-06-29 0.77 -
McAfee 5400.1158 6391 2011-06-28 9.52 -
Microsoft 1.7000 2011.06.28 2011-06-28 3.34 -
NOD32 3.0.21 6248 2011-06-28 0.02 -
Norman 6.07.10 6.07.00 2011-06-28 14.01 -
Panda 9.05.01 2011.06.28 2011-06-28 6.51 -
Trend Micro 9.200-1012 8.256.01 2011-06-28 0.05 -
Quick Heal 11.00 2011.06.28 2011-06-28 1.05 -
Rising 20.0 23.64.01.03 2011-06-28 2.28 -
Sophos 3.20.2 4.66 2011-06-29 3.70 -
Sunbelt 3.9.2496.2 9723 2011-06-28 0.96 -
Symantec 1.3.0.24 20110628.002 2011-06-28 0.06 -
nProtect 20110601.01 3460661 2011-06-01 6.27 -
The Hacker 6.7.0.1 v00244 2011-06-28 0.56 -
VBA32 3.12.16.3 20110628.0459 2011-06-28 4.51 -
VirusBuster 5.3.0.4 14.0.100.0/54834332011-06-28 0.00 -




============ Step one ============



============ MBAM Log ============

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6973

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/28/2011 11:31:49 PM
mbam-log-2011-06-28 (23-31-49).txt

Scan type: Quick scan
Objects scanned: 214276
Time elapsed: 1 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



============ Step two ============


============ ESET Log ============


C:\Program Files\Trend Micro\HiJackThis\backups\backup-20110621-155725-552.dll a variant of Win32/Kryptik.OKQ trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1198\A0106226.exe a variant of Win32/Kryptik.PGS trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1198\A0106244.exe a variant of Win32/Kryptik.PGS trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1198\A0106245.exe a variant of Win32/Kryptik.PGS trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1204\A0107985.sys Win32/Olmasco.E trojan
C:\WINDOWS\system32\kbdycl32.dll a variant of Win32/Kryptik.OKQ trojan

#22
Aaron (Expert, 3,155 posts)
Follow these steps to uninstall Combofix:
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself
Hi, your logs look clean :)

I'm happy I could help. I'm giving you some tips about preventing new infections and how to increase your computer's speed.
Let's first remove all system restore points (because they may still contain malware) and create a new restore point. To do this:

  • Open OTL
  • Under the Custom Scans/Fixes box at the bottom, paste the following:

    :Commands
    [clearallrestorepoints]
  • Click the Run Fix button at the top
  • It might ask you to reboot, if so click YES
Now we can cleanup the tools we used:
  • Open OTL to run it.
  • Click on the CleanUp button.
  • Click Yes to begin the cleanup process and remove tools, including this application.
  • You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes.
  • Note: if there are still some files left then you may delete them manually
============ 1. Cleaning your temporary files ============

We've already cleaned your temporary files when we removed the malware on your computer, but you could do this step once a month to keep your computer clean and faster. It will also greatly decrease the time a program like e.g. MBAM needs to scan for malware

Download TFC by OldTimer to your desktop
  • Please right-click TFC.exe and choose Run As Administrator.
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
You can find more information about TFC here.
Another great program you could use instead is CCleaner; it's best to download and install CCleaner Slim, which does not contain the Yahoo! Toolbar.

============ 2. Updating your programs ============

It is recommended to update all your programs, as this will result in a faster working computer and optimal protection. I highly recommend you update most programs at least once a month!

  • It is very important to update Windows as this will make your computer a lot safer, more stable and maybe even faster. Every XP user should have Service Pack 3 & every Vista user should have Service Pack 2.
    For XP users: You can start it by clicking Start -> All programs -> Windows Update or go to this site.

    For Vista/Windows 7 users: Go to Control Panel and select System and Maintenance, then select Windows Update and install every update.
  • It is also very important to update Java! Older versions have vulnerabilities that malware can use to infect your system (like when playing a browser game or even by visiting certain sites). Please follow these steps to remove older versions of Java and to install the newest one available.
    • Download the latest version of Java SE Runtime Environment (JRE) here.
    • Please go to Start -> Control Panel -> Add/Remove Programs and remove all old versions like Java™ 6 Update *version*. The following versions of Java could also be installed, uninstall these too: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE and J2SE.
    • Reboot your computer once all Java components are removed.
    • If you are experiencing problems while removing Java then you can try JavaRa to remove all leftovers.
    • Then from your desktop double-click on the download to install the newest version.
  • It is also important to update Adobe Reader. Please go to Start > Control Panel > Add/Remove Programs and remove Adobe Reader. Then download and install the latest version here.
  • Secunia and the Filehippo Update Checker are two programs which can help you update your programs. These will notify you when an update is found and suggest you a download link.
============ 3. How to prevent a new infection ============

I will list some programs here to secure your computer. At first look this could seem like security overkill, but it isn't. Most programs aren't active so they won't slow down your computer at all. Only your antivirus, firewall, WinPatrol and Autorun Eater are active. These last two use almost no system resources, so your computer won't slow down a bit. All these programs are also free or have a free version.

  • First of all you need a good antivirus. Only install one antivirus program at a time because they can conflict! A few good antiviruses to buy are Avira, Kaspersky, Avast and Norton (there are other good ones too). See for yourself: you can find test reports once a month at AV-Comparatives.org.
    If you want a free antivirus then I recommend you ONE of these:

    ! McAfee and Norton are known for their inability to uninstall themselves correctly, so after you uninstall them then run the corresponding uninstaller before trying to install a new anti-virus!
    McAfee Uninstaller
    Norton Uninstaller
  • Spywareblaster protects against bad ActiveX; it immunizes your PC against them. For more information see the TUTORIAL
  • MVPS Hosts file: this hosts file should replace your current hosts file. When done, a lot of 'bad' sites will be blocked so you can't access them and you won't be infected. For more information see the TUTORIAL
  • A firewall is important to prevent malware connecting to the internet (for sending personal information or to copy itself to other computers) and blocking unauthorised access to your computer; however, this can only come in handy for -very- experienced users. The Windows firewall is fine for most users, but it doesn't allow you to monitor outgoing connections. A tutorial on understanding and using firewalls may be found here. If you want a third-party firewall then I recommend you ONE of these too:

  • I recommend you to install WinPatrol. It's a small program that will sit in your systray and warn you if something like malware tries to make changes to your system.
  • If you use USB drives a lot then you might want to install Autorun Eater. This is a small program which will stay resident and prevent an infected USB device from infecting your PC. This is the ONLY secure way to use USB drives that aren't yours! For more information see the FAQ
  • Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. It therefore greatly increases your security! Anything done in the 'Sandbox' can easily be undone; for more information see the Help & FAQ
  • Have a look at OpenDNS.
  • If you have a router, log on to it today and change the password from the default. If you don't know how, get the make and model from the router then google for the router maker's site. Almost all router makers have very clear instructions for each router they make. This will prevent DNS hijacking.
  • For safest browsing use a login which does not have admin rights. Any login (especially those with admin rights) should have a password, and it should be something you can remember but which a random hacker can't guess.
    How to create User Accounts XP
    How to create User Accounts Video - Windows 7 (& Vista)
============ 4. Detecting and deleting infections ============

Unfortunately some malware will always be able to get through our very good prevention, however this is very rare. To check your system for malware or to remove it I recommend you scan monthly with these three programs:

Always update these programs before you start scanning, this is very important!!
If you are happy with MBAM or SuperAntiSpyware then you might consider buying a license. A license isn't expensive at all and they are valid forever, so no need to buy a new one every year. With a license you have real-time protection (besides your antivirus software) which will prevent a lot of malware before it gets on your computer! I strongly recommend you try a free trial to test each program and make up your own mind which one suits you best. BUT, do not buy a license for both. If you have these two programs running at the same time, then they may conflict.

============ 5. What browser should I use and how do I surf the internet safely? ============

There are a lot of browsers you can use. Some are more secure, faster, have better compatibility with most sites and some are more customizable than others, but they all have their strong and weak points.

Internet Explorer is installed on almost every Windows computer. It is the slowest browser of all browsers listed here and it's targeted most by malware. However Internet Explorer has very high compatibility with most sites, it is a browser that most people use and there is good support from Microsoft.

How to make Internet Explorer more secure ?
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
Firefox is a very good open source browser. It's the second most used browser, it has high compatibility with most sites and it's highly customizable. It is my personal favourite. Firefox is also targeted a lot by malware and it's not the fastest one; it has a slow startup. If you use Firefox then I recommend these add-ons:

  • Adblock Plus will block almost all ads on the internet.
  • WOT this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling!
  • NoScript provides extra protection to your Firefox (for more experienced users). It really makes Firefox safer!
    It allows JavaScript, Java and other executable content to run only from trusted domains of your choice, e.g. your home-banking web site, guarding your "trust boundaries" against cross-site scripting attacks (XSS) and Clickjacking attempts.
  • Vacuum Places Improved defragments your Firefox "Places" database (history/bookmarks)
    This greatly reduces the lag while typing in the address bar and the start-up time.
    This extension features configurable automatic cleaning, periodic reminder, and internationalization.
  • SpeedyFox another good tool that also boosts Firefox.
See here for a list of popular extensions, I'm sure it will improve your browser experience!

Opera is a good looking and very fast browser that has a lot of features other browsers don't have and it also isn't really targeted by malware. Not as customizable as Firefox and you can have some compatibility problems. Some features are: Mouse gestures, Opera Link, Opera Mail, Opera Turbo, Widgets, Speed Dial, Opera Unite... See here for more information.

Google Chrome is a relatively new browser that is getting popular very fast. It is made by Google, it's the fastest browser of all and it's also easy looking. It also has support for add-ons like Firefox, but not as many as Firefox:

  • Adblock will block almost all ads on the internet.
  • WOT this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling!
See here for a list of popular extensions, I'm sure it will improve your browser experience!

============ 6. A few tips ============

  • Remove trial software and programs that you don't use any more; it will free disk space and can speed up your computer.
  • Make sure your hard drive is defragmented, this will also increase your computers' speed.

    • Windows XP users: have a look here
    • Windows Vista & 7 users: Windows normally defragments automatically so you don't need to do anything. If you want to do it yourself then you can find information here
      I strongly recommend you to let Windows automatically defragment your drive once a month - not more, not less. You can check this option if you open Disk Defragmenter.
  • Make sure you always have backups! If anything goes wrong, you will always have your most precious data stored safe.
  • Open WinPatrol (see 3. How to prevent a new infection) and go to the Startup Programs tab. Make sure 'Display Secret Startup Locations (Advanced mode)' is UNCHECKED. Then disable (not remove) all programs except for your security programs or set some programs on the Delayed Start.
    This will greatly improve your computers' speed!
  • Think twice before downloading things like attachments, torrents, cracks, keygens, codecs and using P2P programs. Also watch out what sites you visit: particularly +18 sites and sites where you can download illegal or cracked software.
  • Do not use the following software, or be very, very careful: registry cleaners, driver updating software, codecs (for music or movies) and Windows Transformation Packs. These often contain malware and even if they are malware free they can still do severe damage to your system!
  • Also see the general Preventing Malware and Safe Computing guide, made by one of my excellent former teachers.
Happy surfing again ! :unsure:

#23
tc.bd.walt (Member, Topic Starter, 13 posts)
Thanks so much for all your help.

I don't mean to second guess you, but are we sure that the file 'C:\WINDOWS\System32\kbdycl32.dll' is not a problem?

I know we scanned it once before, but I went and scanned it again with VirSCAN.org and this time the report shows twice as many AV programs believing it to be an infection. The first time we scanned it on the 25th, only 4 products reported something, this time 8 products reported it as a virus/trojan, and one more as a "probably."

I am posting the log here:



VirSCAN.org Scanned Report :
Scanned time : 2011/06/29 20:06:22 (CST)
Scanner results: 24% Scanner(s) (9/37) found malware!
File Name : kbdycl32.dll
File Size : 169472 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 5d3a3feea8bb595a109a2a4de91eccc4
SHA1 : 8c70e827045addb67e16c22c5510816ec58a4dbc
Online report : http://file.virscan....377a2b08fd.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.2 20110629040730 2011-06-29 0.34 Gen.Variant.Kazy!IK
AhnLab V3 2011.06.29.02 2011.06.29 2011-06-29 10.51 -
AntiVir 8.2.5.24 7.11.10.145 2011-06-29 0.28 TR/Kazy.27226.3
Antiy 2.0.18 20110205.7694535 2011-02-05 0.02 -
Arcavir 2011 201105080215 2011-05-08 0.06 -
Authentium 5.1.1 201106281013 2011-06-28 1.50 -
AVAST! 4.7.4 110628-1 2011-06-28 0.02 -
AVG 8.5.850 271.1.1/3733 2011-06-29 0.29 -
BitDefender 7.90123.8404098 7.38089 2011-06-29 4.17 Gen:Variant.Kazy.27226
ClamAV 0.96.5 13248 2011-06-29 0.04 -
Comodo 4.0 9221 2011-06-29 1.49 -
CP Secure 1.3.0.5 2011.06.29 2011-06-29 0.07 -
Dr.Web 5.0.2.3300 2011.06.29 2011-06-29 13.24 -
F-Prot 4.4.4.56 20110628 2011-06-28 1.50 -
F-Secure 7.02.73807 2011.06.29.03 2011-06-29 12.93 -
Fortinet 4.2.257 13.377 2011-06-29 1.87 W32/FakeAV.EBX!tr
GData 22.757/22.192 20110629 2011-06-29 15.45 -
ViRobot 20110628 2011.06.28 2011-06-28 0.38 -
Ikarus T3.1.32.20.0 2011.06.29.78700 2011-06-29 4.58 Gen.Variant.Kazy
JiangMin 13.0.900 2011.06.28 2011-06-28 1.59 -
Kaspersky 5.5.10 2011.06.29 2011-06-29 0.10 -
KingSoft 2009.2.5.15 2011.6.29.18 2011-06-29 0.89 -
McAfee 5400.1158 6391 2011-06-28 9.16 Generic Downloader.x!fzl
Microsoft 1.7000 2011.06.29 2011-06-29 16.55 TrojanDownloader:Win32/Tracur.B
NOD32 3.0.21 6248 2011-06-28 0.01 probably a variant of Win32/TrojanDownloader.Agent.TISMPW trojan
Norman 6.07.10 6.07.00 2011-06-28 16.61 -
Panda 9.05.01 2011.06.28 2011-06-28 4.47 -
Trend Micro 9.200-1012 8.256.08 2011-06-29 0.04 -
Quick Heal 11.00 2011.06.29 2011-06-29 1.12 -
Rising 20.0 23.64.02.03 2011-06-29 2.52 -
Sophos 3.20.2 4.66 2011-06-29 3.67 Troj/FakeAV-EBX
Sunbelt 3.9.2496.2 9723 2011-06-28 1.97 -
Symantec 1.3.0.24 20110628.002 2011-06-28 0.05 -
nProtect 20110601.01 3460661 2011-06-01 6.46 -
The Hacker 6.7.0.1 v00244 2011-06-28 0.53 -
VBA32 3.12.16.3 20110629.0705 2011-06-29 5.55 -
VirusBuster 5.3.0.4 14.0.100.0/54834332011-06-28 0.00 -
  • 0
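The report above is a flattened multi-engine table, and the post's point rests on counting the engines that flagged the file. As an added example (not from the thread or from VirSCAN.org), the parser below reads that layout, lists the engines that reported a detection, and cross-checks the "(hits/total) found malware" summary against the rows actually present, reporting rather than guessing at a row it cannot read, such as the VirusBuster row whose signature version ran into the date in the posted report. The report text inside the block is a constructed excerpt in that layout, not the full report.

```python
import re

# Constructed excerpt laid out like the report quoted above (not the full report).
# The last row keeps the signature version fused to the date, exactly as the
# VirusBuster row appears in the thread, to show how a damaged line is handled.
SAMPLE_REPORT = """\
Scanner results: 50% Scanner(s) (4/8) found malware!
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.2 20110629040730 2011-06-29 0.34 Gen.Variant.Kazy!IK
AhnLab V3 2011.06.29.02 2011.06.29 2011-06-29 10.51 -
AntiVir 8.2.5.24 7.11.10.145 2011-06-29 0.28 TR/Kazy.27226.3
Trend Micro 9.200-1012 8.256.08 2011-06-29 0.04 -
Microsoft 1.7000 2011.06.29 2011-06-29 16.55 TrojanDownloader:Win32/Tracur.B
NOD32 3.0.21 6248 2011-06-28 0.01 probably a variant of Win32/TrojanDownloader.Agent.TISMPW trojan
The Hacker 6.7.0.1 v00244 2011-06-28 0.53 -
VirusBuster 5.3.0.4 14.0.100.0/54834332011-06-28 0.00 -
"""

SUMMARY_RE = re.compile(r"\((\d+)/(\d+)\) found malware")
# Engine names ("Trend Micro") and verdicts ("probably a variant of ...") contain
# spaces, so rows are anchored on the ISO date and the two single-token version
# columns before it; a line that does not fit is reported, never guessed at.
ROW_RE = re.compile(
    r"^(?P<engine>.+?)\s+(?P<ver>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.+)$"
)

def parse_report(text):
    """Return (claimed (hits, total), rows as {engine: verdict}, unparsed lines)."""
    claimed, rows, unparsed = None, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Scanner Engine"):
            continue  # blank line or the column header
        if m := SUMMARY_RE.search(line):
            claimed = (int(m.group(1)), int(m.group(2)))
        elif m := ROW_RE.match(line):
            rows[m["engine"]] = m["result"]  # "-" means reported clean
        else:
            unparsed.append(line)
    return claimed, rows, unparsed

def detections(rows):
    """Engines that flagged the file, mapped to their verdict strings."""
    return {eng: verdict for eng, verdict in rows.items() if verdict != "-"}

def summary_consistent(claimed, rows, unparsed):
    """True when hits/total in the summary line match the table, counting rows
    that could not be parsed as engines whose verdict is unknown."""
    hits, total = claimed
    return hits == len(detections(rows)) and total == len(rows) + len(unparsed)
```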

#24
Aaron

    Expert

  • 3,155 posts
I wasn't sure about that file, but I supposed it was safe:

- As you said, only 4 AVs detected it then.
- It appeared to be from CrypKey, which doesn't seem to be malicious.
- It isn't created at the same time as the infections, so it's probably not part of them.

However, it isn't a system file; if you don't know of installing anything from CrypKey, it won't hurt to delete the file.
You can delete the file with this:

Run OTL again

  • Under the Posted Image box at the bottom, paste in the following

    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\System32\kbdycl32.dll
    
    :Commands
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  • Then click the Posted Image button at the top

  • 0

#25
tc.bd.walt

    Member

  • Topic Starter
  • 13 posts
Thanks so much for all your help! This was driving me nuts and I had all but given up hope. I really appreciate your time and patience in helping me get this resolved.

I didn't get to use it much this afternoon, but from all appearances, it is not having any of the issues that started all this. I will be more confident about our success after working with it tomorrow. If I don't respond again in 24 hours, you can assume it is all good!

Hopefully my small donation will pay it forward in some way allowing you to be able to spend time helping the next guy.

Thanks again.
  • 0

#26
Aaron

    Expert

  • 3,155 posts
You're welcome :unsure:

I will be more confident about our success after working with it tomorrow. If I don't respond again in 24 hours, you can assume it is all good!

OK, I'll leave the topic open.

Hopefully my small donation will pay it forward in some way allowing you to be able to spend time helping the next guy.

That's very kind. Thank you. :)

- Maser00
  • 0

#27
Aaron

    Expert

  • 3,155 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0