System Fix Virus - Please Help. [Solved]



#1 redleader74 (Member, 165 posts)

My laptop has been infected with the System Fix virus. I found another recent thread with the same virus and followed the instructions outlined there. Here is the thread I'm referring to: http://www.geekstogo...ix-virus-vista/

I've gone ahead with the steps in that thread and am posting all the logs generated from those procedures. I'm posting the logs in order:

-Rogue Killer (I ran it twice using option 2 by accident but the logs generated were different, so I'm posting both of them. Of course, I also ran option 6 as instructed)
-OTL
-aswMBR

Here are the logs:

RKreport (1):

RogueKiller V6.1.12 [12/02/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6000 ) 32 bits version
Started in : Normal mode
User: Kwong [Admin rights]
Mode: Remove -- Date : 12/12/2011 02:25:14

¤¤¤ Bad processes: 2 ¤¤¤
[WINDOW : System Fix] HXXFLlL5Vd1gKg.exe -- C:\ProgramData\HXXFLlL5Vd1gKg.exe -> KILLED [TermProc]
[SUSP PATH] KFfVaylJyVw.exe -- C:\ProgramData\KFfVaylJyVw.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 10 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : KFfVaylJyVw.exe (C:\ProgramData\KFfVaylJyVw.exe) -> DELETED
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{14731478-248E-4EB2-9108-8C2C748D6A10} : NameServer (172.18.7.170 172.18.7.170) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{14731478-248E-4EB2-9108-8C2C748D6A10} : NameServer (172.18.7.170 172.18.7.170) -> NOT REMOVED, USE DNSFIX
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Rogue.FakeHDD ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt



RKreport (2):
RogueKiller V6.1.12 [12/02/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6000 ) 32 bits version
Started in : Normal mode
User: Kwong [Admin rights]
Mode: Remove -- Date : 12/12/2011 02:25:43

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{14731478-248E-4EB2-9108-8C2C748D6A10} : NameServer (172.18.7.170 172.18.7.170) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{14731478-248E-4EB2-9108-8C2C748D6A10} : NameServer (172.18.7.170 172.18.7.170) -> NOT REMOVED, USE DNSFIX

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



RKreport (3):

RogueKiller V6.1.12 [12/02/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6000 ) 32 bits version
Started in : Normal mode
User: Kwong [Admin rights]
Mode: Shortcuts HJfix -- Date : 12/12/2011 02:28:28

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 253 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 67 / Fail 0
Start menu: Success 42 / Fail 0
User folder: Success 72382 / Fail 237
My documents: Success 42 / Fail 0
My favorites: Success 221 / Fail 0
My pictures: Success 5 / Fail 0
My music: Success 5306 / Fail 0
My videos: Success 4 / Fail 0
Local drives: Success 3199 / Fail 237
Backup: [FOUND] Success 1 / Fail 0

Drives:
[C:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped

¤¤¤ Infection : Rogue.FakeHDD ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt



OTL (both logs):


OTL logfile created on: 12/12/2011 2:30:10 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Kwong\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.94 Gb Available Physical Memory | 47.28% Memory free
4.20 Gb Paging File | 3.28 Gb Available in Paging File | 78.08% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 285.51 Gb Total Space | 11.50 Gb Free Space | 4.03% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.88 Gb Free Space | 58.78% Space Free | Partition Type: NTFS

Computer Name: KC03 | User Name: Kwong | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/12 02:23:19 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Kwong\Desktop\OTL.exe
PRC - [2011/11/16 03:48:23 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/30 12:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 11:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/06/22 13:22:52 | 000,138,752 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
PRC - [2010/06/14 14:07:14 | 000,615,936 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
PRC - [2010/05/11 10:11:58 | 000,134,144 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
PRC - [2009/10/27 09:15:02 | 000,120,832 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
PRC - [2009/09/04 11:43:40 | 000,795,936 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2009/09/04 11:43:38 | 000,595,232 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
PRC - [2009/04/11 08:01:47 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/07/21 16:15:14 | 000,193,888 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Maxtor\Sync\SyncServices.exe
PRC - [2007/09/20 13:31:10 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEstSrv.exe
PRC - [2007/09/13 13:45:38 | 000,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/09/13 13:44:48 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
PRC - [2007/05/10 01:01:00 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
PRC - [2007/02/12 14:38:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/02/12 14:37:58 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2007/01/04 13:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/16 03:48:23 | 001,989,592 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/06/12 22:04:51 | 006,271,136 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2009/09/04 11:43:54 | 000,132,384 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Nero BackItUp Scheduler 4.0)
SRV - [2011/11/03 12:06:56 | 002,152,152 | ---- | M] (Lavasoft Limited) [Auto | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/11/11 11:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/08/19 18:14:44 | 000,013,160 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe -- (GoToAssist)
SRV - [2010/06/14 14:07:14 | 000,615,936 | ---- | M] (Nokia) [On_Demand | Running] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/09/04 11:43:38 | 000,595,232 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
SRV - [2008/07/21 16:15:14 | 000,193,888 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2007/09/20 13:31:10 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEstSrv.exe -- (AESTFilters)
SRV - [2007/09/13 13:45:38 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
SRV - [2007/02/12 14:38:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/01/04 13:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/11/02 04:34:32 | 000,263,272 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2011/12/12 02:14:10 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7A387FA7-A064-4603-BAD6-71D4647E396D}\MpKslf6d4798d.sys -- (MpKslf6d4798d)
DRV - [2010/10/24 20:25:38 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2010/08/12 04:15:20 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/02/26 13:32:58 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2010/02/26 13:32:46 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2010/02/26 13:32:44 | 000,022,528 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2010/02/26 13:32:44 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2009/02/12 14:11:24 | 000,022,312 | ---- | M] (EldoS Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\rsdrv.sys -- (ElRawDisk)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/09/13 13:46:06 | 000,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/06/14 16:25:00 | 007,110,880 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/05/10 01:01:00 | 000,235,584 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2007/05/03 12:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2007/03/05 18:45:00 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2007/02/25 06:14:00 | 002,216,448 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel®
DRV - [2006/11/15 00:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/14 19:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/14 17:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555



IE - HKU\S-1-5-21-3634781665-3730177948-736442605-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-3634781665-3730177948-736442605-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 2
IE - HKU\S-1-5-21-3634781665-3730177948-736442605-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3634781665-3730177948-736442605-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=937811"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..keyword.URL: "http://search.yahoo....type=937811&p="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.50917.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Musicnotes.com/Musicnotes Viewer,version=1.18.9: C:\Program Files\Musicnotes\npmusicn.dll (Musicnotes, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.633: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.633: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.633: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.633: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@Sibelius.com/Scorch Plugin,version=6.2.0.88: C:\Program Files\Musicnotes\npsibelius.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.1: C:\Users\Kwong\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll ( )

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2010/02/02 22:52:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/02/06 22:42:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\ [2010/09/04 23:42:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/16 03:48:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/14 19:17:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\ [2010/09/04 23:42:47 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/02/06 22:42:04 | 000,000,000 | ---D | M]

[2011/07/11 06:22:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kwong\AppData\Roaming\Mozilla\Extensions
[2011/11/16 03:48:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/07/16 23:40:21 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/11/16 03:48:24 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/04 23:47:57 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/16 03:48:24 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2006/09/18 13:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O3 - HKU\S-1-5-21-3634781665-3730177948-736442605-1000\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter File not found
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\Windows\System32\nvHotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKU\S-1-5-21-3634781665-3730177948-736442605-1000..\Run: [] File not found
O4 - HKU\S-1-5-21-3634781665-3730177948-736442605-1000..\Run: [PC Suite Tray] C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe (Nokia)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3634781665-3730177948-736442605-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3634781665-3730177948-736442605-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe (PlotSoft LLC)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3634781665-3730177948-736442605-1000\..Trusted Domains: bankofamerica.com ([bills] https in Trusted sites)
O15 - HKU\S-1-5-21-3634781665-3730177948-736442605-1000\..Trusted Domains: lorexddns.net ([cpcoakland] https in Trusted sites)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} http://support.dell....r/SysProExe.CAB (WMI Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9A74E90C-0233-4E1F-8EA1-105991C6FA12} http://108.200.50.71/webviewer.cab (RemoteDvr Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmi...inAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.76.182 68.87.78.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{14731478-248E-4EB2-9108-8C2C748D6A10}: NameServer = 172.18.7.170 172.18.7.170
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A6B9967C-5C87-4D8A-AA55-BE9081EADCF0}: DhcpNameServer = 68.87.76.182 68.87.78.134
O18 - Protocol\Handler\cozi {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files\Cozi Express\CoziProtocolHandler.dll (Cozi Group, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\615\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 13:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{12597b50-346b-11de-b8cf-0015c582a394}\Shell - "" = AutoRun
O33 - MountPoints2\{12597b50-346b-11de-b8cf-0015c582a394}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{1bb298a0-830a-11df-8f4a-0015c582a394}\Shell - "" = AutoRun
O33 - MountPoints2\{1bb298a0-830a-11df-8f4a-0015c582a394}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{1ce2ca45-654e-11de-9276-0015c582a394}\Shell - "" = AutoRun
O33 - MountPoints2\{1ce2ca45-654e-11de-9276-0015c582a394}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{4bdcdae0-85b4-11e0-b78e-001d095c2b14}\Shell - "" = AutoRun
O33 - MountPoints2\{4bdcdae0-85b4-11e0-b78e-001d095c2b14}\Shell\AutoRun\command - "" = "G:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{73fda1dc-8311-11e0-b275-001d095c2b14}\Shell\AutoRun\command - "" = F:\Setup.exe
O33 - MountPoints2\{73fda1dc-8311-11e0-b275-001d095c2b14}\Shell\Install\command - "" = F:\Setup.exe
O33 - MountPoints2\{d1730b1d-afcd-11df-bf31-001d095c2b14}\Shell - "" = AutoRun
O33 - MountPoints2\{d1730b1d-afcd-11df-bf31-001d095c2b14}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\{e48cda3e-b8c2-11df-8fb2-000272aac3d7}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\pptview.exe /L "playlist.txt"
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/12/12 02:24:18 | 000,000,000 | ---D | C] -- C:\Users\Kwong\Desktop\RK_Quarantine
[2011/12/12 02:23:33 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Users\Kwong\Desktop\aswMBR.exe
[2011/12/12 02:23:13 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Kwong\Desktop\OTL.exe
[2011/12/12 02:15:28 | 000,000,000 | ---D | C] -- C:\Users\Kwong\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix
[2011/12/12 01:53:36 | 000,000,000 | ---D | C] -- C:\Users\Kwong\AppData\Local\Adobe
[2011/12/06 20:04:36 | 000,000,000 | ---D | C] -- C:\Users\Kwong\Desktop\2010-12 Xmas Presents
[2011/12/06 01:01:15 | 000,000,000 | ---D | C] -- C:\Users\Kwong\Desktop\New Folder
[2011/12/05 21:06:59 | 000,000,000 | ---D | C] -- C:\Users\Kwong\AppData\Local\CutePDF Writer
[2011/11/24 10:29:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft
[2011/11/24 10:29:00 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2011/11/24 10:18:34 | 000,000,000 | ---D | C] -- C:\Users\Kwong\AppData\Local\Apps
[2011/11/24 10:04:32 | 000,000,000 | ---D | C] -- C:\Users\Kwong\AppData\Local\Broadcom
[2011/11/23 18:13:01 | 000,000,000 | ---D | C] -- C:\Users\Kwong\AppData\Local\Apple Computer
[2011/11/20 15:33:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth

========== Files - Modified Within 30 Days ==========

[2011/12/12 02:30:03 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/12 02:28:36 | 000,111,872 | ---- | M] () -- C:\Windows\System32\drivers\TrueSight.sys
[2011/12/12 02:23:44 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Users\Kwong\Desktop\aswMBR.exe
[2011/12/12 02:23:19 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Kwong\Desktop\OTL.exe
[2011/12/12 02:22:07 | 000,754,176 | ---- | M] () -- C:\Users\Kwong\Desktop\RogueKiller.exe
[2011/12/12 02:20:49 | 000,638,696 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/12/12 02:20:49 | 000,111,078 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/12 02:17:51 | 000,000,304 | -H-- | M] () -- C:\ProgramData\~HXXFLlL5Vd1gKg
[2011/12/12 02:17:51 | 000,000,224 | -H-- | M] () -- C:\ProgramData\~HXXFLlL5Vd1gKgr
[2011/12/12 02:15:42 | 000,000,416 | ---- | M] () -- C:\ProgramData\HXXFLlL5Vd1gKg
[2011/12/12 02:15:28 | 000,000,608 | ---- | M] () -- C:\Users\Kwong\Desktop\System Fix.lnk
[2011/12/12 02:15:13 | 000,350,344 | ---- | M] () -- C:\ProgramData\HXXFLlL5Vd1gKg.exe
[2011/12/12 02:14:23 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/12 02:14:15 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/12 02:14:15 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/12 02:14:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/12 02:13:10 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011/12/12 02:05:51 | 000,000,064 | ---- | M] () -- C:\Windows\System32\rp_stats.dat
[2011/12/12 02:05:51 | 000,000,044 | ---- | M] () -- C:\Windows\System32\rp_rules.dat
[2011/12/12 02:03:14 | 000,000,506 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2011/12/12 01:53:43 | 000,441,992 | ---- | M] () -- C:\ProgramData\KFfVaylJyVw.exe
[2011/12/09 23:48:33 | 000,014,336 | -H-- | M] () -- C:\Users\Kwong\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/12/09 23:25:12 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
[2011/12/05 23:37:49 | 000,094,061 | ---- | M] () -- C:\Users\Kwong\Desktop\2011-12-05 Handbell Glove Order.pdf
[2011/12/05 20:05:41 | 000,027,136 | ---- | M] () -- C:\Users\Kwong\Desktop\Your credit card statement is available online.msg
[2011/11/27 18:00:00 | 000,000,442 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Registration.job
[2011/11/24 10:29:12 | 000,000,944 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2011/11/21 19:14:58 | 000,000,564 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job

========== Files Created - No Company Name ==========

[2011/12/12 02:26:59 | 000,000,944 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2011/12/12 02:24:27 | 000,111,872 | ---- | C] () -- C:\Windows\System32\drivers\TrueSight.sys
[2011/12/12 02:21:25 | 000,754,176 | ---- | C] () -- C:\Users\Kwong\Desktop\RogueKiller.exe
[2011/12/12 02:17:51 | 000,000,304 | -H-- | C] () -- C:\ProgramData\~HXXFLlL5Vd1gKg
[2011/12/12 02:17:51 | 000,000,224 | -H-- | C] () -- C:\ProgramData\~HXXFLlL5Vd1gKgr
[2011/12/12 02:15:28 | 000,000,608 | ---- | C] () -- C:\Users\Kwong\Desktop\System Fix.lnk
[2011/12/12 02:15:24 | 000,000,416 | ---- | C] () -- C:\ProgramData\HXXFLlL5Vd1gKg
[2011/12/12 02:15:12 | 000,350,344 | ---- | C] () -- C:\ProgramData\HXXFLlL5Vd1gKg.exe
[2011/12/12 01:56:46 | 000,441,992 | ---- | C] () -- C:\ProgramData\KFfVaylJyVw.exe
[2011/12/09 23:25:12 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
[2011/12/05 23:38:07 | 000,094,061 | ---- | C] () -- C:\Users\Kwong\Desktop\2011-12-05 Handbell Glove Order.pdf
[2011/12/05 20:05:41 | 000,027,136 | ---- | C] () -- C:\Users\Kwong\Desktop\Your credit card statement is available online.msg
[2011/11/26 23:11:24 | 000,014,336 | -H-- | C] () -- C:\Users\Kwong\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/02 23:32:58 | 000,045,056 | ---- | C] () -- C:\Windows\System32\uninst.exe
[2011/09/02 23:32:58 | 000,000,000 | ---- | C] () -- C:\Windows\dvr2.ini
[2011/06/03 21:48:06 | 000,000,208 | -H-- | C] () -- C:\ProgramData\RmUserCfg.ini
[2011/06/03 21:48:06 | 000,000,031 | ---- | C] () -- C:\ProgramData\IpAndPort.fig
[2011/05/21 14:00:56 | 000,001,504 | --S- | C] () -- C:\Users\Kwong\AppData\Local\w7tkmxsa7y27k2i4k25v0l
[2011/05/21 14:00:56 | 000,001,504 | --S- | C] () -- C:\ProgramData\w7tkmxsa7y27k2i4k25v0l
[2011/04/21 18:01:56 | 000,000,023 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2011/03/05 21:33:34 | 000,048,128 | ---- | C] () -- C:\Windows\System32\HiDvrOcxCHT.dll
[2011/03/05 21:33:34 | 000,048,128 | ---- | C] () -- C:\Windows\System32\HiDvrOcxCHS.dll
[2010/08/26 02:33:26 | 000,000,005 | ---- | C] () -- C:\Windows\System32\SySAVI2WMV.dat
[2010/08/26 02:33:01 | 000,237,568 | ---- | C] () -- C:\Windows\System32\lame_enc.dll
[2010/08/19 18:40:27 | 000,000,146 | ---- | C] () -- C:\Windows\WININIT.INI
[2010/05/21 04:03:21 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2010/04/28 22:32:28 | 000,000,258 | R-S- | C] () -- C:\ProgramData\ntuser.pol
[2010/02/06 22:41:40 | 000,023,112 | ---- | C] () -- C:\Windows\hpqins15.dat
[2009/12/25 13:47:42 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
[2009/12/25 13:47:42 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
[2009/12/19 09:33:28 | 000,077,351 | ---- | C] () -- C:\Windows\hpqins05.dat
[2009/08/04 19:27:51 | 000,000,163 | ---- | C] () -- C:\Users\Kwong\AppData\Roaming\default.rss
[2009/08/04 09:03:30 | 000,000,039 | ---- | C] () -- C:\Windows\Irremote.ini
[2009/05/23 04:29:56 | 000,116,841 | ---- | C] () -- C:\Windows\hpqins00.dat
[2009/04/10 14:07:44 | 000,259,072 | ---- | C] () -- C:\Windows\VFIND.exe
[2009/04/10 14:07:44 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2009/04/10 14:07:44 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2009/04/10 14:07:44 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2009/03/22 23:05:21 | 000,179,909 | ---- | C] () -- C:\Windows\hpwins14.dat
[2009/03/22 23:05:21 | 000,001,108 | ---- | C] () -- C:\Windows\hpwmdl14.dat
[2009/03/10 11:03:36 | 000,087,552 | ---- | C] () -- C:\Windows\System32\cpwmon2k.dll
[2009/03/09 13:44:17 | 000,012,858 | ---- | C] () -- C:\Windows\hpwscr14.dat
[2009/03/08 15:41:40 | 000,077,824 | ---- | C] () -- C:\Windows\System32\adistres.dll
[2009/03/06 21:22:35 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/03/06 21:22:34 | 000,000,063 | ---- | C] () -- C:\Windows\mdm.ini
[2009/03/06 21:22:26 | 000,000,000 | ---- | C] () -- C:\Windows\NSREX.INI
[2009/03/05 18:57:38 | 000,174,171 | ---- | C] () -- C:\Users\Kwong\AppData\Roaming\nvModes.001
[2009/03/05 18:57:37 | 000,174,171 | ---- | C] () -- C:\Users\Kwong\AppData\Roaming\nvModes.dat
[2009/03/05 18:41:08 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2009/03/05 18:12:02 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2007/02/21 11:26:58 | 000,995,328 | ---- | C] () -- C:\Windows\System32\WLIHVUI.dll
[2006/11/02 04:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 04:47:37 | 000,344,520 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 04:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:33:01 | 000,638,696 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 02:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 02:33:01 | 000,111,078 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 02:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 02:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 00:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 00:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/01 23:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/01 23:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/01 23:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/01 23:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

========== LOP Check ==========

[2010/08/01 07:47:37 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\7E55410E11ED098331C6E564EEB2EA4C
[2009/03/11 20:35:46 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\acccore
[2011/06/22 22:48:37 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\AnvSoft
[2011/07/07 19:09:26 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\Any Audio Converter
[2011/07/17 23:30:59 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\Downloadr
[2011/08/24 23:57:14 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\Dropbox
[2009/04/29 19:57:18 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\ESRI
[2010/02/21 21:32:01 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\Facebook
[2011/08/15 21:24:40 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\GARMIN
[2009/03/08 15:40:10 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\InterTrust
[2011/04/14 18:49:54 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\Leadertech
[2011/04/14 18:55:27 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\Memeo
[2010/09/16 21:13:06 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\Nokia
[2010/06/23 23:33:57 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\PC Suite
[2011/03/05 08:42:18 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\PCDr
[2011/07/14 08:14:17 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\The Journal
[2011/04/21 18:26:55 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\ThumbsPlus
[2011/04/11 23:08:25 | 000,000,000 | ---D | M] -- C:\Users\Kwong\AppData\Roaming\tmp
[2010/05/27 22:58:26 | 000,000,000 | ---D | M] -- C:\Users\TEMP\AppData\Roaming\PC Suite
[2010/05/27 23:12:51 | 000,000,000 | ---D | M] -- C:\Users\Visitor\AppData\Roaming\Nokia
[2010/06/29 13:49:39 | 000,000,000 | ---D | M] -- C:\Users\Visitor\AppData\Roaming\PC Suite
[2010/07/17 08:54:26 | 000,000,000 | ---D | M] -- C:\Users\Visitor\AppData\Roaming\ThumbsPlus
[2011/11/27 18:00:00 | 000,000,442 | ---- | M] () -- C:\Windows\Tasks\ParetoLogic Registration.job
[2011/11/21 19:14:58 | 000,000,564 | ---- | M] () -- C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
[2011/12/12 02:13:11 | 000,032,610 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/12/12 02:03:14 | 000,000,506 | ---- | M] () -- C:\Windows\Tasks\SystemToolsDailyTest.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2009/04/11 08:01:47 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\explorer.exe
[2009/04/11 08:01:47 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2011/08/31 17:00:48 | 001,047,208 | ---- | M] (Malwarebytes Corporation) MD5=4CBE2BD48A10404A7CB9FA9D45FD77A3 -- C:\Program Files\Malwarebytes' Anti-Malware\explorer.exe
[2009/04/11 08:01:45 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2009/04/11 08:01:45 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2009/04/11 08:01:46 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2006/11/02 01:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe

< MD5 for: SVCHOST.EXE >
[2006/11/02 01:45:47 | 000,022,016 | ---- | M] (Microsoft Corporation) MD5=10DA15933D582D2FEDCF705EFE394B09 -- C:\Windows\System32\svchost.exe
[2006/11/02 01:45:47 | 000,022,016 | ---- | M] (Microsoft Corporation) MD5=10DA15933D582D2FEDCF705EFE394B09 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6000.16386_none_b38497a50862ad11\svchost.exe

< MD5 for: USERINIT.EXE >
[2006/11/02 01:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\System32\userinit.exe
[2006/11/02 01:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe

< MD5 for: WINLOGON.EXE >
[2006/11/02 01:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\System32\winlogon.exe
[2006/11/02 01:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s >
"DisplayName" = NETBT
"Group" = PNP_TDI
"ImagePath" = System32\DRIVERS\netbt.sys -- [2006/11/02 00:57:20 | 000,184,320 | ---- | M] (Microsoft Corporation)
"Description" = This service implements NetBios over TCP/IP.
"ErrorControl" = 1
"Start" = 1
"Type" = 1
"DependOnService" = Tdxtcpip [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Linkage]
"OtherDependencies" = Tcpip [binary data]
"Bind" = [Binary data over 100 bytes]
"Route" = [Binary data over 100 bytes]
"Export" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters]
"BcastNameQueryCount" = 3
"BcastQueryTimeout" = 750
"CacheTimeout" = 600000
"EnableLMHOSTS" = 1
"NameServerPort" = 137
"NameSrvQueryCount" = 3
"NameSrvQueryTimeout" = 1500
"NbProvider" = _tcp
"SessionKeepAlive" = 3600000
"Size/Small/Medium/Large" = 1
"TransportBindName" = \Device\
"UseNewSmb" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{14731478-248E-4EB2-9108-8C2C748D6A10}]
"NameServerList" = [binary data]
"NetbiosOptions" = 2
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{1EE4017C-AF4E-4A05-9E95-7EEC8E7F338C}]
"NameServerList" = [binary data]
"NetbiosOptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{596D06E2-C3AE-4A10-B415-5C8E5352C722}]
"NameServerList" = [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{A6B9967C-5C87-4D8A-AA55-BE9081EADCF0}]
"NameServerList" = [binary data]
"NetbiosOptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{B9EE042E-421B-4007-A180-BB0CBA881A7D}]
"NameServerList" = [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{D8D8C62C-726F-4179-B15B-6E8EBC5CA43F}]
"NameServerList" = [binary data]
"NetbiosOptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{EBC5EEF1-09BB-4313-8A56-822260BCD5DC}]
"NameServerList" = [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Security]
"Security" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Enum]
"0" = Root\LEGACY_NETBT\0000
"Count" = 1
"NextInstance" = 1

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s >
"Type" = 2
"Start" = 1
"ErrorControl" = 1
"Tag" = 2
"ImagePath" = system32\DRIVERS\netbios.sys -- [2006/11/02 00:57:26 | 000,035,840 | ---- | M] (Microsoft Corporation)
"DisplayName" = NetBIOS Interface
"Group" = NetBIOSGroup
"Description" = NetBIOS Interface
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Linkage]
"LanaMap" = 01 02 01 00 01 04 01 03 01 01 01 05 [binary data]
"Bind" = [Binary data over 100 bytes]
"Route" = [Binary data over 100 bytes]
"Export" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Parameters]
"MaxLana" = 5
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Parameters\Winsock]
"HelperDllName" = %SystemRoot%\System32\wshnetbs.dll -- [2006/11/02 01:46:14 | 000,011,264 | ---- | M] (Microsoft Corporation)
"MaxSockAddrLength" = 20
"MinSockAddrLength" = 20
"Mapping" = 02 00 00 00 03 00 00 00 11 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00 02 00 00 00 00 00 00 00 [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Enum]
"0" = Root\LEGACY_NETBIOS\0000
"Count" = 1
"NextInstance" = 1

< C:\Windows\assembly\tmp\U\*.* /s >

< %Temp%\smtmp\1\*.* >

< %Temp%\smtmp\2\*.* >

< %Temp%\smtmp\3\*.* >

< %Temp%\smtmp\4\*.* >
[2011/11/24 10:29:12 | 000,000,944 | ---- | M] () -- C:\Users\Kwong\AppData\Local\Temp\smtmp\4\Ad-Aware.lnk

========== Alternate Data Streams ==========

@Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:64202D1C
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:7631EA83
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8
@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:BC0013C8
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >


OTL Extras logfile created on: 12/12/2011 2:30:10 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Kwong\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.94 Gb Available Physical Memory | 47.28% Memory free
4.20 Gb Paging File | 3.28 Gb Available in Paging File | 78.08% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 285.51 Gb Total Space | 11.50 Gb Free Space | 4.03% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.88 Gb Free Space | 58.78% Space Free | Partition Type: NTFS

Computer Name: KC03 | User Name: Kwong | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3634781665-3730177948-736442605-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AutoUpdateDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{04F94607-4C62-456C-AF9F-221ED24512B7}" = rport=138 | protocol=17 | dir=out | app=system |
"{1A406A0E-032F-48B4-BE69-AE9F23B9D2D6}" = rport=445 | protocol=6 | dir=out | app=system |
"{24BEF276-B99F-4AF9-AAF8-0E2CEEBC7B29}" = rport=139 | protocol=6 | dir=out | app=system |
"{2EB7450F-3F9E-4F2C-91CA-D4DCBC064EDA}" = lport=139 | protocol=6 | dir=in | app=system |
"{34431875-9338-4ECF-8CB1-D6C48DB8BDF9}" = lport=138 | protocol=17 | dir=in | app=system |
"{45D9F8FF-A0DF-49DF-81F1-5AB345916DF9}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{49816F1B-9438-4781-BB5B-A773157ECE43}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{7714818F-6BBB-4967-8E87-8EA5C93861EF}" = lport=137 | protocol=17 | dir=in | app=system |
"{7BDC2F0A-B7BE-439E-AE41-583C75A8D824}" = rport=137 | protocol=17 | dir=out | app=system |
"{AACAAEC5-5321-4EE4-BB2D-67D8AE74471C}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{FA0CCB83-F2AD-4238-B5FF-E4FB9FF4D7DC}" = lport=445 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02448D36-FE62-4D16-BB4C-847C1CFA1513}" = protocol=6 | dir=in | app=c:\users\kwong\appdata\roaming\dropbox\bin\dropbox.exe |
"{1B24B022-A6FC-40DF-9529-7715C2881CC7}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgpc01.exe |
"{1B728AD2-D373-4CD4-8D61-0566400455E1}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpofxm08.exe |
"{1DB830E9-560E-47D6-B2B7-65D838E60EF5}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgplgtupl.exe |
"{28CEA68E-59E5-436F-89A7-063260EEDD65}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{2B6ABF6A-302F-43D2-B0F4-D6F71F3A4BC2}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqste08.exe |
"{2F237A43-DFCD-4ACE-B496-97794013F4FA}" = protocol=6 | dir=in | app=c:\program files\aim\aim.exe |
"{42CADCFE-2C55-44BF-AA5C-CB37E9C1CBEA}" = protocol=6 | dir=in | app=c:\program files\aim6\aim6.exe |
"{448A4E7E-4315-4A1A-B448-886B82D8BC09}" = protocol=1 | dir=in | [email protected],-28543 |
"{46A2BDC4-9FB7-4802-8624-E27A51A31855}" = protocol=17 | dir=in | app=c:\program files\lavasoft\ad-aware\aawwsc.exe |
"{4B134C7E-E238-4653-8EFC-56A4D548253C}" = protocol=6 | dir=in | app=c:\program files\lavasoft\ad-aware\ad-aware.exe |
"{503CFFB2-457D-4A26-8774-08C97B6798E5}" = protocol=1 | dir=out | [email protected],-28544 |
"{5673F270-F6FB-412D-B086-47BCB088F8D1}" = protocol=58 | dir=in | [email protected],-28545 |
"{575245CD-CE14-4419-AA2C-01B061A498F4}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposfx08.exe |
"{5811833D-A936-4CC2-88EE-3026A236238F}" = protocol=17 | dir=in | app=c:\program files\lavasoft\ad-aware\aawwsc.exe |
"{586EC2EA-66FC-4CD1-B084-F5B6275D5E8E}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{61D910E3-B8DF-4BF9-A3B7-90A913643939}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{6BFD881F-3DC1-4D03-BA9E-2EC7228AF5FF}" = dir=in | app=c:\program files\hp\digital imaging\smart web printing\smartwebprintexe.exe |
"{6C7A3C35-0EF5-4A0D-A7F2-61AB851EE3D1}" = protocol=58 | dir=out | [email protected],-28546 |
"{75CCFEF0-4D0A-44CF-966B-D7EB5A9372C3}" = protocol=6 | dir=in | app=c:\program files\lavasoft\ad-aware\aawwsc.exe |
"{788FFAB1-C4F4-4D9A-ABA8-B4D99E128740}" = protocol=17 | dir=in | app=c:\program files\aim6\aim6.exe |
"{8AB41C04-8834-4DED-9F3F-C5B532831050}" = protocol=17 | dir=in | app=c:\users\kwong\appdata\roaming\dropbox\bin\dropbox.exe |
"{8B6AA329-A82A-406B-99EB-B565EC58C547}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{8D9EB3D2-D3D0-42BC-BE4C-A069DA41A3B4}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpiscnapp.exe |
"{94F4E4CA-970F-42EE-BE9F-D77ED93996D6}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpzwiz01.exe |
"{9D2242BC-1C2F-4376-B149-E5A067B6DC77}" = protocol=58 | dir=in | [email protected],-28545 |
"{9DF0FAD6-DB7E-4482-AA34-51D6EB2B4CB4}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqkygrp.exe |
"{A0275B5D-6FF3-46FF-9694-314291183B04}" = protocol=58 | dir=out | [email protected],-28546 |
"{A6604856-9A86-4C3A-B632-D92951292214}" = protocol=6 | dir=in | app=c:\program files\lavasoft\ad-aware\aawwsc.exe |
"{A73D2202-BBD2-456B-AAC1-9EBF09887E24}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposid01.exe |
"{A875D193-CFAA-4917-AC85-23E074B1A7B4}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{B7311BF0-DDCC-44B0-B8CD-5D7EAA870386}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqfxt08.exe |
"{BF0074E0-2FE3-4A2E-88B7-24B2D242EAD7}" = dir=in | app=c:\program files\hp\hp software update\hpwucli.exe |
"{C0423C48-4AAC-495E-91B0-8982818E02C5}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpoews01.exe |
"{C17140C6-9EC7-49F2-821D-6836B6BA1B5B}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{C8D7F369-F9B0-4835-BAB9-3D29B2AF6468}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpofxs08.exe |
"{CB0187C0-40A2-4DDE-9533-3CCD86EF8D50}" = protocol=17 | dir=in | app=c:\program files\lavasoft\ad-aware\ad-aware.exe |
"{D09DEB93-A7AC-481B-AC40-D6D8B6042090}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{D90CA1C2-26E3-4DD7-8AFC-23503023C7BD}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{E6549661-AB76-46A2-9235-5B59D230B0F3}" = protocol=1 | dir=in | [email protected],-28543 |
"{E96F7802-C650-4121-B647-C8C2191A575E}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{EC251EEB-E210-4227-8731-4058CB2CCD9B}" = protocol=1 | dir=out | [email protected],-28544 |
"{EFDD5137-1FC1-4040-BAFE-A7AC16271A93}" = protocol=17 | dir=in | app=c:\program files\aim\aim.exe |
"TCP Query User{191B1055-E545-4B89-89C1-36F0AD4C9693}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"TCP Query User{1C6B93B1-99F2-471D-923E-1BC727D56D68}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{28F5352E-A891-4E50-8D8A-D7CF8A487E86}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{383DC961-0735-468E-8AC6-3AC9F4F02D83}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"TCP Query User{398EE28F-4092-42A8-8092-1C5C3AC1E727}C:\program files\aim6\aim6.exe" = protocol=6 | dir=in | app=c:\program files\aim6\aim6.exe |
"TCP Query User{55D5C625-C227-47BC-BCFE-1DCD954FE596}C:\program files\itunes\itunes.exe" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"TCP Query User{6D0AFDD4-4951-4A52-8ACA-DAD6615D8816}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{79647C7C-250F-4202-B429-01486F2F96DF}C:\program files\nokia\nokia ovi suite\nokiaovisuite.exe" = protocol=6 | dir=in | app=c:\program files\nokia\nokia ovi suite\nokiaovisuite.exe |
"TCP Query User{BD44AB62-AEA9-4F9A-B21F-81F89F086DE3}C:\program files\mozilla firefox\plugin-container.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\plugin-container.exe |
"TCP Query User{D600FEC9-9E93-4C28-8321-95CF2EB45A8E}C:\program files\nokia\nokia software updater\nsu_ui_client.exe" = protocol=6 | dir=in | app=c:\program files\nokia\nokia software updater\nsu_ui_client.exe |
"TCP Query User{DFBBA2DF-8EFA-434D-AF51-C05EAB1E9971}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |
"TCP Query User{F25135BC-C040-47CF-81EF-3DBC053905B9}C:\program files\common files\nokia\service layer\a\nsl_host_process.exe" = protocol=6 | dir=in | app=c:\program files\common files\nokia\service layer\a\nsl_host_process.exe |
"TCP Query User{F80107E8-A1EA-49BB-92CA-A90F54D9472B}C:\program files\aim\aim.exe" = protocol=6 | dir=in | app=c:\program files\aim\aim.exe |
"UDP Query User{0218BE51-A0B7-4918-8F38-AA58E1CF1D49}C:\program files\nokia\nokia ovi suite\nokiaovisuite.exe" = protocol=17 | dir=in | app=c:\program files\nokia\nokia ovi suite\nokiaovisuite.exe |
"UDP Query User{1B561B7E-3558-466B-B48E-BE059D153EBC}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"UDP Query User{1DBFC25E-9EE0-469B-9AA7-FCED0D76605E}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{227B4861-C602-404A-A733-911D40AF46C5}C:\program files\common files\nokia\service layer\a\nsl_host_process.exe" = protocol=17 | dir=in | app=c:\program files\common files\nokia\service layer\a\nsl_host_process.exe |
"UDP Query User{2AD6C477-CA3E-44F7-9068-4CFD6229E4F6}C:\program files\aim6\aim6.exe" = protocol=17 | dir=in | app=c:\program files\aim6\aim6.exe |
"UDP Query User{33850B62-8ABD-4E21-A9B1-A1AC54D6C27F}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{4235A945-6E60-4201-BB24-B52FF4B5DD24}C:\program files\aim\aim.exe" = protocol=17 | dir=in | app=c:\program files\aim\aim.exe |
"UDP Query User{70B5649A-AE41-45CF-9762-A8388D2C4C70}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"UDP Query User{7C9FF565-7EE4-421D-A60C-4EE622EB00C6}C:\program files\nokia\nokia software updater\nsu_ui_client.exe" = protocol=17 | dir=in | app=c:\program files\nokia\nokia software updater\nsu_ui_client.exe |
"UDP Query User{960CF617-9159-4F1F-9462-4B4CF9E5F993}C:\program files\mozilla firefox\plugin-container.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\plugin-container.exe |
"UDP Query User{A4CEA0DF-1BFC-49DC-BD90-5BE99C5115A1}C:\program files\itunes\itunes.exe" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"UDP Query User{B1D323F2-7833-4D6D-A158-BCFBCD5A24A9}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{BEDB409B-5048-47B0-8C29-0F167E62E88B}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0090A87C-3E0E-43D4-AA71-A71B06563A4A}" = Dell Support Center
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{09C468CA-2940-466A-AAE8-DCC0C6E9323C}" = Nokia Software Updater
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{15262012-213A-4f65-9019-C8A409EC0156}" = HP Officejet J6400 Series
"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
"{19DC9559-9C20-4A46-A67D-7ECBA52A2788}" = Nokia PC Suite
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 3.3
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{279D3818-7287-4ab4-A927-542EBEA9E365}" = ProductContext
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup
"{380CC749-8C28-4C74-BE01-45921D062302}" = BPDSoftware_Ini
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{41853D20-40CC-4266-978D-F128BB97CA96}" = 6400_Help
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{45DF6D99-666D-41FA-8D62-0E183B6240F3}" = PC Connectivity Solution
"{50D25574-2C48-4AEC-8FFC-32AEAD2EAEFF}" = Nokia Ovi Player
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{5BB4D7C1-52F2-4BFD-9E40-0D419E2E3021}" = bpd_scan
"{5D934326-165A-413b-B056-26BE1EC082AF}" = J6400
"{5D9B17E4-5C34-45B2-9C95-8B9DB4CF7AF3}" = HP_Network_UserGuide
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{6446BBD0-CB83-40E1-BEA1-0C147065E2A6}" = Maxtor Manager
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{676981B7-A2D9-49D0-9F4C-03018F131DA9}" = DocProc
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{69995C7A-062A-4A90-A4DF-8C22895DF522}" = iTunes
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}" = Apple Application Support
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{70B31335-50EE-4834-8431-27412CDE62BD}" = Nokia_Multimedia_Common_Components_2_5
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{749A1EDD-16C2-4C63-B013-D38F0F953973}" = OviMPlatform
"{75D48CBE-DE70-44AB-B631-C3E60F5184D5}" = STOIK Video Converter 3
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{779DECD7-E072-4B56-9B6B-BEB5973EEEB5}" = MobileMe Control Panel
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{787D1A33-A97B-4245-87C0-7174609A540C}" = HP Update
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7F0C4457-8E64-491B-8D7B-991504365D1E}" = QuickSet
"{8112C6B3-91E1-4560-8AB9-876DADFA37C5}" = Ovi Desktop Sync Engine
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85C8D391-0EAE-4492-8A0A-2EE8B0B6DA03}" = BPDSoftware
"{868291A4-229E-4795-B0B0-E60E87AF53CD}" = Sibelius Scorch (ActiveX Only)
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Matrix Storage Manager
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{91120000-001A-0000-0000-0000000FF1CE}" = Microsoft Office Outlook 2007
"{932D0FC7-6DF1-4136-A2EC-166E8DEFD6A4}" = Ad-Aware
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C2D4047-0E40-499a-AC7A-C4B9BB12FE03}" = TrayApp
"{9E9D49A4-1DF4-4138-B7DB-5D87A893088E}" = WIDCOMM Bluetooth Software
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{B8B4446F-87E1-4423-A47A-16832C24A199}" = Nokia Ovi Suite
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C1CEAB5E-23FE-4D62-96D7-AE2744367FD7}" = Cozi
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{D1399216-81B2-457C-A0F7-73B9A2EF6902}" = PDFill PDF Editor with FREE PDF Writer and Tools
"{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}" = Broadcom Gigabit Integrated Controller
"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{EE318321-7909-4D3E-8540-EFED111E1786}" = STOIK Video Converter 3
"{EE5B5B24-EEFC-4C8B-BF8B-256D705BAD89}" = Nokia Ovi Suite Software Updater
"{EEEB604C-C1A7-4f8c-B03F-56F9C1C9C45F}" = Fax
"{EF1ADA5A-0B1A-4662-8C55-7475A61D8B65}" = DeviceDiscovery
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F1FDAA01-988C-423F-AC12-0D8F333943FD}" = Nokia Connectivity Cable Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F5D7FAB5-A1FD-4DD3-983E-4155B09D7102}" = mCore
"{F95F178B-56AD-4fab-87F8-FA81E66C7D68}" = Network
"05B59228C7E1C21DFBE89260F879BD95880548D8" = Windows Driver Package - Nokia Modem (10/05/2009 4.2)
"0D5930BD8653120870DA6E7F2150CA8AB1CF22A5" = Windows Driver Package - Broadcom Bluetooth (06/15/2009 6.2.0.9000)
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"7-Zip" = 7-Zip 4.65
"8CDCFB95BB84DD9C0F88F22266A0CA86035E55BA" = Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"AIM_7" = AIM 7
"Any Audio Converter_is1" = Any Audio Converter 3.2.7
"Audacity_is1" = Audacity 1.2.6
"BF20603967CFDCB2BBF91950E8A56DFBC5C833FE" = Windows Driver Package - Broadcom HIDClass (07/28/2009 6.2.0.9800)
"Creative OEM002" = Laptop Integrated Webcam Driver (1.02.01.0612)
"CutePDF Writer Installation" = CutePDF Writer 2.7
"Dell Support Center" = Dell Support Center
"Dell Webcam Center" = Dell Webcam Center
"Dell Webcam Manager" = Dell Webcam Manager
"Desktop Screen Record 5_is1" = Desktop Screen Record 5
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.2
"GoToAssist" = GoToAssist Corporate
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPOCR" = OCR Software by I.R.I.S. 10.0
"InstallShield_{6446BBD0-CB83-40E1-BEA1-0C147065E2A6}" = Maxtor Manager
"iSnooze" = iSnooze 1.3.3
"Magic DVD Ripper_is1" = Magic DVD Ripper V5.4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 8.0 (x86 en-US)" = Mozilla Firefox 8.0 (x86 en-US)
"Musicnotes Combined Installer_is1" = Musicnotes Software Suite 1.5.3
"Nokia Ovi Suite" = Nokia Ovi Suite
"Nokia PC Suite" = Nokia PC Suite
"NVIDIA Drivers" = NVIDIA Drivers
"OUTLOOKR" = Microsoft Office Outlook 2007
"Picasa 3" = Picasa 3
"ProInst" = Intel® PROSet/Wireless Software
"RealPlayer 12.0" = RealPlayer
"Recuva" = Recuva
"ReNamer_is1" = ReNamer
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"SyncBack_is1" = SyncBack
"SynTPDeinstKey" = Dell Touchpad
"The Journal 4_is1" = The Journal 4
"ThumbsPlus7" = ThumbsPlus version 7 SP2
"TibetSystem - Uninstall Web Viewer" = Uninstall Web Viewer
"ViewpointMediaPlayer" = Viewpoint Media Player
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3634781665-3730177948-736442605-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"309a46b1dc89b774" = Dell Driver Download Manager
"757980bd62c97274" = Downloadr
"Dropbox" = Dropbox
"Facebook Plug-In" = Facebook Plug-In
"GoToMeeting" = GoToMeeting 4.8.0.723

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/4/2011 7:23:21 PM | Computer Name = KC03 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 4/4/2011 7:23:21 PM | Computer Name = KC03 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 2566668

Error - 4/4/2011 7:23:21 PM | Computer Name = KC03 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2566668

Error - 4/4/2011 7:23:22 PM | Computer Name = KC03 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 4/4/2011 7:23:22 PM | Computer Name = KC03 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 2567682

Error - 4/4/2011 7:23:22 PM | Computer Name = KC03 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2567682

Error - 4/4/2011 7:23:23 PM | Computer Name = KC03 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 4/4/2011 7:23:23 PM | Computer Name = KC03 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 2568681

Error - 4/4/2011 7:23:23 PM | Computer Name = KC03 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2568681

Error - 4/4/2011 7:23:24 PM | Computer Name = KC03 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

[ OSession Events ]
Error - 9/30/2010 12:02:59 PM | Computer Name = KC03 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 33947
seconds with 1080 seconds of active time. This session ended with a crash.

Error - 11/9/2010 10:27:06 PM | Computer Name = KC03 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 764784
seconds with 4980 seconds of active time. This session ended with a crash.

Error - 1/9/2011 11:08:52 PM | Computer Name = KC03 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 13876
seconds with 240 seconds of active time. This session ended with a crash.

Error - 3/22/2011 7:57:14 AM | Computer Name = KC03 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 452041
seconds with 2580 seconds of active time. This session ended with a crash.

Error - 3/22/2011 7:58:48 AM | Computer Name = KC03 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 80
seconds with 60 seconds of active time. This session ended with a crash.

Error - 5/1/2011 11:06:33 PM | Computer Name = KC03 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 78798
seconds with 0 seconds of active time. This session ended with a crash.

Error - 5/2/2011 4:11:40 AM | Computer Name = KC03 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 18201
seconds with 420 seconds of active time. This session ended with a crash.

Error - 7/13/2011 3:15:02 AM | Computer Name = KC03 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 11975
seconds with 1500 seconds of active time. This session ended with a crash.

Error - 9/25/2011 5:41:48 PM | Computer Name = KC03 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 55317
seconds with 60 seconds of active time. This session ended with a crash.

Error - 11/16/2011 3:07:08 AM | Computer Name = KC03 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 346411
seconds with 4080 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 12/12/2011 6:05:16 AM | Computer Name = KC03 | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 12/12/2011 6:08:27 AM | Computer Name = KC03 | Source = Service Control Manager | ID = 7000
Description =

Error - 12/12/2011 6:08:27 AM | Computer Name = KC03 | Source = Service Control Manager | ID = 7000
Description =

Error - 12/12/2011 6:08:27 AM | Computer Name = KC03 | Source = Service Control Manager | ID = 7022
Description =

Error - 12/12/2011 6:08:42 AM | Computer Name = KC03 | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 12/12/2011 6:15:47 AM | Computer Name = KC03 | Source = Service Control Manager | ID = 7000
Description =

Error - 12/12/2011 6:15:47 AM | Computer Name = KC03 | Source = Service Control Manager | ID = 7000
Description =

Error - 12/12/2011 6:15:47 AM | Computer Name = KC03 | Source = Service Control Manager | ID = 7022
Description =

Error - 12/12/2011 6:15:58 AM | Computer Name = KC03 | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 12/12/2011 6:21:09 AM | Computer Name = KC03 | Source = Service Control Manager | ID = 7022
Description =


< End of report >


aswMBR:


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-12 02:39:43
-----------------------------
02:39:43.463 OS Version: Windows 6.0.6000
02:39:43.463 Number of processors: 2 586 0xF0D
02:39:43.464 ComputerName: KC03 UserName:
02:39:45.468 Initialize success
02:40:06.118 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
02:40:06.122 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
02:40:06.202 Disk 0 MBR read successfully
02:40:06.207 Disk 0 MBR scan
02:40:06.212 Disk 0 Windows VISTA default MBR code
02:40:06.246 Disk 0 scanning sectors +625139712
02:40:06.388 Disk 0 scanning C:\Windows\system32\drivers
02:40:15.967 Service scanning
02:40:16.945 Service MpKslf6d4798d c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7A387FA7-A064-4603-BAD6-71D4647E396D}\MpKslf6d4798d.sys **LOCKED** 32
02:40:16.952 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
02:40:17.596 Modules scanning
02:40:27.794 Disk 0 trace - called modules:
02:40:27.813 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
02:40:27.813 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84c710d0]
02:40:27.814 3 ntkrnlpa.exe[824b07e2] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84285030]
02:40:27.814 Scan finished successfully
02:41:06.072 Disk 0 MBR has been saved successfully to "C:\Users\Kwong\Desktop\MBR.dat"
02:41:06.110 The log file has been saved successfully to "C:\Users\Kwong\Desktop\aswMBR.txt"


Thanks for your help!!

#2
Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Hi and welcome to GeeksToGo! Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:
  • Remember to post your logs, not attach them. So, any logs from any programs we run should just be 'copied & pasted' into your reply.
  • Please only run the tools that I request. I know malware can be frustrating, but running other tools in the meantime and between posts only makes it harder for us to analyse and fix your PC in the long run.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • Please tell me if you have your original Windows CD/DVD available.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

If you have since resolved the original problem you were having, I would appreciate you letting me know.

What problems are currently evident?

We should proceed with a general antimalware scan, which can take quite a long time, so please be patient.

Download Virus Removal Tool (VRT) from Here to your desktop
(You have to enter your e-mail address and click on the Submit Form button. Please download the latest English version of this tool.)

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan

Click the cog in the upper right
Posted Image


Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.
(Please be patient as this scan can take a few hours)
Posted Image

Allow VRT to delete all infections found.
Once it has finished, select the Report tab (last tab).
Select the Detected threats report from the left and press the Save button.
Save it to your desktop and attach it to your next post.


Now the Analysis

Rerun VRT, select the Manual Disinfection tab and press Start Gathering System Information.

Posted Image

On completion, click the link to locate the zip file, then upload and attach it to your next post.

Posted Image

#3
redleader74

    Member

  • Topic Starter
  • Member
  • 165 posts
Actually, just running the procedures described in my original post was enough to stop whatever was happening; at least, that's what it looks like. I'm not seeing any of the virus present, though of course that doesn't mean it's not lying dormant in the computer somewhere. So I went ahead and ran Kaspersky as instructed and it appears to have found a ton of infections. I've copied and pasted the log below and have also attached the zip file:

Status: Deleted (events: 25)
12/16/2011 10:22:17 PM Deleted Trojan program Trojan.Win32.FraudPack.czfm C:\ProgramData\KFfVaylJyVw.exe High
12/16/2011 8:11:43 AM Deleted virus HEUR:Exploit.Script.Generic C:\Users\Kwong\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H76TI31P\0qw5izg3[1].htm High
12/16/2011 8:11:43 AM Deleted virus HEUR:Exploit.Script.Generic C:\Users\Kwong\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H76TI31P\0qw5izg3[1].htm//JIM High
12/16/2011 8:11:44 AM Deleted virus HEUR:Trojan.Win32.Generic C:\Users\Kwong\AppData\Local\Temp\8GrlDQpjP0tgmk.exe High
12/16/2011 10:22:17 PM Deleted Trojan program Trojan.Win32.FraudPack.czfm C:\Users\Kwong\AppData\Local\Temp\dm94KDBYb9mRCU.exe.tmp High
12/16/2011 10:22:17 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Users\Kwong\AppData\Local\Temp\EF54.tmp High
12/16/2011 10:22:17 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Users\Kwong\AppData\Local\Temp\F2ED.tmp High
12/16/2011 10:22:17 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Users\Kwong\AppData\Local\Temp\FDB7.tmp High
12/16/2011 10:22:17 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Users\Kwong\AppData\Local\Temp\FBD3.tmp High
12/16/2011 8:12:36 AM Deleted virus HEUR:Trojan.Win32.Generic C:\Users\Kwong\AppData\Local\Temp\jar_cache7629828025875598235.tmp High
12/16/2011 9:50:35 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\2d36ba81-49273bef High
12/16/2011 9:50:35 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\2d36ba81-1985b8da High
12/16/2011 10:22:17 PM Deleted Trojan program Backdoor.Win32.Agent.bydt C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\31cb8c1-65616739 High
12/16/2011 10:22:17 PM Deleted Trojan program Backdoor.Win32.Agent.bydt C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\31cb8c1-68a6fe84 High
12/16/2011 10:22:17 PM Deleted Trojan program Trojan.Win32.FraudPack.czfm C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\2cec524e-7df3bf6e High
12/16/2011 10:22:17 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\460df92a-1413fa39 High
12/16/2011 10:22:17 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\460df92a-2e0020e1 High
12/16/2011 10:22:17 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\460df92a-369119a3 High
12/16/2011 10:22:17 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\460df92a-4489c310 High
12/16/2011 10:22:17 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\460df92a-75ffce3f High
12/16/2011 10:22:17 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\460df92a-7673c04a High
12/16/2011 10:22:17 PM Deleted Trojan program Trojan.Win32.Jorik.ZAccess.rv C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\3765d0f2-25587779 High
12/16/2011 10:22:17 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Users\Kwong\Application Data\F3C7.tmp High
12/16/2011 10:22:17 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Users\Kwong\Application Data\F3C7.tmp//PE_Patch.MEW High
12/16/2011 10:22:17 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Users\Kwong\Application Data\Microsoft\3D74\38D1.tmp High
Status: Disinfected (events: 108)
12/16/2011 8:12:33 AM Disinfected Trojan program Exploit.Java.CVE-2010-0840.eu C:\Users\Kwong\AppData\Local\Temp\jar_cache5028442068304711345.tmp High
12/16/2011 8:12:33 AM Disinfected Trojan program Exploit.Java.CVE-2010-0840.eu C:\Users\Kwong\AppData\Local\Temp\jar_cache5028442068304711345.tmp/lee.class High
12/16/2011 9:50:39 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.ek C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\8c21a57-7aaaa945 High
12/16/2011 9:50:39 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.ek C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\8c21a57-7aaaa945/json/Parser.class High
12/16/2011 9:50:45 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.ko C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\391551b2-1647221a High
12/16/2011 9:50:45 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.ko C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\391551b2-1647221a/blor/hytji.class High
12/16/2011 9:50:45 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.ko C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\391551b2-1647221a/blor/rojk.class High
12/16/2011 9:50:45 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.ko C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\391551b2-1647221a/poml/noobl.class High
12/17/2011 2:42:36 AM Disinfected Trojan program Exploit.Java.CVE-2011-3544.ai C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\20fe0286-7e634a36 High
12/17/2011 2:42:35 AM Disinfected Trojan program Exploit.Java.CVE-2011-3544.ap C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\49c1b13d-14d64ce2 High
12/17/2011 2:42:36 AM Disinfected Trojan program Exploit.Java.CVE-2011-3544.ai C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\20fe0286-7e634a36/Market.class High
12/17/2011 2:42:35 AM Disinfected Trojan program Exploit.Java.CVE-2011-3544.ap C:\Users\Kwong\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\49c1b13d-14d64ce2/Market.class High
12/17/2011 8:23:58 AM Disinfected Trojan program Trojan-Spy.HTML.Fraud.gen Outlook\PER_2008\Top of Personal Folders\[From:Bank Of America][Subject:Bank Of America Alert: Action Required To Avoid Account Suspention][Time:2008/06/05 18:09:03]/HTMLBody High
12/17/2011 9:14:32 AM Disinfected Trojan program Trojan-Spy.HTML.Fraud.gen Outlook\PER_2009\Top of Personal Folders\[From:[email protected]][Subject:Your credit card information has been changed!][Time:2009/06/22 22:11:20]/HTMLBody High
12/17/2011 9:23:26 AM Disinfected Trojan program Trojan-Spy.HTML.Fraud.gen Outlook\PER_2009\Top of Personal Folders\[From:eBay.com][Subject:FPA NOTICE: eBay Registration Suspension - Pending ][Time:2009/05/12 17:47:36]/HTMLBody High
12/17/2011 9:48:02 AM Disinfected Trojan program Trojan.Win32.Oficla.ahc Outlook\PER_2010\Top of Personal Folders\[From:UPS Parcel Delivery][Subject:UPS Services. Get your parcel NR89816][Time:2010/09/29 19:23:41]/UPS_Attached_doc_NR144.zip High
12/17/2011 9:48:02 AM Disinfected Trojan program Trojan.Win32.Oficla.ahc Outlook\PER_2010\Top of Personal Folders\[From:UPS Parcel Delivery][Subject:UPS Services. Get your parcel NR89816][Time:2010/09/29 19:23:41]/UPS_Attached_doc_NR144.zip/UPS_Attached_doc_NR144.exe High
12/17/2011 9:56:36 AM Disinfected Trojan program Trojan.Win32.VBKrypt.bhko Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Post Express Service][Subject:Post Express! Delivery refuse! NR3647786][Time:2011/02/10 15:06:21]/Post_Express_Label_IVN72063.zip High
12/17/2011 9:56:36 AM Disinfected Trojan program Trojan.Win32.VBKrypt.bhko Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Post Express Service][Subject:Post Express! Delivery refuse! NR3647786][Time:2011/02/10 15:06:21]/Post_Express_Label_IVN72063.zip/Post Express Label.exe High
12/17/2011 9:56:36 AM Disinfected Trojan program Trojan.Win32.VBKrypt.bhko Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Post Express Service][Subject:Post Express! Delivery refuse! NR3647786][Time:2011/02/10 15:06:21]/Post_Express_Label_IVN72063.zip/Post Express Label.exe//UPX High
12/17/2011 9:56:39 AM Disinfected Trojan program Trojan-Downloader.Win32.Injecter.fld Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Post Express Service][Subject:Post Express! Package is available for pickup! NR20488][Time:2011/02/11 20:55:28]/Post_Express_Label_NS.88876.zip High
12/17/2011 9:56:39 AM Disinfected Trojan program Trojan-Downloader.Win32.Injecter.fld Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Post Express Service][Subject:Post Express! Package is available for pickup! NR20488][Time:2011/02/11 20:55:28]/Post_Express_Label_NS.88876.zip/Post Express Label.exe High
12/17/2011 9:56:39 AM Disinfected Trojan program Trojan-Spy.HTML.Fraud.gen Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:BancoPostaonline][Subject:Resettare la sua password][Time:2011/02/15 21:30:31]/HTMLBody High
12/17/2011 9:56:47 AM Disinfected Trojan program Trojan-Downloader.Win32.Small.bsbe Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx service][Subject:FedEx notice ][Time:2011/03/16 12:47:47]/Federal Express INC notification.zip High
12/17/2011 9:56:47 AM Disinfected Trojan program Trojan-Downloader.Win32.Small.bsbe Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx service][Subject:FedEx notice ][Time:2011/03/16 12:47:47]/Federal Express INC notification.zip/Federal Express INC notification.exe High
12/17/2011 9:56:49 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.e Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United Parcel Service][Subject:[SPAM] United Parcel Service notification #017][Time:2011/03/25 07:46:45]/United Parcel Service notification #017 (6.97 KB) High
12/17/2011 9:56:49 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.e Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United Parcel Service][Subject:[SPAM] United Parcel Service notification #017][Time:2011/03/25 07:46:45]/United Parcel Service notification #017 (6.97 KB)/UPS notification letter.zip High
12/17/2011 9:56:49 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.e Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United Parcel Service][Subject:[SPAM] United Parcel Service notification #017][Time:2011/03/25 07:46:45]/United Parcel Service notification #017 (6.97 KB)/UPS notification letter.zip/UPS notification letter.exe High
12/17/2011 9:56:50 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.o Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United Parcel Service][Subject:United Parcel Service notification #376365360][Time:2011/03/28 01:42:22]/UPS tracking number.zip High
12/17/2011 9:56:50 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.o Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United Parcel Service][Subject:United Parcel Service notification #376365360][Time:2011/03/28 01:42:22]/UPS tracking number.zip/UPS tracking number.exe High
12/17/2011 9:56:51 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.s Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United Parcel Service][Subject:United Parcel Service notification #362411553][Time:2011/03/29 10:02:29]/UPS-tracking.zip High
12/17/2011 9:56:51 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.s Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United Parcel Service][Subject:United Parcel Service notification #362411553][Time:2011/03/29 10:02:29]/UPS-tracking.zip/UPS-tracking.exe High
12/17/2011 9:56:53 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.af Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx][Subject:FedEx system notification][Time:2011/04/03 18:27:22]/FedEx document.zip High
12/17/2011 9:56:53 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.af Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx][Subject:FedEx system notification][Time:2011/04/03 18:27:22]/FedEx document.zip/FedEx document.exe High
12/17/2011 9:56:54 AM Disinfected Trojan program Trojan-Downloader.Win32.FraudLoad.hxv Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:DHL Global][Subject:DHL Express Services][Time:2011/04/03 14:45:12]/dhl.zip High
12/17/2011 9:56:54 AM Disinfected Trojan program Trojan-Downloader.Win32.FraudLoad.hxv Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:DHL Global][Subject:DHL Express Services][Time:2011/04/03 14:45:12]/dhl.zip/FedEx document.exe High
12/17/2011 9:56:55 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.ap Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx][Subject:FedEx system notification][Time:2011/04/05 14:20:03]/FedEx.zip High
12/17/2011 9:56:55 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.ap Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx][Subject:FedEx system notification][Time:2011/04/05 14:20:03]/FedEx.zip/FedEx.exe High
12/17/2011 9:57:10 AM Disinfected Trojan program Trojan-Downloader.Win32.Injecter.frj Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Facebook Support][Subject:Spam from your Facebook account][Time:2011/04/19 03:26:09]/FacebookP891477.zip High
12/17/2011 9:57:10 AM Disinfected Trojan program Trojan-Downloader.Win32.Injecter.frj Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Facebook Support][Subject:Spam from your Facebook account][Time:2011/04/19 03:26:09]/FacebookP891477.zip/FacebookPassword.exe High
12/17/2011 9:57:13 AM Disinfected Trojan program Trojan.Win32.Oficla.mme Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Facebook Abuse Department][Subject:Your password is changed][Time:2011/04/28 20:43:16]/Attached_SecurityCode88507.zip High
12/17/2011 9:57:13 AM Disinfected Trojan program Trojan.Win32.Oficla.mme Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Facebook Abuse Department][Subject:Your password is changed][Time:2011/04/28 20:43:16]/Attached_SecurityCode88507.zip/Attached_SecurityCode.exe High
12/17/2011 9:57:18 AM Disinfected Trojan program Trojan.Win32.Deliver.h Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:UPS System][Subject:UPS Express Services tracking #86586335][Time:2011/05/07 09:37:59]/UPS.zip High
12/17/2011 9:57:18 AM Disinfected Trojan program Trojan.Win32.Deliver.h Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:UPS System][Subject:UPS Express Services tracking #86586335][Time:2011/05/07 09:37:59]/UPS.zip/UPS.exe High
12/17/2011 9:57:21 AM Disinfected Trojan program Trojan.Win32.Deliver.p Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:UPS system][Subject:UPS System ticket 278832][Time:2011/05/08 14:51:15]/parcel information.zip High
12/17/2011 9:57:21 AM Disinfected Trojan program Trojan.Win32.Deliver.p Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:UPS system][Subject:UPS System ticket 278832][Time:2011/05/08 14:51:15]/parcel information.zip/parcel information.exe High
12/17/2011 9:57:23 AM Disinfected Trojan program Trojan-Downloader.Win32.FraudLoad.zfhd Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx system][Subject:FedEx System ticket 602215][Time:2011/05/13 13:07:16]/FedEx mail.zip High
12/17/2011 9:57:23 AM Disinfected Trojan program Trojan-Downloader.Win32.FraudLoad.zfhd Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx system][Subject:FedEx System ticket 602215][Time:2011/05/13 13:07:16]/FedEx mail.zip/FedEx mail.exe High
12/17/2011 9:57:23 AM Disinfected Trojan program Trojan-Downloader.Win32.FraudLoad.zfjc Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx system][Subject:FedEx System ticket 713448][Time:2011/05/17 14:11:35]/FedEx mail.zip High
12/17/2011 9:57:23 AM Disinfected Trojan program Trojan-Downloader.Win32.FraudLoad.zfjc Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx system][Subject:FedEx System ticket 713448][Time:2011/05/17 14:11:35]/FedEx mail.zip/FedEx mail.exe High
12/17/2011 9:57:24 AM Disinfected Trojan program Trojan-Downloader.Win32.FraudLoad.zfkq Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx system][Subject:FedEx System ticket 622235][Time:2011/05/19 17:05:10]/FedEx mail.zip High
12/17/2011 9:57:24 AM Disinfected Trojan program Trojan-Downloader.Win32.FraudLoad.zfkq Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx system][Subject:FedEx System ticket 622235][Time:2011/05/19 17:05:10]/FedEx mail.zip/FedEx mail.exe High
12/17/2011 9:57:25 AM Disinfected Trojan program Trojan.Win32.Menti.gnia Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:DHL][Subject:DHL notification][Time:2011/05/26 07:36:15]/DHL mail.zip High
12/17/2011 9:57:25 AM Disinfected Trojan program Trojan.Win32.Menti.gnia Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:DHL][Subject:DHL notification][Time:2011/05/26 07:36:15]/DHL mail.zip/DHL mail.exe High
12/17/2011 9:57:29 AM Disinfected Trojan program Trojan.Win32.Menti.gqqi Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:UPS inc.][Subject:UPS parcel information #474826456][Time:2011/06/09 20:27:43]/UPS mail.zip High
12/17/2011 9:57:29 AM Disinfected Trojan program Trojan.Win32.Menti.gqqi Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:UPS inc.][Subject:UPS parcel information #474826456][Time:2011/06/09 20:27:43]/UPS mail.zip/UPS mail.exe High
12/17/2011 9:57:29 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.qk Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:UPS inc.][Subject:UPS parcel information #550708318][Time:2011/06/11 09:36:25]/UPS_Document.zip High
12/17/2011 9:57:29 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.qk Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:UPS inc.][Subject:UPS parcel information #550708318][Time:2011/06/11 09:36:25]/UPS_Document.zip/UPS_Document.exe High
12/17/2011 9:57:47 AM Disinfected Trojan program Trojan.Win32.Sasfis.butk Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Reservation Departament][Subject:Hotel Four Seasons San Francisco made wrong transaction][Time:2011/07/28 07:26:51]/RefundForm646.zip High
12/17/2011 9:57:47 AM Disinfected Trojan program Trojan.Win32.Sasfis.butk Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Reservation Departament][Subject:Hotel Four Seasons San Francisco made wrong transaction][Time:2011/07/28 07:26:51]/RefundForm646.zip/Refund-Form.exe High
12/17/2011 11:39:01 AM Disinfected Trojan program Trojan-Downloader.Win32.Injecter.gkn Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Postal Service][Subject:Error in the details of delivery][Time:2011/08/17 09:46:31]/PostLabel3212.rar High
12/17/2011 11:39:01 AM Disinfected Trojan program Trojan-Downloader.Win32.Injecter.gkn Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Postal Service][Subject:Error in the details of delivery][Time:2011/08/17 09:46:31]/PostLabel3212.rar//PostLabel.exe High
12/17/2011 11:39:07 AM Disinfected Trojan program Trojan-Downloader.Win32.Injecter.gls Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Global Express Guaranteed][Subject:You need to get parcel in the office of Postal Service #67563][Time:2011/08/18 01:21:51]/PostLabel1210.rar High
12/17/2011 11:39:07 AM Disinfected Trojan program Trojan-Downloader.Win32.Injecter.gls Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Global Express Guaranteed][Subject:You need to get parcel in the office of Postal Service #67563][Time:2011/08/18 01:21:51]/PostLabel1210.rar//PostLabel.exe High
12/17/2011 11:39:07 AM Disinfected Trojan program Trojan-Downloader.Win32.Injecter.gls Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Global Express Guaranteed][Subject:You need to get parcel in the office of Postal Service #67563][Time:2011/08/18 01:21:51]/PostLabel1210.rar//PostLabel.exe//UPX High
12/17/2011 11:39:23 AM Disinfected Trojan program Backdoor.Win32.Agobot.rrv Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:SHALANDAHairston][Subject:Re: Changlog 08.23.2011][Time:2011/08/23 17:22:53]/Change_08.21.2011_s8090.zip High
12/17/2011 11:39:23 AM Disinfected Trojan program Backdoor.Win32.Agobot.rrv Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:SHALANDAHairston][Subject:Re: Changlog 08.23.2011][Time:2011/08/23 17:22:53]/Change_08.21.2011_s8090.zip/Changelog_08.22.2011_SorGǫcod.exe High
12/17/2011 11:39:36 AM Disinfected Trojan program Trojan.Win32.Yakes.cez Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:LAKEISHA2cTlojHiq][Subject:Re: FW: End of July Statement Required][Time:2011/08/30 18:03:10]/Inv._08.29.2011_x6763.zip High
12/17/2011 11:39:36 AM Disinfected Trojan program Trojan.Win32.Yakes.cez Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:LAKEISHA2cTlojHiq][Subject:Re: FW: End of July Statement Required][Time:2011/08/30 18:03:10]/Inv._08.29.2011_x6763.zip/INVOICE__08_30_2011___CollGǫcod.exe High
12/17/2011 11:39:42 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.ma Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:UAE Central][Subject:UAE Central Bank Warning: E-mail scam alert][Time:2011/08/31 21:37:07]/document.zip High
12/17/2011 11:39:42 AM Disinfected Trojan program Trojan-Downloader.Win32.Deliver.ma Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:UAE Central][Subject:UAE Central Bank Warning: E-mail scam alert][Time:2011/08/31 21:37:07]/document.zip/document.exe High
12/17/2011 11:40:00 AM Disinfected Trojan program Trojan-Spy.Win32.SpyEyes.nau Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:[email protected]][Subject:Re: FW: End of July Statement required][Time:2011/09/05 14:03:29]/invoice_08.30.2011_Q313154.zip High
12/17/2011 11:40:00 AM Disinfected Trojan program Trojan-Spy.Win32.SpyEyes.nau Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:[email protected]][Subject:Re: FW: End of July Statement required][Time:2011/09/05 14:03:29]/invoice_08.30.2011_Q313154.zip/IRS.GOV_FORM_09252011___CollGǫredlof.exe High
12/17/2011 11:40:00 AM Disinfected Trojan program Trojan-Spy.Win32.SpyEyes.nau Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:[email protected]][Subject:Re: FW: End of July Statement required][Time:2011/09/05 14:03:29]/invoice_08.30.2011_Q313154.zip/IRS.GOV_FORM_09252011___CollGǫredlof.exe//PE_Patch.PECompact High
12/17/2011 11:40:00 AM Disinfected Trojan program Trojan-Spy.Win32.SpyEyes.nau Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:[email protected]][Subject:Re: FW: End of July Statement required][Time:2011/09/05 14:03:29]/invoice_08.30.2011_Q313154.zip/IRS.GOV_FORM_09252011___CollGǫredlof.exe//PE_Patch.PECompact//PecBundle High
12/17/2011 11:40:00 AM Disinfected Trojan program Trojan-Spy.Win32.SpyEyes.nau Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:[email protected]][Subject:Re: FW: End of July Statement required][Time:2011/09/05 14:03:29]/invoice_08.30.2011_Q313154.zip/IRS.GOV_FORM_09252011___CollGǫredlof.exe//PE_Patch.PECompact//PecBundle//PECompact High
12/17/2011 11:40:38 AM Disinfected Trojan program Trojan-Spy.HTML.Fraud.gen Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Wells Fargo Online][Subject:Important Information Regarding Your Wells Fargo Account !][Time:2011/10/02 11:23:35]/HTMLBody High
12/17/2011 11:41:13 AM Disinfected Trojan program Trojan-Downloader.Win32.Injecter.gzi Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:[email protected]][Subject:Fw: ACH and Wire transfers disabled.][Time:2011/10/18 09:28:19]/NotificationFDIC_1013_IW29366.zip _.dat High
12/17/2011 11:41:13 AM Disinfected Trojan program Trojan-Downloader.Win32.Injecter.gzi Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:[email protected]][Subject:Fw: ACH and Wire transfers disabled.][Time:2011/10/18 09:28:19]/NotificationFDIC_1013_IW29366.zip _.dat/FDIC_Notification_09252011___CollGǫfdp.exe High
12/17/2011 11:41:14 AM Disinfected Trojan program Trojan-Spy.HTML.Fraud.gen Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Wells Fargo Online Banking][Subject:Important Information Regarding Your Wells Fargo Account !][Time:2011/10/19 16:28:44]/HTMLBody High
12/17/2011 11:41:18 AM Disinfected Trojan program Trojan-Banker.Win32.Qhost.mmu Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Marie Vincent][Subject:Fw: Contract from Marie ][Time:2011/10/20 17:57:59]/PDF_Scan_N39972.rar High
12/17/2011 11:41:18 AM Disinfected Trojan program Trojan-Banker.Win32.Qhost.mmu Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Marie Vincent][Subject:Fw: Contract from Marie ][Time:2011/10/20 17:57:59]/PDF_Scan_N39972.rar//ScanTranslation_09252011___Coll?fdp.exe High
12/17/2011 11:41:18 AM Disinfected Trojan program Trojan-Banker.Win32.Qhost.mmu Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Marie Vincent][Subject:Fw: Contract from Marie ][Time:2011/10/20 17:57:59]/PDF_Scan_N39972.rar//ScanTranslation_09252011___Coll?fdp.exe//UPX High
12/17/2011 11:41:20 AM Disinfected Trojan program Trojan-Banker.Win32.Qhost.mmu Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:New York State Department of Motor Vehicles][Subject:UNIFORM TRAFFIC TICKET (ID:2764)][Time:2011/10/22 01:00:19]/Uniform traffic ticket.zip High
12/17/2011 11:41:20 AM Disinfected Trojan program Trojan-Banker.Win32.Qhost.mmu Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:New York State Department of Motor Vehicles][Subject:UNIFORM TRAFFIC TICKET (ID:2764)][Time:2011/10/22 01:00:19]/Uniform traffic ticket.zip/uniform traffic ticket.exe High
12/17/2011 11:41:20 AM Disinfected Trojan program Trojan-Banker.Win32.Qhost.mmu Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:New York State Department of Motor Vehicles][Subject:UNIFORM TRAFFIC TICKET (ID:2764)][Time:2011/10/22 01:00:19]/Uniform traffic ticket.zip/uniform traffic ticket.exe//UPX High
12/17/2011 11:41:21 AM Disinfected Trojan program Trojan-Downloader.Win32.Injecter.hcc Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx Information][Subject:Track your parcel No4331][Time:2011/10/23 17:10:31]/Invoice_copy_N9092.zip High
12/17/2011 11:41:20 AM Disinfected Trojan program Trojan-Downloader.Win32.Injecter.hcc Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx Information][Subject:Track your parcel No4331][Time:2011/10/23 17:10:31]/Invoice_copy_N9092.zip/Invoice_copy.exe High
12/17/2011 11:41:20 AM Disinfected Trojan program Trojan-Downloader.Win32.Injecter.hcc Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:FedEx Information][Subject:Track your parcel No4331][Time:2011/10/23 17:10:31]/Invoice_copy_N9092.zip/Invoice_copy.exe//UPX High
12/17/2011 11:41:22 AM Disinfected Trojan program Trojan.Win32.Jorik.MokesLoader.ai Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:[email protected]][Subject:Re: End of Aug. Statement Required][Time:2011/10/25 14:50:05]/Invoices_102311_g.zip High
12/17/2011 11:41:22 AM Disinfected Trojan program Trojan.Win32.Jorik.MokesLoader.ai Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:[email protected]][Subject:Re: End of Aug. Statement Required][Time:2011/10/25 14:50:05]/Invoices_102311_g.zip/Invoice_10_11_2011_CollesdopGǫcod.exe High
12/17/2011 11:41:29 AM Disinfected Trojan program Trojan.Win32.Jorik.MokesLoader.av Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Darrin Mooney][Subject:Re: FW: End of Aug. Statement Required][Time:2011/11/02 16:44:34]/Open_Invoices_10.22.2011_29749.zip High
12/17/2011 11:41:29 AM Disinfected Trojan program Trojan.Win32.Jorik.MokesLoader.av Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:Darrin Mooney][Subject:Re: FW: End of Aug. Statement Required][Time:2011/11/02 16:44:34]/Open_Invoices_10.22.2011_29749.zip/Invoice__N0825322011_CollGǫcod.exe High
12/17/2011 11:41:41 AM Disinfected Trojan program Trojan.Win32.Genome.yhmk Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United States Postal Service][Subject:USPS Delivery Failure Notification][Time:2011/11/19 09:53:58]/USPS report.zip High
12/17/2011 11:41:41 AM Disinfected Trojan program Trojan.Win32.Genome.yhmk Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United States Postal Service][Subject:USPS Delivery Failure Notification][Time:2011/11/19 09:53:58]/USPS report.zip/USPS report.exe High
12/17/2011 11:44:17 AM Disinfected virus HEUR:Trojan.Win32.Generic Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United States Postal Service][Subject:USPS Delivery Failure Notification][Time:2011/11/22 01:42:41]/USPS report.zip High
12/17/2011 11:44:16 AM Disinfected virus HEUR:Trojan.Win32.Generic Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United States Postal Service][Subject:USPS Delivery Failure Notification][Time:2011/11/22 01:42:41]/USPS report.zip/USPS report.exe High
12/17/2011 11:44:20 AM Disinfected Trojan program Trojan.Win32.Genome.ytxe Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United States Postal Service][Subject:USPS Delivery Failure Notification][Time:2011/11/24 18:39:09]/USPS report.zip High
12/17/2011 11:44:20 AM Disinfected Trojan program Trojan.Win32.Genome.ytxe Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United States Postal Service][Subject:USPS Delivery Failure Notification][Time:2011/11/24 18:39:09]/USPS report.zip/USPS report.exe High
12/17/2011 11:44:24 AM Disinfected Trojan program Trojan.Win32.Yakes.kra Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:USPS Service][Subject:Track your parcel NO#8433][Time:2011/11/29 12:53:20]/Post_Label_US#6334.zip High
12/17/2011 11:44:24 AM Disinfected Trojan program Trojan.Win32.Yakes.kra Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:USPS Service][Subject:Track your parcel NO#8433][Time:2011/11/29 12:53:20]/Post_Label_US#6334.zip/Post_Label.exe High
12/17/2011 11:44:27 AM Disinfected Trojan program Trojan.Win32.Genome.aagcc Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United States Postal Service][Subject:USPS Delivery Failure Notification][Time:2011/12/08 00:35:33]/USPS report.zip High
12/17/2011 11:44:27 AM Disinfected Trojan program Trojan.Win32.Genome.aagcc Outlook\Personal Folders\Top of Personal Folders\Deleted Items\[From:United States Postal Service][Subject:USPS Delivery Failure Notification][Time:2011/12/08 00:35:33]/USPS report.zip/USPS report.exe High
12/18/2011 12:00:19 AM Disinfected Trojan program Trojan.Win32.Sasfis.bfsv Outlook\Personal Folders\Top of Personal Folders\Inbox\[From:United Parcel Service][Subject:United Parcel Service notification][Time:2011/03/22 10:44:37]/UPS notice.rar High
12/18/2011 12:00:19 AM Disinfected Trojan program Trojan.Win32.Sasfis.bfsv Outlook\Personal Folders\Top of Personal Folders\Inbox\[From:United Parcel Service][Subject:United Parcel Service notification][Time:2011/03/22 10:44:37]/UPS notice.rar//UPS notice.exe High
12/18/2011 1:27:58 AM Disinfected Trojan program Backdoor.Win32.Agobot.asw Outlook\Personal Folders\Top of Personal Folders\Inbox\[From:AUBREY Blackmon][Subject:Re: Your Changelog 08.23.2011][Time:2011/08/22 23:04:54]/Change_08.12.2011_S517506981.zip/Changelog_08.22.2011_StorGǫcod.exe//UPX High
12/18/2011 1:27:58 AM Disinfected Trojan program Backdoor.Win32.Agobot.asw Outlook\Personal Folders\Top of Personal Folders\Inbox\[From:AUBREY Blackmon][Subject:Re: Your Changelog 08.23.2011][Time:2011/08/22 23:04:54]/Change_08.12.2011_S517506981.zip/Changelog_08.22.2011_StorGǫcod.exe High
12/18/2011 1:27:59 AM Disinfected Trojan program Backdoor.Win32.Agobot.asw Outlook\Personal Folders\Top of Personal Folders\Inbox\[From:AUBREY Blackmon][Subject:Re: Your Changelog 08.23.2011][Time:2011/08/22 23:04:54]/Change_08.12.2011_S517506981.zip High

  • 0

#4
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware.
  • Select the Update tab.
  • Click on Check for Updates button.
  • Click on OK.
  • Select the Scanner tab.
  • Select Perform quick scan, then click on Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
  • 0

#5
redleader74

redleader74

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 165 posts
OK, here is the MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8401

Windows 6.0.6000
Internet Explorer 8.0.6001.18904

12/20/2011 1:11:08 AM
mbam-log-2011-12-20 (01-11-08).txt

Scan type: Quick scan
Objects scanned: 206128
Time elapsed: 12 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#6
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Looks good. How is your computer running now? Any problems?

Do the following please:

Download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

  • 0

#7
redleader74

redleader74

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 165 posts
Well, it WAS working fine and this morning I became infected with the Vista Antivirus 2011 (or something like that) virus. What terrible luck. I will be starting another thread to resolve this one.
  • 0

#8
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
No. Please stay in this thread. And please stop using this infected computer until I say it is all clean.

Do the following:

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right-click -> Run as administrator; for XP, simply run RogueKiller.exe
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.
Please post the contents of the RKreport.txt in your next reply.
  • 0

#9
redleader74

redleader74

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 165 posts
OK, here is the RKreport, thanks!

RogueKiller V6.2.0 [12/12/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6000 ) 32 bits version
Started in : Normal mode
User: Kwong [Admin rights]
Mode: Scan -- Date : 12/20/2011 12:15:35

¤¤¤ Bad processes: 1 ¤¤¤
[WINDOW : Vista Antivirus 2012] yfb.exe -- C:\Users\Kwong\AppData\Local\yfb.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 9 ¤¤¤
[SUSP PATH] _uninst_38249947.lnk : C:\Users\Kwong\AppData\Local\Temp\_uninst_38249947.bat -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{14731478-248E-4EB2-9108-8C2C748D6A10} : NameServer (172.18.7.170 172.18.7.170) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{14731478-248E-4EB2-9108-8C2C748D6A10} : NameServer (172.18.7.170 172.18.7.170) -> FOUND
[FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command : ("C:\Users\Kwong\AppData\Local\yfb.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\[...].exe\shell\open\command : ("C:\Users\Kwong\AppData\Local\yfb.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\.exe : (8kD) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command : ("C:\Users\Kwong\AppData\Local\yfb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command : ("C:\Users\Kwong\AppData\Local\yfb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Users\Kwong\AppData\Local\yfb.exe" -a "C:\Program Files\Intern") -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤
S_SSDT[576] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C2A0)
S_SSDT[573] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C248)
S_SSDT[550] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0CC50)
S_SSDT[525] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C4A6)
S_SSDT[513] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C58A)
S_SSDT[498] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C3EE)
S_SSDT[497] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C39A)
S_SSDT[479] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C446)
S_SSDT[430] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C34E)
S_SSDT[428] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C602)
S_SSDT[397] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C302)
S_SSDT[391] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C4F4)
S_SSDT[322] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C87E)
S_SSDT[317] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0CD9E)
S_SSDT[301] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C73A)
S_SSDT[245] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C816)
S_SSDT[235] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C7A6)
S_SSDT[13] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C6D0)

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤
--- User ---
[MBR] b80d8aad0d4d70d0a376a58132ab2874
[BSP] 143500e28e0f7628a019343ed6099823 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 82 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 161792 | Size: 10737 Mo
2 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 21133312 | Size: 306566 Mo
3 - [XXXXXX] UNKNW [VISIBLE] Offset (sectors): 619896832 | Size: 2684 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>

  • 0
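The [FILEASSO] lines in the report above are the security-relevant finding: the rogue has made C:\Users\Kwong\AppData\Local\yfb.exe the handler for .exe files and for the browser launch commands, so every program the user starts runs through it first. As an added example that is not part of the thread or of RogueKiller's own code, the Python below parses a constructed report in the same layout (registry keys and the yfb.exe path copied from the post) and flags those entries by comparing them against the Windows defaults: the "exefile" ProgID for HKCR\.exe and the command "%1" %*.

```python
"""Flag .exe file-association hijacks in a RogueKiller-style report.

A rogue that registers itself as the .exe handler is launched on every
program start and can block real security tools. RogueKiller lists such
registry data under the [FILEASSO] tag; this parser checks those entries.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Windows defaults: HKCR\.exe holds the ProgID "exefile", whose
# shell\open\command is "%1" %* (run the file itself with its arguments).
DEFAULT_EXE_PROGID = "exefile"
DEFAULT_EXE_COMMAND = '"%1" %*'

# Constructed sample in RKreport layout. Registry keys and the yfb.exe path
# are copied from the report posted in the thread; the line set is trimmed.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries: 9 ¤¤¤
[SUSP PATH] _uninst_38249947.lnk : C:\Users\Kwong\AppData\Local\Temp\_uninst_38249947.bat -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{14731478-248E-4EB2-9108-8C2C748D6A10} : NameServer (172.18.7.170 172.18.7.170) -> FOUND
[FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command : ("C:\Users\Kwong\AppData\Local\yfb.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\[...].exe\shell\open\command : ("C:\Users\Kwong\AppData\Local\yfb.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\.exe : (8kD) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command : ("C:\Users\Kwong\AppData\Local\yfb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") -> FOUND
¤¤¤ Driver: [LOADED] ¤¤¤
S_SSDT[576] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\9381790drv.sys @ 0x9ED0C2A0)
"""

# "[TAG] key : value -> status"; section headers and S_SSDT lines do not match.
ENTRY_RE = re.compile(r"^\[(?P<tag>[A-Z ]+)\] (?P<key>.+?) : (?P<value>.*) -> (?P<status>.+)$")


@dataclass
class Entry:
    tag: str
    key: str
    value: str
    status: str


@dataclass
class Finding:
    key: str
    handler: str  # program (or ProgID) that actually receives the launch
    reason: str


def parse_entries(report: str) -> List[Entry]:
    """Extract the tagged registry/process entries from a report."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def _unwrap(value: str) -> str:
    """RogueKiller prints registry data in parentheses: ("cmd" -a "%1" %*)."""
    if value.startswith("(") and value.endswith(")"):
        return value[1:-1]
    return value


def _first_program(command: str) -> Optional[str]:
    """The program a shell command line runs: first quoted token, else first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 1 else None
    return command.split()[0] if command else None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def exe_association_findings(entries: List[Entry]) -> List[Finding]:
    """Return [FILEASSO] entries whose data deviates from the Windows default."""
    findings: List[Finding] = []
    for e in entries:
        if e.tag != "FILEASSO":
            continue
        key = e.key.lower()
        data = _unwrap(e.value)
        if "\\startmenuinternet\\" in key and key.endswith("\\command"):
            # Key names the browser (FIREFOX.EXE); the command must run that binary.
            browser = key.split("\\startmenuinternet\\", 1)[1].split("\\", 1)[0]
            program = _first_program(data) or ""
            if _basename(program) != browser:
                findings.append(Finding(e.key, program,
                                        f"{browser} launch proxied through {_basename(program)}"))
        elif key.endswith(".exe\\shell\\open\\command"):
            if data != DEFAULT_EXE_COMMAND:
                findings.append(Finding(e.key, _first_program(data) or data,
                                        "every .exe launch is proxied through a wrapper"))
        elif key.endswith("\\.exe"):
            if data.lower() != DEFAULT_EXE_PROGID:
                findings.append(Finding(e.key, data, "HKCR\\.exe points at a non-default ProgID"))
    return findings


def hijack_handlers(report: str) -> Set[str]:
    """Distinct binaries the associations redirect to: what to quarantine first."""
    return {f.handler for f in exe_association_findings(parse_entries(report))
            if f.handler.lower().endswith(".exe")}
```

On the sample report this yields four findings (both .exe open commands, the HKCR\.exe ProgID, and the Firefox launch command) that all resolve to the single wrapper binary yfb.exe.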

#10
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, restart your computer to restore your connection.
  • Double-click on Combo-Fix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • 0


#11
redleader74

redleader74

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 165 posts
OK, here is the ComboFix log:

ComboFix 11-12-20.04 - Kwong 12/20/2011 13:02:25.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2045.1174 [GMT -8:00]
Running from: c:\users\Kwong\Desktop\Combo-Fix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\~HXXFLlL5Vd1gKg
c:\programdata\~HXXFLlL5Vd1gKgr
c:\programdata\HXXFLlL5Vd1gKg
c:\programdata\Roaming
c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
c:\users\Kwong\AppData\Local\yfb.exe
c:\users\Kwong\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix
c:\users\Kwong\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\System Fix.lnk
c:\users\Kwong\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\Uninstall System Fix.lnk
c:\users\Kwong\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))
.
.
2011-12-20 21:11 . 2011-12-20 21:11 -------- d-----w- c:\users\Kwong\AppData\Local\temp
2011-12-20 21:11 . 2011-12-20 21:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-20 21:11 . 2011-12-20 21:11 -------- d-----w- c:\users\Visitor\AppData\Local\temp
2011-12-20 09:05 . 2011-12-20 09:05 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{936645E6-2645-4FEA-B6A0-168F9C67F99F}\MpKslad1b5829.sys
2011-12-20 09:03 . 2011-12-20 09:03 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{936645E6-2645-4FEA-B6A0-168F9C67F99F}\offreg.dll
2011-12-20 09:03 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{936645E6-2645-4FEA-B6A0-168F9C67F99F}\mpengine.dll
2011-12-18 08:10 . 2011-12-18 08:15 -------- d-----w- c:\program files\Dell Support Center
2011-12-16 10:01 . 2011-12-16 10:01 -------- d-----w- c:\programdata\Kaspersky Lab
2011-12-14 09:02 . 2011-12-14 09:02 -------- d-----w- c:\users\Kwong\AppData\Local\Apple
2011-12-12 10:24 . 2011-12-20 20:15 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2011-12-12 09:53 . 2011-12-20 09:32 -------- d-----w- c:\users\Kwong\AppData\Local\Adobe
2011-12-06 05:06 . 2011-12-15 10:29 -------- d-----w- c:\users\Kwong\AppData\Local\CutePDF Writer
2011-11-24 18:29 . 2011-11-24 18:29 -------- d-----w- c:\program files\Lavasoft
2011-11-24 18:18 . 2011-11-24 18:18 -------- d-----w- c:\users\Kwong\AppData\Local\Apps
2011-11-24 18:04 . 2011-11-24 18:04 -------- d-----w- c:\users\Kwong\AppData\Local\Broadcom
2011-11-24 02:13 . 2011-12-20 09:16 -------- d-----w- c:\users\Kwong\AppData\Local\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 10:47 . 2011-05-29 09:48 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-16 11:48 . 2011-07-11 14:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Kwong\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Kwong\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1029416]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-06-15 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-15 8433664]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-15 81920]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-06-15 67584]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
c:\users\Kwong\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
_uninst_38249947.lnk - c:\users\Kwong\AppData\Local\Temp\_uninst_38249947.bat [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-4 795936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-08-20 02:14 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-11-20 11:09 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
R1 bmssbsjt;bmssbsjt;c:\windows\system32\drivers\bmssbsjt.sys [x]
R1 hpqefxus;hpqefxus;c:\windows\system32\drivers\hpqefxus.sys [x]
R1 MpKsl09952ef0;MpKsl09952ef0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6F1317CC-F32F-47C2-877C-9CEF790EBE07}\MpKsl09952ef0.sys [x]
R1 MpKsl2e8a59be;MpKsl2e8a59be;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E0F90D9B-F309-4307-8A82-BA15B9C09F73}\MpKsl2e8a59be.sys [x]
R1 MpKsl2fcfde35;MpKsl2fcfde35;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{21327596-CF19-4D15-A9B1-45EB574D0C1D}\MpKsl2fcfde35.sys [x]
R1 MpKsl408b2f9b;MpKsl408b2f9b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0B567FB8-4D86-4BFF-9A17-163FC7F57192}\MpKsl408b2f9b.sys [x]
R1 MpKsl4eb53418;MpKsl4eb53418;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F8D52490-DB9D-4C9E-89DD-761F1276329F}\MpKsl4eb53418.sys [x]
R1 MpKsl5a9698c0;MpKsl5a9698c0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2E6B8E56-4C98-44BB-978F-126DDF489EE6}\MpKsl5a9698c0.sys [x]
R1 MpKsl70fa2d21;MpKsl70fa2d21;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2E8EC2C-5D89-4FD8-87F4-34508D8110B2}\MpKsl70fa2d21.sys [x]
R1 MpKsl7379d252;MpKsl7379d252;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8524117A-0C25-4074-B0BE-59F8379B515A}\MpKsl7379d252.sys [x]
R1 MpKsla42d33f8;MpKsla42d33f8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{58FB0E20-8AC0-4ABA-AB06-5F472DA2AB1A}\MpKsla42d33f8.sys [x]
R1 MpKsla9af59df;MpKsla9af59df;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8FE19317-25D8-4BFE-A882-C9F58E21A502}\MpKsla9af59df.sys [x]
R1 MpKslbcabd8bd;MpKslbcabd8bd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E0F90D9B-F309-4307-8A82-BA15B9C09F73}\MpKslbcabd8bd.sys [x]
R1 MpKslbd4218eb;MpKslbd4218eb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0B567FB8-4D86-4BFF-9A17-163FC7F57192}\MpKslbd4218eb.sys [x]
R1 MpKslbdff761a;MpKslbdff761a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7A6A506F-30CC-465F-8256-8238F93B1C66}\MpKslbdff761a.sys [x]
R1 MpKslc2eabbbc;MpKslc2eabbbc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2CACB8D-E23B-44CF-819D-1A11ACB06587}\MpKslc2eabbbc.sys [x]
R1 MpKslc70a5496;MpKslc70a5496;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0B567FB8-4D86-4BFF-9A17-163FC7F57192}\MpKslc70a5496.sys [x]
R1 MpKslcde93f29;MpKslcde93f29;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{96871914-1955-4A08-8CAE-BD140E578565}\MpKslcde93f29.sys [x]
R1 MpKsld549ee49;MpKsld549ee49;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9B8D1A8E-C8BD-454E-BB12-FA4B6A2D98F5}\MpKsld549ee49.sys [x]
R1 MpKsld56e7856;MpKsld56e7856;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2DD41451-AC02-4026-9716-44778C0525BB}\MpKsld56e7856.sys [x]
R1 MpKsld7826e40;MpKsld7826e40;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CDBC0914-C033-4250-82D4-1D9D0BD5D8A0}\MpKsld7826e40.sys [x]
R1 MpKslda51f98e;MpKslda51f98e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D882D4E8-F44B-4B1F-955F-3A67B82F81CE}\MpKslda51f98e.sys [x]
R1 MpKsldd36b19c;MpKsldd36b19c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{76D42C6A-750D-4CFB-9D26-84EDE6D05D46}\MpKsldd36b19c.sys [x]
R1 MpKsleea75b4b;MpKsleea75b4b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{719A77C1-3449-48B2-B44F-6A0F1561CA85}\MpKsleea75b4b.sys [x]
R1 MpKslf72a38a6;MpKslf72a38a6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E3581E4C-146E-4A71-B87A-E9E637D2B221}\MpKslf72a38a6.sys [x]
R1 MpKslf73c62d6;MpKslf73c62d6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0556EA28-BDBB-411D-8DBD-F8685EF40815}\MpKslf73c62d6.sys [x]
R1 oftbtanm;oftbtanm;c:\windows\system32\drivers\oftbtanm.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 135664]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-11-03 2152152]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 135664]
R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-26 179712]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 06107422
*NewlyCreated* - 38249947
*NewlyCreated* - MPKSL4340B97E
*NewlyCreated* - MPKSLAD1B5829
*NewlyCreated* - MPKSLFE8601B7
*NewlyCreated* - UTE2NTU4
*Deregistered* - Lavasoft Kernexplorer
*Deregistered* - MpKsl4340b97e
*Deregistered* - MpKslfe8601b7
*Deregistered* - TrueSight
*Deregistered* - ute2ntu4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 09:40]
.
2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 09:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: bankofamerica.com\bills
Trusted Zone: lorexddns.net\cpcoakland
TCP: DhcpNameServer = 10.1.10.1
TCP: Interfaces\{14731478-248E-4EB2-9108-8C2C748D6A10}: NameServer = 172.18.7.170 172.18.7.170
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {9A74E90C-0233-4E1F-8EA1-105991C6FA12} - hxxp://108.200.50.71/webviewer.cab
FF - ProfilePath - c:\users\Kwong\AppData\Roaming\Mozilla\Firefox\Profiles\zhip3ise.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Kwong\AppData\Local\Temp\nci.dll
HKLM-Run-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-20 13:11
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-12-20 13:14:07
ComboFix-quarantined-files.txt 2011-12-20 21:14
ComboFix2.txt 2009-04-16 00:01
ComboFix3.txt 2009-04-13 22:22
ComboFix4.txt 2009-04-10 22:11
.
Pre-Run: 6,556,098,560 bytes free
Post-Run: 8,342,622,208 bytes free
.
- - End Of File - - E109C106B0D4F516E83D1558E248A3B5
#12 Render (Trusted Helper, Malware Removal, 4,195 posts)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\bmssbsjt.sys
c:\windows\system32\drivers\hpqefxus.sys
c:\windows\system32\drivers\oftbtanm.sys

Driver::
bmssbsjt
hpqefxus
oftbtanm


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
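A triage pass over the ComboFix output in post #11, written as an added example for this thread (it is not ComboFix's, RogueKiller's or the helper's code). It parses the R*/S* service lines and the TCP: DNS lines that ComboFix prints, flags the drivers whose file is gone ([x]) and whose service name is a bare run of lowercase letters, flags the static per-interface NameServer that DHCP did not hand out (the same address RogueKiller reported earlier in the thread), and emits a CFScript in the File:: / Driver:: layout from post #12. The lowercase-letters rule and the drivers-directory check are this example's own assumptions, not anything ComboFix defines; on the excerpt below, copied from the posted log, they yield the same three drivers the helper scripted, and the path check leaves the MpKsl* definition-update stubs alone.

```python
"""
Triage helper for a ComboFix log excerpt.

Added example for this thread, not part of ComboFix or of the helper's
instructions. It reads the "R1 name;display;path [tail]" service lines and
the "TCP:" DNS lines that ComboFix prints, flags kernel drivers whose file
is missing ([x]) and whose service name looks machine generated, flags a
static per-interface NameServer that DHCP did not hand out, and writes a
CFScript in the File:: / Driver:: layout used in the thread.

Assumed heuristic: a service named by 6 to 12 lowercase letters, whose
binary under the system32 drivers directory is gone, is a candidate.
"""
import re

# Constructed excerpt: lines copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
R1 bmssbsjt;bmssbsjt;c:\windows\system32\drivers\bmssbsjt.sys [x]
R1 hpqefxus;hpqefxus;c:\windows\system32\drivers\hpqefxus.sys [x]
R1 MpKsl09952ef0;MpKsl09952ef0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6F1317CC-F32F-47C2-877C-9CEF790EBE07}\MpKsl09952ef0.sys [x]
R1 oftbtanm;oftbtanm;c:\windows\system32\drivers\oftbtanm.sys [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-26 179712]
R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [x]
TCP: DhcpNameServer = 10.1.10.1
TCP: Interfaces\{14731478-248E-4EB2-9108-8C2C748D6A10}: NameServer = 172.18.7.170 172.18.7.170
"""

# "R1 name;display;path [x]": a tail of "x" means ComboFix could not find the file.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<tail>[^\]]*)\]$"
)
DHCP_RE = re.compile(r"^TCP: DhcpNameServer = (?P<servers>.+)$")
IFACE_RE = re.compile(r"^TCP: Interfaces\\(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.+)$")
RANDOM_NAME_RE = re.compile(r"[a-z]{6,12}")          # assumed heuristic, see docstring
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"


def parse_services(log_text):
    """One dict per R*/S* line: start type, service name, image path, file_missing."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append({
                "start": m.group("start"),
                "name": m.group("name"),
                "path": m.group("path"),
                "file_missing": m.group("tail") == "x",
            })
    return services


def suspicious_drivers(services):
    """Candidates for removal: file gone, located in the drivers directory, and a
    name that is a bare run of lowercase letters. The path test keeps the MpKsl*
    definition-update stubs (under ProgramData) out of the list."""
    return [
        s for s in services
        if s["file_missing"]
        and s["path"].lower().startswith(DRIVERS_DIR)
        and RANDOM_NAME_RE.fullmatch(s["name"])
    ]


def dns_findings(log_text):
    """Per-interface static NameServer addresses that DHCP did not hand out,
    as (interface GUID, [addresses]) with duplicates collapsed."""
    dhcp = set()
    static = []
    for line in log_text.splitlines():
        m = DHCP_RE.match(line.strip())
        if m:
            dhcp.update(m.group("servers").split())
            continue
        m = IFACE_RE.match(line.strip())
        if m:
            static.append((m.group("guid"), m.group("servers").split()))
    findings = []
    for guid, servers in static:
        foreign = []
        for addr in servers:
            if addr not in dhcp and addr not in foreign:
                foreign.append(addr)
        if foreign:
            findings.append((guid, foreign))
    return findings


def build_cfscript(drivers):
    """CFScript text: File:: lists the images to delete, Driver:: the services."""
    lines = ["File::"] + [d["path"] for d in drivers]
    lines += ["", "Driver::"] + [d["name"] for d in drivers]
    return "\n".join(lines) + "\n"


def triage(log_text):
    drivers = suspicious_drivers(parse_services(log_text))
    return {
        "drivers": [d["name"] for d in drivers],
        "dns": dns_findings(log_text),
        "cfscript": build_cfscript(drivers),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["cfscript"])
    for guid, addrs in result["dns"]:
        print(f"Interface {guid}: static NameServer {' '.join(addrs)} not supplied by DHCP")
```

The candidate list is for a person to confirm before it becomes a script: ComboFix deletes whatever File:: names, and a legitimate driver whose binary went missing for some other reason would match the same rule. The DNS finding is reported rather than fixed because the thread's own tool output says to clear that entry with a DNS fix step, not with a CFScript.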
#13 redleader74 (Member, Topic Starter, 165 posts)
Ok, here's the log. However, there are some issues. After running ComboFix as last instructed, there are now some issues with the system. For instance, when I try to launch programs by clicking on their shortcut buttons in the toolbar at the bottom of the screen as I usually do, I get an error message:

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE Illegal operation attempted on a registry key that has been marked for deletion"

I have to right-click on the button and select Run as administrator in order to launch things. Also, the mouse buttons are now reversed (well, back to normal actually, as usually my buttons are reversed from the standard settings). So I'm wondering what happened and what other changes/issues are now lurking in the system as a result of the last ComboFix run.

Anyway, here's the log:

[ComboFix log: identical copy of the log already posted in #11 above]

#14 Render (Trusted Helper, Malware Removal, 4,195 posts)
CF reset some settings to default. If you have problems with some applications you should reinstall them.

This is previous CF log. Please post the latest one.

#15 redleader74 (Topic Starter, Member, 165 posts)
Ok, the new log is below.

As for the error message I'm getting regarding "illegal operation attempted", I'm getting that message on every button/shortcut for every program/app on the machine. I'm also getting it when trying to double click on files to open them in windows explorer. It seems like it's a shortcut/quick launch related issue.


ComboFix 11-12-20.04 - Kwong 12/20/2011 14:43:12.5.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2045.1030 [GMT -8:00]

Running from: c:\users\Kwong\Desktop\Combo-Fix.exe

Command switches used :: c:\users\Kwong\Desktop\CFScript.txt

.

FILE ::

"c:\windows\system32\drivers\bmssbsjt.sys"

"c:\windows\system32\drivers\hpqefxus.sys"

"c:\windows\system32\drivers\oftbtanm.sys"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_bmssbsjt

-------\Service_hpqefxus

-------\Service_oftbtanm

.

.

((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))

.

.

2011-12-20 22:52 . 2011-12-20 22:52 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{936645E6-2645-4FEA-B6A0-168F9C67F99F}\MpKsl258d4ff4.sys

2011-12-20 22:52 . 2011-12-20 22:52 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{936645E6-2645-4FEA-B6A0-168F9C67F99F}\offreg.dll

2011-12-20 22:50 . 2011-12-20 22:55 -------- d-----w- c:\users\Kwong\AppData\Local\temp

2011-12-20 22:50 . 2011-12-20 22:50 -------- d-----w- c:\users\Visitor\AppData\Local\temp

2011-12-20 22:50 . 2011-12-20 22:50 -------- d-----w- c:\users\TEMP\AppData\Local\temp

2011-12-20 22:50 . 2011-12-20 22:50 -------- d-----w- c:\users\TEMP.KC03\AppData\Local\temp

2011-12-20 22:50 . 2011-12-20 22:50 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-12-20 09:03 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{936645E6-2645-4FEA-B6A0-168F9C67F99F}\mpengine.dll

2011-12-18 08:10 . 2011-12-18 08:15 -------- d-----w- c:\program files\Dell Support Center

2011-12-16 10:01 . 2011-12-16 10:01 -------- d-----w- c:\programdata\Kaspersky Lab

2011-12-14 09:02 . 2011-12-14 09:02 -------- d-----w- c:\users\Kwong\AppData\Local\Apple

2011-12-12 10:24 . 2011-12-20 20:15 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2011-12-12 09:53 . 2011-12-20 09:32 -------- d-----w- c:\users\Kwong\AppData\Local\Adobe

2011-12-06 05:06 . 2011-12-15 10:29 -------- d-----w- c:\users\Kwong\AppData\Local\CutePDF Writer

2011-11-24 18:29 . 2011-11-24 18:29 -------- d-----w- c:\program files\Lavasoft

2011-11-24 18:18 . 2011-11-24 18:18 -------- d-----w- c:\users\Kwong\AppData\Local\Apps

2011-11-24 18:04 . 2011-11-24 18:04 -------- d-----w- c:\users\Kwong\AppData\Local\Broadcom

2011-11-24 02:13 . 2011-12-20 09:16 -------- d-----w- c:\users\Kwong\AppData\Local\Apple Computer

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-21 10:47 . 2011-05-29 09:48 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-11-16 11:48 . 2011-07-11 14:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Kwong\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Kwong\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]

"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1029416]

"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-06-15 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-15 8433664]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-15 81920]

"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-06-15 67584]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

.

c:\users\Kwong\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

_uninst_38249947.lnk - c:\users\Kwong\AppData\Local\Temp\_uninst_38249947.bat [N/A]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-4 795936]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-08-20 02:14 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk

backup=c:\windows\pss\QuickSet.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-11-20 11:09 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

.

R1 MpKsl09952ef0;MpKsl09952ef0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6F1317CC-F32F-47C2-877C-9CEF790EBE07}\MpKsl09952ef0.sys [x]

R1 MpKsl2e8a59be;MpKsl2e8a59be;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E0F90D9B-F309-4307-8A82-BA15B9C09F73}\MpKsl2e8a59be.sys [x]

R1 MpKsl2fcfde35;MpKsl2fcfde35;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{21327596-CF19-4D15-A9B1-45EB574D0C1D}\MpKsl2fcfde35.sys [x]

R1 MpKsl408b2f9b;MpKsl408b2f9b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0B567FB8-4D86-4BFF-9A17-163FC7F57192}\MpKsl408b2f9b.sys [x]

R1 MpKsl4eb53418;MpKsl4eb53418;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F8D52490-DB9D-4C9E-89DD-761F1276329F}\MpKsl4eb53418.sys [x]

R1 MpKsl5a9698c0;MpKsl5a9698c0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2E6B8E56-4C98-44BB-978F-126DDF489EE6}\MpKsl5a9698c0.sys [x]

R1 MpKsl70fa2d21;MpKsl70fa2d21;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2E8EC2C-5D89-4FD8-87F4-34508D8110B2}\MpKsl70fa2d21.sys [x]

R1 MpKsl7379d252;MpKsl7379d252;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8524117A-0C25-4074-B0BE-59F8379B515A}\MpKsl7379d252.sys [x]

R1 MpKsla42d33f8;MpKsla42d33f8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{58FB0E20-8AC0-4ABA-AB06-5F472DA2AB1A}\MpKsla42d33f8.sys [x]

R1 MpKsla9af59df;MpKsla9af59df;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8FE19317-25D8-4BFE-A882-C9F58E21A502}\MpKsla9af59df.sys [x]

R1 MpKslad1b5829;MpKslad1b5829;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{936645E6-2645-4FEA-B6A0-168F9C67F99F}\MpKslad1b5829.sys [x]

R1 MpKslbcabd8bd;MpKslbcabd8bd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E0F90D9B-F309-4307-8A82-BA15B9C09F73}\MpKslbcabd8bd.sys [x]

R1 MpKslbd4218eb;MpKslbd4218eb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0B567FB8-4D86-4BFF-9A17-163FC7F57192}\MpKslbd4218eb.sys [x]

R1 MpKslbdff761a;MpKslbdff761a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7A6A506F-30CC-465F-8256-8238F93B1C66}\MpKslbdff761a.sys [x]

R1 MpKslc2eabbbc;MpKslc2eabbbc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2CACB8D-E23B-44CF-819D-1A11ACB06587}\MpKslc2eabbbc.sys [x]

R1 MpKslc70a5496;MpKslc70a5496;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0B567FB8-4D86-4BFF-9A17-163FC7F57192}\MpKslc70a5496.sys [x]

R1 MpKslcde93f29;MpKslcde93f29;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{96871914-1955-4A08-8CAE-BD140E578565}\MpKslcde93f29.sys [x]

R1 MpKsld549ee49;MpKsld549ee49;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9B8D1A8E-C8BD-454E-BB12-FA4B6A2D98F5}\MpKsld549ee49.sys [x]

R1 MpKsld56e7856;MpKsld56e7856;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2DD41451-AC02-4026-9716-44778C0525BB}\MpKsld56e7856.sys [x]

R1 MpKsld7826e40;MpKsld7826e40;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CDBC0914-C033-4250-82D4-1D9D0BD5D8A0}\MpKsld7826e40.sys [x]

R1 MpKslda51f98e;MpKslda51f98e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D882D4E8-F44B-4B1F-955F-3A67B82F81CE}\MpKslda51f98e.sys [x]

R1 MpKsldd36b19c;MpKsldd36b19c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{76D42C6A-750D-4CFB-9D26-84EDE6D05D46}\MpKsldd36b19c.sys [x]

R1 MpKsleea75b4b;MpKsleea75b4b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{719A77C1-3449-48B2-B44F-6A0F1561CA85}\MpKsleea75b4b.sys [x]

R1 MpKslf72a38a6;MpKslf72a38a6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E3581E4C-146E-4A71-B87A-E9E637D2B221}\MpKslf72a38a6.sys [x]

R1 MpKslf73c62d6;MpKslf73c62d6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0556EA28-BDBB-411D-8DBD-F8685EF40815}\MpKslf73c62d6.sys [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 135664]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 135664]

R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [x]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]

S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]

S1 MpKsl258d4ff4;MpKsl258d4ff4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{936645E6-2645-4FEA-B6A0-168F9C67F99F}\MpKsl258d4ff4.sys [2011-12-20 29904]

S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-11-03 2152152]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-26 179712]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPKSL258D4FF4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

bthsvcs REG_MULTI_SZ BthServ

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 09:40]

.

2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 09:40]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Trusted Zone: bankofamerica.com\bills

Trusted Zone: lorexddns.net\cpcoakland

TCP: DhcpNameServer = 10.1.10.1

TCP: Interfaces\{14731478-248E-4EB2-9108-8C2C748D6A10}: NameServer = 172.18.7.170 172.18.7.170

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB

DPF: {9A74E90C-0233-4E1F-8EA1-105991C6FA12} - hxxp://108.200.50.71/webviewer.cab

FF - ProfilePath - c:\users\Kwong\AppData\Roaming\Mozilla\Firefox\Profiles\zhip3ise.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=

.

.

**************************************************************************

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]

"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(1496)

c:\users\Kwong\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll

c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\windows\system32\WLANExt.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\Maxtor\Sync\SyncServices.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\STacSV.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

.

**************************************************************************

.

Completion time: 2011-12-20 15:01:39 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-20 23:01

ComboFix2.txt 2009-04-16 00:01

ComboFix3.txt 2009-04-13 22:22

ComboFix4.txt 2009-04-10 22:11

.

Pre-Run: 8,369,807,360 bytes free

Post-Run: 7,401,893,888 bytes free

.

- - End Of File - - E33F74FABC9FE8381200335F75AF50C4
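Added example, not part of this thread and not code from ComboFix or its author: a small Python triage pass over the kind of lines both ComboFix logs above contain. It flags the indicators the helper was acting on in the CFScript and the orphan list: autostart entries that point into a per-user Temp folder (the _uninst .bat startup link and the orphaned nci.dll overlay handler), the three eight-letter driver services removed by the script, a per-interface static NameServer that differs from the DHCP-supplied resolver in the Supplementary Scan, and an ActiveX DPF download from a bare IP address. The sample lines are a constructed excerpt modelled on the posted logs; the heuristics (eight lowercase letters with at most two vowels, Temp-directory paths, bare-IP hosts) are this example's own assumptions, not rules ComboFix applies.

```python
"""Triage ComboFix-style log lines for rogue-AV / DNS-hijack indicators.

Added example (not from the forum thread or from ComboFix). SAMPLE_LOG is a
constructed excerpt modelled on the posted logs; every heuristic below is this
example's own assumption and produces items for review, not for removal.
"""
import re
from ipaddress import ip_address

# Constructed excerpt: loading points, service/driver lines, DNS and DPF lines.
SAMPLE_LOG = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
_uninst_38249947.lnk - c:\users\Kwong\AppData\Local\Temp\_uninst_38249947.bat [N/A]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-4 795936]
R1 MpKsl09952ef0;MpKsl09952ef0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6F1317CC-F32F-47C2-877C-9CEF790EBE07}\MpKsl09952ef0.sys [x]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-26 179712]
-------\Service_bmssbsjt
-------\Service_hpqefxus
TCP: DhcpNameServer = 10.1.10.1
TCP: Interfaces\{14731478-248E-4EB2-9108-8C2C748D6A10}: NameServer = 172.18.7.170 172.18.7.170
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {9A74E90C-0233-4E1F-8EA1-105991C6FA12} - hxxp://108.200.50.71/webviewer.cab
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Kwong\AppData\Local\Temp\nci.dll
"""

# A Windows path ending in an executable-type extension, as ComboFix prints them.
PATH_RE = re.compile(r'[a-z]:\\[^"\[\];]*?\.(?:exe|dll|bat|scr|sys|cmd|vbs)\b', re.I)
# "R1 name;...", "S3 name;..." service lines and "-------\Service_name" deletion records.
SERVICE_RE = re.compile(r'^(?:[RS]\d\s+|-------\\Service_)([^;\s]+)')
DNS_DHCP_RE = re.compile(r'DhcpNameServer = (.+)$')
DNS_STATIC_RE = re.compile(r'Interfaces\\\{[0-9A-F-]+\}: NameServer = (.+)$', re.I)
# DPF entries are defanged (hxxp/hxxps) in the log; capture the host part only.
DPF_RE = re.compile(r'^DPF: .* - hxxps?://([^/]+)/', re.I)


def suspicious_path(path):
    """Executable living directly in a per-user ...\\AppData\\Local\\Temp folder."""
    directory = path.rsplit('\\', 1)[0].lower()
    return directory.endswith('\\appdata\\local\\temp')


def looks_random(name):
    """Heuristic: eight lowercase letters with at most two vowels.

    bmssbsjt, hpqefxus and oftbtanm all match; b57nd60x and MpKsl... do not.
    """
    return re.fullmatch(r'[a-z]{8}', name) is not None and sum(c in 'aeiou' for c in name) <= 2


def triage(log_text):
    """Return (category, line) pairs for every line that trips a heuristic."""
    findings = []
    dhcp_servers = set()
    static_entries = []
    for line in log_text.splitlines():
        for path in PATH_RE.findall(line):
            if suspicious_path(path):
                findings.append(('temp_path_autostart', line))
        m = SERVICE_RE.match(line)
        if m and looks_random(m.group(1)):
            findings.append(('random_driver_name', line))
        m = DNS_DHCP_RE.search(line)
        if m:
            dhcp_servers.update(m.group(1).split())
        m = DNS_STATIC_RE.search(line)
        if m:
            static_entries.append((line, m.group(1).split()))
        m = DPF_RE.match(line)
        if m:
            try:
                ip_address(m.group(1))
            except ValueError:
                pass  # hostname, not a bare IP literal
            else:
                findings.append(('activex_from_bare_ip', line))
    # A per-interface static resolver is only interesting when it is not the DHCP one.
    for line, servers in static_entries:
        if not set(servers) <= dhcp_servers:
            findings.append(('static_dns_override', line))
    return findings


if __name__ == '__main__':
    for category, line in triage(SAMPLE_LOG):
        print(f'{category:22} {line}')
```

The static NameServer rule is the one worth keeping an eye on with this family: a per-interface override in the Tcpip Parameters key survives killing the process and deleting the executable, so a log that still shows a resolver different from DhcpNameServer after cleanup means the redirection persists even though the rogue UI is gone. A static resolver can also be legitimate (a corporate or home DNS server), which is why the script only flags it; compare against the DHCP server before removing it.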