djs

Members
  • Content Count: 76

Community Reputation

0 Neutral

About djs

  • Rank: Advanced Member
  1. Hi - I have an issue with my cpt constantly having pop-ups trying to sell me some antivirus software I do not recognize. Seems to be some sort of virus/malware. I ran adaware which didn't find anything. Here are the log reports. I appreciate your assistance.

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Sara Mason at 22:10:58 on 2012-06-28
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.1030 [GMT -4:00]
.
AV: Lavasoft Ad-Aware *Enabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Lavasoft Ad-Aware *Enabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k RPCSS c:\Program Files\Microsoft Security Client\MsMpEng.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Program Files\IDT\WDM\STacSV64.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\Hpservice.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\system32\WLANExt.exe C:\Windows\system32\conhost.exe C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe C:\Program Files\IDT\WDM\AESTSr64.exe C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe C:\Program Files\Intel\WiFi\bin\EvtEng.exe C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe C:\Windows\System32\svchost.exe -k HPZ12 C:\Windows\System32\svchost.exe -k HPZ12 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe C:\Program Files (x86)\Secunia\PSI\PSIA.exe C:\Windows\system32\taskhost.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Windows\system32\wbem\unsecapp.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Windows\System32\rundll32.exe 
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe C:\Windows\System32\igfxtray.exe C:\Windows\System32\hkcmd.exe C:\Windows\System32\igfxpers.exe C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe C:\Program Files\Microsoft Security Client\msseces.exe C:\Users\Sara Mason\AppData\Local\Google\Update\GoogleUpdate.exe C:\ProgramData\GameXN\GameXNGO.exe C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE C:\Windows\system32\wbem\unsecapp.exe C:\Windows\system32\SearchIndexer.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe C:\PROGRA~2\AD-AWA~1\AdAware.exe C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\YCMMirage.exe C:\Program Files\PC Optimizer Pro\PCOptimizerPro.exe C:\Program Files (x86)\Secunia\PSI\sua.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\System32\svchost.exe -k LocalServicePeerNet C:\Windows\system32\DllHost.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe C:\Windows\system32\svchost.exe -k HPService C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Windows\system32\SearchFilterHost.exe 
C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe C:\Windows\SysWOW64\cscript.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://start.funmoods.com/?f=1&a=axl uSearch Bar = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language uURLSearchHooks: H - No File mWinlogon: Userinit=userinit.exe, BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe uRun: [Google Update] "C:\Users\Sara Mason\AppData\Local\Google\Update\GoogleUpdate.exe" /c uRun: [GameXN GO] "C:\ProgramData\GameXN\GameXNGO.exe" /startup mRun: [Adobe ARM] 
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" mRun: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" mRun: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f StartupFolder: C:\Users\SARAMA~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE mPolicies-explorer: NoActiveDesktop = 1 (0x1) mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1) mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5) mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105 IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - 
{FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab TCP: DhcpNameServer = 192.168.1.1 TCP: Interfaces\{D14495AD-1F6E-45C1-8AB2-466402EE5D02} : DhcpNameServer = 192.168.1.1 TCP: Interfaces\{D14495AD-1F6E-45C1-8AB2-466402EE5D02}\07162747973656E6472716C6 : DhcpNameServer = 192.168.1.1 192.168.1.1 TCP: Interfaces\{D14495AD-1F6E-45C1-8AB2-466402EE5D02}\3555D2F40756E6 : DhcpNameServer = 131.118.45.100 131.118.45.101 TCP: Interfaces\{D14495AD-1F6E-45C1-8AB2-466402EE5D02}\3555F57457563747 : DhcpNameServer = 131.118.45.100 131.118.45.101 TCP: Interfaces\{D14495AD-1F6E-45C1-8AB2-466402EE5D02}\46C696E6B602D6367796C6C69616D637 : DhcpNameServer = 192.168.0.1 Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO-X64: AcroIEHelperStub - No File BHO-X64: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll BHO-X64: Ad-Aware Security Toolbar - No File 
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll BHO-X64: SkypeIEPluginBHO - No File BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL BHO-X64: URLRedirectionBHO - No File BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll TB-X64: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File TB-X64: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File TB-X64: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe mRun-x64: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" mRun-x64: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" mRun-x64: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run . ================= FIREFOX =================== . 
FF - ProfilePath - C:\Users\Sara Mason\AppData\Roaming\Mozilla\Firefox\Profiles\og0zzrl2.default\ FF - prefs.js: browser.search.selectedEngine - Search FF - prefs.js: browser.startup.homepage - www.google.com FF - prefs.js: network.proxy.type - 0 FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\coFFPlgn\components\coFFPlgn.dll FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\IPSFFPlgn\components\IPSFFPl.dll FF - component: C:\Users\Sara Mason\AppData\Roaming\Mozilla\Firefox\Profiles\og0zzrl2.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll FF - component: C:\Users\Sara Mason\AppData\Roaming\Mozilla\Firefox\Profiles\og0zzrl2.default\extensions\[email protected]\components\RadioWMPCoreGecko19.dll FF - component: C:\Users\Sara Mason\AppData\Roaming\Mozilla\Firefox\Profiles\og0zzrl2.default\extensions\[email protected]\components\plugins.dll FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll FF - plugin: 
C:\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\nphdplg.dll FF - plugin: C:\Users\Sara Mason\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll FF - plugin: C:\Users\Sara Mason\AppData\Roaming\Mozilla\Firefox\Profiles\og0zzrl2.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\plugins\np-mswmp.dll FF - plugin: C:\Users\Sara Mason\AppData\Roaming\Mozilla\Firefox\Profiles\og0zzrl2.default\extensions\[email protected]\plugins\npwidevinemediatransformer.dll FF - plugin: C:\Users\Sara Mason\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll FF - plugin: C:\Users\Sara Mason\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll . ---- FIREFOX POLICIES ---- FF - user.js: extensions.funmoods_i.hmpg - true FF - user.js: extensions.funmoods_i.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=axl FF - user.js: extensions.funmoods_i.dfltSrch - true FF - user.js: extensions.funmoods_i.srchPrvdr - Search FF - user.js: extensions.funmoods_i.dnsErr - true FF - user.js: extensions.funmoods_i.newTab - true FF - user.js: extensions.funmoods_i.newTabUrl - hxxp://start.funmoods.com/?f=2&a=axl FF - user.js: extensions.funmoods_i.tlbrSrchUrl - hxxp://start.funmoods.com/results.php?f=3&a=axl&q= FF - user.js: extensions.funmoods_i.id - dab0c8200000000000000026c7a7f583 FF - user.js: extensions.funmoods_i.instlDay - 15481 FF - user.js: extensions.funmoods_i.vrsn - 1.5.11.16 FF - user.js: extensions.funmoods_i.vrsni - 1.5.11.16 FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.11.1610:39:56 FF - user.js: extensions.funmoods_i.prtnrId - funmoods FF - user.js: extensions.funmoods_i.prdct - funmoods FF - user.js: extensions.funmoods_i.aflt - axl FF - user.js: extensions.funmoods_i.smplGrp - none FF - user.js: extensions.funmoods_i.tlbrId - base FF - user.js: extensions.funmoods_i.instlRef - FF - user.js: extensions.funmoods_i.dfltLng - FF - user.js: 
extensions.funmoods_i.excTlbr - false . ============= SERVICES / DRIVERS =============== . R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?] R1 SbFw;SbFw;C:\Windows\system32\drivers\SbFw.sys --> C:\Windows\system32\drivers\SbFw.sys [?] R1 SBRE;SBRE;C:\Windows\System32\drivers\SBREDrv.sys [2011-10-26 101112] R2 sbapifs;sbapifs;C:\Windows\system32\DRIVERS\sbapifs.sys --> C:\Windows\system32\DRIVERS\sbapifs.sys [?] R3 clwvd;HP Webcam Splitter;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?] R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?] R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?] R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?] R3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?] R3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?] R3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;C:\Windows\system32\DRIVERS\SBFWIM.sys --> C:\Windows\system32\DRIVERS\SBFWIM.sys [?] R3 sbhips;sbhips;C:\Windows\system32\drivers\sbhips.sys --> C:\Windows\system32\drivers\sbhips.sys [?] R3 sbwtis;sbwtis;C:\Windows\system32\DRIVERS\sbwtis.sys --> C:\Windows\system32\DRIVERS\sbwtis.sys [?] S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?] S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?] 
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?] S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?] S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?] S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?] S3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;C:\Windows\system32\DRIVERS\sbfwim.sys --> C:\Windows\system32\DRIVERS\sbfwim.sys [?] . =============== Created Last 30 ================ . 2012-06-29 00:46:47 -------- d-----w- C:\Users\Sara Mason\AppData\Local\adaware 2012-06-29 00:45:25 60536 ----a-w- C:\Windows\System32\drivers\sbhips.sys 2012-06-29 00:44:56 256632 ----a-w- C:\Windows\System32\drivers\SbFw.sys 2012-06-29 00:44:56 119416 ----a-w- C:\Windows\System32\drivers\SbFwIm.sys 2012-06-29 00:44:55 45936 ----a-w- C:\Windows\System32\sbbd.exe 2012-06-29 00:44:47 -------- d-----w- C:\Program Files (x86)\Ad-Aware Antivirus 2012-06-29 00:44:01 -------- d-----w- C:\Users\Sara Mason\AppData\Local\adawarebp 2012-06-29 00:44:00 -------- d-----w- C:\ProgramData\Ad-Aware Browsing Protection 2012-06-29 00:43:48 -------- d-----w- C:\Program Files (x86)\adawaretb 2012-06-29 00:42:57 -------- d-----w- C:\Users\Sara Mason\AppData\Roaming\Ad-Aware Antivirus 2012-06-29 00:35:14 -------- d-----w- C:\Users\Sara Mason\AppData\Roaming\go 2012-06-28 15:57:05 442368 ----a-w- C:\Windows\System32\AESTEC64.dll 2012-06-28 15:57:04 90624 ----a-w- C:\Windows\System32\AESTCo64.dll 2012-06-28 15:57:04 68608 ----a-w- C:\Windows\System32\AESTAR64.dll 2012-06-28 15:57:04 564224 ----a-w- C:\Windows\System32\idt64mp1.exe 2012-06-28 15:57:04 487424 ----a-w- C:\Windows\sttray64.exe 2012-06-28 15:57:04 3467264 
----a-w- C:\Windows\System32\stlang64.dll 2012-06-28 15:57:04 162304 ----a-w- C:\Windows\System32\AESTAC64.dll 2012-06-28 15:57:04 12800512 ----a-w- C:\Windows\System32\idtcpl64.cpl 2012-06-28 08:14:29 -------- d-----w- C:\ProgramData\Recovery 2012-06-28 04:01:17 -------- d-----w- C:\Program Files\Bonjour 2012-06-28 04:01:17 -------- d-----w- C:\Program Files (x86)\Bonjour 2012-06-28 03:51:58 -------- d-----w- C:\Program Files\IDT 2012-06-28 03:41:11 -------- d-----w- C:\Users\Sara Mason\AppData\Local\ElevatedDiagnostics 2012-06-28 03:12:48 9013136 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{47955498-1CAB-454C-BE26-5334B62E4285}\mpengine.dll 2012-06-21 03:06:57 9013136 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-06-19 02:55:00 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll 2012-06-19 02:55:00 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{81BC8B0A-1DBF-4AB8-A841-A64F8CB98308}\gapaengine.dll 2012-06-19 02:53:23 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe 2012-06-19 02:53:23 77312 ----a-w- C:\Windows\System32\rdpwsx.dll 2012-06-19 02:53:23 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll 2012-06-19 02:53:11 209920 ----a-w- C:\Windows\System32\profsvc.dll 2012-06-19 02:53:09 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe 2012-06-19 02:53:07 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe 2012-06-19 02:53:06 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe 2012-06-19 02:52:58 3146752 ----a-w- C:\Windows\System32\win32k.sys 2012-06-19 02:52:57 3216384 ----a-w- C:\Windows\System32\msi.dll 2012-06-19 02:52:57 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys 2012-06-19 02:52:56 2342400 ----a-w- C:\Windows\SysWow64\msi.dll 2012-06-19 02:52:49 1462272 ----a-w- C:\Windows\System32\crypt32.dll 2012-06-19 02:52:48 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll 2012-06-19 
02:52:47 184320 ----a-w- C:\Windows\System32\cryptsvc.dll 2012-06-19 02:52:47 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll 2012-06-19 02:52:47 140288 ----a-w- C:\Windows\System32\cryptnet.dll 2012-06-19 02:52:47 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll 2012-06-19 02:32:34 2622464 ----a-w- C:\Windows\System32\wucltux.dll 2012-06-19 02:32:27 99840 ----a-w- C:\Windows\System32\wudriver.dll 2012-06-19 02:31:58 36864 ----a-w- C:\Windows\System32\wuapp.exe 2012-06-19 02:31:58 186752 ----a-w- C:\Windows\System32\wuwebv.dll 2012-06-06 20:25:58 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll 2012-06-06 20:25:58 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll . ==================== Find3M ==================== . 2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll 2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll 2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl 2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe 2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb 2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll 2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll 2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl 2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe 2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb 2012-05-17 05:52:51 0 ----a-w- C:\Windows\SysWow64\shoEE7D.tmp 2012-05-15 03:44:20 0 ----a-w- C:\Windows\SysWow64\sho46FB.tmp 2012-05-12 22:03:32 0 ----a-w- C:\Windows\SysWow64\shoD012.tmp 2012-05-07 05:56:40 0 ----a-w- C:\Windows\SysWow64\sho71FB.tmp 2012-05-05 07:52:44 0 ----a-w- C:\Windows\SysWow64\shoF362.tmp 2012-05-01 06:15:42 0 ----a-w- C:\Windows\SysWow64\shoC413.tmp 2012-04-03 06:14:59 0 ----a-w- C:\Windows\SysWow64\shoA335.tmp 2012-03-31 05:11:03 0 ----a-w- C:\Windows\SysWow64\shoD054.tmp . 
============= FINISH: 22:12:55.14 =============== . UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2011-08-26.01) . Microsoft Windows 7 Home Premium Boot Device: \Device\HarddiskVolume1 Install Date: 10/18/2010 12:12:14 PM System Uptime: 6/28/2012 10:00:20 PM (0 hours ago) . Motherboard: Hewlett-Packard | | 144C Processor: Intel(R) Core(TM) i5 CPU M 460 @ 2.53GHz | CPU | 2534/1066mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 446 GiB total, 326.585 GiB free. D: is FIXED (NTFS) - 19 GiB total, 2.813 GiB free. E: is CDROM () . ==== Disabled Device Manager Items ============= . Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318} Description: Photosmart C4700 series Device ID: ROOT\MULTIFUNCTION\0000 Manufacturer: HP Name: Photosmart C4700 series PNP Device ID: ROOT\MULTIFUNCTION\0000 Service: . ==== System Restore Points =================== . RP263: 5/21/2012 6:18:33 PM - Removed Safari RP264: 5/24/2012 1:52:06 PM - Windows Update RP265: 5/28/2012 12:14:53 AM - Windows Update RP266: 6/3/2012 11:52:40 AM - Windows Update RP267: 6/6/2012 4:35:01 PM - Windows Update RP268: 6/7/2012 5:17:52 PM - Windows Update RP269: 6/10/2012 10:07:44 PM - Windows Update RP270: 6/18/2012 10:31:28 PM - Windows Update RP271: 6/18/2012 10:53:07 PM - Windows Update RP272: 6/19/2012 12:08:56 AM - Windows Update RP273: 6/27/2012 11:03:15 PM - Windows Update RP274: 6/27/2012 11:10:48 PM - Removed Netflix in Windows Media Center RP275: 6/27/2012 11:11:13 PM - Removed Safari RP276: 6/27/2012 11:11:54 PM - Removed Safari RP277: 6/27/2012 11:13:29 PM - Removed Ad-Aware RP278: 6/27/2012 11:16:49 PM - Removed Energy Star Digital Logo RP279: 6/27/2012 11:21:53 PM - Removed Apple Application Support RP280: 6/27/2012 11:22:52 PM - Removed Apple Mobile Device Support RP281: 6/27/2012 11:23:56 PM - Removed Apple Software Update RP282: 6/27/2012 11:24:25 PM - Removed Bonjour RP283: 6/27/2012 11:25:55 PM - Removed QuickTime 
RP284: 6/27/2012 11:29:12 PM - Removed HP MediaSmart/TouchSmart Netflix RP285: 6/27/2012 11:30:07 PM - Removed IDT Audio RP286: 6/27/2012 11:34:39 PM - Removed Internet TV for Windows Media Center RP287: 6/27/2012 11:34:57 PM - Removed Windows Media Center Add-in for Flash RP288: 6/27/2012 11:46:41 PM - Removed iTunes RP289: 6/27/2012 11:54:44 PM - Configured PowerStarter RP290: 6/27/2012 11:56:32 PM - Removed CinemaNow Media Manager. RP291: 6/28/2012 12:01:49 AM - Installed iTunes . ==== Installed Programs ====================== . Acrobat.com Ad-Aware Antivirus Ad-Aware Browsing Protection Ad-Aware Security Toolbar Adobe AIR Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Reader 9.5.0 MUI Adobe Shockwave Player 11.6 BlackBerry Desktop Software 6.1 CinemaNow Media Manager CyberLink DVD Suite D3DX10 Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition DVD Menu Pack for HP MediaSmart Video ESU for Microsoft Windows 7 GameXN GO Google Chrome Google Talk Plugin Google Update Helper Hewlett-Packard ACLM.NET v1.1.2.0 HP Customer Experience Enhancements HP Documentation HP DVB-T TV Tuner 8.0.64.43 HP MediaSmart CinemaNow 2.0 HP MediaSmart DVD HP MediaSmart Photo HP MediaSmart Video HP MediaSmart Webcam HP Photo Creations HP Power Manager HP Quick Launch HP Setup HP Software Framework HP Support Assistant Intel(R) Control Center Intel(R) Graphics Media Accelerator Driver Intel(R) Management Engine Components Intel(R) Rapid Storage Technology Java Auto Updater Java(TM) 6 Update 29 Junk Mail filter update Mesh Runtime Messenger Companion Microsoft Office 2010 Service Pack 1 (SP1) Microsoft Office Access MUI (English) 2010 Microsoft Office Access Setup Metadata MUI (English) 2010 Microsoft Office Click-to-Run 2010 Microsoft Office Excel MUI (English) 2010 Microsoft Office Home and Student 2010 Microsoft Office OneNote MUI (English) 2010 Microsoft Office Outlook Connector Microsoft Office Outlook MUI (English) 2010 Microsoft Office PowerPoint 
==== End Of File ===========================
  2. Couldn't tell if the attachment worked... if not, here it is again.
  3. Okay, Combofix is uninstalled and attached is the screenshot requested. Thanks!
  4. OTL Log...
http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object) O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab (RIM AxLoader) O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.) O16 - DPF: Web-Based Email Tools http://email.secureserver.net/Download.CAB (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0D182252-A0DB-4D93-8F57-EA9893617957}: DhcpNameServer = 192.168.1.1 O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) 
O24 - Desktop WallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/06/11 10:43:27 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O34 - HKLM BootExecute: (lsdelete) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* [color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color] [2012/01/05 09:06:53 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2012/01/04 22:30:45 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Richard\Desktop\esetsmartinstaller_enu.exe [2012/01/04 10:18:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Richard\Local Settings\Application Data\PCHealth [2012/01/03 07:36:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2012/01/03 07:36:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2012/01/03 07:36:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2012/01/03 07:36:18 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2012/01/03 07:35:19 | 000,000,000 | ---D | C] -- C:\Qoobox [2012/01/02 21:20:24 | 004,372,321 | R--- | C] (Swearware) -- C:\Documents and Settings\Richard\Desktop\ComboFix.exe [2012/01/02 16:02:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun [2011/12/31 19:27:37 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL(3).exe [2011/12/17 19:09:27 | 000,000,000 | ---D | C] -- C:\ERDNT [2011/12/17 19:06:33 | 001,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Richard\Desktop\winsockxpfix.exe [2011/12/14 21:58:09 | 
004,702,720 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Richard\Desktop\aswMBR.exe [2011/12/14 18:51:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth [2011/12/11 17:30:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Richard\Start Menu\Programs\Administrative Tools [2011/12/09 19:08:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia [2011/12/09 19:08:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe [2011/12/09 17:36:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\adawaretb [2007/11/10 23:30:24 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Richard\Application Data\pcouffin.sys [color=#E56717]========== Files - Modified Within 30 Days ==========[/color] [2012/01/06 17:33:07 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2012/01/06 17:32:49 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job [2012/01/06 17:32:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2012/01/06 08:49:38 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2012/01/06 08:08:57 | 004,372,321 | R--- | M] (Swearware) -- C:\Documents and Settings\Richard\Desktop\ComboFix.exe [2012/01/05 20:45:09 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\SystemLook.exe [2012/01/05 20:37:43 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat [2012/01/05 20:37:43 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat [2012/01/04 22:36:35 | 000,466,782 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2012/01/04 22:36:35 | 000,081,574 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2012/01/04 22:31:11 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Richard\Desktop\esetsmartinstaller_enu.exe [2012/01/03 16:28:28 | 000,000,512 | ---- | 
M] () -- C:\Documents and Settings\Richard\Desktop\MBR.dat [2012/01/03 16:21:07 | 004,702,720 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Richard\Desktop\aswMBR.exe [2012/01/03 16:13:53 | 001,558,406 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\tdsskiller.zip [2012/01/03 07:33:59 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat [2011/12/31 19:48:16 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\iExplore.exe [2011/12/31 19:46:12 | 000,001,205 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\FixNCR.reg [2011/12/31 19:27:40 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL(3).exe [2011/12/27 17:50:35 | 000,668,511 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\lotus.jpg [2011/12/27 17:50:15 | 020,518,736 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\lotus.psd [2011/12/27 10:27:25 | 000,157,696 | ---- | M] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2011/12/27 10:24:34 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl [2011/12/20 22:57:03 | 002,848,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2011/12/20 10:41:54 | 000,296,303 | ---- | M] () -- C:\Documents and Settings\Richard\My Documents\don-and-alyson.jpg [2011/12/20 10:41:24 | 007,182,540 | ---- | M] () -- C:\Documents and Settings\Richard\My Documents\dona dn alyson.psd [2011/12/18 15:37:51 | 000,048,624 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\3978719-Womans-Day-felt-stockings-craft-template.pdf [2011/12/18 08:37:01 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak [2011/12/17 19:04:06 | 001,445,888 | ---- | M] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Richard\Desktop\winsockxpfix.exe [2011/12/13 07:41:53 | 000,011,977 | ---- | M] () -- C:\Documents and 
Settings\Richard\all [2011/12/11 16:08:56 | 000,000,139 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\rk-proxy.reg [color=#E56717]========== Files Created - No Company Name ==========[/color] [2012/01/05 20:45:07 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\SystemLook.exe [2012/01/03 16:13:42 | 001,558,406 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\tdsskiller.zip [2012/01/03 07:36:18 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe [2012/01/03 07:36:18 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe [2012/01/03 07:36:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2012/01/03 07:36:18 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2012/01/03 07:36:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2011/12/31 19:48:14 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\iExplore.exe [2011/12/31 19:46:07 | 000,001,205 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\FixNCR.reg [2011/12/27 17:49:58 | 020,518,736 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\lotus.psd [2011/12/27 16:09:24 | 000,668,511 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\lotus.jpg [2011/12/20 10:41:51 | 000,296,303 | ---- | C] () -- C:\Documents and Settings\Richard\My Documents\don-and-alyson.jpg [2011/12/20 10:41:22 | 007,182,540 | ---- | C] () -- C:\Documents and Settings\Richard\My Documents\dona dn alyson.psd [2011/12/18 15:37:51 | 000,048,624 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\3978719-Womans-Day-felt-stockings-craft-template.pdf [2011/12/14 22:00:57 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\MBR.dat [2011/12/13 07:28:31 | 000,011,977 | ---- | C] () -- C:\Documents and Settings\Richard\all [2011/12/11 16:08:56 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\rk-proxy.reg [2011/12/01 07:26:06 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe [2011/05/27 
11:06:06 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat [2011/05/27 11:06:06 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat [2010/10/21 20:49:22 | 000,207,982 | ---- | C] () -- C:\WINDOWS\hpoins43.dat [2010/10/21 20:49:22 | 000,000,601 | ---- | C] () -- C:\WINDOWS\hpomdl43.dat [2010/08/23 13:51:19 | 000,000,027 | ---- | C] () -- C:\WINDOWS\phpdev.ini [2010/08/05 09:57:49 | 000,134,272 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat [2010/03/22 11:25:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat [2009/10/08 07:52:17 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat [2009/07/27 14:35:07 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat [2009/04/30 15:08:59 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin [2009/04/24 13:27:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Font Book [2009/03/12 18:56:25 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\winscp.rnd [2008/10/09 15:25:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin [2008/10/09 11:27:00 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI [2008/08/30 08:29:49 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT [2008/08/30 08:29:49 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\Galaxy Swirl [2008/05/20 23:05:59 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll [2008/04/04 10:05:12 | 000,021,312 | ---- | C] () -- C:\WINDOWS\choice.exe [2008/01/06 14:13:49 | 000,000,054 | ---- | C] () -- C:\WINDOWS\winpoint.ini [2007/11/10 23:30:24 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\pcouffin.cat [2007/11/10 23:30:24 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\pcouffin.inf [2007/11/09 21:48:20 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\FoxImager.dll 
[2007/04/30 13:53:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CPC10Q.INI [2007/04/28 07:23:41 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat [2007/04/17 14:28:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI [2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL [2006/11/26 16:40:52 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini [2006/11/17 23:35:53 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\hndlt.ini [2006/11/17 23:34:41 | 000,000,057 | ---- | C] () -- C:\WINDOWS\System32\windll.ini [2006/11/08 19:59:54 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini [2006/10/09 11:00:34 | 000,157,696 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2006/10/04 11:35:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2006/10/02 19:50:46 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat [2006/10/02 19:33:26 | 000,000,030 | ---- | C] () -- C:\WINDOWS\atid.ini [2006/10/02 15:29:01 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat [2006/10/02 14:32:15 | 000,020,333 | ---- | C] () -- C:\WINDOWS\cmaudio.ini [2006/10/02 09:56:30 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\FASTWiz.html [2006/09/30 14:26:44 | 000,000,058 | ---- | C] () -- C:\WINDOWS\mchguid.ini [2006/09/29 19:10:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI [2006/07/18 13:31:20 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\fusioncache.dat [2006/07/12 15:26:06 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat [2006/07/12 15:20:46 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat [2006/07/12 07:41:10 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI [2006/07/12 07:40:05 | 002,848,024 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2005/01/27 01:33:58 | 000,036,864 | ---- | C] () -- 
C:\WINDOWS\System32\o2flash.exe [2005/01/20 21:02:28 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\RMDevice.dll [2003/09/16 10:52:28 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll [2003/09/16 10:43:31 | 000,884,736 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll [2003/09/16 10:41:43 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll [2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI [2001/08/18 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin [2001/08/18 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat [2001/08/18 07:00:00 | 000,466,782 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat [2001/08/18 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat [2001/08/18 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat [2001/08/18 07:00:00 | 000,081,574 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat [2001/08/18 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin [2001/08/18 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat [2001/08/18 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat [2001/08/18 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin [2001/08/18 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat [color=#E56717]========== LOP Check ==========[/color] [2012/01/06 08:50:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection [2007/11/09 21:35:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus [2008/08/30 08:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp [2008/04/05 08:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Jes-Soft [2007/01/26 15:12:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All 
Users\Application Data\MSScanAppDataDir [2008/06/15 09:53:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OLYMPUS [2009/07/17 17:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters [2008/08/30 08:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15 [2010/06/15 08:56:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint [2007/11/11 07:29:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk [2009/06/01 10:29:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip [2011/02/05 11:11:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} [2008/03/24 16:53:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\acccore [2011/12/22 14:10:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\adawaretb [2008/01/06 12:12:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Aim [2011/03/22 08:08:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Amazon [2010/03/08 09:29:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Azureus [2009/05/17 10:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Blackberry Desktop [2010/09/23 10:13:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\com.adobe.ExMan [2010/11/16 16:45:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\com.adobe.WidgetBrowser.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1 [2007/07/18 16:19:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\CTS [2012/01/06 17:40:43 | 000,000,000 | ---D | M] -- C:\Documents and 
Settings\Richard\Application Data\Dropbox [2009/03/12 18:43:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\FileZilla [2010/05/09 12:09:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\foobar2000 [2007/03/12 15:24:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Investintech [2007/06/24 09:57:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Leadertech [2008/08/30 08:33:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Nikon [2008/04/02 20:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\OfficeUpdate12 [2009/05/20 07:50:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Research In Motion [2010/05/28 11:41:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Subversion [2007/01/18 12:32:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Viewpoint [2011/10/06 18:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Vso [2012/01/06 17:32:49 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job [color=#E56717]========== Purity Check ==========[/color] < End of report >
  5. ESET Results...
[email protected] as downloader log: all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ed39eb1f15e8534f8da4287f0575bd09
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-05 06:23:32
# local_time=2012-01-05 01:23:32 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=184249
# found=10
# cleaned=0
# scan_time=14936
C:\Documents and Settings\Richard\Local Settings\Application Data\usrMainPlay\smpUserUsb.dll a variant of Win32/Sefnit.CC trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\eMule\Incoming\Adobe Creative Suite CS3 Master Collection.iso probably a variant of Win32/TrojanDropper.Agent.FNFWXNO trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Local Settings\Application Data\mwq.exe.vir a variant of Win32/Kryptik.YGH trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\My Documents\YaFqMaI.exe.vir a variant of Win32/Kryptik.YGH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003566.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003580.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003589.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003599.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP13\A0003725.exe a variant of Win32/Kryptik.YGH trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\drivers\netbt.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I

[email protected] as downloader log: all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ed39eb1f15e8534f8da4287f0575bd09
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-07 04:35:21
# local_time=2012-01-06 11:35:21 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=184811
# found=11
# cleaned=0
# scan_time=7006
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Local Settings\Application Data\mwq.exe.vir a variant of Win32/Kryptik.YGH trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Local Settings\Application Data\usrMainPlay\smpUserUsb.dll.vir a variant of Win32/Sefnit.CC trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\My Documents\YaFqMaI.exe.vir a variant of Win32/Kryptik.YGH trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\netbt.sys.vir Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003566.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003580.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003589.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003599.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP13\A0003725.exe a variant of Win32/Kryptik.YGH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP16\A0005498.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP16\A0005504.dll a variant of Win32/Sefnit.CC trojan (unable to clean) 00000000000000000000000000000000 I
  6. Got it with netbt.sys. Here is the ComboFix log. ComboFix 12-01-05.04 - Richard 01/06/2012 8:31.9.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1471.972 [GMT -5:00] Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Richard\Desktop\CFScript.txt AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} . FILE :: "c:\documents and settings\Richard\Local Settings\Application Data\usrMainPlay\smpUserUsb.dll" . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Richard\Local Settings\Application Data\usrMainPlay\smpUserUsb.dll . . --------------- FCopy --------------- . c:\windows\ServicePackFiles\i386\netbt.sys --> c:\windows\system32\drivers\netbt.sys . ((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 ))))))))))))))))))))))))))))))) . . 2012-01-05 14:06 . 2012-01-05 14:06 -------- d-----w- c:\program files\ESET 2012-01-04 15:18 . 2012-01-04 15:18 -------- d-----w- c:\documents and settings\Richard\Local Settings\Application Data\PCHealth 2011-12-18 00:09 . 2011-12-18 00:09 -------- dc----w- C:\ERDNT 2011-12-14 23:51 . 2011-12-14 23:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth 2011-12-10 18:52 . 2011-12-10 19:03 -------- d-----w- c:\documents and settings\Administrator 2011-12-10 00:15 . 2011-12-10 00:15 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE 2011-12-09 22:36 . 2011-12-10 00:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\adawaretb . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-12-27 15:24 . 2011-05-21 12:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-12-02 18:27 . 
2011-12-01 12:26 16432 ----a-w- c:\windows\system32\lsdelete.exe 2011-11-23 13:25 . 2001-08-18 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys 2011-11-04 19:20 . 2004-01-08 19:23 916992 ----a-w- c:\windows\system32\wininet.dll 2011-11-04 19:20 . 2001-08-18 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-11-04 19:20 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec 2011-11-03 17:06 . 2011-05-20 17:19 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys 2011-11-01 16:07 . 2006-10-02 20:03 1288704 ----a-w- c:\windows\system32\ole32.dll 2011-10-28 05:31 . 2001-08-18 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll 2011-10-25 13:33 . 2001-08-18 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe 2011-10-25 12:52 . 2001-08-17 13:48 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe 2011-10-18 11:13 . 2004-08-04 07:56 186880 ------w- c:\windows\system32\encdec.dll 2011-10-10 14:22 . 2006-07-12 20:21 692736 ----a-w- c:\windows\system32\inetcomm.dll . . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of c:\documents and settings\Richard\Local Settings\Application Data\usrMainPlay ---- . . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}] 2011-10-21 09:10 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-10-21 87440] . [HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}] . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-28 13145448] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] . 
c:\documents and settings\Richard\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Richard\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-1-18 41041]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Richard\\Desktop\\utorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Richard\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\adawaretb\\dtUser.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:*:Disabled:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:*:Disabled:Adobe Version Cue CS4 Server
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4
"3306:TCP"= 3306:TCP:MySQL
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/20/2011 12:19 PM 64512]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2/27/2006 12:00 AM 34880]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2/20/2006 1:01 AM 29056]
R2 dev5_ap1;dev5_ap1;c:\phpdev5\Apache\Apache.exe [8/23/2010 1:50 PM 20480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [11/3/2011 12:06 PM 2152152]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 1:44 AM 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/19/2011 1:44 AM 399416]
R3 AGR1310_51;Agere Systems ET-131x PCI-E Gigabit Ethernet Adapter XP Driver;c:\windows\system32\drivers\AGR1310_51.sys [12/14/2009 6:26 PM 70144]
R3 Pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [10/25/2006 7:16 PM 47360]
S2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [1/18/2008 12:37 AM 24635]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S3 Ktp3;Elantech TouchPad;c:\windows\system32\drivers\Ktp3.sys [4/20/2005 4:47 PM 24704]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/3/2011 12:06 PM 15232]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [4/1/2010 9:37 AM 14424]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 17:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} - hxxp://www.leadstoloans.com/activex/fafile.dll
DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} - hxxp://www.leadstoloans.com/activex/faprint.dll
DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} - hxxp://www.leadstoloans.com/activex/fagrid.dll
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=utf-8&mssrc=ms_kwd&mstb=adawaretb&q=
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Ad-Aware Security Toolbar: {87934c42-161d-45bc-8cef-ef18abe2a30c} - %profile%\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-06 08:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,d7,df,87,8a,8e,27,40,a2,1b,df,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,d7,df,87,8a,8e,27,40,a2,1b,df,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\17?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.5"
"DeviceInstanceIds"=multi:"c:\\docume~1\\richard\\locals~1\\temp\\wzse0.tmp\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(500)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'explorer.exe'(2764)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll
c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\windows\system32\o2flash.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\msiexec.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2012-01-06 09:02:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-06 14:02
ComboFix2.txt 2012-01-05 02:05
ComboFix3.txt 2012-01-04 03:49
ComboFix4.txt 2012-01-03 22:42
ComboFix5.txt 2012-01-06 13:09
.
Pre-Run: 6,688,280,576 bytes free
Post-Run: 6,694,871,040 bytes free
.
- - End Of File - - 98A88C25E8228114C0984151E7026F85
  7. And the SystemLook results:

SystemLook 30.07.11 by jpshortstuff
Log created at 20:50 on 05/01/2012 by Richard
Administrator - Elevation successful

========== filefind ==========

Searching for "netbt.sys"
C:\WINDOWS\$NtServicePackUninstall$\netbt.sys -----c- 162816 bytes [12:05 11/10/2008] [06:14 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\ServicePackFiles\i386\netbt.sys -----c- 162816 bytes [06:14 04/08/2004] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\drivers\netbt.sys --a---- 162816 bytes [12:00 18/08/2001] [19:21 13/04/2008] D826E005FB7006521A4C23855CD077EA

========== file ==========

C:\WINDOWS\system32\drivers\netbt.sys - File found and opened.
MD5: D826E005FB7006521A4C23855CD077EA
Created at 12:00 on 18/08/2001
Modified at 19:21 on 13/04/2008
Size: 162816 bytes
Attributes: --a----
No version information available.

-= EOF =-
  8. Interesting that the file you mention as the culprit has been on my computer for over 5 years and it has never presented an issue until now. Here is the link to the virustotal results... http://www.virustotal.com/file-scan/report.html?id=453a7e793321781babeb5547c06cc63fabcfbd9c8840d891b932ca15271f92cd-1325813623
  9. Okay so ComboFix continued to say that the cpt was infected with RootKit.ZeroAccess and took a long time to run. Also, when I opened ComboFix it said that there was a newer version available and had me download it. Hope this was the correct thing to do. I also ran the eset scan, which took forever and produced the log below.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ed39eb1f15e8534f8da4287f0575bd09
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-05 06:23:32
# local_time=2012-01-05 01:23:32 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=184249
# found=10
# cleaned=0
# scan_time=14936
C:\Documents and Settings\Richard\Local Settings\Application Data\usrMainPlay\smpUserUsb.dll    a variant of Win32/Sefnit.CC trojan (unable to clean)    00000000000000000000000000000000    I
C:\Program Files\eMule\Incoming\Adobe Creative Suite CS3 Master Collection.iso    probably a variant of Win32/TrojanDropper.Agent.FNFWXNO trojan (unable to clean)    00000000000000000000000000000000    I
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Local Settings\Application Data\mwq.exe.vir    a variant of Win32/Kryptik.YGH trojan (unable to clean)    00000000000000000000000000000000    I
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\My Documents\YaFqMaI.exe.vir    a variant of Win32/Kryptik.YGH trojan (unable to clean)    00000000000000000000000000000000    I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003566.sys    Win32/Sirefef.DA trojan (unable to clean)    00000000000000000000000000000000    I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003580.sys    Win32/Sirefef.DA trojan (unable to clean)    00000000000000000000000000000000    I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003589.sys    Win32/Sirefef.DA trojan (unable to clean)    00000000000000000000000000000000    I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003599.sys    Win32/Sirefef.DA trojan (unable to clean)    00000000000000000000000000000000    I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP13\A0003725.exe    a variant of Win32/Kryptik.YGH trojan (unable to clean)    00000000000000000000000000000000    I
C:\WINDOWS\system32\drivers\netbt.sys    Win32/Sirefef.DA trojan (unable to clean)    00000000000000000000000000000000    I
  10. I haven't been on it much today, however it seems to be running fine. No pop ups or warnings. When I ran ComboFix last time, it said that the machine was infected with "RootKit.ZeroAccess" and took a very long time to produce the log above. Please let me know the next steps.
  11. And here is the OTL log...

OTL logfile created on: 1/4/2012 7:41:47 AM - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Richard\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.44 Gb Total Physical Memory | 0.67 Gb Available Physical Memory | 46.56% Memory free
1.95 Gb Paging File | 1.40 Gb Available in Paging File | 71.94% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.64 Gb Total Space | 6.57 Gb Free Space | 9.43% Space Free | Partition Type: NTFS
Drive E: | 1862.56 Gb Total Space | 1821.43 Gb Free Space | 97.79% Space Free | Partition Type: FAT32

Computer Name: LABTOP | User Name: Richard | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

[color=#E56717]========== Processes (SafeList) ==========[/color]

PRC - [2011/12/31 19:27:40 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL(3).exe
PRC - [2011/11/03 12:06:56 | 002,152,152 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2011/11/03 12:06:56 | 001,187,072 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2011/10/21 04:09:36 | 000,198,032 | ---- | M] (Lavasoft) -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
PRC - [2011/05/25 15:07:14 | 024,176,560 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Richard\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2011/04/19 01:44:40 | 000,993,848 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe
PRC - [2011/04/19 01:44:40 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe
PRC - [2011/04/19 01:44:40 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe
PRC - [2010/08/23 13:50:32 | 000,020,480 | ---- | M] () -- C:\phpdev5\Apache\Apache.exe
PRC - [2008/08/28 18:34:14 | 013,145,448 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/18 16:57:54 | 005,750,784 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
PRC - [2005/01/27 01:33:58 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\o2flash.exe

[color=#E56717]========== Modules (No Company Name) ==========[/color]

MOD - [2011/12/05 12:55:56 | 000,193,904 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\Extended\libMachoUniv.dll
MOD - [2011/12/05 12:54:51 | 000,210,288 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\Extended\libBase64.dll
MOD - [2011/11/03 12:06:56 | 000,591,232 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\RPAPI.dll
MOD - [2011/11/03 12:06:56 | 000,430,568 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\Viprebridge.dll
MOD - [2011/11/03 12:06:56 | 000,308,560 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\Vipre.dll
MOD - [2011/06/07 04:44:50 | 000,508,776 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\thorax.aaw
MOD - [2010/08/23 13:50:54 | 001,089,536 | ---- | M] () -- c:\phpdev5\php\sapi\php4ts.dll
MOD - [2010/08/23 13:50:54 | 000,024,576 | ---- | M] () -- c:\phpdev5\php\sapi\php4apache.dll
MOD - [2010/08/23 13:50:36 | 000,045,056 | ---- | M] () -- c:\phpdev5\Apache\modules\mod_rewrite.so
MOD - [2010/08/23 13:50:36 | 000,028,672 | ---- | M] () -- c:\phpdev5\Apache\modules\mod_status.so
MOD - [2010/08/23 13:50:36 | 000,020,480 | ---- | M] () -- C:\phpdev5\Apache\Win9xConHook.dll
MOD - [2010/08/23 13:50:35 | 000,024,576 | ---- | M] () -- c:\phpdev5\Apache\modules\mod_info.so
MOD - [2010/08/23 13:50:35 | 000,020,480 | ---- | M] () -- c:\phpdev5\Apache\modules\mod_headers.so
MOD - [2010/08/23 13:50:32 | 000,335,872 | ---- | M] () -- C:\phpdev5\Apache\ApacheCore.dll
MOD - [2010/08/23 13:50:32 | 000,020,480 | ---- | M] () -- C:\phpdev5\Apache\Apache.exe
MOD - [2008/08/28 15:54:56 | 000,891,904 | ---- | M] () -- C:\Program Files\Adobe\Adobe Bridge CS4\FileInfo.dll
MOD - [2008/08/28 15:54:56 | 000,502,272 | ---- | M] () -- C:\Program Files\Adobe\Adobe Bridge CS4\AdobeXMPFiles.dll
MOD - [2008/08/28 15:54:56 | 000,424,960 | ---- | M] () -- C:\Program Files\Adobe\Adobe Bridge CS4\AdobeXMP.dll
MOD - [2008/08/28 15:53:58 | 000,073,728 | ---- | M] () -- C:\Program Files\Adobe\Adobe Bridge CS4\Symlib.dll
MOD - [2008/08/28 15:47:50 | 002,748,416 | ---- | M] () -- C:\Program Files\Adobe\Adobe Bridge CS4\libmysqld.dll
MOD - [2008/01/18 16:57:54 | 005,750,784 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
MOD - [2005/01/27 01:33:58 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\o2flash.exe

[color=#E56717]========== Win32 Services (SafeList) ==========[/color]

SRV - File not found [Auto | Stopped] -- -- (Roxio Upnp Server 9)
SRV - File not found [On_Demand | Stopped] -- -- (Roxio UPnP Renderer 9)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - File not found [On_Demand | Stopped] -- -- (ACDaemon)
SRV - [2011/11/03 12:06:56 | 002,152,152 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011/04/19 01:44:40 | 000,993,848 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\PSIA.exe -- (Secunia PSI Agent)
SRV - [2011/04/19 01:44:40 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2010/08/23 13:50:32 | 000,020,480 | ---- | M] () [Auto | Running] -- C:\phpdev5\apache\Apache.exe -- (dev5_ap1)
SRV - [2009/06/15 10:51:14 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/08/15 04:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)
SRV - [2008/01/18 16:57:54 | 005,750,784 | ---- | M] () [Auto | Running] -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe -- (MySQL)
SRV - [2005/01/27 01:33:58 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\o2flash.exe -- (O2Flash)

[color=#E56717]========== Driver Services (SafeList) ==========[/color]

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2011/11/03 12:06:56 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2011/11/03 12:06:56 | 000,015,232 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/09/01 03:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2009/09/28 01:02:44 | 000,014,424 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2008/04/13 14:21:00 | 000,162,816 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\netbt.sys -- (NetBT)
DRV - [2007/09/29 02:06:00 | 002,456,064 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2006/03/29 07:49:26 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2006/02/27 00:00:50 | 000,034,880 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\o2media.sys -- (O2MDRDR)
DRV - [2006/02/20 01:01:06 | 000,029,056 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\o2sd.sys -- (O2SDRDR)
DRV - [2005/12/09 16:48:00 | 004,123,136 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/10/27 14:06:30 | 000,356,096 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt61.sys -- (RT61)
DRV - [2005/09/06 14:47:12 | 000,070,144 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGR1310_51.sys -- (AGR1310_51)
DRV - [2005/08/24 16:24:00 | 001,120,352 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/04/20 16:47:28 | 000,024,704 | ---- | M] (Elantech Devices Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ktp3.sys -- (Ktp3)
DRV - [1999/09/10 12:06:00 | 000,025,244 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ASPI32.SYS -- (ASPI32)

[color=#E56717]========== Standard Registry (SafeList) ==========[/color]

[color=#E56717]========== Internet Explorer ==========[/color]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

[color=#E56717]========== FireFox ==========[/color]

FF - prefs.js..browser.search.selectedEngine: "Search the Web"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9}:5.0
FF - prefs.js..extensions.enabledItems: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}:2.1.106
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10
FF - prefs.js..extensions.enabledItems: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:2.12.21.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {87934c42-161d-45bc-8cef-ef18abe2a30c}:0.9
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=utf-8&mssrc=ms_kwd&mstb=adawaretb&q="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 1
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/26 18:19:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/22 08:14:27 | 000,000,000 | ---D | M]

[2009/04/19 20:52:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Extensions
[2011/12/01 17:26:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions
[2011/05/04 11:48:31 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2010/12/28 12:30:28 | 000,000,000 | ---D | M] ("Delicious Bookmarks") -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
[2011/11/30 23:00:34 | 000,000,000 | ---D | M] (Ad-Aware Security Toolbar) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
[2011/05/04 11:48:33 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2011/11/30 23:10:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/16 09:27:46 | 000,000,000 | ---D | M] (Adobe Contribute Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
[2011/05/21 07:29:32 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2008/09/10 00:09:32 | 000,079,216 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npContribute.dll
[2011/05/21 07:29:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/10/17 13:14:28 | 000,002,149 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\adawaretb.xml

O1 HOSTS File: ([2012/01/03 22:37:43 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKCU..\Run: [AdobeBridge] C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
O4 - Startup: C:\Documents and Settings\Richard\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Richard\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} http://www.leadstoloans.com/activex/fafile.dll (First American File Control)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} http://www.leadstoloans.com/activex/faprint.dll (First American Print Control)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} http://www.leadstoloans.com/activex/fagrid.dll (First American Grid Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159818431983 (WUWebControl Class)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.systemrequirementslab.com/sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159818421170 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab (RIM AxLoader)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O16 - DPF: Web-Based Email Tools http://email.secureserver.net/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0D182252-A0DB-4D93-8F57-EA9893617957}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/06/11 10:43:27 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O34 - HKLM BootExecute: (lsdelete) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2012/01/03 07:36:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2012/01/03 07:36:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2012/01/03 07:36:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2012/01/03 07:36:18 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2012/01/03 07:35:19 | 000,000,000 | ---D | C] -- C:\Qoobox [2012/01/02 21:20:24 | 004,368,434 | R--- | C] (Swearware) -- C:\Documents and Settings\Richard\Desktop\ComboFix.exe [2012/01/02 16:02:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun [2011/12/31 19:27:37 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL(3).exe [2011/12/17 19:09:27 | 000,000,000 | ---D | C] -- C:\ERDNT [2011/12/17 19:06:33 | 001,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Richard\Desktop\winsockxpfix.exe [2011/12/14 21:58:09 | 004,702,720 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Richard\Desktop\aswMBR.exe [2011/12/14 18:51:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth [2011/12/11 17:30:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Richard\Start
Menu\Programs\Administrative Tools [2011/12/09 19:08:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia [2011/12/09 19:08:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe [2011/12/09 17:36:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\adawaretb [2007/11/10 23:30:24 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Richard\Application Data\pcouffin.sys
========== Files - Modified Within 30 Days ==========
[2012/01/03 22:40:08 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2012/01/03 22:39:09 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job [2012/01/03 22:37:43 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2012/01/03 22:37:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2012/01/03 17:07:29 | 004,368,434 | R--- | M] (Swearware) -- C:\Documents and Settings\Richard\Desktop\ComboFix.exe [2012/01/03 16:28:28 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\MBR.dat [2012/01/03 16:21:07 | 004,702,720 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Richard\Desktop\aswMBR.exe [2012/01/03 16:13:53 | 001,558,406 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\tdsskiller.zip [2012/01/03 07:33:59 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat [2011/12/31 19:48:16 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\iExplore.exe [2011/12/31 19:46:12 | 000,001,205 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\FixNCR.reg [2011/12/31 19:27:40 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL(3).exe [2011/12/30 10:33:55 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat [2011/12/30 10:33:55 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat [2011/12/27
17:50:35 | 000,668,511 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\lotus.jpg [2011/12/27 17:50:15 | 020,518,736 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\lotus.psd [2011/12/27 10:27:25 | 000,157,696 | ---- | M] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2011/12/27 10:24:34 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl [2011/12/22 13:29:04 | 000,466,782 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2011/12/22 13:29:04 | 000,081,574 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2011/12/20 22:57:03 | 002,848,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2011/12/20 10:41:54 | 000,296,303 | ---- | M] () -- C:\Documents and Settings\Richard\My Documents\don-and-alyson.jpg [2011/12/20 10:41:24 | 007,182,540 | ---- | M] () -- C:\Documents and Settings\Richard\My Documents\dona dn alyson.psd [2011/12/18 15:37:51 | 000,048,624 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\3978719-Womans-Day-felt-stockings-craft-template.pdf [2011/12/18 08:37:01 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak [2011/12/17 19:04:06 | 001,445,888 | ---- | M] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Richard\Desktop\winsockxpfix.exe [2011/12/13 07:41:53 | 000,011,977 | ---- | M] () -- C:\Documents and Settings\Richard\all [2011/12/11 16:08:56 | 000,000,139 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\rk-proxy.reg
========== Files Created - No Company Name ==========
[2012/01/03 16:13:42 | 001,558,406 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\tdsskiller.zip [2012/01/03 07:36:18 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe [2012/01/03 07:36:18 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe [2012/01/03 07:36:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2012/01/03 07:36:18 |
000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2012/01/03 07:36:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2011/12/31 19:48:14 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\iExplore.exe [2011/12/31 19:46:07 | 000,001,205 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\FixNCR.reg [2011/12/27 17:49:58 | 020,518,736 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\lotus.psd [2011/12/27 16:09:24 | 000,668,511 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\lotus.jpg [2011/12/20 10:41:51 | 000,296,303 | ---- | C] () -- C:\Documents and Settings\Richard\My Documents\don-and-alyson.jpg [2011/12/20 10:41:22 | 007,182,540 | ---- | C] () -- C:\Documents and Settings\Richard\My Documents\dona dn alyson.psd [2011/12/18 15:37:51 | 000,048,624 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\3978719-Womans-Day-felt-stockings-craft-template.pdf [2011/12/14 22:00:57 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\MBR.dat [2011/12/13 07:28:31 | 000,011,977 | ---- | C] () -- C:\Documents and Settings\Richard\all [2011/12/11 16:08:56 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\rk-proxy.reg [2011/12/01 07:26:06 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe [2011/05/27 11:06:06 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat [2011/05/27 11:06:06 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat [2010/10/21 20:49:22 | 000,207,982 | ---- | C] () -- C:\WINDOWS\hpoins43.dat [2010/10/21 20:49:22 | 000,000,601 | ---- | C] () -- C:\WINDOWS\hpomdl43.dat [2010/08/23 13:51:19 | 000,000,027 | ---- | C] () -- C:\WINDOWS\phpdev.ini [2010/08/05 09:57:49 | 000,134,272 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat [2010/03/22 11:25:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat [2009/10/08 07:52:17 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat [2009/07/27 14:35:07 
| 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat [2009/04/30 15:08:59 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin [2009/04/24 13:27:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Font Book [2009/03/12 18:56:25 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\winscp.rnd [2008/10/09 15:25:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin [2008/10/09 11:27:00 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI [2008/08/30 08:29:49 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT [2008/08/30 08:29:49 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\Galaxy Swirl [2008/05/20 23:05:59 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll [2008/04/04 10:05:12 | 000,021,312 | ---- | C] () -- C:\WINDOWS\choice.exe [2008/01/06 14:13:49 | 000,000,054 | ---- | C] () -- C:\WINDOWS\winpoint.ini [2007/11/10 23:30:24 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\pcouffin.cat [2007/11/10 23:30:24 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\pcouffin.inf [2007/11/09 21:48:20 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\FoxImager.dll [2007/04/30 13:53:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CPC10Q.INI [2007/04/28 07:23:41 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat [2007/04/17 14:28:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI [2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL [2006/11/26 16:40:52 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini [2006/11/17 23:35:53 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\hndlt.ini [2006/11/17 23:34:41 | 000,000,057 | ---- | C] () -- C:\WINDOWS\System32\windll.ini [2006/11/08 19:59:54 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini [2006/10/09 11:00:34 | 000,157,696 
| ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2006/10/04 11:35:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2006/10/02 19:50:46 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat [2006/10/02 19:33:26 | 000,000,030 | ---- | C] () -- C:\WINDOWS\atid.ini [2006/10/02 15:29:01 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat [2006/10/02 14:32:15 | 000,020,333 | ---- | C] () -- C:\WINDOWS\cmaudio.ini [2006/10/02 09:56:30 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\FASTWiz.html [2006/09/30 14:26:44 | 000,000,058 | ---- | C] () -- C:\WINDOWS\mchguid.ini [2006/09/29 19:10:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI [2006/07/18 13:31:20 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\fusioncache.dat [2006/07/12 15:26:06 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat [2006/07/12 15:20:46 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat [2006/07/12 07:41:10 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI [2006/07/12 07:40:05 | 002,848,024 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2005/01/27 01:33:58 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\o2flash.exe [2005/01/20 21:02:28 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\RMDevice.dll [2003/09/16 10:52:28 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll [2003/09/16 10:43:31 | 000,884,736 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll [2003/09/16 10:41:43 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll [2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI [2001/08/18 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin [2001/08/18 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat [2001/08/18 07:00:00 | 000,466,782 | ---- | C] () -- 
C:\WINDOWS\System32\perfh009.dat [2001/08/18 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat [2001/08/18 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat [2001/08/18 07:00:00 | 000,162,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\netbt.sys [2001/08/18 07:00:00 | 000,081,574 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat [2001/08/18 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin [2001/08/18 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat [2001/08/18 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat [2001/08/18 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin [2001/08/18 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
========== LOP Check ==========
[2012/01/03 22:39:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection [2007/11/09 21:35:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus [2008/08/30 08:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp [2008/04/05 08:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Jes-Soft [2007/01/26 15:12:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir [2008/06/15 09:53:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OLYMPUS [2009/07/17 17:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters [2008/08/30 08:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15 [2010/06/15 08:56:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint [2007/11/11 07:29:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All
Users\Application Data\vsosdk [2009/06/01 10:29:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip [2011/02/05 11:11:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} [2008/03/24 16:53:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\acccore [2011/12/22 14:10:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\adawaretb [2008/01/06 12:12:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Aim [2011/03/22 08:08:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Amazon [2010/03/08 09:29:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Azureus [2009/05/17 10:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Blackberry Desktop [2010/09/23 10:13:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\com.adobe.ExMan [2010/11/16 16:45:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\com.adobe.WidgetBrowser.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1 [2007/07/18 16:19:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\CTS [2012/01/03 22:38:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Dropbox [2009/03/12 18:43:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\FileZilla [2010/05/09 12:09:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\foobar2000 [2007/03/12 15:24:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Investintech [2007/06/24 09:57:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Leadertech [2008/08/30 08:33:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Nikon 
[2008/04/02 20:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\OfficeUpdate12 [2009/05/20 07:50:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Research In Motion [2010/05/28 11:41:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Subversion [2007/01/18 12:32:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Viewpoint [2011/10/06 18:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Vso [2012/01/03 22:39:09 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
========== Purity Check ==========
< End of report >
  12. Here is the ComboFix log that was generated from dropping CFScript on the ComboFix icon. I have no idea how the machine got infected. I go to many sites about graphic design, news, blogs, etc. It seems that it was infected by visiting a site, but I cannot tell which one as I had many windows open when the malware presented itself in the form of popups.

ComboFix 12-01-03.07 - Richard 01/03/2012 22:17:39.7.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1471.996 [GMT -5:00] Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Richard\Desktop\CFScript.txt AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} . FILE :: "c:\documents and settings\All Users\Application Data\btr777hb8uyl34un5u205b7tmhyha7yq8dyly" "c:\documents and settings\Richard\Local Settings\Application Data\btr777hb8uyl34un5u205b7tmhyha7yq8dyly" "c:\documents and settings\Richard\Local Settings\Application Data\mwq.exe" "c:\documents and settings\Richard\My Documents\YaFqMaI.exe" . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\All Users\Application Data\btr777hb8uyl34un5u205b7tmhyha7yq8dyly c:\documents and settings\Richard\Local Settings\Application Data\btr777hb8uyl34un5u205b7tmhyha7yq8dyly c:\documents and settings\Richard\My Documents\YaFqMaI.exe . . ((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 ))))))))))))))))))))))))))))))) . . 2011-12-18 00:09 . 2011-12-18 00:09 -------- dc----w- C:\ERDNT 2011-12-14 23:51 . 2011-12-14 23:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth 2011-12-10 18:52 . 2011-12-10 19:03 -------- d-----w- c:\documents and settings\Administrator 2011-12-10 00:15 . 2011-12-10 00:15 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE 2011-12-09 22:36 .
2011-12-10 00:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\adawaretb . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-12-27 15:24 . 2011-05-21 12:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-12-02 18:27 . 2011-12-01 12:26 16432 ----a-w- c:\windows\system32\lsdelete.exe 2011-11-23 13:25 . 2001-08-18 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys 2011-11-04 19:20 . 2004-01-08 19:23 916992 ----a-w- c:\windows\system32\wininet.dll 2011-11-04 19:20 . 2001-08-18 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-11-04 19:20 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec 2011-11-03 17:06 . 2011-05-20 17:19 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys 2011-11-01 16:07 . 2006-10-02 20:03 1288704 ----a-w- c:\windows\system32\ole32.dll 2011-10-28 05:31 . 2001-08-18 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll 2011-10-25 13:33 . 2001-08-18 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe 2011-10-25 12:52 . 2001-08-17 13:48 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe 2011-10-18 11:13 . 2004-08-04 07:56 186880 ------w- c:\windows\system32\encdec.dll 2011-10-10 14:22 . 2006-07-12 20:21 692736 ----a-w- c:\windows\system32\inetcomm.dll . . ((((((((((((((((((((((((((((( [email protected]_22.39.05 ))))))))))))))))))))))))))))))))))))))))) . + 2012-01-04 03:38 . 2012-01-04 03:38 16384 c:\windows\Temp\Perflib_Perfdata_750.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}] 2011-10-21 09:10 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-10-21 87440] . [HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-28 13145448] . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] . c:\documents and settings\Richard\Start Menu\Programs\Startup\ Dropbox.lnk - c:\documents and settings\Richard\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072] Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-1-18 41041] Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Documents and Settings\\Richard\\Desktop\\utorrent.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"= "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"= "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"= "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Documents and Settings\\Richard\\Application Data\\Dropbox\\bin\\Dropbox.exe"= "c:\\Program Files\\adawaretb\\dtUser.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS4 Server "3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS4 Server "51000:TCP"= 51000:TCP:*:Disabled:Adobe Version Cue CS4 Server "51001:TCP"= 51001:TCP:*:Disabled:Adobe Version Cue CS4 Server "5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4 "3306:TCP"= 3306:TCP:MySQL . 
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/20/2011 12:19 PM 64512] R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2/27/2006 12:00 AM 34880] R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2/20/2006 1:01 AM 29056] R2 dev5_ap1;dev5_ap1;c:\phpdev5\Apache\Apache.exe [8/23/2010 1:50 PM 20480] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [11/3/2011 12:06 PM 2152152] R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 1:44 AM 993848] R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/19/2011 1:44 AM 399416] R3 AGR1310_51;Agere Systems ET-131x PCI-E Gigabit Ethernet Adapter XP Driver;c:\windows\system32\drivers\AGR1310_51.sys [12/14/2009 6:26 PM 70144] R3 Pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [10/25/2006 7:16 PM 47360] S2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [1/18/2008 12:37 AM 24635] S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016] S3 Ktp3;Elantech TouchPad;c:\windows\system32\drivers\Ktp3.sys [4/20/2005 4:47 PM 24704] S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [4/1/2010 9:37 AM 14424] S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder . 2012-01-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 17:06] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.google.com IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 TCP: DhcpNameServer = 192.168.1.1 DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} - hxxp://www.leadstoloans.com/activex/fafile.dll DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} - hxxp://www.leadstoloans.com/activex/faprint.dll DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} - hxxp://www.leadstoloans.com/activex/fagrid.dll DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab FF - ProfilePath - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\ FF - prefs.js: browser.search.selectedEngine - Search the Web FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=utf-8&mssrc=ms_kwd&mstb=adawaretb&q= FF - prefs.js: network.proxy.type - 1 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla 
Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f} FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} FF - Ext: Ad-Aware Security Toolbar: {87934c42-161d-45bc-8cef-ef18abe2a30c} - %profile%\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c} . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-01-03 22:39 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL] "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,d7,df,87,8a,8e,27,40,a2,1b,df,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,d7,df,87,8a,8e,27,40,a2,1b,df,\ . [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*] "DisplayName"="???\17?\11\09" "DeviceDesc"="???\17?\11\09" "ProviderName"="???\11?\17?\11??" "MFG"="???????" 
"ReinstallString"=".10.1000.5" "DeviceInstanceIds"=multi:"c:\\docume~1\\richard\\locals~1\\temp\\wzse0.tmp\\sbdrv\\smbus\\smbusati.inf\00" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(540) c:\windows\system32\Ati2evxx.dll c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll . - - - - - - - > 'explorer.exe'(2024) c:\windows\system32\WININET.dll c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\WinSCP\DragExt.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe c:\windows\system32\o2flash.exe c:\program files\Windows Media Player\WMPNetwk.exe c:\windows\System32\wbem\unsecapp.exe c:\windows\system32\msiexec.exe c:\windows\System32\wbem\wmiapsrv.exe c:\windows\system32\MsiExec.exe c:\program files\Lavasoft\Ad-Aware\AAWTray.exe . ************************************************************************** . Completion time: 2012-01-03 22:49:16 - machine was rebooted ComboFix-quarantined-files.txt 2012-01-04 03:49 ComboFix2.txt 2012-01-03 22:42 ComboFix3.txt 2012-01-03 13:27 . Pre-Run: 7,118,213,120 bytes free Post-Run: 7,108,083,712 bytes free . - - End Of File - - 98F1BE77D497B969A00334406272C957
  13. ComboFix picked up on the same Rootkit and took forever to run. Here is the log...

ComboFix 12-01-03.07 - Richard 01/03/2012 17:18:22.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1471.1003 [GMT -5:00]
Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))
.
.
2011-12-18 00:09 . 2011-12-18 00:09 -------- dc----w- C:\ERDNT
2011-12-14 23:51 . 2011-12-14 23:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-12-10 18:52 . 2011-12-10 19:03 -------- d-----w- c:\documents and settings\Administrator
2011-12-10 00:15 . 2011-12-10 00:15 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-12-09 22:36 . 2011-12-10 00:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\adawaretb
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-27 15:24 . 2011-05-21 12:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-02 18:27 . 2011-12-01 12:26 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-11-23 13:25 . 2001-08-18 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-01-08 19:23 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2001-08-18 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 17:06 . 2011-05-20 17:19 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-11-01 16:07 . 2006-10-02 20:03 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2001-08-18 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2001-08-18 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2001-08-17 13:48 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 07:56 186880 ------w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2006-07-12 20:21 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2011-10-21 09:10 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-10-21 87440]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-28 13145448] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] . c:\documents and settings\Richard\Start Menu\Programs\Startup\ Dropbox.lnk - c:\documents and settings\Richard\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072] Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-1-18 41041] Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Documents and Settings\\Richard\\Desktop\\utorrent.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"= "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"= "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"= "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Documents and Settings\\Richard\\Application Data\\Dropbox\\bin\\Dropbox.exe"= "c:\\Program Files\\adawaretb\\dtUser.exe"= . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS4 Server "3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS4 Server "51000:TCP"= 51000:TCP:*:Disabled:Adobe Version Cue CS4 Server "51001:TCP"= 51001:TCP:*:Disabled:Adobe Version Cue CS4 Server "5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4 "3306:TCP"= 3306:TCP:MySQL . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/20/2011 12:19 PM 64512] R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2/27/2006 12:00 AM 34880] R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2/20/2006 1:01 AM 29056] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [11/3/2011 12:06 PM 2152152] R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 1:44 AM 993848] R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/19/2011 1:44 AM 399416] R3 AGR1310_51;Agere Systems ET-131x PCI-E Gigabit Ethernet Adapter XP Driver;c:\windows\system32\drivers\AGR1310_51.sys [12/14/2009 6:26 PM 70144] R3 Pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [10/25/2006 7:16 PM 47360] S2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [1/18/2008 12:37 AM 24635] S2 dev5_ap1;dev5_ap1;c:\phpdev5\Apache\Apache.exe [8/23/2010 1:50 PM 20480] S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016] S3 Ktp3;Elantech TouchPad;c:\windows\system32\drivers\Ktp3.sys [4/20/2005 4:47 PM 24704] S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [4/1/2010 9:37 AM 14424] S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544] . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder . 2012-01-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 17:06] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 TCP: DhcpNameServer = 192.168.1.1 DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} - hxxp://www.leadstoloans.com/activex/fafile.dll DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} - hxxp://www.leadstoloans.com/activex/faprint.dll DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} - hxxp://www.leadstoloans.com/activex/fagrid.dll DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab FF - ProfilePath - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\ FF - prefs.js: browser.search.selectedEngine - Search the Web FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=utf-8&mssrc=ms_kwd&mstb=adawaretb&q= FF - prefs.js: network.proxy.type - 1 FF - 
Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f} FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} FF - Ext: Ad-Aware Security Toolbar: {87934c42-161d-45bc-8cef-ef18abe2a30c} - %profile%\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c} . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-01-03 17:39 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL] "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL" . --------------------- LOCKED REGISTRY KEYS --------------------- . 
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,d7,df,87,8a,8e,27,40,a2,1b,df,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,d7,df,87,8a,8e,27,40,a2,1b,df,\ . [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*] "DisplayName"="???\17?\11\09" "DeviceDesc"="???\17?\11\09" "ProviderName"="???\11?\17?\11??" "MFG"="???????" "ReinstallString"=".10.1000.5" "DeviceInstanceIds"=multi:"c:\\docume~1\\richard\\locals~1\\temp\\wzse0.tmp\\sbdrv\\smbus\\smbusati.inf\00" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(540) c:\windows\system32\Ati2evxx.dll c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll . Completion time: 2012-01-03 17:42:40 ComboFix-quarantined-files.txt 2012-01-03 22:42 ComboFix2.txt 2012-01-03 13:27 . Pre-Run: 7,095,324,672 bytes free Post-Run: 7,094,915,072 bytes free . - - End Of File - - 2AC781B00FA351D6BC754EFED647520B
  14. aswMBR log....

aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
Run date: 2012-01-03 16:25:56
-----------------------------
16:25:56.718 OS Version: Windows 5.1.2600 Service Pack 3
16:25:56.718 Number of processors: 1 586 0x2C02
16:25:56.718 ComputerName: LABTOP UserName:
16:25:57.562 Initialize success
16:26:14.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:26:14.078 Disk 0 Vendor: HTS421280H9AT00 HA3OA70G Size: 76319MB BusType: 3
16:26:14.109 Disk 0 MBR read successfully
16:26:14.109 Disk 0 MBR scan
16:26:14.109 Disk 0 Windows XP default MBR code
16:26:14.109 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 71311 MB offset 63
16:26:14.140 Disk 0 Partition 2 00 49 5004 MB offset 146046915
16:26:14.140 Disk 0 scanning sectors +156296385
16:26:14.203 Disk 0 scanning C:\WINDOWS\system32\drivers
16:26:23.828 Service scanning
16:26:25.796 Modules scanning
16:26:47.109 Disk 0 trace - called modules:
16:26:47.125 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
16:26:47.125 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a615ab8]
16:26:47.453 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\00000080[0x8a6029e8]
16:26:47.453 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a5a8940]
16:26:47.453 Scan finished successfully
16:28:06.500 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Richard\Desktop\MBR.dat"
16:28:06.515 The log file has been saved successfully to "C:\Documents and Settings\Richard\Desktop\aswMBR.txt"
16:28:28.234 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Richard\Desktop\MBR.dat"
16:28:28.250 The log file has been saved successfully to "C:\Documents and Settings\Richard\Desktop\aswMBR2012.txt"