Help Please - Alureon.H

Ok, I admit I've tried some things I'm not supposed to do on my own here, but I consider myself knowledgeable enough that I thought I had a chance. I was hoping to not have to bother anyone else to solve this - but when I found myself considering an HDD format, I thought I would reach out for help first.

MSE detected Alureon.H. I've tried Combofix and Tdsskiller without success. Malwarebytes does not see anything at all.

Symptoms are generally severe sluggishness, and browser redirects. Here are the logs:

DDS.TXT

DDS (Ver_10-03-17.01) - NTFSx86

Run by jokream at 9:09:09.35 on Mon 05/17/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2476 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k eapsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k dot3svc

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\NWTRAY.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Cactus Spam Filter 3.00\cactusspamfilter.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\jokream\Desktop\UNI\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

EB: Google Side Bar: {32004b8a-44a9-43e7-84e9-808838809519} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [com.codeode.cactusspamfilter] "c:\program files\cactus spam filter 3.00\cactusspamfilter.exe" -minimized

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [nwiz] nwiz.exe /install

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [NWTRAY] NWTRAY.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

IE: &Dial with CTI DATA CONNECTOR ENTERPRISE EDITION - file://c:\documents and settings\jokream\application data\cdc\CDCWebDial.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Open PDF in Word (PDF Converter 2.0) - c:\program files\scansoft\pdf converter 2.0 professional\pdfconv\IEShellExt.dll /100

IE: Open with WordPerfect - c:\program files\corelx4\wordperfect office x4\programs\WPLauncher.hta

IE:

LOGS.zip


Please DO NOT run Combofix. ComboFix is an extremely powerful tool and you should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Since you already ran Combofix, I would like to see the log file. Please also attach the TDSSKiller log.

You have been infected with one of the newer TDL3 rootkits, it appears.


Yeah, I guess I deserve that.

I got desperate and caved to my fear I'd lose my machine. I'll wait for your instructions before I do anything else. Nothing I do seems to work anyway.

Thanks for your help by the way.

It seems I didn't run ComboFix on this PC - I can't find the Qoobox directory there. I must have run it on a Laptop I was playing with ideas on.

Here is the TDSSKiller log:

12:03:25:437 3144 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04

12:03:25:437 3144 ================================================================================

12:03:25:437 3144 SystemInfo:

12:03:25:437 3144 OS Version: 5.1.2600 ServicePack: 3.0

12:03:25:437 3144 Product type: Workstation

12:03:25:437 3144 ComputerName: JKREAM

12:03:25:437 3144 UserName: jokream

12:03:25:437 3144 Windows directory: C:\WINDOWS

12:03:25:437 3144 Processor architecture: Intel x86

12:03:25:437 3144 Number of processors: 4

12:03:25:437 3144 Page size: 0x1000

12:03:25:437 3144 Boot type: Normal boot

12:03:25:437 3144 ================================================================================

12:03:25:437 3144 UnloadDriverW: NtUnloadDriver error 2

12:03:25:437 3144 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

12:03:25:515 3144 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

12:03:25:515 3144 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

12:03:25:515 3144 wfopen_ex: Trying to KLMD file open

12:03:25:515 3144 wfopen_ex: File opened ok (Flags 2)

12:03:25:515 3144 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

12:03:25:515 3144 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

12:03:25:515 3144 wfopen_ex: Trying to KLMD file open

12:03:25:515 3144 wfopen_ex: File opened ok (Flags 2)

12:03:25:515 3144 Initialize success

12:03:25:515 3144

12:03:25:515 3144 Scanning Services ...

12:03:25:953 3144 Raw services enum returned 381 services

12:03:25:968 3144

12:03:25:968 3144 Scanning Kernel memory ...

12:03:25:968 3144 Devices to scan: 4

12:03:25:968 3144

12:03:25:968 3144 Driver Name: Disk

12:03:25:968 3144 IRP_MJ_CREATE : F763DBB0

12:03:25:968 3144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759

12:03:25:968 3144 IRP_MJ_CLOSE : F763DBB0

12:03:25:968 3144 IRP_MJ_READ : F7637D1F

12:03:25:968 3144 IRP_MJ_WRITE : F7637D1F

12:03:25:968 3144 IRP_MJ_QUERY_INFORMATION : 804F9759

12:03:25:968 3144 IRP_MJ_SET_INFORMATION : 804F9759

12:03:25:968 3144 IRP_MJ_QUERY_EA : 804F9759

12:03:25:968 3144 IRP_MJ_SET_EA : 804F9759

12:03:25:968 3144 IRP_MJ_FLUSH_BUFFERS : F76382E2

12:03:25:968 3144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759

12:03:25:968 3144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759

12:03:25:984 3144 IRP_MJ_DIRECTORY_CONTROL : 804F9759

12:03:25:984 3144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759

12:03:25:984 3144 IRP_MJ_DEVICE_CONTROL : F76383BB

12:03:25:984 3144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28

12:03:25:984 3144 IRP_MJ_SHUTDOWN : F76382E2

12:03:25:984 3144 IRP_MJ_LOCK_CONTROL : 804F9759

12:03:25:984 3144 IRP_MJ_CLEANUP : 804F9759

12:03:25:984 3144 IRP_MJ_CREATE_MAILSLOT : 804F9759

12:03:25:984 3144 IRP_MJ_QUERY_SECURITY : 804F9759

12:03:25:984 3144 IRP_MJ_SET_SECURITY : 804F9759

12:03:25:984 3144 IRP_MJ_POWER : F7639C82

12:03:25:984 3144 IRP_MJ_SYSTEM_CONTROL : F763E99E

12:03:25:984 3144 IRP_MJ_DEVICE_CHANGE : 804F9759

12:03:25:984 3144 IRP_MJ_QUERY_QUOTA : 804F9759

12:03:25:984 3144 IRP_MJ_SET_QUOTA : 804F9759

12:03:26:015 3144 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

12:03:26:015 3144

12:03:26:015 3144 Driver Name: USBSTOR

12:03:26:015 3144 IRP_MJ_CREATE : F77B4218

12:03:26:015 3144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759

12:03:26:015 3144 IRP_MJ_CLOSE : F77B4218

12:03:26:015 3144 IRP_MJ_READ : F77B423C

12:03:26:015 3144 IRP_MJ_WRITE : F77B423C

12:03:26:015 3144 IRP_MJ_QUERY_INFORMATION : 804F9759

12:03:26:015 3144 IRP_MJ_SET_INFORMATION : 804F9759

12:03:26:015 3144 IRP_MJ_QUERY_EA : 804F9759

12:03:26:015 3144 IRP_MJ_SET_EA : 804F9759

12:03:26:015 3144 IRP_MJ_FLUSH_BUFFERS : 804F9759

12:03:26:015 3144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759

12:03:26:015 3144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759

12:03:26:015 3144 IRP_MJ_DIRECTORY_CONTROL : 804F9759

12:03:26:015 3144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759

12:03:26:015 3144 IRP_MJ_DEVICE_CONTROL : F77B4180

12:03:26:015 3144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F77AF9E6

12:03:26:015 3144 IRP_MJ_SHUTDOWN : 804F9759

12:03:26:015 3144 IRP_MJ_LOCK_CONTROL : 804F9759

12:03:26:015 3144 IRP_MJ_CLEANUP : 804F9759

12:03:26:015 3144 IRP_MJ_CREATE_MAILSLOT : 804F9759

12:03:26:015 3144 IRP_MJ_QUERY_SECURITY : 804F9759

12:03:26:015 3144 IRP_MJ_SET_SECURITY : 804F9759

12:03:26:015 3144 IRP_MJ_POWER : F77B35F0

12:03:26:015 3144 IRP_MJ_SYSTEM_CONTROL : F77B1A6E

12:03:26:015 3144 IRP_MJ_DEVICE_CHANGE : 804F9759

12:03:26:015 3144 IRP_MJ_QUERY_QUOTA : 804F9759

12:03:26:015 3144 IRP_MJ_SET_QUOTA : 804F9759

12:03:26:031 3144 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

12:03:26:031 3144

12:03:26:031 3144 Driver Name: Disk

12:03:26:031 3144 IRP_MJ_CREATE : F763DBB0

12:03:26:031 3144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759

12:03:26:031 3144 IRP_MJ_CLOSE : F763DBB0

12:03:26:031 3144 IRP_MJ_READ : F7637D1F

12:03:26:031 3144 IRP_MJ_WRITE : F7637D1F

12:03:26:031 3144 IRP_MJ_QUERY_INFORMATION : 804F9759

12:03:26:031 3144 IRP_MJ_SET_INFORMATION : 804F9759

12:03:26:031 3144 IRP_MJ_QUERY_EA : 804F9759

12:03:26:031 3144 IRP_MJ_SET_EA : 804F9759

12:03:26:031 3144 IRP_MJ_FLUSH_BUFFERS : F76382E2

12:03:26:031 3144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759

12:03:26:031 3144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759

12:03:26:031 3144 IRP_MJ_DIRECTORY_CONTROL : 804F9759

12:03:26:031 3144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759

12:03:26:031 3144 IRP_MJ_DEVICE_CONTROL : F76383BB

12:03:26:031 3144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28

12:03:26:031 3144 IRP_MJ_SHUTDOWN : F76382E2

12:03:26:031 3144 IRP_MJ_LOCK_CONTROL : 804F9759

12:03:26:031 3144 IRP_MJ_CLEANUP : 804F9759

12:03:26:031 3144 IRP_MJ_CREATE_MAILSLOT : 804F9759

12:03:26:031 3144 IRP_MJ_QUERY_SECURITY : 804F9759

12:03:26:031 3144 IRP_MJ_SET_SECURITY : 804F9759

12:03:26:031 3144 IRP_MJ_POWER : F7639C82

12:03:26:031 3144 IRP_MJ_SYSTEM_CONTROL : F763E99E

12:03:26:031 3144 IRP_MJ_DEVICE_CHANGE : 804F9759

12:03:26:031 3144 IRP_MJ_QUERY_QUOTA : 804F9759

12:03:26:031 3144 IRP_MJ_SET_QUOTA : 804F9759

12:03:26:031 3144 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

12:03:26:031 3144

12:03:26:031 3144 Driver Name: atapi

12:03:26:031 3144 IRP_MJ_CREATE : 8A149EE4

12:03:26:031 3144 IRP_MJ_CREATE_NAMED_PIPE : 8A149EE4

12:03:26:031 3144 IRP_MJ_CLOSE : 8A149EE4

12:03:26:031 3144 IRP_MJ_READ : 8A149EE4

12:03:26:031 3144 IRP_MJ_WRITE : 8A149EE4

12:03:26:031 3144 IRP_MJ_QUERY_INFORMATION : 8A149EE4

12:03:26:031 3144 IRP_MJ_SET_INFORMATION : 8A149EE4

12:03:26:031 3144 IRP_MJ_QUERY_EA : 8A149EE4

12:03:26:031 3144 IRP_MJ_SET_EA : 8A149EE4

12:03:26:031 3144 IRP_MJ_FLUSH_BUFFERS : 8A149EE4

12:03:26:031 3144 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A149EE4

12:03:26:031 3144 IRP_MJ_SET_VOLUME_INFORMATION : 8A149EE4

12:03:26:031 3144 IRP_MJ_DIRECTORY_CONTROL : 8A149EE4

12:03:26:031 3144 IRP_MJ_FILE_SYSTEM_CONTROL : 8A149EE4

12:03:26:031 3144 IRP_MJ_DEVICE_CONTROL : 8A149EE4

12:03:26:031 3144 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A149EE4

12:03:26:031 3144 IRP_MJ_SHUTDOWN : 8A149EE4

12:03:26:031 3144 IRP_MJ_LOCK_CONTROL : 8A149EE4

12:03:26:031 3144 IRP_MJ_CLEANUP : 8A149EE4

12:03:26:031 3144 IRP_MJ_CREATE_MAILSLOT : 8A149EE4

12:03:26:031 3144 IRP_MJ_QUERY_SECURITY : 8A149EE4

12:03:26:031 3144 IRP_MJ_SET_SECURITY : 8A149EE4

12:03:26:031 3144 IRP_MJ_POWER : 8A149EE4

12:03:26:031 3144 IRP_MJ_SYSTEM_CONTROL : 8A149EE4

12:03:26:031 3144 IRP_MJ_DEVICE_CHANGE : 8A149EE4

12:03:26:031 3144 IRP_MJ_QUERY_QUOTA : 8A149EE4

12:03:26:031 3144 IRP_MJ_SET_QUOTA : 8A149EE4

12:03:26:031 3144 Driver "atapi" infected by TDSS rootkit!

12:03:26:062 3144 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1

12:03:26:062 3144 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...

12:03:26:062 3144 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys

12:03:26:062 3144 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3

12:03:26:343 3144 vfvi6

12:03:26:453 3144 !dsvbh1

12:03:27:046 3144 dsvbh2

12:03:27:046 3144 fdfb2

12:03:27:046 3144 Backup copy found, using it..

12:03:27:093 3144 will be cured on next reboot

12:03:27:109 3144 Reboot required for cure complete..

12:03:27:140 3144 Cure on reboot scheduled successfully

12:03:27:140 3144

12:03:27:140 3144 Completed

12:03:27:140 3144

12:03:27:140 3144 Results:

12:03:27:140 3144 Memory objects infected / cured / cured on reboot: 1 / 0 / 0

12:03:27:140 3144 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

12:03:27:140 3144 File objects infected / cured / cured on reboot: 1 / 0 / 1

12:03:27:140 3144

12:03:27:140 3144 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

12:03:27:140 3144 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

12:03:27:156 3144 UnloadDriverW: NtUnloadDriver error 1

12:03:27:156 3144 KLMD(ARK) unloaded successfully

Thanks again for any help you can provide,

Jon

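What the helper is reading off the TDSSKiller log above is the dispatch table of the "atapi" driver: every IRP_MJ entry resolves to the same address (8A149EE4), whereas a clean driver such as "Disk" shows several distinct handlers plus the kernel's shared stub for the majors it does not implement. The script below, added here as an editor's example and not code from the thread or from TDSSKiller, parses that log layout and flags a driver whose whole table collapses to one address. The single-address heuristic and the regexes are my assumptions about the format seen above, and the embedded log is a trimmed excerpt of the one Jon posted.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt, trimmed from the TDSSKiller log posted above: one clean
# driver ("Disk") and the one TDSSKiller reported as hooked ("atapi").
SAMPLE_LOG = r"""
12:03:25:968 3144 Driver Name: Disk
12:03:25:968 3144 IRP_MJ_CREATE : F763DBB0
12:03:25:968 3144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
12:03:25:968 3144 IRP_MJ_CLOSE : F763DBB0
12:03:25:968 3144 IRP_MJ_READ : F7637D1F
12:03:25:968 3144 IRP_MJ_WRITE : F7637D1F
12:03:25:984 3144 IRP_MJ_DEVICE_CONTROL : F76383BB
12:03:26:015 3144 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:03:26:031 3144 Driver Name: atapi
12:03:26:031 3144 IRP_MJ_CREATE : 8A149EE4
12:03:26:031 3144 IRP_MJ_CREATE_NAMED_PIPE : 8A149EE4
12:03:26:031 3144 IRP_MJ_CLOSE : 8A149EE4
12:03:26:031 3144 IRP_MJ_READ : 8A149EE4
12:03:26:031 3144 IRP_MJ_WRITE : 8A149EE4
12:03:26:031 3144 IRP_MJ_DEVICE_CONTROL : 8A149EE4
12:03:26:031 3144 Driver "atapi" infected by TDSS rootkit!
12:03:26:062 3144 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
"""

# Line layout assumed from the log above: "hh:mm:ss:ms  pid  message".
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(?P<msg>.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s+(?P<name>\S+)$")
IRP_RE = re.compile(r"^(?P<major>IRP_MJ_[A-Z_]+)\s*:\s*(?P<addr>[0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(?P<path>.+?) - Verdict:\s*(?P<verdict>\d+)$")
INFECTED_RE = re.compile(r'^Driver "(?P<name>[^"]+)" infected by TDSS rootkit!$')


@dataclass
class DriverEntry:
    name: str
    handlers: dict = field(default_factory=dict)   # IRP major -> handler address (int)
    image_path: str = ""
    tool_flagged: bool = False                      # TDSSKiller's own verdict line


def parse_tdsskiller(text):
    """Group IRP dispatch lines under the 'Driver Name:' block they belong to."""
    drivers = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if (d := DRIVER_RE.match(msg)):
            # The same driver can be listed more than once (the log above scans
            # "Disk" twice); merge repeats into one entry.
            current = drivers.setdefault(d.group("name"), DriverEntry(d.group("name")))
        elif current is None:
            continue
        elif (i := IRP_RE.match(msg)):
            current.handlers[i.group("major")] = int(i.group("addr"), 16)
        elif (v := VERDICT_RE.match(msg)):
            current.image_path = v.group("path")
        elif (f := INFECTED_RE.match(msg)) and f.group("name") in drivers:
            drivers[f.group("name")].tool_flagged = True
    return drivers


def find_hooked_drivers(text, min_entries=3):
    """Return [(driver, reason)] for drivers whose dispatch table looks hijacked.

    Heuristic (my assumption, not TDSSKiller's algorithm): a legitimate driver
    implements a handful of majors itself and leaves the rest pointing at the
    kernel's shared invalid-request stub, so its table holds several distinct
    addresses. A table where every major resolves to one identical address
    means all I/O to that device has been routed through a single hook.
    """
    findings = []
    for name, entry in parse_tdsskiller(text).items():
        reasons = []
        addrs = set(entry.handlers.values())
        if len(entry.handlers) >= min_entries and len(addrs) == 1:
            reasons.append("all %d IRP_MJ entries point to %08X"
                           % (len(entry.handlers), addrs.pop()))
        if entry.tool_flagged:
            reasons.append("TDSSKiller itself reported the driver as infected")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, reason in find_hooked_drivers(SAMPLE_LOG):
        print(f"{name}: {reason}")
```

Run against the full log, the same parser would merge the two "Disk" blocks and report only "atapi". The heuristic is deliberately conservative: it says nothing about where a handler address lives, only that a driver with one address for every major has had its whole table replaced, which is exactly the symptom the helper keyed on before asking for the ComboFix and OTL reports.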

See if there's a file called Combofix.txt in your C:\ drive.

First, I need another scan from you.

We need to create an OTL Report

  1. Please download OTL from one of the following mirrors:

  2. Save it to your desktop.

  3. Double click on the OTL icon on your desktop.

  4. Click the "Scan All Users" checkbox.

  5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.

  6. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

/md5start
kbdhid.sys
atapi.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
CREATERESTOREPOINT

  7. Push the Run Scan button.

  8. A report will open. Copy and Paste that report in your next reply.

  9. Two reports will open, copy and paste them in a reply here:

  • OTListIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized


OTL.txt

OTL logfile created on: 5/18/2010 8:17:02 PM - Run 1

OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\jokream\Desktop\UNI

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free

7.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free

Paging file location(s): C:\pagefile.sys 3500 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.50 Gb Total Space | 37.47 Gb Free Space | 50.29% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 832.08 Gb Total Space | 775.94 Gb Free Space | 93.25% Space Free | Partition Type: NWFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive N: | 832.08 Gb Total Space | 775.94 Gb Free Space | 93.25% Space Free | Partition Type: NWFS

Drive Z: | 832.08 Gb Total Space | 775.94 Gb Free Space | 93.25% Space Free | Partition Type: NWFS

Computer Name: JKREAM

Current User Name: jokream

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/18 20:15:16 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jokream\Desktop\UNI\OTL.exe

PRC - [2010/04/14 07:56:08 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2010/02/21 06:03:12 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe

PRC - [2009/12/09 19:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

PRC - [2009/12/09 19:02:36 | 000,202,776 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe

PRC - [2009/11/08 10:59:50 | 001,053,184 | ---- | M] (Codeode) -- C:\Program Files\Cactus Spam Filter 3.00\cactusspamfilter.exe

PRC - [2009/10/07 08:25:15 | 000,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe

PRC - [2009/10/07 08:25:02 | 000,378,176 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe

PRC - [2009/03/05 17:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

PRC - [2008/08/25 10:04:22 | 002,510,848 | ---- | M] () -- N:\CLSINC\WBWIN\WB32.Exe

PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/04/17 14:03:50 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

PRC - [2007/04/17 14:03:50 | 000,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe

PRC - [2005/04/27 15:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe

PRC - [2004/07/21 17:28:02 | 000,413,807 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

PRC - [2004/07/21 17:26:36 | 000,176,241 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

PRC - [2002/09/19 09:24:14 | 000,049,152 | ---- | M] (PEERNET Inc.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\PNSrv6.exe

PRC - [2002/03/12 11:37:28 | 000,028,672 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\nwtray.exe

========== Modules (SafeList) ==========

MOD - [2010/05/18 20:15:16 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jokream\Desktop\UNI\OTL.exe

MOD - [2009/10/07 08:25:03 | 000,083,288 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\LMIRfsClientNP.dll

MOD - [2008/08/27 11:26:18 | 000,536,658 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\novnpnt.dll

MOD - [2008/08/27 11:26:18 | 000,184,320 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\nls\ENGLISH\novnpntr.dll

MOD - [2008/08/27 11:25:08 | 000,245,842 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\mapbase.dll

MOD - [2008/08/27 11:25:08 | 000,106,496 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\nls\ENGLISH\mapbaser.dll

MOD - [2008/08/27 11:23:52 | 000,262,227 | ---- | M] () -- C:\WINDOWS\system32\nwshlxnt.dll

MOD - [2008/08/27 11:23:52 | 000,110,592 | ---- | M] () -- C:\WINDOWS\system32\nls\ENGLISH\nwshlxnr.dll

MOD - [2008/04/13 20:12:10 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wsock32.dll

MOD - [2008/04/13 20:12:02 | 000,245,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui1.dll

MOD - [2008/04/13 20:12:02 | 000,080,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui0.dll

MOD - [2008/04/13 20:12:02 | 000,044,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntlanman.dll

MOD - [2008/04/13 20:12:01 | 000,011,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netrap.dll

MOD - [2008/04/13 20:11:52 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drprov.dll

MOD - [2008/04/13 20:11:51 | 000,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\davclnt.dll

MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

MOD - [2007/05/08 07:51:04 | 000,061,440 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\clxwin32.dll

MOD - [2007/05/08 07:50:48 | 000,217,088 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\netwin32.dll

MOD - [2007/05/08 07:48:32 | 000,208,896 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\calwin32.dll

MOD - [2007/05/08 07:45:56 | 000,212,992 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\ncpwin32.dll

MOD - [2007/05/08 07:45:52 | 000,086,016 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\clnwin32.dll

MOD - [2007/05/08 07:42:38 | 000,143,360 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\locwin32.dll

MOD - [2004/08/02 21:03:00 | 001,437,696 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nview.dll

MOD - [2004/08/02 21:03:00 | 001,019,904 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwimg.dll

MOD - [2004/08/02 21:03:00 | 000,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwddi.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (iPod Service)

SRV - [2010/05/17 13:02:17 | 001,291,544 | ---- | M] (Lavasoft) [Disabled | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)

SRV - [2009/12/09 19:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)

SRV - [2009/10/09 14:53:26 | 000,103,032 | ---- | M] (PGP Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\PGPserv.exe -- (PGPserv)

SRV - [2009/10/07 08:25:15 | 000,116,032 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)

SRV - [2009/05/27 04:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe -- (MSSQLSERVER) SQL Server (MSSQLSERVER)

SRV - [2009/05/27 04:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)

SRV - [2008/11/25 02:31:07 | 000,239,968 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)

SRV - [2008/11/25 02:31:07 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)

SRV - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)

SRV - [2008/08/04 15:59:00 | 000,053,339 | ---- | M] (Novell, Inc.) [Disabled | Stopped] -- C:\WINDOWS\system32\cusrvc.exe -- (cusrvc)

SRV - [2008/04/13 20:12:36 | 000,033,280 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\snmp.exe -- (SNMP)

SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)

SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)

SRV - [2008/04/13 20:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)

SRV - [2007/09/12 17:39:52 | 000,028,672 | ---- | M] (Hewlett-Packard Company) [Disabled | Stopped] -- C:\Program Files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe -- (HPWJAService)

SRV - [2007/04/17 14:03:50 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)

SRV - [2007/02/28 15:54:42 | 000,041,026 | ---- | M] (CA) [Disabled | Stopped] -- C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe -- (CASMsgEngine)

SRV - [2007/02/10 09:29:54 | 029,178,224 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$HPWJA) SQL Server (HPWJA)

SRV - [2005/04/27 15:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)

SRV - [2004/07/21 17:26:36 | 000,176,241 | ---- | M] (American Power Conversion Corporation) [Auto | Running] -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)

========== Driver Services (SafeList) ==========

DRV - [2010/05/06 17:10:20 | 000,068,168 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)

DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)

DRV - [2010/02/04 11:53:02 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)

DRV - [2009/12/02 16:23:40 | 000,149,040 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)

DRV - [2009/10/09 14:53:30 | 000,246,392 | ---- | M] (PGP Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PGPdisk.sys -- (PGPdisk)

DRV - [2009/10/09 14:53:30 | 000,041,080 | ---- | M] (PGP Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PGPsdk.sys -- (PGPsdkDriver)

DRV - [2009/10/09 14:53:26 | 000,215,672 | ---- | M] (PGP Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PGPwded.sys -- (PGPwded)

DRV - [2009/10/09 14:53:26 | 000,136,312 | ---- | M] (PGP Corporation) [File_System | Boot | Running] -- C:\WINDOWS\System32\Drivers\PGPfsfd.sys -- (pgpfs)

DRV - [2009/10/07 08:25:03 | 000,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\LMIRfsClientNP.dll -- (LMIRfsClientNP)

DRV - [2008/10/18 09:31:56 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)

DRV - [2008/08/28 15:00:14 | 000,553,216 | ---- | M] (Novell, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\NetWare\nwfs.sys -- (NetwareWorkstation)

DRV - [2008/08/04 17:17:14 | 000,185,216 | ---- | M] (Novell, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\NetWare\srvloc.sys -- (SRVLOC)

DRV - [2008/08/04 17:06:32 | 000,058,496 | ---- | M] (Novell, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\NetWare\nwsipx32.sys -- (NWSIPX32)

DRV - [2008/07/21 14:45:20 | 000,017,664 | ---- | M] (Novell, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\NetWare\nwfilter.sys -- (NWFILTER)

DRV - [2008/07/21 13:47:04 | 000,029,440 | ---- | M] (Novell, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\NetWare\resmgr.sys -- (RESMGR)

DRV - [2008/07/21 13:39:20 | 000,045,824 | ---- | M] (Novell, Inc.) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\NetWare\nwdns.sys -- (NWDNS)

DRV - [2008/04/13 14:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)

DRV - [2008/04/13 14:36:38 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hidbatt.sys -- (HidBatt)

DRV - [2008/04/04 15:32:46 | 000,020,208 | ---- | M] (Novell, Inc.) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\NetWare\nwslp.sys -- (NWSLP)

DRV - [2008/02/28 15:31:50 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)

DRV - [2008/02/20 21:19:56 | 000,030,816 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)

DRV - [2008/01/08 10:27:32 | 000,038,603 | ---- | M] (Novell, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nicm.sys -- (NICM)

DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)

DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)

DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)

DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)

DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)

DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)

DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)

DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)

DRV - [2006/08/11 11:05:58 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)

DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)

DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)

DRV - [2006/07/21 11:21:26 | 000,099,176 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)

DRV - [2005/11/22 10:51:22 | 000,018,353 | ---- | M] (Novell, Inc.) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\NetWare\nwdhcp.sys -- (NWDHCP)

DRV - [2005/10/12 13:12:18 | 000,009,297 | ---- | M] (Novell, Inc.) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\NetWare\nwhost.sys -- (NWHOST)

DRV - [2005/10/12 13:11:32 | 000,006,128 | ---- | M] (Novell, Inc.) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\NetWare\nwsns.sys -- (NWSNS) Novell Simple Naming Services (NWSNS)

DRV - [2005/08/10 07:48:26 | 000,329,072 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\windrvr6.sys -- (WinDriver6)

DRV - [2004/08/02 21:03:00 | 002,627,328 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)

DRV - [2004/08/02 21:03:00 | 000,007,012 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pmemnt.sys -- (pmem)

DRV - [2004/03/30 19:23:30 | 000,025,244 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aspi32.sys -- (ASPI32)

DRV - [2003/02/26 14:51:18 | 000,023,232 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\NetWare\nwsap.sys -- (NWSAP)

DRV - [2002/07/15 12:43:56 | 000,028,672 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\NHSUSB.dll -- (NHSUSB)

DRV - [2001/08/23 08:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)

DRV - [2001/08/23 08:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)

DRV - [2001/08/22 09:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

IE - HKU\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKU\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found

IE - HKU\S-1-5-21-1644491937-492894223-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1644491937-492894223-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig?hl=en&source=iglk"

FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6

FF - prefs.js..extensions.enabledItems: {B17C1C5A-04B1-11DB-9804-B622A1EF5492}:1.2

FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.68.0

FF - prefs.js..extensions.enabledItems: {E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}:1.4.5

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/14 07:56:20 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/14 07:56:20 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Pale Moon project 3.6.3\extensions\\Components: C:\Program Files\Pale Moon project\components [2010/04/14 12:52:09 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Pale Moon project 3.6.3\extensions\\Plugins: C:\Program Files\Pale Moon project\plugins [2010/04/14 12:52:08 | 000,000,000 | ---D | M]

[2009/12/03 13:38:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Mozilla\Extensions

[2010/03/03 11:14:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\5rnnus1f.default\extensions

[2009/12/03 13:15:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\5rnnus1f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2009/12/03 13:15:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\5rnnus1f.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

[2010/03/03 11:14:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\5rnnus1f.default\extensions\support@lastpass.com

[2010/05/18 09:56:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions

[2010/04/28 08:10:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/04/28 08:10:59 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2009/12/03 14:07:44 | 000,000,000 | ---D | M] (Password Exporter) -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}

[2010/03/23 11:55:10 | 000,000,000 | ---D | M] (Memory Fox) -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}

[2010/04/14 12:52:52 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

[2010/04/28 08:11:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\support@lastpass.com

[2010/05/14 11:55:29 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2008/01/17 13:17:00 | 002,609,152 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npRACtrl.dll

[2007/03/09 19:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll

[2007/08/09 13:08:00 | 000,008,784 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ractrlkeyhook.dll

[2007/08/09 13:10:00 | 000,245,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\unicows.dll

O1 HOSTS File: ([2010/05/14 11:27:37 | 000,394,487 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost


O1 - Hosts: 13648 more lines...

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)

O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)

O4 - HKLM..\Run: [NWTRAY] C:\WINDOWS\System32\nwtray.exe (Novell, Inc.)

O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)

O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)

O4 - HKU\S-1-5-21-1644491937-492894223-682003330-1003..\Run: [com.codeode.cactusspamfilter] C:\Program Files\Cactus Spam Filter 3.00\cactusspamfilter.exe (Codeode)

O4 - HKU\S-1-5-21-1644491937-492894223-682003330-1003..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found

O4 - HKLM..\RunOnceEx: [Title] File not found

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: CompatibleRUPSecurity = 1

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: &Dial with CTI DATA CONNECTOR ENTERPRISE EDITION - C:\Documents and Settings\jokream\Application Data\CDC\CDCWebDial.html ()

O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)

O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - C:\Program Files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\IEShellExt.dll (ScanSoft, Inc.)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\NetWare\nwws2nds.dll (Novell, Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\system32\NetWare\nwws2sap.dll (Novell, Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\WINDOWS\system32\NetWare\nwws2slp.dll (Novell, Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\PGPlsp.dll (PGP Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\System32\PGPlsp.dll (PGP Corporation)

O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Domains: internet ([]about in Trusted sites)

O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Domains: IVIEW-DDNS.COM ([MHL1.DDNS] https in Trusted sites)

O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Domains: lexis.com ([]* in Trusted sites)

O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Domains: lexisnexis.com ([]* in Trusted sites)

O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Domains: lexis-nexis.com ([]* in Trusted sites)

O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Domains: mcafee.com ([]http in Trusted sites)

O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Domains: mcafee.com ([]https in Trusted sites)

O15 - HKU\S-1-5-21-1644491937-492894223-682003330-1003\..Trusted Ranges: Range78 ([http] in Trusted sites)

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} https://components.viewpoint.com/MTSInstall...w.viewpoint.com (Reg Error: Key error.)

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813 (Office Genuine Advantage Validation Tool)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)

O16 - DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} http://65.254.18.46:100/RemoteWeb.cab (Remote200 Control)

O16 - DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} http://65.254.18.46:100/VideoViewer.cab (CViewerControl Object)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1170433613046 (MUWebControl Class)

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan)

O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} https://www.vericheckonline.com/viewer/acti...tivexviewer.cab (Crystal Report Viewer Control)

O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)

O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} http://10.0.0.248/xplugLite.cab (Gif89 Lite Class)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)

O16 - DPF: {D5EBF06F-9BAF-11D0-B12D-00C04FC39CEA} http://www.imagemaster.org/PCA/pawrem.cab (pcANYWHERE Remote)

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1 10.0.0.1 10.0.0.1

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: GinaDLL - (NWGINA.DLL) - C:\WINDOWS\System32\nwgina.dll (Novell, Inc.)

O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)

O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

O30 - LSA: Authentication Packages - (nwv1_0) - C:\WINDOWS\System32\nwv1_0.dll (Novell, Inc.)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2005/12/08 15:24:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2010/03/12 15:26:48 | 000,042,496 | ---- | M] () - Z:\AutoLiaison3.1-Filed.xls -- [ NWFS ]

O32 - AutoRun File - [2010/04/23 10:45:30 | 000,011,593 | ---- | M] () - Z:\AutoLiason2.1-placed-KNKRESPONSE.xlsx -- [ NWFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (17183528496136192)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/17 13:03:29 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys

[2010/05/17 13:03:25 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2010/05/17 12:26:50 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

[2010/05/17 11:39:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\RestoreSafeDeleted

[2010/05/17 11:32:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\My Documents\RegRun2

[2010/05/17 11:32:08 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe

[2010/05/17 10:49:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Desktop\javara

[2010/05/17 08:15:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

[2010/05/17 08:15:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Application Data\SUPERAntiSpyware.com

[2010/05/17 08:15:24 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware

[2010/05/17 08:15:03 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard

[2010/05/14 15:24:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro

[2010/05/14 15:24:06 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5

[2010/05/14 15:17:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Desktop\KILLER

[2010/05/14 11:16:40 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/05/14 11:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp

[2010/05/14 10:30:36 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/05/14 09:21:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/05/13 10:37:28 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/05/13 10:37:25 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/05/13 10:37:25 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/05/12 13:33:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia

[2010/05/12 13:33:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe

[2010/05/12 11:41:10 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\iijedsve.sys

[2010/05/12 08:15:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore

[2010/05/11 09:36:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/05/11 09:36:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/05/04 11:56:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Desktop\7600.16385.090713-1255_x86fre_enterprise_en-us_EVAL_Eval_Enterprise-GRMCENEVAL_EN_DVD

[2010/05/04 11:56:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Application Data\WinRAR

[2010/05/04 11:55:06 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR

[2010/05/04 09:31:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\Performance

[2010/05/04 09:31:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Local Settings\Application Data\Microsoft Corporation

[2010/05/04 09:31:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows 7 Upgrade Advisor

[2010/04/23 14:25:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Application Data\com.codeode

[2010/04/23 14:09:42 | 000,000,000 | ---D | C] -- C:\Program Files\Cactus Spam Filter 3.00

[2010/04/23 14:05:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jokream\Application Data\MailWasherFree

[2010/04/21 11:54:08 | 000,257,088 | ---- | C] (Xceed Software Inc. 1-450-442-2626 info@xceedsoft.com www.xceedsoft.com) -- C:\Documents and Settings\jokream\Desktop\R82265.EXE

[2010/04/21 11:01:24 | 001,180,384 | ---- | C] (Dell, Inc.) -- C:\Documents and Settings\jokream\Desktop\RAID_DRVR_WIN_R99973.EXE

[2010/04/21 10:44:38 | 000,361,666 | ---- | C] (RegNow.com) -- C:\Documents and Settings\jokream\Desktop\Download_DriverDetective-6.3.1.5.exe

[2010/04/21 10:38:10 | 000,077,824 | ---- | C] (Dell, Inc.) -- C:\WINDOWS\System32\DellSPMsg.dll

[2010/04/21 10:35:06 | 001,225,144 | ---- | C] (Dell, Inc.) -- C:\Documents and Settings\jokream\Desktop\RAID_DRVR_WIN_R100373.EXE

[2010/04/21 10:19:24 | 000,161,592 | ---- | C] (Xceed Software Inc. 1-450-442-2626 info@xceedsoft.com www.xceedsoft.com) -- C:\Documents and Settings\jokream\Desktop\R76713.EXE

[2010/04/20 10:28:49 | 000,345,448 | ---- | C] (Corel Corporation) -- C:\Documents and Settings\jokream\Desktop\wplook.exe

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/18 16:03:01 | 000,000,044 | ---- | M] () -- C:\WINDOWS\hpmnwun.ini

[2010/05/18 12:35:03 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\PNTIF6

[2010/05/18 10:54:47 | 000,000,202 | ---- | M] () -- C:\WINDOWS\PrintCon.INI

[2010/05/18 08:39:24 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2010/05/17 15:11:22 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/05/17 15:09:00 | 000,004,598 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml

[2010/05/17 15:08:50 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/05/17 15:05:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/05/17 14:04:56 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\jokream\ntuser.ini

[2010/05/17 14:04:55 | 008,912,896 | -H-- | M] () -- C:\Documents and Settings\jokream\NTUSER.DAT

[2010/05/17 13:03:20 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2010/05/17 12:26:49 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk

[2010/05/17 11:33:24 | 000,002,577 | R--- | M] () -- C:\WINDOWS\System32\CONFIG.NT

[2010/05/17 11:33:24 | 000,001,688 | R--- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT

[2010/05/17 11:33:24 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat

[2010/05/17 10:06:33 | 000,005,697 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\LOGS.zip

[2010/05/17 08:15:33 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

[2010/05/14 21:26:28 | 000,102,904 | ---- | M] () -- C:\Documents and Settings\jokream\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/05/14 21:08:36 | 000,391,976 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/05/14 15:32:01 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys

[2010/05/14 15:31:33 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk

[2010/05/14 15:08:52 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\tdsskiller.zip

[2010/05/14 11:27:37 | 000,394,487 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/05/14 10:55:52 | 000,000,271 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/05/14 10:54:52 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100514-112737.backup

[2010/05/14 10:52:20 | 000,778,922 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/05/14 10:52:20 | 000,624,480 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/05/14 10:52:20 | 000,138,662 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/05/14 10:30:43 | 000,000,292 | RHS- | M] () -- C:\boot.ini

[2010/05/14 09:16:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\jokream\defogger_reenable

[2010/05/13 15:39:44 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\CCleaner.lnk

[2010/05/13 13:13:31 | 000,047,104 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\CHECK.xls

[2010/05/13 10:37:33 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/05/13 09:16:12 | 000,000,666 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\PrintConductor.lnk

[2010/05/12 18:45:43 | 000,000,750 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/05/12 18:45:43 | 000,000,222 | ---- | M] () -- C:\Boot.bak

[2010/05/12 11:41:10 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\iijedsve.sys

[2010/05/12 09:16:50 | 000,288,229 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-L.pdf

[2010/05/12 09:16:41 | 000,143,780 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-K.pdf

[2010/05/12 09:16:30 | 000,507,784 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-J.pdf

[2010/05/12 09:16:15 | 000,144,940 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-I.pdf

[2010/05/12 09:15:56 | 000,543,688 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-H.pdf

[2010/05/12 09:15:45 | 000,197,348 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-G.pdf

[2010/05/12 09:15:39 | 000,271,827 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-F.pdf

[2010/05/12 09:15:19 | 000,109,287 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-E.pdf

[2010/05/12 09:15:13 | 000,151,036 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-D.pdf

[2010/05/12 09:15:06 | 000,315,853 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-C.pdf

[2010/05/12 09:14:45 | 000,298,069 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-B.pdf

[2010/05/12 09:14:27 | 000,274,404 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042-A.pdf

[2010/05/12 09:13:28 | 000,509,747 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\A4042.pdf

[2010/05/12 03:04:10 | 000,000,172 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI

[2010/05/11 10:05:00 | 000,164,352 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\TRAK AMERICA 2010 ACH REPORT11111111111111111111121112 (3).xls

[2010/05/07 13:38:18 | 000,079,715 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\Part4-Agency Formats.pdf

[2010/05/07 13:36:00 | 000,011,870 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\MAP.100427.00002.NB.pdf

[2010/05/07 11:28:07 | 000,548,455 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\ygc.pdf

[2010/05/07 09:48:00 | 000,005,419 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\REKream050310.zip

[2010/05/06 10:36:38 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

[2010/05/06 08:34:57 | 000,002,501 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\WordPerfect 10.lnk

[2010/05/04 11:55:54 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\WinRAR.lnk

[2010/05/04 09:31:17 | 000,001,900 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk

[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/04/28 13:30:32 | 000,001,942 | ---- | M] () -- C:\WINDOWS\KOFAX200.INI

[2010/04/27 14:48:16 | 000,016,983 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\gloria.pdf

[2010/04/27 12:47:20 | 000,304,611 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\digiacomo.pdf

[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe

[2010/04/26 10:27:23 | 002,915,608 | ---- | M] () -- C:\Documents and Settings\jokream\My Documents\SETTLEMENT DOCS.pdf

[2010/04/23 08:34:30 | 000,594,214 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\CU LISTING.pdf

[2010/04/22 14:40:58 | 002,902,052 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\c00189910.pdf

[2010/04/22 09:18:53 | 000,657,361 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\kreamwires2.pdf

[2010/04/22 08:54:19 | 000,046,592 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\Wire Exhibit.doc

[2010/04/21 14:56:00 | 000,130,159 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\win_xp_2k3_32-14.0.0.7a.zip

[2010/04/21 11:54:09 | 022,437,715 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\Bcom_LAN_14.2.0_W2K3_8_A00.exe

[2010/04/21 11:54:04 | 000,257,088 | ---- | M] (Xceed Software Inc. 1-450-442-2626 info@xceedsoft.com www.xceedsoft.com) -- C:\Documents and Settings\jokream\Desktop\R82265.EXE

[2010/04/21 11:01:20 | 001,180,384 | ---- | M] (Dell, Inc.) -- C:\Documents and Settings\jokream\Desktop\RAID_DRVR_WIN_R99973.EXE

[2010/04/21 10:44:35 | 000,361,666 | ---- | M] (RegNow.com) -- C:\Documents and Settings\jokream\Desktop\Download_DriverDetective-6.3.1.5.exe

[2010/04/21 10:35:04 | 001,225,144 | ---- | M] (Dell, Inc.) -- C:\Documents and Settings\jokream\Desktop\RAID_DRVR_WIN_R100373.EXE

[2010/04/21 10:19:23 | 000,161,592 | ---- | M] (Xceed Software Inc. 1-450-442-2626 info@xceedsoft.com www.xceedsoft.com) -- C:\Documents and Settings\jokream\Desktop\R76713.EXE

[2010/04/21 10:14:15 | 000,076,800 | ---- | M] () -- C:\Documents and Settings\jokream\Desktop\perc-cerc-w2k3-6.46.2.32-A05.exe

[2010/04/20 10:28:50 | 000,345,448 | ---- | M] (Corel Corporation) -- C:\Documents and Settings\jokream\Desktop\wplook.exe

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/17 13:09:09 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2010/05/17 12:26:49 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk

[2010/05/17 11:33:24 | 000,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat

[2010/05/17 09:16:14 | 000,005,697 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\LOGS.zip

[2010/05/17 08:15:33 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

[2010/05/14 15:32:00 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys

[2010/05/14 15:24:13 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk

[2010/05/14 15:17:23 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\tdsskiller.zip

[2010/05/14 10:30:42 | 000,000,222 | ---- | C] () -- C:\Boot.bak

[2010/05/14 10:30:37 | 000,260,272 | ---- | C] () -- C:\cmldr

[2010/05/14 09:24:18 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/05/14 09:24:18 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/05/14 09:16:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\jokream\defogger_reenable

[2010/05/13 11:29:32 | 000,047,104 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\CHECK.xls

[2010/05/13 11:18:15 | 000,021,678 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\30004345.xltx

[2010/05/13 10:37:33 | 000,000,714 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/05/13 09:16:12 | 000,000,666 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\PrintConductor.lnk

[2010/05/12 09:16:50 | 000,288,229 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-L.pdf

[2010/05/12 09:16:41 | 000,143,780 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-K.pdf

[2010/05/12 09:16:30 | 000,507,784 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-J.pdf

[2010/05/12 09:16:15 | 000,144,940 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-I.pdf

[2010/05/12 09:15:56 | 000,543,688 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-H.pdf

[2010/05/12 09:15:45 | 000,197,348 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-G.pdf

[2010/05/12 09:15:39 | 000,271,827 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-F.pdf

[2010/05/12 09:15:19 | 000,109,287 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-E.pdf

[2010/05/12 09:15:13 | 000,151,036 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-D.pdf

[2010/05/12 09:15:06 | 000,315,853 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-C.pdf

[2010/05/12 09:14:45 | 000,298,069 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-B.pdf

[2010/05/12 09:14:27 | 000,274,404 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042-A.pdf

[2010/05/12 09:13:28 | 000,509,747 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\A4042.pdf

[2010/05/12 03:04:10 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI

[2010/05/11 10:05:20 | 000,164,352 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\TRAK AMERICA 2010 ACH REPORT11111111111111111111121112 (3).xls

[2010/05/07 13:38:18 | 000,079,715 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\Part4-Agency Formats.pdf

[2010/05/07 13:36:00 | 000,011,870 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\MAP.100427.00002.NB.pdf

[2010/05/07 11:28:07 | 000,548,455 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\ygc.pdf

[2010/05/07 09:48:00 | 000,005,419 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\REKream050310.zip

[2010/05/04 11:55:54 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\WinRAR.lnk

[2010/05/04 09:31:17 | 000,001,900 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk

[2010/04/27 14:48:16 | 000,016,983 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\gloria.pdf

[2010/04/27 12:47:20 | 000,304,611 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\digiacomo.pdf

[2010/04/26 10:27:23 | 002,915,608 | ---- | C] () -- C:\Documents and Settings\jokream\My Documents\SETTLEMENT DOCS.pdf

[2010/04/22 14:40:58 | 002,902,052 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\c00189910.pdf

[2010/04/22 13:53:23 | 000,594,214 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\CU LISTING.pdf

[2010/04/22 09:18:40 | 000,657,361 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\kreamwires2.pdf

[2010/04/21 14:56:00 | 000,130,159 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\win_xp_2k3_32-14.0.0.7a.zip

[2010/04/21 11:53:27 | 022,437,715 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\Bcom_LAN_14.2.0_W2K3_8_A00.exe

[2010/04/21 10:14:19 | 000,076,800 | ---- | C] () -- C:\Documents and Settings\jokream\Desktop\perc-cerc-w2k3-6.46.2.32-A05.exe

[2009/11/13 14:54:44 | 000,000,997 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini

[2009/11/09 13:16:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CorelDrw.INI

[2009/10/09 14:53:26 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\PGPsdk.dll.sig

[2008/12/01 10:35:25 | 000,004,184 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys

[2008/08/27 11:23:52 | 000,262,227 | ---- | C] () -- C:\WINDOWS\System32\nwshlxnt.dll

[2008/08/13 10:10:20 | 000,225,356 | ---- | C] () -- C:\WINDOWS\System32\lgnwnt32.dll

[2008/03/18 10:43:49 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig

[2008/02/04 18:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL

[2008/01/17 14:12:10 | 000,000,044 | ---- | C] () -- C:\WINDOWS\hpmnwun.ini

[2007/10/31 10:25:48 | 000,000,991 | ---- | C] () -- C:\WINDOWS\System32\hpipxmon.ini

[2007/10/31 10:25:48 | 000,000,121 | ---- | C] () -- C:\WINDOWS\System32\AddPortX.ini

[2007/08/20 10:09:14 | 000,000,301 | ---- | C] () -- C:\WINDOWS\hpqcopy.INI

[2007/05/21 09:36:16 | 000,111,616 | ---- | C] () -- C:\WINDOWS\System32\FF_CORE.dll

[2007/04/13 08:08:53 | 000,000,202 | ---- | C] () -- C:\WINDOWS\PrintCon.INI

[2007/03/26 14:16:50 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\custmon32.dll

[2007/03/16 18:00:00 | 000,003,403 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

[2007/03/15 08:42:02 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL

[2007/03/15 08:42:01 | 000,000,168 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2007/02/26 13:40:09 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini

[2007/02/23 14:52:12 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini

[2007/02/23 14:52:12 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini

[2007/02/23 14:51:19 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini

[2007/02/23 14:51:18 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini

[2007/02/23 14:51:16 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini

[2007/02/21 16:00:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Vcdem32p.INI

[2007/02/12 18:43:54 | 000,065,619 | ---- | C] () -- C:\WINDOWS\System32\setupw2k.dll

[2007/01/08 17:17:18 | 000,000,153 | ---- | C] () -- C:\WINDOWS\FOXPRO.INI

[2007/01/08 12:05:33 | 002,285,568 | ---- | C] () -- C:\WINDOWS\System32\PdfEnc.dll

[2007/01/08 12:05:33 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\JJpxWriter.dll

[2007/01/08 12:05:33 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\CVPDFWriter.dll

[2007/01/08 12:05:32 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\JPXDecoder.dll

[2007/01/08 12:05:32 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\JpgReader.dll

[2007/01/08 12:05:32 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Jbig2Reader.dll

[2007/01/08 12:05:32 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\JBIG2Decoder.dll

[2007/01/08 12:05:32 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\CVPDFReader.dll

[2007/01/08 12:05:32 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JPGDecoder.dll

[2007/01/08 12:05:31 | 005,934,080 | ---- | C] () -- C:\WINDOWS\System32\CVPDFParser.dll

[2007/01/08 12:05:31 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\SX32W.DLL

[2007/01/08 12:05:31 | 000,000,106 | ---- | C] () -- C:\WINDOWS\JET311.ini

[2007/01/08 12:05:31 | 000,000,022 | ---- | C] () -- C:\WINDOWS\KofaxKim.ini

[2007/01/08 12:05:18 | 000,004,907 | ---- | C] () -- C:\WINDOWS\KPMSW.INI

[2007/01/08 12:05:18 | 000,001,142 | ---- | C] () -- C:\WINDOWS\KPMADR.INI

[2007/01/08 12:05:18 | 000,001,102 | ---- | C] () -- C:\WINDOWS\KPM.INI

[2007/01/08 12:05:11 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\KCVWrapper.dll

[2007/01/08 12:05:11 | 000,003,145 | ---- | C] () -- C:\WINDOWS\kpmcrtnt.ini

[2007/01/08 12:05:10 | 000,086,528 | ---- | C] () -- C:\WINDOWS\System32\KCL310.DLL

[2007/01/08 12:05:10 | 000,012,800 | ---- | C] () -- C:\WINDOWS\System32\KDB310.DLL

[2007/01/08 12:05:10 | 000,001,942 | ---- | C] () -- C:\WINDOWS\KOFAX200.INI

[2006/11/29 15:08:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2006/09/30 10:08:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\caAdmin.INI

[2006/09/20 23:02:32 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll

[2006/09/20 23:02:32 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll

[2006/08/16 09:53:55 | 000,000,240 | ---- | C] () -- C:\WINDOWS\pixcache.ini

[2006/08/13 12:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI

[2006/08/10 12:16:19 | 000,003,484 | ---- | C] () -- C:\WINDOWS\setscan.ini

[2006/03/27 13:08:34 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\nwslog32.dll

[2006/02/07 13:26:33 | 000,033,280 | ---- | C] () -- C:\WINDOWS\System32\SP32W.DLL

[2006/01/03 16:57:53 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\NHSUSB.dll

[2006/01/03 14:04:00 | 000,000,169 | ---- | C] () -- C:\WINDOWS\LDMPC.INI

[2005/12/12 11:10:22 | 000,000,122 | ---- | C] () -- C:\WINDOWS\WB.INI

[2005/12/12 10:28:07 | 000,000,036 | ---- | C] () -- C:\WINDOWS\iltwain.ini

[2005/12/12 10:11:23 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHealr.dll

[2005/12/08 17:11:00 | 000,000,686 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2005/12/05 14:37:50 | 000,007,912 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll

[2005/11/04 12:38:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll

[2005/11/04 12:38:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll

[2005/11/04 12:38:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll

[2004/11/12 09:49:30 | 000,000,559 | ---- | C] () -- C:\WINDOWS\BR.INI

[2004/08/02 21:03:00 | 000,102,441 | ---- | C] () -- C:\WINDOWS\System32\getvpd.dll

[2004/08/02 21:03:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\pmemw.dll

[2004/02/03 16:32:06 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\znlib6.dll

[2001/08/23 08:00:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\NSREG.DLL

[2000/01/20 09:15:14 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\lgncon32.dll

[1999/01/11 04:37:36 | 000,002,757 | ---- | C] () -- C:\WINDOWS\System32\rdrstats.ini

[1997/06/25 16:24:16 | 000,040,448 | --S- | C] () -- C:\WINDOWS\System32\regobj.dll

[1996/05/14 09:50:22 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\prtwin32.dll

[1995/08/22 08:36:12 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\nwpsrv32.dll

========== LOP Check ==========

[2009/09/17 15:53:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Borland

[2010/05/14 15:24:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro

[2010/05/04 14:06:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LDM

[2008/02/08 11:59:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Locktime

[2008/06/23 07:59:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn

[2008/08/07 14:01:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound

[2009/05/15 08:50:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Network Associates

[2007/01/08 12:04:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PEERNET

[2009/12/15 16:49:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PGP Corporation

[2009/09/17 16:01:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft

[2008/01/14 16:14:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2006/05/10 10:05:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

[2007/11/02 11:12:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip

[2005/12/12 10:41:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\zeon

[2010/05/17 12:26:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

[2007/10/25 14:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\BitTorrent

[2006/01/25 14:42:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\CDC

[2010/04/23 14:25:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\com.codeode

[2010/05/18 11:01:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\CoreFTP

[2006/12/06 10:16:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\DVD2AVI Ripper

[2009/05/13 09:00:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\GetRightToGo

[2009/10/26 13:18:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\gtk-2.0

[2009/12/03 13:13:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\id Software

[2008/10/08 09:01:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Livestation

[2008/02/08 11:59:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Locktime

[2010/04/23 14:10:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\MailWasherFree

[2008/08/07 14:00:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\NCH Swift Sound

[2008/08/08 11:13:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\OfficeUpdate12

[2007/12/06 10:37:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Participatory Culture Foundation

[2010/05/13 11:01:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\paywin

[2007/12/06 12:56:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\PCF-VLC

[2009/12/15 16:59:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\PGP Corporation

[2007/03/26 13:51:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\SmartDraw

[2006/12/19 09:36:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\Uniblue

[2007/10/17 15:07:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\URSE Games

[2005/12/12 10:41:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jokream\Application Data\zeon

[2010/05/18 08:39:24 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

[2010/05/17 15:11:22 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

[2009/06/26 08:23:08 | 000,000,262 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========

========== Custom Scans ==========

< MD5 for: ATAPI.SYS >

[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\slipstream\XP\I386\sp2.cab:atapi.sys

[2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\slipstream\XP\I386\sp3.cab:atapi.sys

[2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\slipstream\XP-SP3\i386\sp3.cab:atapi.sys

[2005/12/08 18:08:25 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys

[2008/09/18 10:35:38 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys

[2005/12/08 18:08:25 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys

[2008/09/18 10:35:38 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys

[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys

[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys

[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys

[2010/05/17 13:04:41 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

[2001/08/23 08:00:00 | 000,086,656 | ---- | M] (Microsoft Corporation) MD5=A64013E98426E1877CB653685C5C0009 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< MD5 for: KBDHID.SYS >

[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\slipstream\XP\I386\sp2.cab:kbdhid.sys

[2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\slipstream\XP\I386\sp3.cab:kbdhid.sys

[2008/04/14 06:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\slipstream\XP-SP3\i386\sp3.cab:kbdhid.sys

[2005/12/08 18:08:25 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:kbdhid.sys

[2008/09/18 10:35:38 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:kbdhid.sys

[2005/12/08 18:08:25 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:kbdhid.sys

[2008/09/18 10:35:38 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:kbdhid.sys

[2008/04/13 14:39:48 | 000,014,592 | ---- | M] (Microsoft Corporation) MD5=9EF487A186DEA361AA06913A75B3FA99 -- C:\WINDOWS\ServicePackFiles\i386\kbdhid.sys

[2008/04/13 14:39:48 | 000,014,592 | ---- | M] (Microsoft Corporation) MD5=9EF487A186DEA361AA06913A75B3FA99 -- C:\WINDOWS\system32\drivers\kbdhid.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

[2008/04/13 20:11:52 | 000,357,888 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll

[2008/04/13 20:11:52 | 000,205,312 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

[2010/02/26 01:43:54 | 000,251,904 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iepeers.dll

[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\jokream\Desktop\trakam docs:Roxio EMC Stream

< End of report >

Extras.txt

OTL Extras logfile created on: 5/18/2010 8:17:02 PM - Run 1

OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\jokream\Desktop\UNI

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free

7.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free

Paging file location(s): C:\pagefile.sys 3500 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.50 Gb Total Space | 37.47 Gb Free Space | 50.29% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 832.08 Gb Total Space | 775.94 Gb Free Space | 93.25% Space Free | Partition Type: NWFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive N: | 832.08 Gb Total Space | 775.94 Gb Free Space | 93.25% Space Free | Partition Type: NWFS

Drive Z: | 832.08 Gb Total Space | 775.94 Gb Free Space | 93.25% Space Free | Partition Type: NWFS

Computer Name: JKREAM

Current User Name: jokream

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Pale Moon project\palemoon.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-1644491937-492894223-682003330-1003\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Pale Moon project\palemoon.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)

https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Toshiba CTX TAPI Service Provider\NHSTAPIServer.exe" = C:\Program Files\Toshiba CTX TAPI Service Provider\NHSTAPIServer.exe:*:Enabled:NHSTAPIServer -- (Computer Telephony Solutions)

"C:\TSP for BPCI\program files\Toshiba BPCI TAPI Service Provider\NHSTAPIServer.exe" = C:\TSP for BPCI\program files\Toshiba BPCI TAPI Service Provider\NHSTAPIServer.exe:*:Enabled:NHSTAPIServer -- (Computer Telephony Solutions)

"C:\Program Files\Toshiba BPCI TAPI Service Provider\NHSTAPIServer.exe" = C:\Program Files\Toshiba BPCI TAPI Service Provider\NHSTAPIServer.exe:*:Enabled:NHSTAPIServer -- (Computer Telephony Solutions)

"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"_{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW® Graphics Suite X4 - Windows Shell Extension

"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools

"{058C8EB2-6DDB-4431-BBF4-C79A1E773C1C}" = HP LaserJet Fonts

"{08094E03-AFE4-4853-9D31-6D0743DF5328}" = QuickTime

"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data

"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1

"{1DF03ECE-6AF4-414E-B118-C316F151A9A2}" = Corel WordPerfect Office - iFilter

"{21F4789D-C4AD-4A88-A854-FFCD46123197}" = CA BrightStor ARCserve Backup for NetWare

"{2223FC2F-B862-4F83-BC9E-DDF2DADF2859}" = Intel® Network Connections 13.0.42.0

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition

"{29790AC7-AD34-4F3D-A92D-EBED66F49461}" = HP Web Registration

"{29D88826-2AB9-11D5-8854-00902761A46D}" = WordPerfect Office 2002

"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (HPWJA)

"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc

"{31B5E213-025A-47AA-B586-E41A60507DC5}" = WIA and Minimal TWAIN for hp Scanjet 5590

"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module

"{5305386A-B4A5-4F47-98CB-823301E495DA}" = ScanSoft PDF Converter 2.0

"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)

"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer

"{5A0C892E-FD1C-4203-941E-0956AED20A6A}" = APC PowerChute Personal Edition

"{5A8F669B-5BBE-4DD5-8F0C-89C93600BA1A}" = Toshiba BPCI TAPI Service Provider V1.4.3

"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy

"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.1

"{6870FD05-9324-4E8A-90EB-6DBDAC29B74F}" = ScanSoft PDF Create 2.0

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{6A034CA0-A2D1-4F34-82AE-643A822B2569}" = For and About Law

"{6DEF11C0-35FF-4160-A543-FDD336C4DAE5}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{747AD110-B7AA-449F-B0B3-098A9F717FA0}" = Collection-Master Client Install - 2.0

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{90110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9B427732-573E-4E78-B6FA-AC3E5A218BA2}" = NMAS Client

"{9DE3F260-B88E-42CE-90E7-73C78C37D95E}" = 32 Bit HP BiDi Channel Components Installer

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor

"{AC76BA86-1033-F400-BA7E-100000000002}" = Adobe Acrobat 7.0 Standard - English, Fran


Hello.

We need to run ComboFix. Please read the instructions below carefully before continuing.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:

ComboFix is a VERY POWERFUL tool which should NOT BE USED without the guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.

Link 1

Link 2

Please refer to this page for full instructions on how to run ComboFix.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.

Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouseclick ComboFix's window while it's running, because it may cause it to stall.


OK, here is the ComboFix log.

Thanks again for your help

Combo Fix insists that McAfee Virusscan Enterprise and MS Security Essentials were running - but I uninstalled McAfee months ago, and ran their cleaner removal tool to be sure, and I killed MS Security Essentials from the Services panel and then in Task Manager and I confirmed they were not actually running with Sysinternals Process Explorer, so I felt comfortable running ComboFix despite the warning to the contrary. ComboFix experienced no errors, and given that a catastrophic error means a format and rebuild which is what I'm looking at anyway, unless we're successful, I was comfortable with the risk. This PC really has very little actual data stored locally that I would lose under those circumstances.

ComboFix 10-05-20.A1 - jokream 05/21/2010 8:59.2.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2964 [GMT -4:00]

Running from: c:\documents and settings\jokream\Desktop\UNI\ComboFix.exe

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2010-04-21 to 2010-05-21 )))))))))))))))))))))))))))))))

.

2010-05-17 17:03 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-05-17 17:03 . 2010-05-17 17:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-05-17 16:26 . 2010-05-17 16:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-17 16:26 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-05-17 15:39 . 2010-05-17 15:39 -------- d-----w- c:\windows\RestoreSafeDeleted

2010-05-17 15:33 . 2010-05-17 15:33 2 --shatr- c:\windows\winstart.bat

2010-05-17 15:32 . 2010-05-17 16:05 -------- d-----w- c:\program files\UnHackMe

2010-05-17 12:16 . 2010-05-17 12:16 63488 ----a-w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-05-17 12:16 . 2010-05-17 12:16 52224 ----a-w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-05-17 12:15 . 2010-05-17 12:16 117760 ----a-w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com

2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-05-14 19:32 . 2010-05-14 19:32 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-05-14 19:24 . 2010-05-14 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-05-14 19:24 . 2010-05-14 19:24 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-05-13 14:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-13 14:37 . 2010-05-13 14:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-13 14:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-12 18:45 . 2010-05-12 18:45 -------- d-s---w- c:\documents and settings\LocalService\UserData

2010-05-12 15:41 . 2010-05-12 15:41 96512 ----a-w- c:\windows\system32\drivers\iijedsve.sys

2010-05-12 12:15 . 2010-05-12 16:14 -------- d-----w- c:\windows\system32\MpEngineStore

2010-05-11 14:10 . 2010-05-11 14:10 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-05-04 13:31 . 2010-05-04 13:31 -------- d-----w- c:\windows\Performance

2010-05-04 13:31 . 2010-05-04 13:31 -------- d-----w- c:\documents and settings\jokream\Local Settings\Application Data\Microsoft Corporation

2010-05-04 13:31 . 2010-05-04 13:31 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor

2010-04-28 12:11 . 2010-04-27 19:41 650240 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

2010-04-28 12:10 . 2010-03-26 14:33 43008 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2010-04-28 12:10 . 2010-03-26 14:33 339456 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2010-04-28 12:10 . 2010-03-26 14:33 1496064 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2010-04-28 12:10 . 2010-03-26 14:32 346112 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2010-04-23 18:25 . 2010-04-23 18:25 -------- d-----w- c:\documents and settings\jokream\Application Data\com.codeode

2010-04-23 18:09 . 2010-04-23 18:09 -------- d-----w- c:\program files\Cactus Spam Filter 3.00

2010-04-23 18:05 . 2010-04-23 18:10 -------- d-----w- c:\documents and settings\jokream\Application Data\MailWasherFree

2010-04-21 14:38 . 2006-05-05 20:56 77824 ----a-w- c:\windows\system32\DellSPMsg.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-21 12:36 . 2005-12-08 21:06 -------- d-----w- c:\program files\LogMeIn

2010-05-20 14:15 . 2010-01-05 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\LDM

2010-05-20 13:54 . 2005-12-11 00:58 102904 ----a-w- c:\documents and settings\jokream\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-18 15:01 . 2009-04-23 17:20 -------- d-----w- c:\documents and settings\jokream\Application Data\CoreFTP

2010-05-17 17:04 . 2005-12-08 20:02 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-05-17 16:26 . 2005-12-08 20:58 -------- d-----w- c:\program files\Lavasoft

2010-05-17 16:26 . 2008-01-23 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-05-17 16:03 . 2005-12-08 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-17 14:47 . 2006-02-03 16:54 -------- d-----w- c:\program files\Java

2010-05-13 19:39 . 2006-08-09 13:03 -------- d-----w- c:\program files\CCleaner

2010-05-13 15:01 . 2009-12-14 15:59 -------- d-----w- c:\program files\PayWindow Payroll

2010-05-13 15:01 . 2006-03-27 14:30 -------- d-----w- c:\documents and settings\jokream\Application Data\paywin

2010-05-13 13:16 . 2007-04-12 19:41 -------- d-----w- c:\program files\PrintConductor

2010-05-06 14:36 . 2009-11-12 13:48 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-04 15:22 . 2008-08-06 16:21 -------- d-----w- c:\documents and settings\jokream\Application Data\Download Manager

2010-04-14 19:22 . 2005-12-12 14:32 -------- d-----w- c:\program files\Google

2010-04-14 16:52 . 2010-04-14 16:52 -------- d-----w- c:\program files\Pale Moon project

2010-04-07 16:35 . 2005-12-08 22:10 -------- d-----w- c:\program files\Corel

2010-04-07 15:56 . 2009-07-31 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel

2010-04-07 14:12 . 2008-12-01 14:35 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-03-17 21:39 . 2010-03-23 15:55 659456 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe

2010-03-11 08:03 . 2010-03-11 08:03 103296 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-09 11:09 . 2001-08-23 12:00 430080 ------w- c:\windows\system32\vbscript.dll

2010-03-03 15:14 . 2010-03-03 15:14 651776 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\5rnnus1f.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

2010-02-26 05:43 . 2004-01-08 20:23 667136 ----a-w- c:\windows\system32\wininet.dll

2010-02-26 05:43 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll

2010-02-24 13:11 . 2001-08-23 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2005-09-09 23:55 . 2006-01-27 16:33 7155864 ----a-w- c:\program files\NGhost10.msi

2005-09-09 23:55 . 2006-01-27 16:33 35 ----a-w- c:\program files\SCSSDist.ini

2005-09-09 23:55 . 2006-01-27 16:33 37766164 ----a-w- c:\program files\Data1.cab

2007-08-09 17:08 . 2007-04-11 11:54 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll

2007-08-09 17:10 . 2007-04-11 11:54 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]

@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"

[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]

2009-10-09 18:53 613496 ----a-w- c:\windows\system32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"com.codeode.cactusspamfilter"="c:\program files\Cactus Spam Filter 3.00\cactusspamfilter.exe" [2009-11-08 1053184]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]

"nwiz"="nwiz.exe" [2004-08-03 917504]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-08-03 4493312]

"NvMediaCenter"="NvMCTray.dll" [2004-08-03 86016]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-3-1 221295]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-10-07 12:25 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

Notification Packages REG_MULTI_SZ PGPpwflt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WZCSVC"=2 (0x2)

"WmdmPmSN"=3 (0x3)

"WebClient"=2 (0x2)

"TlntSvr"=3 (0x3)

"TermService"=3 (0x3)

"SysmonLog"=3 (0x3)

"srservice"=2 (0x2)

"SENS"=2 (0x2)

"SCardSvr"=3 (0x3)

"RemoteRegistry"=2 (0x2)

"RDSessMgr"=3 (0x3)

"RasMan"=3 (0x3)

"RasAuto"=3 (0x3)

"IDriverT"=3 (0x3)

"helpsvc"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"Eventlog"=2 (0x2)

"ERSvc"=2 (0x2)

"cisvc"=3 (0x3)

"gusvc"=3 (0x3)

"W32Time"=2 (0x2)

"VSS"=3 (0x3)

"Themes"=2 (0x2)

"SwPrv"=3 (0x3)

"stllssvr"=3 (0x3)

"SQLWriter"=2 (0x2)

"SharedAccess"=2 (0x2)

"RoxWatch9"=2 (0x2)

"RoxMediaDB9"=3 (0x3)

"PSI_SVC_2"=2 (0x2)

"Pml Driver HPZ12"=2 (0x2)

"Net Driver HPZ12"=2 (0x2)

"MSSQLSERVER"=2 (0x2)

"MSSQL$SQLEXPRESS"=2 (0x2)

"mnmsrvc"=3 (0x3)

"LanmanServer"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"iPod Service"=3 (0x3)

"idsvc"=3 (0x3)

"FontCache3.0.0.0"=3 (0x3)

"cusrvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Toshiba CTX TAPI Service Provider\\NHSTAPIServer.exe"=

"c:\\TSP for BPCI\\program files\\Toshiba BPCI TAPI Service Provider\\NHSTAPIServer.exe"=

"c:\\Program Files\\Toshiba BPCI TAPI Service Provider\\NHSTAPIServer.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/17/2010 1:03 PM 64288]

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [10/9/2009 2:53 PM 136312]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [6/12/2007 8:41 AM 12856]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2010 3:22 PM 135664]

S2 NHSUSB;NHSUSB;c:\windows\system32\drivers\WINDRVR.SYS --> c:\windows\system32\drivers\WINDRVR.SYS [?]

S4 CASMsgEngine;CA BrightStor Message Engine;c:\program files\CA\BrightStor ARCserve Backup\msgeng.exe [2/28/2007 3:54 PM 41026]

S4 HPWJAService;HPWJA Service;c:\program files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe [9/12/2007 5:39 PM 28672]

S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1291544]

S4 MSSQL$HPWJA;SQL Server (HPWJA);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 9:29 AM 29178224]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:02]

2010-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cadc07ed895484.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 19:22]

2010-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-492894223-682003330-1003Core.job

- c:\documents and settings\jokream\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 15:36]

2010-05-21 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]

2009-06-26 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Dial with CTI DATA CONNECTOR ENTERPRISE EDITION - file://c:\documents and settings\jokream\Application Data\CDC\CDCWebDial.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Open PDF in Word (PDF Converter 2.0) - c:\program files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\IEShellExt.dll /100

IE: Open with WordPerfect - c:\program files\CorelX4\WordPerfect Office X4\Programs\WPLauncher.hta

IE:

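Added example, not part of the thread and not ComboFix's own logic: a small Python triage pass over the driver lines of the ComboFix log above, to show what an analyst reading such a log is looking for. It parses the "timestamp . timestamp size attrs path" file lines, keeps only .sys files under \drivers\ touched inside a review window, and sorts them into three buckets: random-looking eight-letter names, core Windows drivers that were re-created recently, and other new drivers whose publisher should be checked. It then pairs any random-name driver with a flagged core driver of identical byte size, which is what makes iijedsve.sys (96512 bytes) stand next to atapi.sys (96512 bytes) in this log. The 14-day window, the CORE_DRIVERS set and the name heuristic are assumptions for the example; a hit means "verify this file's signature and hash", not "this file is infected". The sample lines are copied from the log in this thread.

```python
import re
from datetime import datetime, timedelta

# One ComboFix file-listing line looks like
#   "<timestamp> . <timestamp> <size> <attrs> <path>"
# where directories print "--------" instead of a byte size.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(\d+|-+)\s+([-a-z]{8})\s+(.+)$"
)
TS_FMT = "%Y-%m-%d %H:%M"

# Heuristics (assumptions for this example, not ComboFix rules):
#   - eight random lowercase letters is a common dropper naming pattern
#   - these core XP drivers being re-created recently deserves a second look
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.sys$")
CORE_DRIVERS = {"atapi.sys", "kbdhid.sys", "mrxsmb.sys"}

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_LOG_LINES = [
    r"2010-05-17 17:03 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys",
    r"2010-05-17 16:26 . 2010-05-17 16:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}",
    r"2010-05-14 19:32 . 2010-05-14 19:32 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys",
    r"2010-05-12 15:41 . 2010-05-12 15:41 96512 ----a-w- c:\windows\system32\drivers\iijedsve.sys",
    r"2010-05-17 17:04 . 2005-12-08 20:02 96512 ----a-w- c:\windows\system32\drivers\atapi.sys",
    r"2010-02-24 13:11 . 2001-08-23 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys",
]


def parse_line(line):
    """Return a dict for a file-listing line, or None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts1, ts2, size, attrs, path = m.groups()
    return {
        "ts1": datetime.strptime(ts1, TS_FMT),
        "ts2": datetime.strptime(ts2, TS_FMT),
        "size": None if size.startswith("-") else int(size),
        "attrs": attrs,
        "path": path.lower(),
    }


def triage_drivers(lines, scan_date, window_days=14):
    """Flag .sys files under the drivers folder touched within window_days of scan_date.

    Returns (file name, reason, size) tuples. A hit means "verify the
    signature and hash of this file", not "this file is infected".
    """
    cutoff = scan_date - timedelta(days=window_days)
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["size"] is None:
            continue  # not a file line, or a directory entry
        if "\\drivers\\" not in e["path"] or not e["path"].endswith(".sys"):
            continue
        name = e["path"].rsplit("\\", 1)[-1]
        # ComboFix prints two timestamps per file; use the later one so a file
        # that was only re-created (old build date, new creation date) still counts.
        if max(e["ts1"], e["ts2"]) < cutoff:
            continue
        if RANDOM_NAME_RE.match(name):
            reason = "random-looking driver name"
        elif name in CORE_DRIVERS:
            reason = "core Windows driver re-created inside the window"
        else:
            reason = "new third-party driver (check its publisher signature)"
        findings.append((name, reason, e["size"]))
    return findings


def size_twins(findings):
    """Pair random-name drivers with flagged core drivers of identical byte size.

    A rootkit that patches a driver in place often keeps its size, so an
    unknown driver with exactly a core driver's size is worth a hash compare.
    """
    core_by_size = {size: name for name, reason, size in findings
                    if reason.startswith("core")}
    return [(name, core_by_size[size]) for name, reason, size in findings
            if reason.startswith("random") and size in core_by_size]


def triage_sample():
    """Run the triage over the sample lines with this thread's scan date."""
    return triage_drivers(SAMPLE_LOG_LINES, datetime(2010, 5, 21))


if __name__ == "__main__":
    hits = triage_sample()
    for name, reason, size in hits:
        print(f"{name:20} {size:>8}  {reason}")
    for unknown, core in size_twins(hits):
        print(f"{unknown} has the same size as {core}: compare hashes")
```

Run as-is, it lists Lbd.sys and hitmanpro35.sys as new third-party drivers, atapi.sys as a re-created core driver, iijedsve.sys as a random-looking name, skips mrxsmb.sys (its February update falls outside the window), and reports the iijedsve.sys / atapi.sys size match. The next step for each hit is a signature and hash check against a known-good copy (for XP, the dllcache or ServicePackFiles copy), which the script deliberately does not pretend to do.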

Hello.

Combo Fix insists that McAfee Virusscan Enterprise and MS Security Essentials were running - but I uninstalled McAfee months ago, and ran their cleaner removal tool to be sure, and I killed MS Security Essentials from the Services panel and then in Task Manager and I confirmed they were not actually running with Sysinternals Process Explorer, so I felt comfortable running ComboFix despite the warning to the contrary. ComboFix experienced no errors, and given that a catastrophic error means a format and rebuild which is what I'm looking at anyway, unless we're successful, I was comfortable with the risk. This PC really has very little actual data stored locally that I would lose under those circumstances.

Yes, ComboFix was just reporting what the Windows Management Instrumentation "said". I think we can deal with this successfully, so we can probably avoid the format/reinstall path. :)

ComboFix didn't deal with the infection successfully, but let's try something here and perform another "custom scan" with ComboFix.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    TDL::
    C:\WINDOWS\System32\DRIVERS\kbdhid.sys

    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    CFScriptB-4.gif
    Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Let me know how it goes.


Thanks, here is the new ComboFix log:

ComboFix 10-05-22.01 - jokream 05/24/2010 8:17.3.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2837 [GMT -4:00]

Running from: c:\documents and settings\jokream\Desktop\UNI\ComboFix.exe

Command switches used :: c:\documents and settings\jokream\Desktop\UNI\CFScript.txt

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\System32\DRIVERS\kbdhid.sys was found and disinfected

Restored copy from - Kitty had a snack :blink:

.

((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))

.

2010-05-17 17:03 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-05-17 17:03 . 2010-05-17 17:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-05-17 16:26 . 2010-05-17 16:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-17 16:26 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-05-17 15:39 . 2010-05-17 15:39 -------- d-----w- c:\windows\RestoreSafeDeleted

2010-05-17 15:33 . 2010-05-17 15:33 2 --shatr- c:\windows\winstart.bat

2010-05-17 15:32 . 2010-05-17 16:05 -------- d-----w- c:\program files\UnHackMe

2010-05-17 12:16 . 2010-05-17 12:16 63488 ----a-w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-05-17 12:16 . 2010-05-17 12:16 52224 ----a-w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-05-17 12:15 . 2010-05-17 12:16 117760 ----a-w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\documents and settings\jokream\Application Data\SUPERAntiSpyware.com

2010-05-17 12:15 . 2010-05-17 12:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-05-14 19:32 . 2010-05-14 19:32 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-05-14 19:24 . 2010-05-14 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-05-14 19:24 . 2010-05-14 19:24 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-05-13 14:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-13 14:37 . 2010-05-13 14:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-13 14:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-12 18:45 . 2010-05-12 18:45 -------- d-s---w- c:\documents and settings\LocalService\UserData

2010-05-12 15:41 . 2010-05-12 15:41 96512 ----a-w- c:\windows\system32\drivers\iijedsve.sys

2010-05-12 12:15 . 2010-05-12 16:14 -------- d-----w- c:\windows\system32\MpEngineStore

2010-05-11 14:10 . 2010-05-11 14:10 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-05-04 13:31 . 2010-05-04 13:31 -------- d-----w- c:\windows\Performance

2010-05-04 13:31 . 2010-05-04 13:31 -------- d-----w- c:\documents and settings\jokream\Local Settings\Application Data\Microsoft Corporation

2010-05-04 13:31 . 2010-05-04 13:31 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor

2010-04-28 12:11 . 2010-04-27 19:41 650240 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-24 04:02 . 2005-12-08 21:06 -------- d-----w- c:\program files\LogMeIn

2010-05-21 14:05 . 2005-12-12 14:32 -------- d-----w- c:\program files\Google

2010-05-20 14:15 . 2010-01-05 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\LDM

2010-05-20 13:54 . 2005-12-11 00:58 102904 ----a-w- c:\documents and settings\jokream\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-18 15:01 . 2009-04-23 17:20 -------- d-----w- c:\documents and settings\jokream\Application Data\CoreFTP

2010-05-17 17:04 . 2005-12-08 20:02 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-05-17 16:26 . 2005-12-08 20:58 -------- d-----w- c:\program files\Lavasoft

2010-05-17 16:26 . 2008-01-23 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-05-17 16:03 . 2005-12-08 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-17 14:47 . 2006-02-03 16:54 -------- d-----w- c:\program files\Java

2010-05-13 19:39 . 2006-08-09 13:03 -------- d-----w- c:\program files\CCleaner

2010-05-13 15:01 . 2009-12-14 15:59 -------- d-----w- c:\program files\PayWindow Payroll

2010-05-13 15:01 . 2006-03-27 14:30 -------- d-----w- c:\documents and settings\jokream\Application Data\paywin

2010-05-13 13:16 . 2007-04-12 19:41 -------- d-----w- c:\program files\PrintConductor

2010-05-06 14:36 . 2009-11-12 13:48 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-04 15:22 . 2008-08-06 16:21 -------- d-----w- c:\documents and settings\jokream\Application Data\Download Manager

2010-04-23 18:25 . 2010-04-23 18:25 -------- d-----w- c:\documents and settings\jokream\Application Data\com.codeode

2010-04-23 18:10 . 2010-04-23 18:05 -------- d-----w- c:\documents and settings\jokream\Application Data\MailWasherFree

2010-04-23 18:09 . 2010-04-23 18:09 -------- d-----w- c:\program files\Cactus Spam Filter 3.00

2010-04-14 16:52 . 2010-04-14 16:52 -------- d-----w- c:\program files\Pale Moon project

2010-04-07 16:35 . 2005-12-08 22:10 -------- d-----w- c:\program files\Corel

2010-04-07 15:56 . 2009-07-31 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel

2010-04-07 14:12 . 2008-12-01 14:35 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-03-17 21:39 . 2010-03-23 15:55 659456 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\pviz6o57.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe

2010-03-11 08:03 . 2010-03-11 08:03 103296 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-09 11:09 . 2001-08-23 12:00 430080 ------w- c:\windows\system32\vbscript.dll

2010-03-03 15:14 . 2010-03-03 15:14 651776 ----a-w- c:\documents and settings\jokream\Application Data\Mozilla\Firefox\Profiles\5rnnus1f.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

2010-02-26 05:43 . 2004-01-08 20:23 667136 ----a-w- c:\windows\system32\wininet.dll

2010-02-26 05:43 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll

2010-02-24 13:11 . 2001-08-23 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2005-09-09 23:55 . 2006-01-27 16:33 7155864 ----a-w- c:\program files\NGhost10.msi

2005-09-09 23:55 . 2006-01-27 16:33 35 ----a-w- c:\program files\SCSSDist.ini

2005-09-09 23:55 . 2006-01-27 16:33 37766164 ----a-w- c:\program files\Data1.cab

2007-08-09 17:08 . 2007-04-11 11:54 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll

2007-08-09 17:10 . 2007-04-11 11:54 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]

@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"

[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]

2009-10-09 18:53 613496 ----a-w- c:\windows\system32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"com.codeode.cactusspamfilter"="c:\program files\Cactus Spam Filter 3.00\cactusspamfilter.exe" [2009-11-08 1053184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]

"nwiz"="nwiz.exe" [2004-08-03 917504]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-08-03 4493312]

"NvMediaCenter"="NvMCTray.dll" [2004-08-03 86016]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-3-1 221295]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-10-07 12:25 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

Notification Packages REG_MULTI_SZ PGPpwflt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WZCSVC"=2 (0x2)

"WmdmPmSN"=3 (0x3)

"WebClient"=2 (0x2)

"TlntSvr"=3 (0x3)

"TermService"=3 (0x3)

"SysmonLog"=3 (0x3)

"srservice"=2 (0x2)

"SENS"=2 (0x2)

"SCardSvr"=3 (0x3)

"RemoteRegistry"=2 (0x2)

"RDSessMgr"=3 (0x3)

"RasMan"=3 (0x3)

"RasAuto"=3 (0x3)

"IDriverT"=3 (0x3)

"helpsvc"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"Eventlog"=2 (0x2)

"ERSvc"=2 (0x2)

"cisvc"=3 (0x3)

"gusvc"=3 (0x3)

"W32Time"=2 (0x2)

"VSS"=3 (0x3)

"Themes"=2 (0x2)

"SwPrv"=3 (0x3)

"stllssvr"=3 (0x3)

"SQLWriter"=2 (0x2)

"SharedAccess"=2 (0x2)

"RoxWatch9"=2 (0x2)

"RoxMediaDB9"=3 (0x3)

"PSI_SVC_2"=2 (0x2)

"Pml Driver HPZ12"=2 (0x2)

"Net Driver HPZ12"=2 (0x2)

"MSSQLSERVER"=2 (0x2)

"MSSQL$SQLEXPRESS"=2 (0x2)

"mnmsrvc"=3 (0x3)

"LanmanServer"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"iPod Service"=3 (0x3)

"idsvc"=3 (0x3)

"FontCache3.0.0.0"=3 (0x3)

"cusrvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Toshiba CTX TAPI Service Provider\\NHSTAPIServer.exe"=

"c:\\TSP for BPCI\\program files\\Toshiba BPCI TAPI Service Provider\\NHSTAPIServer.exe"=

"c:\\Program Files\\Toshiba BPCI TAPI Service Provider\\NHSTAPIServer.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/17/2010 1:03 PM 64288]

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [10/9/2009 2:53 PM 136312]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [6/12/2007 8:41 AM 12856]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2010 3:22 PM 135664]

S2 NHSUSB;NHSUSB;c:\windows\system32\drivers\WINDRVR.SYS --> c:\windows\system32\drivers\WINDRVR.SYS [?]

S4 CASMsgEngine;CA BrightStor Message Engine;c:\program files\CA\BrightStor ARCserve Backup\msgeng.exe [2/28/2007 3:54 PM 41026]

S4 HPWJAService;HPWJA Service;c:\program files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe [9/12/2007 5:39 PM 28672]

S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1291544]

S4 MSSQL$HPWJA;SQL Server (HPWJA);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 9:29 AM 29178224]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:02]

2010-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cadc07ed895484.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 19:22]

2010-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-492894223-682003330-1003Core.job

- c:\documents and settings\jokream\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 15:36]

2010-05-24 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]

2009-06-26 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Dial with CTI DATA CONNECTOR ENTERPRISE EDITION - file://c:\documents and settings\jokream\Application Data\CDC\CDCWebDial.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Open PDF in Word (PDF Converter 2.0) - c:\program files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\IEShellExt.dll /100

IE: Open with WordPerfect - c:\program files\CorelX4\WordPerfect Office X4\Programs\WPLauncher.hta

IE:


Hello.

Okay, that worked successfully. :blink:

Update and Scan with MalwareBytes Anti-Malware

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,

Extremeboy


Ok, I'll run Malwarebytes now.

Did that last ComboFix run kill Alureon? Now I'm just looking for the subordinate malware that was hidden from Malwarebytes while Alureon was active?

Side note, and maybe Malwarebytes will fix this now, but I've noticed seemingly unimportant changes to settings in my MS Outlook, views, settings on how it deals with incoming messages changing without explanation, and my default browser switched from Firefox to IE.

The browser redirects seem to be gone though.


During the Malwarebytes scan Microsoft Security Essentials detected Alureon.H. I clicked on 'Remove'. That shouldn't have come up, should it? I doubt MSE was able to remove it, it never was before. Malwarebytes shows zero objects infected.


Malwarebytes found nothing.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4139

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

5/24/2010 9:42:02 PM

mbam-log-2010-05-24 (21-42-02).txt

Scan type: Quick scan

Objects scanned: 127003

Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86

Run by jokream at 21:53:48.71 on Mon 05/24/2010

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2457 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k eapsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k dot3svc

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\NWTRAY.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Cactus Spam Filter 3.00\cactusspamfilter.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\IMASTER\FVIEW32.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Documents and Settings\jokream\Desktop\UNI\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

EB: {32004B8A-44A9-43E7-84E9-808838809519} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [com.codeode.cactusspamfilter] "c:\program files\cactus spam filter 3.00\cactusspamfilter.exe" -minimized

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [nwiz] nwiz.exe /install

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [NWTRAY] NWTRAY.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

IE: &Dial with CTI DATA CONNECTOR ENTERPRISE EDITION - file://c:\documents and settings\jokream\application data\cdc\CDCWebDial.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Open PDF in Word (PDF Converter 2.0) - c:\program files\scansoft\pdf converter 2.0 professional\pdfconv\IEShellExt.dll /100

IE: Open with WordPerfect - c:\program files\corelx4\wordperfect office x4\programs\WPLauncher.hta

IE:

Attach.zip


Maybe it just found the quarantined copy in the Qoobox directory:

Microsoft Security Essentials encountered the following error: Error code 0x800704ec. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.

Category: Virus

Description: This program is dangerous and replicates by infecting other files.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:

file:C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\kbdhid.sys.vir

Get more information about this item online.

So am I completely clean, then? Besides practicing safer computing, is there anything else I should do now?


Hello.

Yes, that is just a quarantine item, no need to worry. We will remove that once we're done here.

Not yet, let's get one more scan done.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Scan Now button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Accept button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Settings... button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Save button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,

Extremeboy


Kaspersky just scans, correct? It didn't seem to resolve anything it found:

KASPERSKY ONLINE SCANNER 7.0: scan report

Thursday, May 27, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, May 27, 2010 11:44:39

Records in database: 4188194

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area My Computer

A:\

C:\

D:\

E:\

Scan statistics

Objects scanned 84225

Threats found 4

Infected objects found 9

Suspicious objects found 0

Scan duration 03:11:38

File name Threat Threats count

C:\Documents and Settings\jokream\Desktop\PstPassword.exe Infected: not-a-virus:PSWTool.Win32.WinPassViewer.m 1

C:\Documents and Settings\jokream\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.Win32.Goldun.ayt 1

C:\Documents and Settings\jokream\Local Settings\Application Data\Microsoft\Outlook\outlook2.pst Infected: Trojan-Spy.Win32.Goldun.ayt 1

C:\Program Files\LogMeIn\update\2-30-517.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

C:\Program Files\LogMeIn\update\2-30-537.bak\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.i 1

C:\Program Files\LogMeIn\update\2-30-537.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

C:\Program Files\LogMeIn\update\2-30-547.bak\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

C:\Program Files\LogMeIn\update\2-30-547.bak\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

C:\Program Files\LogMeIn\update\2-30-547.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

Selected area has been scanned.

Here is the new DDS:

DDS (Ver_10-03-17.01) - NTFSx86

Run by jokream at 14:28:24.20 on Thu 05/27/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2288 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k eapsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k dot3svc

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\NWTRAY.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Cactus Spam Filter 3.00\cactusspamfilter.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\HP Universal Print Driver v5.0.3 for Windows - PCL 6\hpmup094.bin

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE

C:\IMASTER\FVIEW32.EXE

C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre6\bin\java.exe

C:\Documents and Settings\jokream\Local Settings\temp\jkos-jokream\binaries\ScanningProcess.exe

C:\Documents and Settings\jokream\Local Settings\temp\jkos-jokream\binaries\ScanningProcess.exe

C:\Documents and Settings\jokream\Local Settings\temp\jkos-jokream\binaries\ScanningProcess.exe

C:\Documents and Settings\jokream\Local Settings\temp\jkos-jokream\binaries\ScanningProcess.exe

C:\Documents and Settings\jokream\Desktop\UNI\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

EB: {32004B8A-44A9-43E7-84E9-808838809519} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [com.codeode.cactusspamfilter] "c:\program files\cactus spam filter 3.00\cactusspamfilter.exe" -minimized

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [nwiz] nwiz.exe /install

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [NWTRAY] NWTRAY.EXE

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

IE: &Dial with CTI DATA CONNECTOR ENTERPRISE EDITION - file://c:\documents and settings\jokream\application data\cdc\CDCWebDial.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Open PDF in Word (PDF Converter 2.0) - c:\program files\scansoft\pdf converter 2.0 professional\pdfconv\IEShellExt.dll /100

IE: Open with WordPerfect - c:\program files\corelx4\wordperfect office x4\programs\WPLauncher.hta

IE:

Attach.zip


Hello.

Yes, Kaspersky just scans.

I would delete this installation file:

C:\Documents and Settings\jokream\Desktop\PstPassword.exe

The rest of the files in the LogMeIn folder show that those files are "not-a-virus", meaning it's not something "bad" but could potentially be used for malicious/bad purposes, such as remotely controlling your computer.

Your Outlook folder also appears to be infected. You will need to manually go through your mails and delete any mails that have attachments, as they are likely to be infected. I can't help you delete the file as that will delete your whole Outlook inbox/mail.

Other than that how is your computer running? Any problems/symptoms left?

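As an added example (not the helper's or the forum's own code), a small Python triage script that parses the per-file rows of the Kaspersky report posted above and buckets them the way the reply reads them: "not-a-virus" riskware, detections inside a mailbox file, copies already sitting in ComboFix's Qoobox quarantine, and anything else that still needs action. The Qoobox row and its threat name are constructed placeholders; the other rows are the report's own.

```python
import re
from collections import defaultdict

# One per-file row of a Kaspersky Online Scanner 7.0 report, as posted above:
#   <path> Infected: <threat name> <threat count>
ROW_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

# Rows copied from the scan report in the thread, plus one constructed row
# (the Qoobox one) standing in for a ComboFix quarantine copy like the item
# Microsoft Security Essentials flagged earlier; its threat name is a
# placeholder, not a real detection name.
SAMPLE_REPORT = r"""
File name Threat Threats count
C:\Documents and Settings\jokream\Desktop\PstPassword.exe Infected: not-a-virus:PSWTool.Win32.WinPassViewer.m 1
C:\Documents and Settings\jokream\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.Win32.Goldun.ayt 1
C:\Documents and Settings\jokream\Local Settings\Application Data\Microsoft\Outlook\outlook2.pst Infected: Trojan-Spy.Win32.Goldun.ayt 1
C:\Program Files\LogMeIn\update\2-30-517.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\Program Files\LogMeIn\update\2-30-537.bak\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.i 1
C:\Program Files\LogMeIn\update\2-30-537.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\Program Files\LogMeIn\update\2-30-547.bak\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\Program Files\LogMeIn\update\2-30-547.bak\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\Program Files\LogMeIn\update\2-30-547.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\kbdhid.sys.vir Infected: Rootkit.Win32.PLACEHOLDER.a 1
Selected area has been scanned.
"""


def parse_report(text):
    """Extract (path, threat, count) from the per-file rows; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["path"], m["threat"], int(m["count"])))
    return rows


def classify(path, threat):
    """Bucket one detection the way the reply above reads the report."""
    p = path.lower()
    if threat.lower().startswith("not-a-virus:"):
        # Legitimate tool (password viewer, remote admin) that could be abused;
        # a decision for the owner, not evidence of an active infection.
        return "riskware"
    if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
        # Copy already isolated by ComboFix; it goes away when ComboFix is uninstalled.
        return "quarantine"
    if p.endswith((".pst", ".ost")):
        # Hit inside a mail store: the detection is an attachment, so deleting
        # the file would delete the whole mailbox; clean the messages instead.
        return "mail_store"
    return "malware"  # anything else is a live detection that still needs action


def triage(text):
    """Map each category to the detections that fall into it."""
    buckets = defaultdict(list)
    for path, threat, count in parse_report(text):
        buckets[classify(path, threat)].append((path, threat, count))
    return dict(buckets)


def summarize(text):
    """Detection count per category, the quick read of a report."""
    return {category: len(rows) for category, rows in triage(text).items()}


if __name__ == "__main__":
    for category, rows in triage(SAMPLE_REPORT).items():
        print(f"{category} ({len(rows)})")
        for path, threat, _ in rows:
            print(f"  {threat:55} {path}")
```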

That should be good. Logs all look clean. Let's clean up.

Please follow/read the steps below to remove the tools we used and for some more information. :D

Uninstall ComboFix

Remove Combofix now that we're done with it.

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator.
  • Then click the big CleanUp button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Congratulations! You now appear clean! :cool:

Now that you are clean, please follow and read some of the prevention tips over here. Is your system a bit slow? If so, try some of the points and things suggested here.

If you would like, visit my blog at http://computermalwaresecurity.blogspot.com/ and Subscribe/Follow along.

If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks.

With Regards,

Extremeboy


Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad we can help. :)

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,

Extremeboy
