Jump to content

kensob

Members
  • Content Count

    19
  • Joined

  • Last visited

About kensob

  • Rank
    Member
  1. It is running much much better. Thank you. Here are the logs you requested. ========== OTL ========== C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\w1vjs2h771 moved successfully. C:\Documents and Settings\All Users\Application Data\w1vjs2h771 moved successfully. C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\q841 moved successfully. C:\Documents and Settings\All Users\Application Data\q841 moved successfully. C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\34f60 moved successfully. C:\Documents and Settings\All Users\Application Data\34f60 moved successfully. C:\Documents and Settings\All Users\Documents\My Documents\s0p17h4102T.docx moved successfully. File C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\w1vjs2h771 not found. File C:\Documents and Settings\All Users\Application Data\w1vjs2h771 not found. File C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\q841 not found. File C:\Documents and Settings\All Users\Application Data\q841 not found. File C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\34f60 not found. File C:\Documents and Settings\All Users\Application Data\34f60 not found. OTL by OldTimer - Version 3.2.2.0 log created on 05012010_222539 OTL logfile created on: 5/1/2010 10:27:11 PM - Run 4 OTL by OldTimer - Version 3.2.2.0 Folder = C:\Documents and Settings\KSOBECKI\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.13) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 40.00% Memory free 4.00 Gb Paging File | 3.00 Gb Available in Paging File | 73.00% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 231.87 Gb Total Space | 198.75 Gb Free Space | 85.72% Space Free | Partition Type: NTFS Drive D: | 1.00 Gb Total Space | 0.97 Gb Free Space | 97.23% Space Free | Partition Type: FAT32 E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: KENHPLT Current User Name: KSOBECKI Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Processes (SafeList) ========== PRC - C:\Documents and Settings\KSOBECKI\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (Symantec Corporation) PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation) PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation) PRC - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation) PRC - c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe (Hewlett-Packard Development Company, L.P) PRC - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe (SafeBoot International) PRC - c:\Program Files\Hewlett-Packard\IAM\Bin\asghost.exe (Bioscrypt Inc.) PRC - c:\Program Files\Fingerprint Sensor\AtService.exe (AuthenTec, Inc.) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\WINDOWS\system32\agrsmsvc.exe (Agere Systems) PRC - c:\Program Files\ActivIdentity\ActivClient\accoca.exe (ActivIdentity) ========== Modules (SafeList) ========== MOD - C:\Documents and Settings\KSOBECKI\Desktop\OTL.exe (OldTimer Tools) MOD - C:\WINDOWS\system32\APSHook.dll (Bioscrypt Inc.) ========== Win32 Services (SafeList) ========== SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company) SRV - (SmcService) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation) SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation) SRV - (SNAC) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE (Symantec Corporation) SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation) SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation) SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation) SRV - (HP ProtectTools Service) -- c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe (Hewlett-Packard Development Company, L.P) SRV - (HpFkCryptService) -- c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe (SafeBoot International) SRV - (ASBroker) -- c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll (Bioscrypt Inc.) SRV - (ASChannel) -- c:\Program Files\Hewlett-Packard\IAM\Bin\ASChnl.dll (Bioscrypt Inc.) SRV - (ATService) -- c:\Program Files\Fingerprint Sensor\AtService.exe (AuthenTec, Inc.) SRV - (AgereModemAudio) -- C:\WINDOWS\system32\agrsmsvc.exe (Agere Systems) SRV - (accoca) -- c:\Program Files\ActivIdentity\ActivClient\accoca.exe (ActivIdentity) SRV - (Pml Driver HPH11) -- C:\WINDOWS\system32\hphipm11.exe (HP) ========== Driver Services (SafeList) ========== DRV - (catchme) -- File not found DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100430.036\NAVEX15.SYS (Symantec Corporation) DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100430.036\NAVENG.SYS (Symantec Corporation) DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation) DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation) DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation) DRV - (SRTSPL) -- C:\WINDOWS\system32\drivers\srtspl.sys (Symantec Corporation) DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\srtsp.sys (Symantec Corporation) DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\srtspx.sys (Symantec Corporation) DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation) DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation) DRV - (SYMREDRV) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation) DRV - (SbAlg) -- C:\WINDOWS\system32\drivers\SbAlg.sys (SafeBoot N.V.) DRV - (SbFsLock) -- C:\WINDOWS\system32\drivers\SbFsLock.sys (SafeBoot International) DRV - (RsvLock) -- C:\WINDOWS\system32\drivers\rsvlock.sys (SafeBoot International) DRV - (SafeBoot) -- C:\WINDOWS\system32\drivers\SafeBoot.sys () DRV - (ahcix86) -- C:\WINDOWS\System32\DRIVERS\ahcix86.sys (AMD Technologies Inc.) DRV - (hpdskflt) -- C:\WINDOWS\system32\DRIVERS\hpdskflt.sys (Hewlett-Packard Corporation) DRV - (Accelerometer) -- C:\WINDOWS\system32\drivers\Accelerometer.sys (Hewlett-Packard Corporation) DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.) DRV - (ATSwpWDF) -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys (AuthenTec, Inc.) DRV - (RMCAST) -- C:\WINDOWS\system32\drivers\rmcast.sys (Microsoft Corporation) DRV - (HBtnKey) -- C:\WINDOWS\system32\drivers\CPQBttn.sys (Hewlett-Packard Development Company, L.P.) DRV - (Changer) -- C:\WINDOWS\system32\drivers\changer.sys (Microsoft Corporation) DRV - (tffsport) -- C:\WINDOWS\system32\DRIVERS\tffsport.sys (M-Systems) DRV - (lbrtfdc) -- C:\WINDOWS\system32\drivers\lbrtfdc.sys (Toshiba Corp.) DRV - (MQAC) -- C:\WINDOWS\system32\drivers\mqac.sys (Microsoft Corporation) DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider) DRV - (ADIHdAudAddService) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys (Analog Devices, Inc.) DRV - (SNP2UVC) USB2.0 PC Camera (SNP2UVC) -- C:\WINDOWS\system32\drivers\snp2uvc.sys () DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.) DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation) DRV - (Amddfltr) -- C:\WINDOWS\system32\DRIVERS\Amddfltr.sys (Advanced Micro Devices) DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems) DRV - (b57w2k) Broadcom NetLink -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation) DRV - (HpqKbFiltr) -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.) DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices) DRV - (IFXTPM) -- C:\WINDOWS\system32\drivers\ifxtpm.sys (Infineon Technologies AG) DRV - (Dot4Usb HPH11) -- C:\WINDOWS\system32\drivers\hphius11.sys (HP) DRV - (Dot4Print HPH11) -- C:\WINDOWS\system32\drivers\hphipr11.sys (HP) DRV - (Dot4 HPH11) -- C:\WINDOWS\system32\drivers\hphid411.sys (HP) DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC) DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.) ========== Standard Registry (All) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Search Bar = http://search.msn.com/spbasic.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation) IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/24 22:30:06 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/05/01 22:21:45 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/27 09:28:05 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/01 22:22:03 | 000,000,000 | ---D | M] [2010/04/26 08:33:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\Mozilla\Extensions [2010/04/26 08:33:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\KSOBECKI\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2010/01/05 13:08:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\Mozilla\Extensions\[email protected] [2010/04/30 15:47:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\Mozilla\Firefox\Profiles\220ltht1.default\extensions [2010/04/27 09:10:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\KSOBECKI\Application Data\Mozilla\Firefox\Profiles\220ltht1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010/05/01 22:22:05 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2010/04/26 08:33:07 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2010/05/01 22:22:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [2010/04/01 13:58:18 | 000,023,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll [2010/04/01 13:58:19 | 000,138,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll [2010/05/01 22:21:44 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll [2010/04/01 13:58:20 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll [2010/04/01 11:56:18 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml [2010/04/01 11:56:18 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml [2010/04/01 11:56:18 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml [2010/04/01 11:56:18 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml [2010/04/01 11:56:18 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml [2010/04/01 11:56:18 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml [2010/04/01 11:56:18 | 000,001,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml O1 HOSTS File: ([2010/04/27 22:00:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found. O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.) O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NofolderOptions = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0 O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.) O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation) O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop.com/betapit/PCPitStop.CAB (PCPitstop Utility) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1237572595955 (MUWebControl Class) O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager) O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control) O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 72.240.13.6 72.240.13.5 72.240.1.206 O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation) O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ipp - No CLSID value found O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation) O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation) O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp - No CLSID value found O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation) O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation) O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation) O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - AppInit_DLLs: (C:\WINDOWS\system32\APSHook.dll) - C:\WINDOWS\system32\APSHook.dll (Bioscrypt Inc.) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\Userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation) O20 - Winlogon\Notify\ackpbsc: DllName - c:\WINDOWS\system32\ackpbsc.dll - C:\WINDOWS\system32\ackpbsc.dll (ActivIdentity) O20 - Winlogon\Notify\acunlock: DllName - c:\Program Files\ActivIdentity\ActivClient\acunlock.dll - c:\Program Files\ActivIdentity\ActivClient\acunlock.dll (ActivIdentity) O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation) O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation) O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation) O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation) O20 - Winlogon\Notify\OneCard: DllName - c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll - c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll (Bioscrypt Inc.) O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation) O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation) O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation) O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation) O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) O24 - Desktop Components:0 (My Current Home Page) - About:Home O24 - Desktop BackupWallPaper: C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation) O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation) O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation) O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation) O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation) O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation) O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation) O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2010/05/01 22:25:39 | 000,000,000 | ---D | C] -- C:\_OTL [2010/05/01 22:22:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun [2010/05/01 22:22:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java [2010/05/01 22:22:03 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll [2010/05/01 22:22:03 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe [2010/05/01 22:22:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe [2010/05/01 22:22:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe [2010/05/01 22:22:03 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl [2010/05/01 22:20:22 | 016,295,712 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\KSOBECKI\Desktop\jre-6u20-windows-i586.exe [2010/05/01 06:59:58 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2010/04/30 23:19:13 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\KSOBECKI\Recent [2010/04/30 08:45:28 | 000,000,000 | -HSD | C] -- C:\RECYCLER [2010/04/28 22:19:48 | 000,000,000 | ---D | C] -- C:\schrauber [2010/04/27 21:53:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pdf995 [2010/04/26 13:48:28 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys [2010/04/26 13:48:28 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\dllcache\lbrtfdc.sys [2010/04/26 13:48:23 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys [2010/04/26 13:48:23 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys [2010/04/26 13:48:20 | 000,008,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i2omgmt.sys [2010/04/26 08:33:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\Mozilla [2010/04/26 08:33:05 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox [2010/04/25 18:21:26 | 000,024,064 | ---- | C] (Sonic Focus, Inc) -- C:\WINDOWS\System32\drivers\sfaudio.sys [2010/04/25 18:18:53 | 000,000,000 | RHSD | C] -- C:\cmdcons [2010/04/25 18:17:13 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2010/04/25 18:17:12 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2010/04/25 18:17:12 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2010/04/25 18:17:12 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2010/04/25 18:16:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT [2010/04/25 17:36:43 | 000,000,000 | ---D | C] -- C:\Qoobox [2010/04/24 22:12:12 | 000,562,688 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\KSOBECKI\Desktop\OTL.exe [2010/04/23 10:23:51 | 000,409,600 | ---- | C] (Eastman Kodak Company) -- C:\WINDOWS\System32\EKIJ5000MON.dll [2010/04/23 10:23:51 | 000,131,072 | ---- | C] (Eastman Kodak Company) -- C:\WINDOWS\System32\EKIJCOINST07.dll [2010/04/23 10:22:08 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0 [2010/04/22 10:50:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer [2010/04/22 08:28:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Application Data\Malwarebytes [2010/04/22 08:27:53 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010/04/22 08:27:51 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010/04/22 08:27:51 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010/04/22 08:27:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes [2010/04/22 08:15:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe [2010/04/21 08:46:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun [2010/04/20 15:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia [2010/04/20 15:10:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe [2010/04/20 15:05:58 | 000,082,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ws2_32.dll [2010/04/12 15:50:39 | 000,249,856 | ---- | C] (TODO: <Company name>) -- C:\WINDOWS\System32\pdfmona.dll [2009/03/20 20:16:56 | 000,180,224 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2uvc.dll [2007/07/05 04:28:52 | 000,176,128 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2uvc.dll [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010/05/01 22:21:43 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe [2010/05/01 22:21:43 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe [2010/05/01 22:21:43 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe [2010/05/01 22:21:43 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl [2010/05/01 22:21:42 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll [2010/05/01 22:21:03 | 016,295,712 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\KSOBECKI\Desktop\jre-6u20-windows-i586.exe [2010/05/01 09:48:09 | 000,022,371 | ---- | M] () -- C:\Documents and Settings\KSOBECKI\Desktop\April.docx [2010/05/01 08:22:55 | 007,077,888 | -H-- | M] () -- C:\Documents and Settings\KSOBECKI\NTUSER.DAT [2010/04/30 08:54:56 | 000,053,248 | ---- | M] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010/04/30 07:08:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010/04/30 07:06:09 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini [2010/04/30 06:59:17 | 003,924,193 | R--- | M] () -- C:\Documents and Settings\KSOBECKI\Desktop\schrauber.exe [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010/04/29 06:32:10 | 000,006,591 | ---- | M] () -- C:\Documents and Settings\KSOBECKI\Application Data\PrimoPDFSet.xml [2010/04/27 22:00:27 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2010/04/27 22:00:18 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010/04/27 21:53:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010/04/27 21:53:16 | 1875,759,104 | -HS- | M] () -- C:\hiberfil.sys [2010/04/27 21:51:41 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\KSOBECKI\ntuser.ini [2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe [2010/04/26 13:56:51 | 005,364,298 | -H-- | M] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\IconCache.db [2010/04/26 11:15:13 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat [2010/04/26 08:06:14 | 000,000,791 | ---- | M] () -- C:\WINDOWS\orun32.ini [2010/04/25 18:19:04 | 000,000,293 | RHS- | M] () -- C:\boot.ini [2010/04/25 17:33:01 | 000,024,064 | ---- | M] (Sonic Focus, Inc) -- C:\WINDOWS\System32\drivers\sfaudio.sys [2010/04/24 22:16:06 | 000,293,376 | ---- | M] () -- C:\nvmx55zj.exe [2010/04/24 22:12:17 | 000,562,688 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\KSOBECKI\Desktop\OTL.exe [2010/04/23 10:26:44 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk [2010/04/22 08:27:56 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/04/22 08:15:40 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat [2010/04/21 02:48:33 | 000,000,094 | ---- | M] () -- C:\WINDOWS\wininit.ini [2010/04/20 16:58:28 | 000,001,661 | ---- | M] () -- C:\WINDOWS\lsrslt.ini [2010/04/20 15:42:26 | 000,571,308 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010/04/20 15:42:26 | 000,477,702 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010/04/20 15:42:26 | 000,082,990 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010/04/13 16:31:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job [2010/04/12 15:54:43 | 000,000,028 | ---- | M] () -- C:\WINDOWS\pdf995.ini [2010/04/12 15:50:39 | 000,249,856 | ---- | M] (TODO: <Company name>) -- C:\WINDOWS\System32\pdfmona.dll [2010/04/12 15:50:39 | 000,051,716 | ---- | M] () -- C:\WINDOWS\System32\pdf995mon.dll [2010/04/08 19:53:37 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/04/25 18:19:04 | 000,000,223 | ---- | C] () -- C:\Boot.bak [2010/04/25 18:18:57 | 000,260,272 | ---- | C] () -- C:\cmldr [2010/04/25 18:17:13 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe [2010/04/25 18:17:12 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe [2010/04/25 18:17:12 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2010/04/25 18:17:12 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2010/04/25 18:17:12 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2010/04/25 17:28:07 | 003,924,193 | R--- | C] () -- C:\Documents and Settings\KSOBECKI\Desktop\schrauber.exe [2010/04/24 22:16:03 | 000,293,376 | ---- | C] () -- C:\nvmx55zj.exe [2010/04/23 10:26:44 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk [2010/04/23 10:14:02 | 000,035,634 | ---- | C] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\c4u.log [2010/04/22 08:27:56 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/04/22 08:17:00 | 1875,759,104 | -HS- | C] () -- C:\hiberfil.sys [2010/04/22 08:15:40 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat [2010/04/20 17:38:45 | 000,000,094 | ---- | C] () -- C:\WINDOWS\wininit.ini [2010/04/20 16:58:28 | 000,001,661 | ---- | C] () -- C:\WINDOWS\lsrslt.ini [2010/04/12 15:54:43 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini [2010/04/12 15:50:40 | 000,000,142 | ---- | C] () -- C:\WINDOWS\wpd99.drv [2010/04/12 15:50:39 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll [2010/04/08 19:53:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat [2010/01/21 22:49:12 | 000,000,044 | ---- | C] () -- C:\WINDOWS\SMWizard.INI [2009/09/17 19:09:54 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini [2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll [2009/04/29 12:46:02 | 000,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini [2009/04/29 12:40:27 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\hpodinet.dll [2009/04/10 12:37:43 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll [2008/06/22 00:28:19 | 000,028,510 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini [2008/05/30 12:36:58 | 000,108,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\SafeBoot.sys [2008/04/28 12:13:33 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini [2008/04/10 13:27:34 | 001,804,160 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys [2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini [2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini [2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini [2007/05/10 02:16:40 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\drivers\sncduvc.sys [2006/05/19 22:39:58 | 000,015,497 | ---- | C] () -- C:\WINDOWS\snp2uvc.ini [2005/04/03 18:30:00 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\scardsyn.dll [2004/08/07 09:19:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2004/08/07 09:12:40 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini [1998/05/06 23:10:00 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\ODMA32.dll < End of report >
  2. C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\PRAGMAsbcofvcpci\PRAGMAd.sys.vir a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\tafqgkzvxu.exe.vir Win32/Adware.GooochiBiz.AE.Gen application deleted - quarantined C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP1\A0000110.dll probably a variant of Win32/Agent trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP1\A0000129.sys a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP1\A0000130.dll a variant of Win32/Wimpixo.AA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP1\A0000135.exe Win32/Adware.GooochiBiz.AE.Gen application deleted - quarantined OTL logfile created on: 5/1/2010 8:51:52 AM - Run 3 OTL by OldTimer - Version 3.2.2.0 Folder = C:\Documents and Settings\KSOBECKI\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.13) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 40.00% Memory free 4.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 231.87 Gb Total Space | 198.90 Gb Free Space | 85.78% Space Free | Partition Type: NTFS Drive D: | 1.00 Gb Total Space | 0.97 Gb Free Space | 97.24% Space Free | Partition Type: FAT32 E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: KENHPLT Current User Name: KSOBECKI Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard ========== Processes (SafeList) ========== PRC - [2010/04/24 22:12:17 | 000,562,688 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\KSOBECKI\Desktop\OTL.exe PRC - [2009/02/26 15:07:10 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe PRC - [2009/02/26 15:07:08 | 001,799,496 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe PRC - [2009/02/01 23:37:00 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe PRC - [2008/12/18 16:46:30 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe PRC - [2008/06/02 13:32:16 | 000,018,944 | ---- | M] (Hewlett-Packard Development Company, L.P) -- c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe PRC - [2008/05/30 12:36:20 | 000,256,512 | ---- | M] (SafeBoot International) -- c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe PRC - [2008/05/20 20:47:18 | 000,065,296 | ---- | M] (Bioscrypt Inc.) -- c:\Program Files\Hewlett-Packard\IAM\Bin\asghost.exe PRC - [2008/05/15 18:11:12 | 001,176,824 | ---- | M] (AuthenTec, Inc.) -- c:\Program Files\Fingerprint Sensor\AtService.exe PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2007/12/11 15:15:04 | 000,012,800 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe PRC - [2007/05/15 19:08:40 | 000,182,576 | ---- | M] (ActivIdentity) -- c:\Program Files\ActivIdentity\ActivClient\accoca.exe ========== Modules (SafeList) ========== MOD - [2010/04/24 22:12:17 | 000,562,688 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\KSOBECKI\Desktop\OTL.exe MOD - [2008/03/25 08:17:04 | 000,076,048 | ---- | M] (Bioscrypt Inc.) -- C:\WINDOWS\system32\APSHook.dll ========== Win32 Services (SafeList) ========== SRV - [2010/02/11 15:36:12 | 000,300,400 | ---- | M] (Eastman Kodak Company) [Auto | Stopped] -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe -- (Kodak AiO Network Discovery Service) SRV - [2009/02/26 15:07:08 | 001,799,496 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService) SRV - [2009/02/01 23:37:00 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus) SRV - [2009/02/01 21:43:02 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC) SRV - [2008/12/18 16:46:30 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr) SRV - [2008/12/18 16:46:30 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr) SRV - [2008/12/10 15:46:58 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate) SRV - [2008/06/02 13:32:16 | 000,018,944 | ---- | M] (Hewlett-Packard Development Company, L.P) [Auto | Running] -- c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe -- (HP ProtectTools Service) SRV - [2008/05/30 12:36:20 | 000,256,512 | ---- | M] (SafeBoot International) [Auto | Running] -- c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe -- (HpFkCryptService) SRV - [2008/05/20 20:42:40 | 000,111,888 | ---- | M] (Bioscrypt Inc.) [Auto | Running] -- c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll -- (ASBroker) SRV - [2008/05/20 20:42:34 | 000,137,488 | ---- | M] (Bioscrypt Inc.) [Auto | Running] -- c:\Program Files\Hewlett-Packard\IAM\Bin\ASChnl.dll -- (ASChannel) SRV - [2008/05/15 18:11:12 | 001,176,824 | ---- | M] (AuthenTec, Inc.) [Auto | Running] -- c:\Program Files\Fingerprint Sensor\AtService.exe -- (ATService) SRV - [2007/12/11 15:15:04 | 000,012,800 | ---- | M] (Agere Systems) [Auto | Running] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio) SRV - [2007/05/15 19:08:40 | 000,182,576 | ---- | M] (ActivIdentity) [Auto | Running] -- c:\Program Files\ActivIdentity\ActivClient\accoca.exe -- (accoca) SRV - [2006/01/06 15:07:26 | 000,077,824 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\hphipm11.exe -- (Pml Driver HPH11) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme) DRV - [2010/02/16 05:00:00 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100430.036\NAVEX15.SYS -- (NAVEX15) DRV - [2010/02/16 05:00:00 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100430.036\NAVENG.SYS -- (NAVENG) DRV - [2009/08/27 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl) DRV - [2009/08/27 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv) DRV - [2009/03/23 12:32:31 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent) DRV - [2008/12/19 15:08:12 | 000,319,792 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL) DRV - [2008/12/19 15:08:12 | 000,280,112 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP) DRV - [2008/12/19 15:08:12 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX) DRV - [2008/09/09 14:54:42 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv) DRV - [2008/08/21 11:13:56 | 000,191,536 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI) DRV - [2008/08/21 11:13:56 | 000,027,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV) DRV - [2008/05/30 12:37:06 | 000,051,376 | ---- | M] (SafeBoot N.V.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SbAlg.sys -- (SbAlg) DRV - [2008/05/30 12:37:02 | 000,012,928 | ---- | M] (SafeBoot International) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\SbFsLock.sys -- (SbFsLock) DRV - [2008/05/30 12:37:00 | 000,012,496 | ---- | M] (SafeBoot International) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\rsvlock.sys -- (RsvLock) DRV - [2008/05/30 12:36:58 | 000,108,752 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SafeBoot.sys -- (SafeBoot) DRV - [2008/05/27 09:55:48 | 000,174,600 | ---- | M] (AMD Technologies Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ahcix86.sys -- (ahcix86) DRV - [2008/05/23 09:51:02 | 000,024,624 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\hpdskflt.sys -- (hpdskflt) DRV - [2008/05/23 09:50:16 | 000,028,592 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Accelerometer.sys -- (Accelerometer) DRV - [2008/05/15 20:33:44 | 002,881,536 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag) DRV - [2008/05/15 16:29:32 | 000,475,520 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys -- (ATSwpWDF) DRV - [2008/05/08 10:02:52 | 000,203,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rmcast.sys -- (RMCAST) DRV - [2008/04/28 18:22:10 | 000,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey) DRV - [2008/04/13 14:40:58 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\changer.sys -- (Changer) DRV - [2008/04/13 14:40:50 | 000,149,376 | ---- | M] (M-Systems) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tffsport.sys -- (tffsport) DRV - [2008/04/13 14:40:26 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\lbrtfdc.sys -- (lbrtfdc) DRV - [2008/04/13 14:39:44 | 000,092,544 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mqac.sys -- (MQAC) DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus) DRV - [2008/04/11 12:19:42 | 000,338,944 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService) DRV - [2008/04/10 17:27:34 | 001,804,160 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snp2uvc.sys -- (SNP2UVC) USB2.0 PC Camera (SNP2UVC) DRV - [2008/03/27 14:14:06 | 000,224,672 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP) DRV - [2008/03/21 14:35:14 | 001,287,552 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX) DRV - [2008/03/12 11:43:26 | 000,015,416 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Amddfltr.sys -- (Amddfltr) DRV - [2008/02/29 19:13:38 | 001,202,560 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem) DRV - [2007/11/29 14:35:44 | 000,163,328 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k) Broadcom NetLink DRV - [2007/06/18 20:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr) DRV - [2007/04/16 19:46:34 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM) DRV - [2007/04/04 15:16:20 | 000,041,216 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM) DRV - [2006/01/06 15:07:27 | 000,018,928 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphius11.sys -- (Dot4Usb HPH11) DRV - [2006/01/06 15:07:27 | 000,016,112 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphipr11.sys -- (Dot4Print HPH11) DRV - [2006/01/06 15:07:26 | 000,050,896 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphid411.sys -- (Dot4 HPH11) DRV - [2001/08/17 15:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA) DRV - [2001/08/17 11:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Search Bar = http://search.msn.com/spbasic.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/27 09:28:05 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/26 08:33:07 | 000,000,000 | ---D | M] [2010/04/26 08:33:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\Mozilla\Extensions [2010/01/05 13:08:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\Mozilla\Extensions\[email protected] [2010/04/30 15:47:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\Mozilla\Firefox\Profiles\220ltht1.default\extensions [2010/04/27 09:10:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\KSOBECKI\Application Data\Mozilla\Firefox\Profiles\220ltht1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010/04/26 08:33:07 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions O1 HOSTS File: ([2010/04/27 22:00:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found. O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.) O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop.com/betapit/PCPitStop.CAB (PCPitstop Utility) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1237572595955 (MUWebControl Class) O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager) O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control) O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - AppInit_DLLs: (C:\WINDOWS\system32\APSHook.dll) - C:\WINDOWS\system32\APSHook.dll (Bioscrypt Inc.) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\ackpbsc: DllName - c:\WINDOWS\system32\ackpbsc.dll - C:\WINDOWS\system32\ackpbsc.dll (ActivIdentity) O20 - Winlogon\Notify\acunlock: DllName - c:\Program Files\ActivIdentity\ActivClient\acunlock.dll - c:\Program Files\ActivIdentity\ActivClient\acunlock.dll (ActivIdentity) O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) O20 - Winlogon\Notify\OneCard: DllName - c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll - c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll (Bioscrypt Inc.) O24 - Desktop BackupWallPaper: C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2010/05/01 06:59:58 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2010/04/30 23:19:13 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\KSOBECKI\Recent [2010/04/30 08:45:28 | 000,000,000 | -HSD | C] -- C:\RECYCLER [2010/04/28 22:19:48 | 000,000,000 | ---D | C] -- C:\schrauber [2010/04/27 21:53:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pdf995 [2010/04/26 13:48:28 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys [2010/04/26 13:48:28 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\dllcache\lbrtfdc.sys [2010/04/26 13:48:23 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys [2010/04/26 13:48:23 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys [2010/04/26 13:48:20 | 000,008,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i2omgmt.sys [2010/04/26 08:33:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\Mozilla [2010/04/26 08:33:05 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox [2010/04/25 18:21:26 | 000,024,064 | ---- | C] (Sonic Focus, Inc) -- C:\WINDOWS\System32\drivers\sfaudio.sys [2010/04/25 18:18:53 | 000,000,000 | RHSD | C] -- C:\cmdcons [2010/04/25 18:17:13 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2010/04/25 18:17:12 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2010/04/25 18:17:12 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2010/04/25 18:17:12 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2010/04/25 18:16:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT [2010/04/25 17:36:43 | 000,000,000 | ---D | C] -- C:\Qoobox [2010/04/24 22:12:12 | 000,562,688 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\KSOBECKI\Desktop\OTL.exe [2010/04/23 10:23:51 | 000,409,600 | ---- | C] (Eastman Kodak Company) -- C:\WINDOWS\System32\EKIJ5000MON.dll [2010/04/23 10:23:51 | 000,131,072 | ---- | C] (Eastman Kodak Company) -- C:\WINDOWS\System32\EKIJCOINST07.dll [2010/04/23 10:22:08 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0 [2010/04/22 10:50:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer [2010/04/22 08:28:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Application Data\Malwarebytes [2010/04/22 08:27:53 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010/04/22 08:27:51 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010/04/22 08:27:51 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010/04/22 08:27:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes [2010/04/22 08:15:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe [2010/04/21 08:46:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun [2010/04/20 15:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia [2010/04/20 15:10:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe [2010/04/20 15:05:58 | 000,082,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ws2_32.dll [2010/04/12 15:50:39 | 000,249,856 | ---- | C] (TODO: <Company name>) -- C:\WINDOWS\System32\pdfmona.dll [2009/03/20 20:16:56 | 000,180,224 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2uvc.dll [2007/07/05 04:28:52 | 000,176,128 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2uvc.dll [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010/05/01 08:22:55 | 007,077,888 | -H-- | M] () -- C:\Documents and Settings\KSOBECKI\NTUSER.DAT [2010/04/30 08:54:56 | 000,053,248 | ---- | M] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010/04/30 07:08:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010/04/30 07:06:09 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini [2010/04/30 06:59:17 | 003,924,193 | R--- | M] () -- C:\Documents and Settings\KSOBECKI\Desktop\schrauber.exe [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010/04/29 07:39:11 | 000,048,745 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\My Documents\s0p17h4102T.docx [2010/04/29 07:35:17 | 000,056,293 | ---- | M] () -- C:\Documents and Settings\KSOBECKI\Desktop\April.docx [2010/04/29 06:32:10 | 000,006,591 | ---- | M] () -- C:\Documents and Settings\KSOBECKI\Application Data\PrimoPDFSet.xml [2010/04/27 22:00:27 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2010/04/27 22:00:18 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010/04/27 21:53:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010/04/27 21:53:16 | 1875,759,104 | -HS- | M] () -- C:\hiberfil.sys [2010/04/27 21:51:41 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\KSOBECKI\ntuser.ini [2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe [2010/04/26 13:56:51 | 005,364,298 | -H-- | M] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\IconCache.db [2010/04/26 13:49:20 | 000,007,600 | -HS- | M] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\w1vjs2h771 [2010/04/26 13:49:20 | 000,007,600 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\w1vjs2h771 [2010/04/26 11:15:13 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat [2010/04/26 08:06:14 | 000,000,791 | ---- | M] () -- C:\WINDOWS\orun32.ini [2010/04/25 18:19:04 | 000,000,293 | RHS- | M] () -- C:\boot.ini [2010/04/25 17:33:01 | 000,024,064 | ---- | M] (Sonic Focus, Inc) -- C:\WINDOWS\System32\drivers\sfaudio.sys [2010/04/24 22:16:06 | 000,293,376 | ---- | M] () -- C:\nvmx55zj.exe [2010/04/24 22:12:17 | 000,562,688 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\KSOBECKI\Desktop\OTL.exe [2010/04/23 13:24:13 | 000,013,426 | -HS- | M] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\q841 [2010/04/23 13:24:13 | 000,013,426 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\q841 [2010/04/23 10:26:44 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk [2010/04/22 08:27:56 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/04/22 08:19:01 | 000,011,868 | -HS- | M] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\34f60 [2010/04/22 08:19:01 | 000,011,868 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\34f60 [2010/04/22 08:15:40 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat [2010/04/21 02:48:33 | 000,000,094 | ---- | M] () -- C:\WINDOWS\wininit.ini [2010/04/20 16:58:28 | 000,001,661 | ---- | M] () -- C:\WINDOWS\lsrslt.ini [2010/04/20 15:42:26 | 000,571,308 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010/04/20 15:42:26 | 000,477,702 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010/04/20 15:42:26 | 000,082,990 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010/04/13 16:31:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job [2010/04/12 15:54:43 | 000,000,028 | ---- | M] () -- C:\WINDOWS\pdf995.ini [2010/04/12 15:50:39 | 000,249,856 | ---- | M] (TODO: <Company name>) -- C:\WINDOWS\System32\pdfmona.dll [2010/04/12 15:50:39 | 000,051,716 | ---- | M] () -- C:\WINDOWS\System32\pdf995mon.dll [2010/04/08 19:53:37 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/04/29 07:39:11 | 000,048,745 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\My Documents\s0p17h4102T.docx [2010/04/26 13:48:03 | 000,007,600 | -HS- | C] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\w1vjs2h771 [2010/04/26 13:48:03 | 000,007,600 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\w1vjs2h771 [2010/04/25 18:19:04 | 000,000,223 | ---- | C] () -- C:\Boot.bak [2010/04/25 18:18:57 | 000,260,272 | ---- | C] () -- C:\cmldr [2010/04/25 18:17:13 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe [2010/04/25 18:17:12 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe [2010/04/25 18:17:12 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2010/04/25 18:17:12 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2010/04/25 18:17:12 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2010/04/25 17:28:07 | 003,924,193 | R--- | C] () -- C:\Documents and Settings\KSOBECKI\Desktop\schrauber.exe [2010/04/24 22:16:03 | 000,293,376 | ---- | C] () -- C:\nvmx55zj.exe [2010/04/23 10:26:44 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk [2010/04/23 10:14:02 | 000,035,634 | ---- | C] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\c4u.log [2010/04/23 07:52:23 | 000,013,426 | -HS- | C] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\q841 [2010/04/23 07:52:23 | 000,013,426 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\q841 [2010/04/22 08:27:56 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/04/22 08:17:00 | 1875,759,104 | -HS- | C] () -- C:\hiberfil.sys [2010/04/22 08:15:40 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat [2010/04/21 21:49:19 | 000,011,868 | -HS- | C] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\34f60 [2010/04/21 21:49:19 | 000,011,868 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\34f60 [2010/04/20 17:38:45 | 000,000,094 | ---- | C] () -- C:\WINDOWS\wininit.ini [2010/04/20 16:58:28 | 000,001,661 | ---- | C] () -- C:\WINDOWS\lsrslt.ini [2010/04/12 15:54:43 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini [2010/04/12 15:50:40 | 000,000,142 | ---- | C] () -- C:\WINDOWS\wpd99.drv [2010/04/12 15:50:39 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll [2010/04/08 19:53:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat [2010/01/21 22:49:12 | 000,000,044 | ---- | C] () -- C:\WINDOWS\SMWizard.INI [2009/09/17 19:09:54 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini [2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll [2009/04/29 12:46:02 | 000,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini [2009/04/29 12:40:27 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\hpodinet.dll [2009/04/10 12:37:43 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll [2008/06/22 00:28:19 | 000,028,510 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini [2008/05/30 12:36:58 | 000,108,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\SafeBoot.sys [2008/04/28 12:13:33 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini [2008/04/10 13:27:34 | 001,804,160 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys [2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini [2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini [2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini [2007/05/10 02:16:40 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\drivers\sncduvc.sys [2006/05/19 22:39:58 | 000,015,497 | ---- | C] () -- C:\WINDOWS\snp2uvc.ini [2005/04/03 18:30:00 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\scardsyn.dll [2004/08/07 09:19:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2004/08/07 09:12:40 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini [1998/05/06 23:10:00 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\ODMA32.dll < End of report > OTL Extras logfile created on: 5/1/2010 8:51:56 AM - Run 3 OTL by OldTimer - Version 3.2.2.0 Folder = C:\Documents and Settings\KSOBECKI\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.13) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 40.00% Memory free 4.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 231.87 Gb Total Space | 198.90 Gb Free Space | 85.78% Space Free | Partition Type: NTFS Drive D: | 1.00 Gb Total Space | 0.97 Gb Free Space | 97.24% Space Free | Partition Type: FAT32 E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: KENHPLT Current User Name: KSOBECKI Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "AntiVirusOverride" = 0 "FirewallOverride" = 0 "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 0 "DoNotAllowExceptions" = 0 "DisableNotifications" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DoNotAllowExceptions" = 0 "DisableNotifications" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "1723:TCP" = 1723:TCP:*:Enabled:VPN "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 "3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 "9322:TCP" = 9322:TCP:*:Enabled:EKDiscovery ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation) "C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation) "C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation) "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation) "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.) "C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC) "C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL LLC) "C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation) "C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe" = C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe:*:Enabled:Kodak.AiO.HomeCenter -- (Eastman Kodak Company) "C:\Program Files\Kodak\AiO\Center\Kodak.Statistics.exe" = C:\Program Files\Kodak\AiO\Center\Kodak.Statistics.exe:*:Enabled:Kodak.AiO.Statistics -- (Eastman Kodak Company) "C:\Program Files\Kodak\AiO\Center\NetworkPrinterDiscovery.exe" = C:\Program Files\Kodak\AiO\Center\NetworkPrinterDiscovery.exe:*:Enabled:Kodak.AiO.SetupUtility -- (Eastman Kodak Company) "C:\Program Files\Kodak\AiO\Firmware\KodakAiOUpdater.exe" = C:\Program Files\Kodak\AiO\Firmware\KodakAiOUpdater.exe:*:Enabled:Kodak.AiO.FwUpdater -- (Eastman Kodak Company) "C:\Documents and Settings\All Users\Application Data\Kodak\Installer\Setup.exe" = C:\Documents and Settings\All Users\Application Data\Kodak\Installer\Setup.exe:*:Enabled:Kodak.AiO.Installer -- (Eastman Kodak Company) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{04788045-DEF3-4911-91B5-384A6915F21B}" = TaxCut Ohio 2008 "{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center "{05B62241-5495-46EF-5086-DBE0F37F052C}" = Catalyst Control Center Localization Korean "{0645A454-AD44-4F0D-99CF-6B762735AD1F}" = aioprnt "{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour "{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer "{0F98662A-EA83-414F-8766-3FCE46A32641}" = Credential Manager for HP ProtectTools "{10934A28-0CC6-4B98-A14F-76B3546003AF}" = ksDIP "{154E4F71-DFC0-4B31-8D99-F97615031B02}" = HP Webcam Application "{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0 "{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java 6 Update 14 "{27FE77BD-2E0A-385C-C2CC-8367D877356F}" = CCC Help Norwegian "{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com "{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime "{2CD54AED-740B-1418-464E-CC8E15AD1E4F}" = Catalyst Control Center Localization Swedish "{2D0EE88B-8720-50A7-7F31-503B4300A8C5}" = Catalyst Control Center Localization French "{2D87E961-577B-492B-AD54-1368680FB9A7}" = Bing Maps 3D "{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 E1 "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{35EB3E58-F46C-CB48-C623-16A455C37C5D}" = CCC Help Turkish "{36C491D0-A196-F49C-C63C-3509D7A2B91D}" = CCC Help Finnish "{37AF26EB-ACCD-4F9C-A13E-81483F932203}" = Catalyst Control Center - Branding "{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = HP Webcam "{45E6BF4C-6DC8-B1BB-517C-5F2C1D055A9B}" = CCC Help Hungarian "{48072101-4DFE-9DC2-9F5D-DE0EF7193C98}" = CCC Help Korean "{48B41C3A-9A92-4B81-B653-C97FEB85C910}" = C4USelfUpdater "{49798684-CC48-AF5C-E513-9FFF61EFD3A6}" = CCC Help Japanese "{4BFA6EEB-AAED-4334-8E98-A907DE4DD5CF}" = AMD Driver Support for HP 3D DriverGuard "{4CF11D44-43B7-1359-B438-972C69D7AD6F}" = CCC Help Spanish "{4ED20E34-D511-A85B-D7E5-755AE64D5F6C}" = CCC Help Portuguese "{53A19323-917A-4822-B27E-A57D1EF6E9FC}" = H&R Block Deluxe + Efile + State 2009 "{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support "{56BA241F-580C-43D2-8403-947241AAE633}" = center "{57B186F6-E6A7-A997-92E6-3E8C6189F497}" = Catalyst Control Center Localization Japanese "{5AB422C9-E804-1331-233E-E44D8BBC1862}" = CCC Help German "{5ED80CF6-D54D-5F9B-2B9C-E3B6F927879D}" = CCC Help Czech "{60AFC32A-B82F-3818-E90B-A71446BBCCD6}" = Catalyst Control Center Localization Greek "{6162653F-D1AB-6708-C73B-8411296900AE}" = Catalyst Control Center Localization Portuguese "{6179EAEB-0C72-0241-DC0B-0258E86B982A}" = ccc-core-preinstall "{64FBF438-35D1-8A01-FB00-36911B07FC72}" = Catalyst Control Center Graphics Light "{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update "{6B4469FE-20FA-9E1D-6634-CF971706BD24}" = Catalyst Control Center Localization Chinese Traditional "{6C17DE97-6A5A-FA9C-0F4C-8B027E6AC014}" = CCC Help Russian "{6FCA773E-903A-5C83-D379-DD53F9EFD794}" = Catalyst Control Center Localization Turkish "{70CEFEBA-F757-4DBE-8A21-027C326137CE}" = HP Software Setup 5.00.A.7 "{747626CF-7958-290F-A7D8-6EE6549C8614}" = Catalyst Control Center Localization Hungarian "{75D7BB3A-9AB7-4ad1-AD5E-0059B90C624B}" = HP ProtectTools Security Manager Suite "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{7B459B8C-D870-2C14-9BA7-ABFFBCE7CD34}" = CCC Help Italian "{7BE1B3CE-5476-B847-4719-4421AEC5C663}" = CCC Help Thai "{7FD8231E-3991-48D7-A2C8-2C42A7075FB1}" = HP User Guide Bluetooth Addendum 0062 "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable "{8595812B-9104-4196-B629-FD298D819399}" = HP User Guides 0097 "{875FDD1A-4259-9361-572C-780AC637C81A}" = Catalyst Control Center Localization Czech "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8F676C36-74D3-9B7B-00FC-733EE5AFDA95}" = CCC Help Chinese Traditional "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12 "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007 "{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007 "{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007 "{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007 "{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007 "{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007 "{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007 "{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007 "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007 "{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007 "{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007 "{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007 "{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2) "{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581) "{97F4D62E-5AEB-4649-BABF-4712C6EF6845}" = DeductionPro 2009 "{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR "{A2CB5EC7-E64F-5E35-2A23-63CB198649F5}" = CCC Help Greek "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser "{A777845E-F260-4572-787B-2BD08E560C78}" = Catalyst Control Center Localization Spanish "{A7A1BCB9-B9EE-3DBB-6F1C-570C532B9190}" = CCC Help French "{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support "{A9884559-F231-7727-95F4-41FDB052A536}" = Catalyst Control Center Localization Russian "{AB785290-EA80-7A10-B2C6-98919E514A68}" = Catalyst Control Center Graphics Full New "{AC194855-F7AC-4D04-B4C9-07BA46FCB697}" = ActivClient 6.1 x86 "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2 "{AEA355A4-997D-A49D-A57A-CF537FFFEC84}" = Skins "{B18A542F-C99B-73C9-6552-73E1216E8834}" = CCC Help Dutch "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0 "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{B5764B71-4BCE-206A-DE15-2E05469AA74C}" = Catalyst Control Center Localization Polish "{B817499D-2D52-2F37-DF6F-40735748FA88}" = CCC Help English "{BBB33AD6-BCF7-4002-B6A0-6DC679AE5C18}" = TaxCut Premium + State + Efile 2008 "{BC66641A-3279-BB5E-BEAB-99B39D13B3BD}" = CCC Help Polish "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver "{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}" = Symantec Endpoint Protection "{C3D86DED-91D7-A890-5E9E-D14D993B5E9E}" = Catalyst Control Center Localization Dutch "{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries "{C4BEF3C4-9DF1-6D99-6C46-BBBF8E4B07A5}" = ccc-core-static "{C616F2BE-6A02-4E90-ABC8-B468E8575072}" = H&R Block Ohio 2009 "{C6BB4BD5-15D5-0B2D-CF4A-49BDCD7B3AC3}" = Catalyst Control Center Localization Norwegian "{C90BE263-E9B8-AD82-C517-3197FA4DA9C4}" = CCC Help Danish "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CBC24502-5EB5-45B6-9E56-E6A2F6AFA367}" = HP JavaCard for HP ProtectTools "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D405A9E1-5D02-46FB-A2B3-796F1F218B32}" = HP ProtectTools Security Manager "{D9C94F63-6B2C-9BFA-F37C-E48E1B6133E1}" = CCC Help Swedish "{DA5BDB2A-12F0-4343-8351-21AAEB293990}" = PreReq "{DE6B7599-D3EF-4436-8836-BAA0B0D7768D}" = aiofw "{E0F274B7-592B-4669-8FB8-8D9825A09858}" = KODAK AiO Home Center "{E19DF3EF-351E-EE5E-623B-1A99C8C3EB5F}" = Catalyst Control Center Graphics Full Existing "{E2EF1380-9963-C7F9-3478-1046EC008C02}" = Catalyst Control Center Localization Chinese Standard "{E5C1C126-1687-4868-A3DD-B807176E4970}" = HP 3D DriveGuard "{E78D8DE3-E3CD-E89C-D5A0-D8FFE5F6E7F9}" = CCC Help Chinese Standard "{EA7D5022-7744-4D28-0E83-2DF9678C27B6}" = Catalyst Control Center Core Implementation "{EDD0A584-1ABB-8E7B-97AB-743C7E35EEA7}" = Catalyst Control Center Localization German "{EFBC8D78-75EA-4BB1-0CC6-172BFDF4B70F}" = Catalyst Control Center Localization Danish "{F01701B8-2C94-282D-9339-23AFBEDBE3E2}" = Catalyst Control Center Localization Italian "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX "{F0BE302E-6B30-B816-4EA3-23CD6A23B08D}" = ccc-utility "{F173C2B3-296F-458C-98FF-1676A42EBA02}" = HP Wallpaper "{F657EF23-08BB-4C8D-B688-78C20FA657EA}" = Drive Encryption for HP ProtectTools "{F940B4EC-8504-CEE5-F36C-C2F5471D9E87}" = Catalyst Control Center Localization Thai "{FBAA2B2F-002D-45BB-291
  3. I am sorry but it went to a second page and when I scrolled down there I just saw your last post and thought that was the end. I will post the requested logs in separate replies with the first one here. Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4052 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.13 5/1/2010 7:05:43 AM mbam-log-2010-05-01 (07-05-43).txt Scan type: Quick scan Objects scanned: 124278 Time elapsed: 11 minute(s), 24 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
  4. ComboFix 10-04-29.05 - KSOBECKI 04/30/2010 7:00.5.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.771 [GMT -4:00] Running from: c:\documents and settings\KSOBECKI\Desktop\schrauber.exe Command switches used :: c:\documents and settings\KSOBECKI\Desktop\CFScript.txt AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-30 ))))))))))))))))))))))))))))))) . 2010-04-29 02:19 . 2010-04-29 02:27 -------- d-----w- C:\schrauber 2010-04-28 01:53 . 2010-04-28 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995 2010-04-26 17:48 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys 2010-04-26 17:48 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys 2010-04-26 17:48 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys 2010-04-26 17:48 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys 2010-04-26 17:48 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys 2010-04-26 17:48 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys 2010-04-26 12:33 . 2010-04-26 12:33 -------- d-----w- c:\documents and settings\KSOBECKI\Local Settings\Application Data\Mozilla 2010-04-25 22:21 . 2010-04-25 21:33 24064 ----a-w- c:\windows\system32\drivers\sfaudio.sys 2010-04-25 02:16 . 2010-04-25 02:16 293376 ----a-w- C:\nvmx55zj.exe 2010-04-23 14:23 . 2010-02-08 16:06 409600 ----a-w- c:\windows\system32\EKIJ5000MON.dll 2010-04-23 14:23 . 2010-02-08 16:06 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll 2010-04-23 14:23 . 2010-02-08 16:05 131072 ----a-w- c:\windows\system32\EKIJCOINST07.dll 2010-04-23 14:22 . 2010-04-23 14:22 -------- d-----w- c:\program files\MSXML 6.0 2010-04-23 14:15 . 2010-02-22 16:01 53248 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Serializable.XmlSerializers.dll 2010-04-23 14:15 . 2010-02-22 16:01 19968 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Serializable.dll 2010-04-23 14:15 . 2010-02-22 16:01 36864 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Interop.WindowsInstaller.dll 2010-04-22 14:50 . 2010-04-22 14:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer 2010-04-22 12:28 . 2010-04-22 12:28 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Malwarebytes 2010-04-22 12:27 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-22 12:27 . 2010-04-22 12:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-04-22 12:27 . 2010-04-22 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-04-22 12:27 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-22 12:15 . 2010-04-22 12:15 552 ----a-w- c:\windows\system32\d3d8caps.dat 2010-04-22 12:15 . 2010-04-22 12:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-04-20 19:05 . 2008-04-14 00:12 82432 ----a-w- c:\windows\system32\dllcache\ws2_32.dll 2010-04-12 19:50 . 2007-08-24 16:13 142 ----a-w- c:\windows\wpd99.drv 2010-04-12 19:50 . 2010-04-12 19:50 51716 ----a-w- c:\windows\system32\pdf995mon.dll 2010-04-12 19:50 . 2010-04-12 19:50 249856 ----a-w- c:\windows\system32\pdfmona.dll 2010-04-09 02:03 . 2010-04-09 02:03 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe 2010-04-08 23:53 . 2010-04-08 23:53 0 ----a-w- c:\windows\nsreg.dat . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-04-29 02:20 . 2010-03-30 20:37 -------- d-----w- c:\program files\QuickTime 2010-04-29 02:20 . 2009-03-23 16:31 -------- d-----w- c:\program files\Common Files\Symantec Shared 2010-04-28 02:13 . 2010-01-01 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-04-28 01:53 . 2009-04-14 11:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak 2010-04-26 15:15 . 2009-12-30 23:12 1324 ----a-w- c:\windows\system32\d3d9caps.dat 2010-04-23 16:37 . 2009-09-17 21:33 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Temp 2010-04-23 14:26 . 2010-03-01 12:54 -------- d-----w- c:\program files\Kodak 2010-04-15 12:48 . 2009-04-03 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2010-04-15 02:36 . 2008-06-22 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2010-04-13 00:48 . 2009-04-07 00:26 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\TaxCut 2010-04-12 19:50 . 2009-04-06 16:12 -------- d-----w- c:\program files\PDF995 2010-04-06 15:29 . 2009-05-14 23:32 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Skype 2010-04-02 02:17 . 2009-04-02 00:57 -------- d-----w- c:\program files\CCleaner 2010-03-30 20:37 . 2010-03-30 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer 2010-03-23 22:59 . 2010-03-23 22:59 2934896 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockOH.exe 2010-03-23 22:41 . 2010-03-08 01:16 -------- d-----w- c:\program files\DeductionPro 2009 2010-03-23 20:24 . 2010-03-23 20:24 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901xupd.exe 2010-03-21 21:44 . 2010-03-21 21:44 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Apple Computer 2010-03-21 12:50 . 2010-03-21 12:50 -------- d-----w- c:\program files\Common Files\Apple 2010-03-21 12:50 . 2010-03-21 12:50 -------- d-----w- c:\program files\Apple Software Update 2010-03-11 12:38 . 2004-08-04 08:00 832512 ----a-w- c:\windows\system32\wininet.dll 2010-03-11 12:38 . 2004-08-04 08:00 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-03-11 12:38 . 2004-08-04 08:00 17408 ----a-w- c:\windows\system32\corpol.dll 2010-03-09 11:09 . 2004-08-04 08:00 430080 ----a-w- c:\windows\system32\vbscript.dll 2010-03-08 01:18 . 2010-03-08 01:17 19486488 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026501xupd.exe 2010-03-08 01:16 . 2008-06-22 03:38 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-03-08 01:15 . 2010-03-08 01:14 -------- d-----w- c:\program files\HRBlock2009 2010-03-08 01:13 . 2009-04-06 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut 2010-03-01 13:03 . 2009-09-17 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\kds_kodak 2010-03-01 13:02 . 2009-09-17 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Eastman Kodak Company 2010-02-24 13:11 . 2004-08-04 08:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-16 14:08 . 2004-08-04 08:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 13:25 . 2004-08-04 08:00 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-02-12 04:33 . 2004-08-04 08:00 100864 ----a-w- c:\windows\system32\6to4svc.dll 2010-02-11 12:02 . 2004-08-04 08:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys . ((((((((((((((((((((((((((((( [email protected]_02.00.41 ))))))))))))))))))))))))))))))))))))))))) . + 2010-04-28 02:17 . 2010-04-28 02:17 16384 c:\windows\Temp\Perflib_Perfdata_290.dat + 2010-04-23 14:23 . 2010-02-08 16:09 1634304 c:\windows\system32\spool\drivers\w32x86\3\ekij5000mui.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc] 2007-05-15 23:08 112640 ----a-w- c:\windows\system32\ackpbsc.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock] 2007-05-15 23:08 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard] 2008-05-21 00:42 111888 ----a-w- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\APSHook.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\adobearm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\mqsvc.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"= "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"= "c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"= "c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"= "c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"= "c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"= "c:\\WINDOWS\\system32\\spoolsv.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1723:TCP"= 1723:TCP:VPN "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "9322:TCP"= 9322:TCP:EKDiscovery R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [6/21/2008 11:24 PM 174600] R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [6/21/2008 11:49 PM 15416] R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [5/30/2008 12:36 PM 108752] R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [5/30/2008 12:37 PM 51376] R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [5/30/2008 12:37 PM 12928] R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [4/25/2009 8:54 PM 149376] R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [5/30/2008 12:37 PM 12496] R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 7:08 PM 182576] R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336] R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336] R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [5/15/2008 6:11 PM 1176824] R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [6/2/2008 1:32 PM 18944] R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [5/30/2008 12:36 PM 256512] R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [5/15/2008 4:29 PM 475520] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/20/2010 7:22 AM 102448] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/4/2007 3:16 PM 41216] S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2/11/2010 3:36 PM 300400] S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [6/22/2008 12:50 AM 193840] S3 memchek;memchek;c:\windows\system32\memchek.sys [8/4/2004 4:00 AM 2432] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Cognizance REG_MULTI_SZ ASBroker ASChannel . Contents of the 'Scheduled Tasks' folder 2010-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\KSOBECKI\Application Data\Mozilla\Firefox\Profiles\220ltht1.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-30 07:06 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(952) c:\windows\system32\ackpbsc.dll c:\windows\system32\aclog.dll c:\windows\system32\ACLIBEAY.dll c:\windows\system32\acevtsub.dll c:\windows\system32\asphat32.dll c:\windows\system32\acerrmes.dll c:\windows\system32\aspcom.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll c:\windows\system32\Ati2evxx.dll c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll c:\program files\ActivIdentity\ActivClient\acunlock.dll c:\windows\system32\aipingui.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll - - - - - - - > 'explorer.exe'(41656) c:\windows\system32\WININET.dll c:\windows\system32\APSHook.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2010-04-30 07:08:19 ComboFix-quarantined-files.txt 2010-04-30 11:08 ComboFix2.txt 2010-04-29 02:27 ComboFix3.txt 2010-04-28 02:05 ComboFix4.txt 2010-04-26 18:38 Pre-Run: 213,766,815,744 bytes free Post-Run: 213,722,521,600 bytes free - - End Of File - - 1034606270ED3937E6A2D1D29436EAE4
  5. ComboFix 10-04-28.03 - KSOBECKI 04/28/2010 22:20:42.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.921 [GMT -4:00] Running from: c:\documents and settings\KSOBECKI\Desktop\schrauber.exe Command switches used :: c:\documents and settings\KSOBECKI\Desktop\CFScript.txt AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} . ((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 ))))))))))))))))))))))))))))))) . 2010-04-28 01:53 . 2010-04-28 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995 2010-04-26 17:48 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys 2010-04-26 17:48 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys 2010-04-26 17:48 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys 2010-04-26 17:48 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys 2010-04-26 17:48 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys 2010-04-26 17:48 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys 2010-04-26 12:33 . 2010-04-26 12:33 -------- d-----w- c:\documents and settings\KSOBECKI\Local Settings\Application Data\Mozilla 2010-04-25 22:21 . 2010-04-25 21:33 24064 ----a-w- c:\windows\system32\drivers\sfaudio.sys 2010-04-25 02:16 . 2010-04-25 02:16 293376 ----a-w- C:\nvmx55zj.exe 2010-04-23 14:23 . 2010-02-08 16:06 409600 ----a-w- c:\windows\system32\EKIJ5000MON.dll 2010-04-23 14:23 . 2010-02-08 16:06 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll 2010-04-23 14:23 . 2010-02-08 16:05 131072 ----a-w- c:\windows\system32\EKIJCOINST07.dll 2010-04-23 14:22 . 2010-04-23 14:22 -------- d-----w- c:\program files\MSXML 6.0 2010-04-23 14:15 . 2010-02-22 16:01 53248 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Serializable.XmlSerializers.dll 2010-04-23 14:15 . 2010-02-22 16:01 19968 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Serializable.dll 2010-04-23 14:15 . 2010-02-22 16:01 36864 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Interop.WindowsInstaller.dll 2010-04-22 14:50 . 2010-04-22 14:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer 2010-04-22 12:28 . 2010-04-22 12:28 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Malwarebytes 2010-04-22 12:27 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-22 12:27 . 2010-04-22 12:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-04-22 12:27 . 2010-04-22 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-04-22 12:27 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-22 12:15 . 2010-04-22 12:15 552 ----a-w- c:\windows\system32\d3d8caps.dat 2010-04-22 12:15 . 2010-04-22 12:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-04-20 19:05 . 2008-04-14 00:12 82432 ----a-w- c:\windows\system32\dllcache\ws2_32.dll 2010-04-12 19:50 . 2007-08-24 16:13 142 ----a-w- c:\windows\wpd99.drv 2010-04-12 19:50 . 2010-04-12 19:50 51716 ----a-w- c:\windows\system32\pdf995mon.dll 2010-04-12 19:50 . 2010-04-12 19:50 249856 ----a-w- c:\windows\system32\pdfmona.dll 2010-04-09 02:03 . 2010-04-09 02:03 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe 2010-04-08 23:53 . 2010-04-08 23:53 0 ----a-w- c:\windows\nsreg.dat 2010-03-30 20:37 . 2010-04-29 02:20 -------- d-----w- c:\program files\QuickTime 2010-03-30 20:37 . 2010-03-30 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-04-29 02:20 . 2009-03-23 16:31 -------- d-----w- c:\program files\Common Files\Symantec Shared 2010-04-28 02:13 . 2010-01-01 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-04-28 01:53 . 2009-04-14 11:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak 2010-04-26 15:15 . 2009-12-30 23:12 1324 ----a-w- c:\windows\system32\d3d9caps.dat 2010-04-23 16:37 . 2009-09-17 21:33 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Temp 2010-04-23 14:26 . 2010-03-01 12:54 -------- d-----w- c:\program files\Kodak 2010-04-15 12:48 . 2009-04-03 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2010-04-15 02:36 . 2008-06-22 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2010-04-13 00:48 . 2009-04-07 00:26 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\TaxCut 2010-04-12 19:50 . 2009-04-06 16:12 -------- d-----w- c:\program files\PDF995 2010-04-06 15:29 . 2009-05-14 23:32 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Skype 2010-04-02 02:17 . 2009-04-02 00:57 -------- d-----w- c:\program files\CCleaner 2010-03-23 22:59 . 2010-03-23 22:59 2934896 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockOH.exe 2010-03-23 22:41 . 2010-03-08 01:16 -------- d-----w- c:\program files\DeductionPro 2009 2010-03-23 20:24 . 2010-03-23 20:24 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901xupd.exe 2010-03-21 21:44 . 2010-03-21 21:44 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Apple Computer 2010-03-21 12:50 . 2010-03-21 12:50 -------- d-----w- c:\program files\Common Files\Apple 2010-03-21 12:50 . 2010-03-21 12:50 -------- d-----w- c:\program files\Apple Software Update 2010-03-11 12:38 . 2004-08-04 08:00 832512 ----a-w- c:\windows\system32\wininet.dll 2010-03-11 12:38 . 2004-08-04 08:00 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-03-11 12:38 . 2004-08-04 08:00 17408 ----a-w- c:\windows\system32\corpol.dll 2010-03-09 11:09 . 2004-08-04 08:00 430080 ----a-w- c:\windows\system32\vbscript.dll 2010-03-08 01:18 . 2010-03-08 01:17 19486488 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026501xupd.exe 2010-03-08 01:16 . 2008-06-22 03:38 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-03-08 01:15 . 2010-03-08 01:14 -------- d-----w- c:\program files\HRBlock2009 2010-03-08 01:13 . 2009-04-06 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut 2010-03-01 13:03 . 2009-09-17 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\kds_kodak 2010-03-01 13:02 . 2009-09-17 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Eastman Kodak Company 2010-02-24 13:11 . 2004-08-04 08:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-16 14:08 . 2004-08-04 08:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 13:25 . 2004-08-04 08:00 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-02-12 04:33 . 2004-08-04 08:00 100864 ----a-w- c:\windows\system32\6to4svc.dll 2010-02-11 12:02 . 2004-08-04 08:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys . ((((((((((((((((((((((((((((( [email protected]_02.00.41 ))))))))))))))))))))))))))))))))))))))))) . + 2010-04-28 02:17 . 2010-04-28 02:17 16384 c:\windows\Temp\Perflib_Perfdata_290.dat + 2010-04-23 14:23 . 2010-02-08 16:09 1634304 c:\windows\system32\spool\drivers\w32x86\3\ekij5000mui.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc] 2007-05-15 23:08 112640 ----a-w- c:\windows\system32\ackpbsc.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock] 2007-05-15 23:08 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard] 2008-05-21 00:42 111888 ----a-w- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\APSHook.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\adobearm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\mqsvc.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"= "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"= "c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"= "c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"= "c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"= "c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"= "c:\\WINDOWS\\system32\\spoolsv.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1723:TCP"= 1723:TCP:VPN "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "9322:TCP"= 9322:TCP:EKDiscovery R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [6/21/2008 11:24 PM 174600] R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [6/21/2008 11:49 PM 15416] R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [5/30/2008 12:36 PM 108752] R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [5/30/2008 12:37 PM 51376] R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [5/30/2008 12:37 PM 12928] R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [4/25/2009 8:54 PM 149376] R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [5/30/2008 12:37 PM 12496] R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 7:08 PM 182576] R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336] R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336] R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [5/15/2008 6:11 PM 1176824] R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [6/2/2008 1:32 PM 18944] R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [5/30/2008 12:36 PM 256512] R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [5/15/2008 4:29 PM 475520] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/20/2010 7:22 AM 102448] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/4/2007 3:16 PM 41216] S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2/11/2010 3:36 PM 300400] S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [6/22/2008 12:50 AM 193840] S3 memchek;memchek;c:\windows\system32\memchek.sys [8/4/2004 4:00 AM 2432] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Cognizance REG_MULTI_SZ ASBroker ASChannel . Contents of the 'Scheduled Tasks' folder 2010-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\KSOBECKI\Application Data\Mozilla\Firefox\Profiles\220ltht1.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . ************************************************************************** scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(952) c:\windows\system32\ackpbsc.dll c:\windows\system32\aclog.dll c:\windows\system32\ACLIBEAY.dll c:\windows\system32\acevtsub.dll c:\windows\system32\asphat32.dll c:\windows\system32\acerrmes.dll c:\windows\system32\aspcom.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll c:\windows\system32\Ati2evxx.dll c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll c:\program files\ActivIdentity\ActivClient\acunlock.dll c:\windows\system32\aipingui.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll - - - - - - - > 'explorer.exe'(23844) c:\windows\system32\WININET.dll c:\windows\system32\APSHook.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2010-04-28 22:27:27 ComboFix-quarantined-files.txt 2010-04-29 02:27 ComboFix2.txt 2010-04-28 02:05 ComboFix3.txt 2010-04-26 18:38 Pre-Run: 213,855,825,920 bytes free Post-Run: 213,819,035,648 bytes free - - End Of File - - 2B8558AD49A8D08963D255200BE7A525
  6. ComboFix 10-04-26.05 - KSOBECKI 04/27/2010 21:46:40.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.999 [GMT -4:00] Running from: c:\documents and settings\KSOBECKI\Desktop\schrauber.exe Command switches used :: c:\documents and settings\KSOBECKI\Desktop\CFScript.txt AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} file zipped: c:\windows\Jcirejifigocixa.dat file zipped: c:\windows\Psapewisurase.bin . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\pdf995 c:\documents and settings\All Users\Application Data\pdf995\pdfsync.ini c:\documents and settings\All Users\Application Data\pdf995\queue.ini c:\documents and settings\KSOBECKI\Application Data\pdf995 c:\documents and settings\KSOBECKI\Application Data\pdf995\pdf995server.ini c:\documents and settings\KSOBECKI\Application Data\pdf995\res\pdf995.ini c:\documents and settings\KSOBECKI\Application Data\pdf995\temp.ps c:\documents and settings\KSOBECKI\Local Settings\Application Data\Windows Server C:\feed.txt c:\windows\Jcirejifigocixa.dat c:\windows\Psapewisurase.bin c:\windows\system32\ctfmon .exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_SCSICHK -------\Service_scsichk ((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 ))))))))))))))))))))))))))))))) . 2010-04-28 01:53 . 2010-04-28 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995 2010-04-26 17:48 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys 2010-04-26 17:48 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys 2010-04-26 17:48 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys 2010-04-26 17:48 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys 2010-04-26 17:48 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys 2010-04-26 17:48 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys 2010-04-26 12:33 . 2010-04-26 12:33 -------- d-----w- c:\documents and settings\KSOBECKI\Local Settings\Application Data\Mozilla 2010-04-25 22:21 . 2010-04-25 21:33 24064 ----a-w- c:\windows\system32\drivers\sfaudio.sys 2010-04-25 02:16 . 2010-04-25 02:16 293376 ----a-w- C:\nvmx55zj.exe 2010-04-23 14:23 . 2010-02-08 16:06 409600 ----a-w- c:\windows\system32\EKIJ5000MON.dll 2010-04-23 14:23 . 2010-02-08 16:06 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll 2010-04-23 14:23 . 2010-02-08 16:05 131072 ----a-w- c:\windows\system32\EKIJCOINST07.dll 2010-04-23 14:22 . 2010-04-23 14:22 -------- d-----w- c:\program files\MSXML 6.0 2010-04-23 14:15 . 2010-02-22 16:01 53248 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Serializable.XmlSerializers.dll 2010-04-23 14:15 . 2010-02-22 16:01 19968 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Serializable.dll 2010-04-23 14:15 . 2010-02-22 16:01 36864 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Interop.WindowsInstaller.dll 2010-04-22 14:50 . 2010-04-22 14:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer 2010-04-22 12:28 . 2010-04-22 12:28 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Malwarebytes 2010-04-22 12:27 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-22 12:27 . 2010-04-22 12:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-04-22 12:27 . 2010-04-22 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-04-22 12:27 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-22 12:15 . 2010-04-22 12:15 552 ----a-w- c:\windows\system32\d3d8caps.dat 2010-04-22 12:15 . 2010-04-22 12:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-04-20 19:05 . 2008-04-14 00:12 82432 ----a-w- c:\windows\system32\dllcache\ws2_32.dll 2010-04-12 19:50 . 2007-08-24 16:13 142 ----a-w- c:\windows\wpd99.drv 2010-04-12 19:50 . 2010-04-12 19:50 51716 ----a-w- c:\windows\system32\pdf995mon.dll 2010-04-12 19:50 . 2010-04-12 19:50 249856 ----a-w- c:\windows\system32\pdfmona.dll 2010-04-09 02:03 . 2010-04-09 02:03 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe 2010-04-08 23:53 . 2010-04-08 23:53 0 ----a-w- c:\windows\nsreg.dat 2010-03-30 20:37 . 2010-04-27 11:53 -------- d-----w- c:\program files\QuickTime 2010-03-30 20:37 . 2010-03-30 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-04-28 01:53 . 2009-04-14 11:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak 2010-04-28 01:10 . 2009-03-23 16:31 -------- d-----w- c:\program files\Common Files\Symantec Shared 2010-04-28 01:02 . 2010-01-01 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-04-26 15:15 . 2009-12-30 23:12 1324 ----a-w- c:\windows\system32\d3d9caps.dat 2010-04-23 16:37 . 2009-09-17 21:33 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Temp 2010-04-23 14:26 . 2010-03-01 12:54 -------- d-----w- c:\program files\Kodak 2010-04-15 12:48 . 2009-04-03 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2010-04-15 02:36 . 2008-06-22 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2010-04-13 00:48 . 2009-04-07 00:26 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\TaxCut 2010-04-12 19:50 . 2009-04-06 16:12 -------- d-----w- c:\program files\PDF995 2010-04-06 15:29 . 2009-05-14 23:32 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Skype 2010-04-02 02:17 . 2009-04-02 00:57 -------- d-----w- c:\program files\CCleaner 2010-03-23 22:59 . 2010-03-23 22:59 2934896 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockOH.exe 2010-03-23 22:41 . 2010-03-08 01:16 -------- d-----w- c:\program files\DeductionPro 2009 2010-03-23 20:24 . 2010-03-23 20:24 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901xupd.exe 2010-03-21 21:44 . 2010-03-21 21:44 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Apple Computer 2010-03-21 12:50 . 2010-03-21 12:50 -------- d-----w- c:\program files\Common Files\Apple 2010-03-21 12:50 . 2010-03-21 12:50 -------- d-----w- c:\program files\Apple Software Update 2010-03-11 12:38 . 2004-08-04 08:00 832512 ----a-w- c:\windows\system32\wininet.dll 2010-03-11 12:38 . 2004-08-04 08:00 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-03-11 12:38 . 2004-08-04 08:00 17408 ----a-w- c:\windows\system32\corpol.dll 2010-03-09 11:09 . 2004-08-04 08:00 430080 ----a-w- c:\windows\system32\vbscript.dll 2010-03-08 01:18 . 2010-03-08 01:17 19486488 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026501xupd.exe 2010-03-08 01:16 . 2008-06-22 03:38 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-03-08 01:15 . 2010-03-08 01:14 -------- d-----w- c:\program files\HRBlock2009 2010-03-08 01:13 . 2009-04-06 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut 2010-03-01 13:03 . 2009-09-17 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\kds_kodak 2010-03-01 13:02 . 2009-09-17 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Eastman Kodak Company 2010-02-24 13:11 . 2004-08-04 08:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-16 14:08 . 2004-08-04 08:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 13:25 . 2004-08-04 08:00 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-02-12 04:33 . 2004-08-04 08:00 100864 ----a-w- c:\windows\system32\6to4svc.dll 2010-02-11 12:02 . 2004-08-04 08:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys . <pre> c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe c:\program files\Analog Devices\Core\smax4pnp .exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart .exe c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe c:\program files\Common Files\Symantec Shared\ccapp .exe c:\program files\Hewlett-Packard\Default Settings\cpqset .exe c:\program files\Hewlett-Packard\HP Wireless Assistant\hpwamain .exe c:\program files\QuickTime\qttask .exe c:\program files\Synaptics\SynTP\syntpenh .exe c:\windows\system32\spool\drivers\w32x86\3\ekij5000mui .exe </pre> ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [N/A] "Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [N/A] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc] 2007-05-15 23:08 112640 ----a-w- c:\windows\system32\ackpbsc.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock] 2007-05-15 23:08 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard] 2008-05-21 00:42 111888 ----a-w- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\APSHook.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-04-27 11:53 36864 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\adobearm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2010-04-27 11:53 36864 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\mqsvc.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"= "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"= "c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"= "c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"= "c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"= "c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"= "c:\\WINDOWS\\system32\\spoolsv.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1723:TCP"= 1723:TCP:VPN "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "9322:TCP"= 9322:TCP:EKDiscovery R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [6/21/2008 11:24 PM 174600] R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [6/21/2008 11:49 PM 15416] R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [5/30/2008 12:36 PM 108752] R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [5/30/2008 12:37 PM 51376] R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [5/30/2008 12:37 PM 12928] R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [4/25/2009 8:54 PM 149376] R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [5/30/2008 12:37 PM 12496] R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 7:08 PM 182576] R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336] R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336] R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [5/15/2008 6:11 PM 1176824] R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [6/2/2008 1:32 PM 18944] R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [5/30/2008 12:36 PM 256512] R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2/11/2010 3:36 PM 300400] R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [5/15/2008 4:29 PM 475520] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/20/2010 7:22 AM 102448] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/4/2007 3:16 PM 41216] S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [6/22/2008 12:50 AM 193840] S3 memchek;memchek;c:\windows\system32\memchek.sys [8/4/2004 4:00 AM 2432] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Cognizance REG_MULTI_SZ ASBroker ASChannel . Contents of the 'Scheduled Tasks' folder 2010-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\KSOBECKI\Application Data\Mozilla\Firefox\Profiles\220ltht1.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-27 22:00 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe???????????????????????|?M?|?????M?|[email protected] scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(952) c:\windows\system32\ackpbsc.dll c:\windows\system32\aclog.dll c:\windows\system32\ACLIBEAY.dll c:\windows\system32\acevtsub.dll c:\windows\system32\asphat32.dll c:\windows\system32\acerrmes.dll c:\windows\system32\aspcom.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll c:\windows\system32\Ati2evxx.dll c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll c:\program files\ActivIdentity\ActivClient\acunlock.dll c:\windows\system32\aipingui.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll - - - - - - - > 'explorer.exe'(5748) c:\windows\system32\WININET.dll c:\windows\system32\APSHook.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe c:\windows\system32\Ati2evxx.exe c:\program files\Common Files\Symantec Shared\ccSvcHst.exe c:\windows\System32\SCardSvr.exe c:\windows\system32\msdtc.exe c:\windows\system32\agrsmsvc.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe c:\windows\system32\SearchIndexer.exe c:\windows\system32\mqsvc.exe c:\windows\system32\mqtgsvc.exe c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe c:\windows\system32\rundll32.exe c:\windows\system32\SearchProtocolHost.exe c:\windows\system32\SearchFilterHost.exe . ************************************************************************** . Completion time: 2010-04-27 22:05:33 - machine was rebooted ComboFix-quarantined-files.txt 2010-04-28 02:05 ComboFix2.txt 2010-04-26 18:38 Pre-Run: 213,911,220,224 bytes free Post-Run: 213,889,757,184 bytes free - - End Of File - - 33FF553A7358152F5918AE3FDF248486
  7. I tried to shut off the Symantec EndPoint but every time I did.....it locked the computer. I ran it while it was on. ComboFix 10-04-21.01 - KSOBECKI 04/25/2010 18:25:41.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.1084 [GMT -4:00] Running from: c:\documents and settings\KSOBECKI\Desktop\schrauber.exe AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Documents\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ken\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ken\My Pictures\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Berkley Square\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Cedar Point 2010\Cedar Point 2007\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Cedar Point 2010\Cedar Point 2008\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Cedar Point 2010\Cedar Point 2009\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Cedar Point 2010\Geauga Lake 2007\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Clark County Schools\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Holiday World 2008\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Holiday World 2008\Holiday World 2007\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Others\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Toledo Public Schools 2010-2011\Toledo Public Schools 2009-2010\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Toledo Public Schools 2010-2011\Toledo Public Schools 2009-2010\Toledo Public Schools 2008-2009\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Toledo Public Schools 2010-2011\Toledo Public Schools 2009-2010\Toledo Public Schools 2008-2009\Toledo Public Schools 2007-08\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Toledo Zoo 2010\Toledo Zoo 2007\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Toledo Zoo 2010\Toledo Zoo 2008\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Toledo Zoo 2010\Toledo Zoo 2009\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Washington Local 2009-2010\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Washington Local 2009-2010\Washington Local 2008-09\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Washington Local 2009-2010\Washington Local 2008-09\Washington Local 2007-08\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Western Michigan 09-10\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Western Michigan 09-10\Western Michigan 08-09\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Bid Forms\Western Michigan 09-10\Western Michigan 08-09\Western Michigan 07-08\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Cavendish\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Command\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Durable Foil\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Heartland\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\HOR\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\LaPreferida\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Liguria Foods\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Lipari\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Naturally Fresh\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Graphics Packaging\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Lance\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\LBP\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\LBP\CARRABBA'S PHOTOS\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\LBP\HURRICANE\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\Archive\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kandj120\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kandj120\Archive\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kandj120\Archive\Messages\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kandj120\Archive\Messages\cat_fezz13x\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kandj120\Archive\Messages\khalkru\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Conferences\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Messages\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Messages\bluelady488\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Messages\grobak130\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Messages\kitten_pd\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Messages\lmhallengren\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Messages\mojohands2\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Messages\monarchtoo\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Messages\notcattrell\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Messages\ohioskipatroller\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Messages\salongoddess2004\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Messages\spookyjill2\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Messages\ts07563\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Messages\victoria02256\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Mobile Messages\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\Archive\Mobile Messages\+14193059845\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\ayoungsenior\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\bacardi350\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\bluelady488\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\grobak130\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\just4lisaa\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\kitten_pd\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\lmhallengren\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\mojohands2\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\monarchtoo\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\notcattrell\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\ohioskipatroller\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\search469\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\spookyjill2\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\twiztid32\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Messages\victoria02256\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Mobile Messages\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Mobile Messages\+14193059845\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\Archive\Mobile Messages\+16143320333\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\kensob99\My Icons\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\kensob99\My Icons\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\Archive\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\Archive\Messages\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\Archive\Messages\cmhguitarist\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\Archive\Messages\ohiocpl2008\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\Archive\Messages\sidneyfunguy63\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\My Icons\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\shellyh44\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\shellyh44\Archive\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\shellyh44\Archive\Messages\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\shellyh44\Archive\Messages\bob_45036\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\shellyh44\Archive\Messages\cmhguitarist\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\shellyh44\Archive\Messages\greeneyedbabe111\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\shellyh44\Archive\Messages\jlshoe1963\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\shellyh44\Archive\Messages\sidneyfunguy63\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\Archive\Profiles\shellyh44\shellyh44\My Icons\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\kandj120\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\kandj120\My Icons\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\kensob99\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\kensob99\Archive\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\kensob99\Archive\Mobile Messages\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\kensob99\Archive\Mobile Messages\+16143320333\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Profiles\kensob99\My Icons\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Riverside\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Sanfacon\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Others\Tennessee Pride\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Pastorelli\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Ritchie\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Smith Family\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Smithfield\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Sofo Foods\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Sofo Foods\2006 Show\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Sofo Foods\2007 Show\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Sofo Foods\2008 Show\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Sofo Foods\2009 Show\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Tradex\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Upstate Farms\_desktop.ini c:\documents and settings\All Users\Documents\My Documents\Ritchie\Vincent Giordano\_desktop.ini c:\documents and settings\All Users\Documents\My Music\_desktop.ini c:\documents and settings\All Users\Documents\My Music\My Playlists\_desktop.ini c:\documents and settings\All Users\Documents\My Music\Sample Music\_desktop.ini c:\documents and settings\All Users\Documents\My Music\Sample Playlists\_desktop.ini c:\documents and settings\All Users\Documents\My Music\Sample Playlists\0009B52B\_desktop.ini c:\documents and settings\All Users\Documents\My Music\Sync Playlists\_desktop.ini c:\documents and settings\All Users\Documents\My Music\Sync Playlists\14EDBA\_desktop.ini c:\documents and settings\All Users\Documents\My Pictures\_desktop.ini c:\documents and settings\All Users\Documents\My Pictures\Sample Pictures\_desktop.ini c:\documents and settings\All Users\Documents\My Videos\_desktop.ini c:\documents and settings\KSOBECKI\Application Data\F0C8A70282C3527304FD7E600530EA1C c:\documents and settings\KSOBECKI\Application Data\F0C8A70282C3527304FD7E600530EA1C\enemies-names.txt c:\documents and settings\KSOBECKI\Application Data\F0C8A70282C3527304FD7E600530EA1C\lsrslt.ini c:\documents and settings\KSOBECKI\Local Settings\Application Data\{E3278AD6-FAF3-496F-906E-18B81B7B083E} c:\documents and settings\KSOBECKI\Local Settings\Application Data\{E3278AD6-FAF3-496F-906E-18B81B7B083E}\chrome.manifest c:\documents and settings\KSOBECKI\Local Settings\Application Data\{E3278AD6-FAF3-496F-906E-18B81B7B083E}\chrome\content\_cfg.js c:\documents and settings\KSOBECKI\Local Settings\Application Data\{E3278AD6-FAF3-496F-906E-18B81B7B083E}\chrome\content\overlay.xul c:\documents and settings\KSOBECKI\Local Settings\Application Data\{E3278AD6-FAF3-496F-906E-18B81B7B083E}\install.rdf c:\recycler\S-1-5-21-1708537768-602609370-725345543-500 c:\recycler\S-1-5-21-625955303-583744707-3302112861-500 Infected copy of c:\windows\system32\drivers\sfaudio.sys was found and disinfected Restored copy from - Kitty had a snack . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_6TO4 ((((((((((((((((((((((((( Files Created from 2010-03-25 to 2010-04-25 ))))))))))))))))))))))))))))))) . 2010-04-25 22:21 . 2010-04-25 21:33 24064 ----a-w- c:\windows\system32\drivers\sfaudio.sys 2010-04-25 02:16 . 2010-04-25 02:16 293376 ----a-w- C:\nvmx55zj.exe 2010-04-23 14:23 . 2010-02-08 16:06 409600 ----a-w- c:\windows\system32\EKIJ5000MON.dll 2010-04-23 14:23 . 2010-02-08 16:06 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll 2010-04-23 14:23 . 2010-02-08 16:05 131072 ----a-w- c:\windows\system32\EKIJCOINST07.dll 2010-04-23 14:22 . 2010-04-23 14:22 -------- d-----w- c:\program files\MSXML 6.0 2010-04-23 14:15 . 2010-02-22 16:01 53248 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Serializable.XmlSerializers.dll 2010-04-23 14:15 . 2010-02-22 16:01 19968 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Serializable.dll 2010-04-23 14:15 . 2010-02-22 16:01 36864 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Interop.WindowsInstaller.dll 2010-04-22 14:50 . 2010-04-22 14:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer 2010-04-22 12:28 . 2010-04-22 12:28 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Malwarebytes 2010-04-22 12:27 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-22 12:27 . 2010-04-22 12:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-04-22 12:27 . 2010-04-22 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-04-22 12:27 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-22 12:15 . 2010-04-22 12:15 552 ----a-w- c:\windows\system32\d3d8caps.dat 2010-04-22 12:15 . 2010-04-22 12:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-04-20 19:40 . 2010-04-20 21:43 120 ----a-w- c:\windows\Jcirejifigocixa.dat 2010-04-20 19:40 . 2010-04-20 19:40 0 ----a-w- c:\windows\Psapewisurase.bin 2010-04-20 19:05 . 2008-04-14 00:12 82432 ----a-w- c:\windows\system32\dllcache\ws2_32.dll 2010-04-12 19:54 . 2010-04-12 19:54 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\pdf995 2010-04-12 19:50 . 2010-04-13 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995 2010-04-12 19:50 . 2007-08-24 16:13 142 ----a-w- c:\windows\wpd99.drv 2010-04-12 19:50 . 2010-04-12 19:50 51716 ----a-w- c:\windows\system32\pdf995mon.dll 2010-04-12 19:50 . 2010-04-12 19:50 249856 ----a-w- c:\windows\system32\pdfmona.dll 2010-04-09 02:03 . 2010-04-09 02:03 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe 2010-04-08 23:53 . 2010-04-08 23:53 0 ----a-w- c:\windows\nsreg.dat 2010-04-08 23:53 . 2010-04-08 23:53 -------- d-----w- c:\documents and settings\KSOBECKI\Local Settings\Application Data\Mozilla 2010-03-30 20:37 . 2010-03-30 20:37 -------- d-----w- c:\program files\QuickTime 2010-03-30 20:37 . 2010-03-30 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-04-25 22:36 . 2009-04-14 11:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak 2010-04-23 16:37 . 2009-09-17 21:33 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Temp 2010-04-23 16:29 . 2010-01-01 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-04-23 14:26 . 2010-03-01 12:54 -------- d-----w- c:\program files\Kodak 2010-04-23 13:27 . 2009-12-30 23:12 1324 ----a-w- c:\windows\system32\d3d9caps.dat 2010-04-15 12:48 . 2009-04-03 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2010-04-15 02:36 . 2008-06-22 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2010-04-13 00:48 . 2009-04-07 00:26 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\TaxCut 2010-04-12 19:50 . 2009-04-06 16:12 -------- d-----w- c:\program files\PDF995 2010-04-06 15:29 . 2009-05-14 23:32 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Skype 2010-04-02 02:17 . 2009-04-02 00:57 -------- d-----w- c:\program files\CCleaner 2010-03-23 22:59 . 2010-03-23 22:59 2934896 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockOH.exe 2010-03-23 22:41 . 2010-03-08 01:16 -------- d-----w- c:\program files\DeductionPro 2009 2010-03-23 20:24 . 2010-03-23 20:24 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901xupd.exe 2010-03-21 21:44 . 2010-03-21 21:44 -------- d-----w- c:\documents and settings\KSOBECKI\Application Data\Apple Computer 2010-03-21 12:50 . 2010-03-21 12:50 -------- d-----w- c:\program files\Common Files\Apple 2010-03-21 12:50 . 2010-03-21 12:50 -------- d-----w- c:\program files\Apple Software Update 2010-03-11 12:38 . 2004-08-04 08:00 832512 ----a-w- c:\windows\system32\wininet.dll 2010-03-11 12:38 . 2004-08-04 08:00 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-03-11 12:38 . 2004-08-04 08:00 17408 ----a-w- c:\windows\system32\corpol.dll 2010-03-09 11:09 . 2004-08-04 08:00 430080 ----a-w- c:\windows\system32\vbscript.dll 2010-03-08 01:18 . 2010-03-08 01:17 19486488 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026501xupd.exe 2010-03-08 01:16 . 2008-06-22 03:38 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-03-08 01:15 . 2010-03-08 01:14 -------- d-----w- c:\program files\HRBlock2009 2010-03-08 01:13 . 2009-04-06 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut 2010-03-01 13:03 . 2009-09-17 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\kds_kodak 2010-03-01 13:02 . 2009-09-17 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Eastman Kodak Company 2010-02-24 13:11 . 2004-08-04 08:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-16 14:08 . 2004-08-04 08:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 13:25 . 2004-08-04 08:00 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-02-12 04:33 . 2004-08-04 08:00 100864 ----a-w- c:\windows\system32\6to4svc.dll 2010-02-11 12:02 . 2004-08-04 08:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1040384] "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752] "Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2008-05-14 61440] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-18 115560] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768] "Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648] "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-02-08 1634304] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc] 2007-05-15 23:08 112640 ----a-w- c:\windows\system32\ackpbsc.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock] 2007-05-15 23:08 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard] 2008-05-21 00:42 111888 ----a-w- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\APSHook.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\mqsvc.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"= "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\WINDOWS\\system32\\spoolsv.exe"= "c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"= "c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"= "c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"= "c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"= "c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1723:TCP"= 1723:TCP:VPN "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "9322:TCP"= 9322:TCP:EKDiscovery R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [6/21/2008 11:24 PM 174600] R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [6/21/2008 11:49 PM 15416] R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [5/30/2008 12:36 PM 108752] R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [5/30/2008 12:37 PM 51376] R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [5/30/2008 12:37 PM 12928] R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [4/25/2009 8:54 PM 149376] R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [5/30/2008 12:37 PM 12496] R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 7:08 PM 182576] R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336] R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336] R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [5/15/2008 6:11 PM 1176824] R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [6/2/2008 1:32 PM 18944] R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [5/30/2008 12:36 PM 256512] R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2/11/2010 3:36 PM 300400] R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [5/15/2008 4:29 PM 475520] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/20/2010 7:22 AM 102448] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/4/2007 3:16 PM 41216] S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [6/22/2008 12:50 AM 193840] S3 scsichk;scsichk;\??\c:\windows\system32\scsichk.sys --> c:\windows\system32\scsichk.sys [?] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Cognizance REG_MULTI_SZ ASBroker ASChannel . Contents of the 'Scheduled Tasks' folder 2010-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 . - - - - ORPHANS REMOVED - - - - WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) SafeBoot-Symantec Antvirus ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-25 18:37 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe???????????????????????|?M?|?????M?|[email protected] scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(948) c:\windows\system32\ackpbsc.dll c:\windows\system32\aclog.dll c:\windows\system32\ACLIBEAY.dll c:\windows\system32\acevtsub.dll c:\windows\system32\asphat32.dll c:\windows\system32\acerrmes.dll c:\windows\system32\aspcom.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll c:\windows\system32\Ati2evxx.dll c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll c:\program files\ActivIdentity\ActivClient\acunlock.dll c:\windows\system32\aipingui.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll - - - - - - - > 'explorer.exe'(6316) c:\windows\system32\WININET.dll c:\windows\system32\APSHook.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe c:\windows\system32\Ati2evxx.exe c:\program files\Common Files\Symantec Shared\ccSvcHst.exe c:\windows\System32\SCardSvr.exe c:\windows\system32\msdtc.exe c:\windows\system32\agrsmsvc.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe c:\windows\system32\SearchIndexer.exe c:\windows\system32\mqsvc.exe c:\windows\system32\mqtgsvc.exe c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe c:\program files\Hewlett-Packard\Shared\HpqToaster.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe . ************************************************************************** . Completion time: 2010-04-25 18:42:22 - machine was rebooted ComboFix-quarantined-files.txt 2010-04-25 22:42 Pre-Run: 213,825,617,920 bytes free Post-Run: 213,846,351,872 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer - - End Of File - - 13554D69C40CCAC8B8FB83B3FAD336E1
  8. GMER 1.0.15.15281 - http://www.gmer.net Rootkit quick scan 2010-04-24 23:17:32 Windows 5.1.2600 Service Pack 3 Running: nvmx55zj.exe; Driver: C:\DOCUME~1\KSOBECKI\LOCALS~1\Temp\uwldqpow.sys ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation) AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation) AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation) AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) Device -> \Driver\ahcix86 \Device\Harddisk0\DR0 89BF1AC8 ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\drivers\ahcix86.sys suspicious modification ---- EOF - GMER 1.0.15 ----
  9. OTL logfile created on: 4/24/2010 10:33:53 PM - Run 1 OTL by OldTimer - Version 3.2.2.0 Folder = C:\Documents and Settings\KSOBECKI\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.13) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free 4.00 Gb Paging File | 3.00 Gb Available in Paging File | 78.00% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 231.87 Gb Total Space | 199.23 Gb Free Space | 85.92% Space Free | Partition Type: NTFS Drive D: | 1.00 Gb Total Space | 0.97 Gb Free Space | 97.24% Space Free | Partition Type: FAT32 E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: KENHPLT Current User Name: KSOBECKI Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: On Skip Microsoft Files: On File Age = 90 Days Output = Standard Quick Scan ========== Processes (SafeList) ========== PRC - [2010/04/24 22:12:17 | 000,562,688 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\KSOBECKI\Desktop\OTL.exe PRC - [2010/02/11 15:36:12 | 000,300,400 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe PRC - [2010/02/08 12:09:00 | 001,634,304 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe PRC - [2009/02/26 15:07:10 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe PRC - [2009/02/26 15:07:08 | 001,799,496 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe PRC - [2009/02/01 23:37:00 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe PRC - [2008/12/18 16:47:22 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe PRC - [2008/12/18 16:46:30 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe PRC - [2008/06/02 13:32:16 | 000,018,944 | ---- | M] (Hewlett-Packard Development Company, L.P) -- c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe PRC - [2008/05/30 12:36:20 | 000,256,512 | ---- | M] (SafeBoot International) -- c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe PRC - [2008/05/20 20:47:18 | 000,065,296 | ---- | M] (Bioscrypt Inc.) -- c:\Program Files\Hewlett-Packard\IAM\Bin\asghost.exe PRC - [2008/05/15 18:11:12 | 001,176,824 | ---- | M] (AuthenTec, Inc.) -- c:\Program Files\Fingerprint Sensor\AtService.exe PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2008/04/04 11:09:56 | 001,044,480 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe PRC - [2007/12/11 15:15:04 | 000,012,800 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe PRC - [2007/05/15 19:08:40 | 000,182,576 | ---- | M] (ActivIdentity) -- c:\Program Files\ActivIdentity\ActivClient\accoca.exe ========== Modules (SafeList) ========== MOD - [2010/04/24 22:12:17 | 000,562,688 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\KSOBECKI\Desktop\OTL.exe MOD - [2008/03/25 08:17:04 | 000,076,048 | ---- | M] (Bioscrypt Inc.) -- C:\WINDOWS\system32\APSHook.dll ========== Win32 Services (SafeList) ========== SRV - [2010/02/11 15:36:12 | 000,300,400 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe -- (Kodak AiO Network Discovery Service) SRV - [2009/02/26 15:07:08 | 001,799,496 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService) SRV - [2009/02/01 23:37:00 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus) SRV - [2009/02/01 21:43:02 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC) SRV - [2008/12/18 16:46:30 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (EraserSvc10923) SRV - [2008/12/18 16:46:30 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr) SRV - [2008/12/18 16:46:30 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr) SRV - [2008/12/10 15:46:58 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate) SRV - [2008/06/02 13:32:16 | 000,018,944 | ---- | M] (Hewlett-Packard Development Company, L.P) [Auto | Running] -- c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe -- (HP ProtectTools Service) SRV - [2008/05/30 12:36:20 | 000,256,512 | ---- | M] (SafeBoot International) [Auto | Running] -- c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe -- (HpFkCryptService) SRV - [2008/05/20 20:42:40 | 000,111,888 | ---- | M] (Bioscrypt Inc.) [Auto | Running] -- c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll -- (ASBroker) SRV - [2008/05/20 20:42:34 | 000,137,488 | ---- | M] (Bioscrypt Inc.) [Auto | Running] -- c:\Program Files\Hewlett-Packard\IAM\Bin\ASChnl.dll -- (ASChannel) SRV - [2008/05/15 18:11:12 | 001,176,824 | ---- | M] (AuthenTec, Inc.) [Auto | Running] -- c:\Program Files\Fingerprint Sensor\AtService.exe -- (ATService) SRV - [2007/12/11 15:15:04 | 000,012,800 | ---- | M] (Agere Systems) [Auto | Running] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio) SRV - [2007/05/15 19:08:40 | 000,182,576 | ---- | M] (ActivIdentity) [Auto | Running] -- c:\Program Files\ActivIdentity\ActivClient\accoca.exe -- (accoca) SRV - [2006/01/06 15:07:26 | 000,077,824 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\hphipm11.exe -- (Pml Driver HPH11) ========== Driver Services (SafeList) ========== DRV - [2010/04/24 22:29:16 | 000,024,064 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sfaudio.sys -- (SFAUDIO) DRV - [2010/02/16 05:00:00 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100424.020\NAVEX15.SYS -- (NAVEX15) DRV - [2010/02/16 05:00:00 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100424.020\NAVENG.SYS -- (NAVENG) DRV - [2009/08/27 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl) DRV - [2009/08/27 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv) DRV - [2009/03/23 12:32:31 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent) DRV - [2008/12/19 15:08:12 | 000,319,792 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL) DRV - [2008/12/19 15:08:12 | 000,280,112 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP) DRV - [2008/12/19 15:08:12 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX) DRV - [2008/09/09 14:54:42 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv) DRV - [2008/08/21 11:13:56 | 000,191,536 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI) DRV - [2008/08/21 11:13:56 | 000,027,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV) DRV - [2008/05/30 12:37:06 | 000,051,376 | ---- | M] (SafeBoot N.V.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SbAlg.sys -- (SbAlg) DRV - [2008/05/30 12:37:02 | 000,012,928 | ---- | M] (SafeBoot International) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\SbFsLock.sys -- (SbFsLock) DRV - [2008/05/30 12:37:00 | 000,012,496 | ---- | M] (SafeBoot International) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\rsvlock.sys -- (RsvLock) DRV - [2008/05/30 12:36:58 | 000,108,752 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SafeBoot.sys -- (SafeBoot) DRV - [2008/05/27 09:55:48 | 000,174,600 | ---- | M] (AMD Technologies Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ahcix86.sys -- (ahcix86) DRV - [2008/05/23 09:51:02 | 000,024,624 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\hpdskflt.sys -- (hpdskflt) DRV - [2008/05/23 09:50:16 | 000,028,592 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Accelerometer.sys -- (Accelerometer) DRV - [2008/05/15 20:33:44 | 002,881,536 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag) DRV - [2008/05/15 16:29:32 | 000,475,520 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys -- (ATSwpWDF) DRV - [2008/05/08 10:02:52 | 000,203,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rmcast.sys -- (RMCAST) DRV - [2008/04/28 18:22:10 | 000,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey) DRV - [2008/04/13 14:40:50 | 000,149,376 | ---- | M] (M-Systems) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tffsport.sys -- (tffsport) DRV - [2008/04/13 14:39:44 | 000,092,544 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mqac.sys -- (MQAC) DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus) DRV - [2008/04/11 12:19:42 | 000,338,944 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService) DRV - [2008/04/10 17:27:34 | 001,804,160 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snp2uvc.sys -- (SNP2UVC) USB2.0 PC Camera (SNP2UVC) DRV - [2008/03/27 14:14:06 | 000,224,672 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP) DRV - [2008/03/21 14:35:14 | 001,287,552 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX) DRV - [2008/03/12 11:43:26 | 000,015,416 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Amddfltr.sys -- (Amddfltr) DRV - [2008/02/29 19:13:38 | 001,202,560 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem) DRV - [2007/11/29 14:35:44 | 000,163,328 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k) Broadcom NetLink DRV - [2007/06/18 20:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr) DRV - [2007/04/16 19:46:34 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM) DRV - [2007/04/04 15:16:20 | 000,041,216 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM) DRV - [2006/01/06 15:07:27 | 000,018,928 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphius11.sys -- (Dot4Usb HPH11) DRV - [2006/01/06 15:07:27 | 000,016,112 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphipr11.sys -- (Dot4Print HPH11) DRV - [2006/01/06 15:07:26 | 000,050,896 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphid411.sys -- (Dot4 HPH11) DRV - [2001/08/17 15:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA) DRV - [2001/08/17 11:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - HKLM\software\mozilla\Firefox\Extensions\\{E3278AD6-FAF3-496F-906E-18B81B7B083E}: C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\{E3278AD6-FAF3-496F-906E-18B81B7B083E} [2010/04/20 15:40:35 | 000,000,000 | ---D | M] [2010/04/22 10:12:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\Mozilla\Extensions [2010/01/05 13:08:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\Mozilla\Extensions\[email protected] O1 HOSTS File: ([2010/04/22 10:32:41 | 000,392,702 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: 127.0.0.1 www.007guard.com O1 - Hosts: 127.0.0.1 007guard.com O1 - Hosts: 127.0.0.1 008i.com O1 - Hosts: 127.0.0.1 www.008k.com O1 - Hosts: 127.0.0.1 008k.com O1 - Hosts: 127.0.0.1 www.00hq.com O1 - Hosts: 127.0.0.1 00hq.com O1 - Hosts: 127.0.0.1 010402.com O1 - Hosts: 127.0.0.1 www.032439.com O1 - Hosts: 127.0.0.1 032439.com O1 - Hosts: 127.0.0.1 www.0scan.com O1 - Hosts: 127.0.0.1 0scan.com O1 - Hosts: 127.0.0.1 1000gratisproben.com O1 - Hosts: 127.0.0.1 www.1000gratisproben.com O1 - Hosts: 127.0.0.1 1001namen.com O1 - Hosts: 127.0.0.1 www.1001namen.com O1 - Hosts: 127.0.0.1 100888290cs.com O1 - Hosts: 127.0.0.1 www.100888290cs.com O1 - Hosts: 127.0.0.1 www.100sexlinks.com O1 - Hosts: 127.0.0.1 100sexlinks.com O1 - Hosts: 127.0.0.1 10sek.com O1 - Hosts: 127.0.0.1 www.10sek.com O1 - Hosts: 127.0.0.1 www.1-2005-search.com O1 - Hosts: 127.0.0.1 1-2005-search.com O1 - Hosts: 13564 more lines... O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found. O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation) O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation) O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\Cpqset.exe () O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company) O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.) O4 - HKLM..\Run: [startCCC] c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.) O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop.com/betapit/PCPitStop.CAB (PCPitstop Utility) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1237572595955 (MUWebControl Class) O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager) O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - AppInit_DLLs: (APSHook.dll) - C:\WINDOWS\System32\APSHook.dll (Bioscrypt Inc.) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\ackpbsc: DllName - c:\WINDOWS\system32\ackpbsc.dll - C:\WINDOWS\system32\ackpbsc.dll (ActivIdentity) O20 - Winlogon\Notify\acunlock: DllName - c:\Program Files\ActivIdentity\ActivClient\acunlock.dll - c:\Program Files\ActivIdentity\ActivClient\acunlock.dll (ActivIdentity) O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) O20 - Winlogon\Notify\OneCard: DllName - c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll - c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll (Bioscrypt Inc.) O24 - Desktop BackupWallPaper: C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: 6to4 - File not found NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/06/21 23:26:35 | 000,000,000 | ---D | M] NetSvcs: Iprip - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: WmdmPmSp - File not found NetSvcs: SSHNAS - File not found CREATERESTOREPOINT Restore point Set: OTL Restore Point (69256455022182400) ========== Files/Folders - Created Within 90 Days ========== [2010/04/24 22:12:12 | 000,562,688 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\KSOBECKI\Desktop\OTL.exe [2010/04/24 22:07:13 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\KSOBECKI\Recent [2010/04/23 10:23:51 | 000,409,600 | ---- | C] (Eastman Kodak Company) -- C:\WINDOWS\System32\EKIJ5000MON.dll [2010/04/23 10:23:51 | 000,131,072 | ---- | C] (Eastman Kodak Company) -- C:\WINDOWS\System32\EKIJCOINST07.dll [2010/04/23 10:22:08 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0 [2010/04/22 10:50:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer [2010/04/22 08:28:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Application Data\Malwarebytes [2010/04/22 08:27:53 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010/04/22 08:27:51 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010/04/22 08:27:51 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010/04/22 08:27:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes [2010/04/22 08:15:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe [2010/04/21 08:46:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun [2010/04/20 15:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia [2010/04/20 15:40:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\{E3278AD6-FAF3-496F-906E-18B81B7B083E} [2010/04/20 15:10:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe [2010/04/20 15:05:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Application Data\F0C8A70282C3527304FD7E600530EA1C [2010/04/12 15:54:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Application Data\pdf995 [2010/04/12 15:50:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pdf995 [2010/04/12 15:50:39 | 000,249,856 | ---- | C] (TODO: <Company name>) -- C:\WINDOWS\System32\pdfmona.dll [2010/04/08 19:53:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\Mozilla [2010/03/30 16:37:08 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime [2010/03/30 16:37:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer [2010/03/21 17:44:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Application Data\Apple Computer [2010/03/21 08:50:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple [2010/03/21 08:50:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\Apple [2010/03/21 08:50:21 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update [2010/03/21 08:50:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\Apple Computer [2010/03/07 21:16:43 | 000,000,000 | ---D | C] -- C:\Program Files\DeductionPro 2009 [2010/03/07 21:14:36 | 000,000,000 | ---D | C] -- C:\Program Files\HRBlock2009 [2010/03/01 09:02:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\Eastman_Kodak_Company [2010/03/01 08:56:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\KODAK [2010/03/01 08:56:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\Eastman Kodak Company [2010/03/01 08:54:17 | 000,000,000 | ---D | C] -- C:\Program Files\Kodak [2009/03/20 20:16:56 | 000,180,224 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2uvc.dll [2007/07/05 04:28:52 | 000,176,128 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2uvc.dll [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files - Modified Within 90 Days ========== [2010/04/24 22:31:02 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010/04/24 22:30:16 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010/04/24 22:30:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010/04/24 22:29:44 | 1875,759,104 | -HS- | M] () -- C:\hiberfil.sys [2010/04/24 22:29:16 | 000,024,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\sfaudio.sys [2010/04/24 22:16:06 | 000,293,376 | ---- | M] () -- C:\nvmx55zj.exe [2010/04/24 22:12:17 | 000,562,688 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\KSOBECKI\Desktop\OTL.exe [2010/04/23 17:43:16 | 006,815,744 | -H-- | M] () -- C:\Documents and Settings\KSOBECKI\NTUSER.DAT [2010/04/23 16:56:40 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\KSOBECKI\ntuser.ini [2010/04/23 16:56:33 | 004,299,956 | -H-- | M] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\IconCache.db [2010/04/23 13:24:13 | 000,013,426 | -HS- | M] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\q841 [2010/04/23 13:24:13 | 000,013,426 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\q841 [2010/04/23 12:22:07 | 000,407,552 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\My Documents\Order Sofo Foods Samples 4-23-10.xls [2010/04/23 12:21:55 | 001,349,120 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\My Documents\Copy of National Account Price list for orders shipping 03 22 10 - 04 02 10.xls [2010/04/23 10:26:44 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk [2010/04/23 09:27:48 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat [2010/04/22 20:57:16 | 000,020,686 | ---- | M] () -- C:\Documents and Settings\KSOBECKI\Desktop\March.docx [2010/04/22 10:32:41 | 000,392,702 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2010/04/22 08:27:56 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/04/22 08:19:01 | 000,011,868 | -HS- | M] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\34f60 [2010/04/22 08:19:01 | 000,011,868 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\34f60 [2010/04/22 08:15:40 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat [2010/04/21 02:48:33 | 000,000,094 | ---- | M] () -- C:\WINDOWS\wininit.ini [2010/04/20 17:43:14 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Jcirejifigocixa.dat [2010/04/20 16:58:28 | 000,001,661 | ---- | M] () -- C:\WINDOWS\lsrslt.ini [2010/04/20 15:42:26 | 000,571,308 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010/04/20 15:42:26 | 000,477,702 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010/04/20 15:42:26 | 000,082,990 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010/04/20 15:40:36 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Psapewisurase.bin [2010/04/19 21:44:37 | 000,306,176 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\My Documents\Copy of House of Raeford Contract Request Form Final.xls [2010/04/13 16:31:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job [2010/04/12 15:54:43 | 000,000,028 | ---- | M] () -- C:\WINDOWS\pdf995.ini [2010/04/12 15:50:39 | 000,249,856 | ---- | M] (TODO: <Company name>) -- C:\WINDOWS\System32\pdfmona.dll [2010/04/12 15:50:39 | 000,051,716 | ---- | M] () -- C:\WINDOWS\System32\pdf995mon.dll [2010/04/08 19:53:37 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat [2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010/03/22 11:51:13 | 000,046,592 | ---- | M] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010/03/07 21:16:58 | 000,001,479 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DeductionPro 2009.lnk [2010/03/07 21:16:03 | 000,001,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\H&R Block 2009.lnk [2010/02/18 14:53:07 | 000,000,560 | ---- | M] () -- C:\hpfr5550.xml [2010/02/16 18:25:35 | 000,011,396 | ---- | M] () -- C:\Documents and Settings\KSOBECKI\Desktop\Year to year Sofo.docx [2010/02/16 17:51:29 | 000,034,602 | ---- | M] () -- C:\Documents and Settings\KSOBECKI\Desktop\2008 Cases Sofo.docx [2010/02/16 17:40:35 | 000,035,521 | ---- | M] () -- C:\Documents and Settings\KSOBECKI\Desktop\2009 Cases Sofo.docx [2010/02/08 15:17:51 | 000,028,408 | ---- | M] () -- C:\Documents and Settings\KSOBECKI\Desktop\s0p17h4102T.docx [2010/02/08 12:06:00 | 000,409,600 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\System32\EKIJ5000MON.dll [2010/02/08 12:05:00 | 000,131,072 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\System32\EKIJCOINST07.dll [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/04/24 22:16:03 | 000,293,376 | ---- | C] () -- C:\nvmx55zj.exe [2010/04/23 12:21:53 | 001,349,120 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\My Documents\Copy of National Account Price list for orders shipping 03 22 10 - 04 02 10.xls [2010/04/23 10:26:44 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk [2010/04/23 10:14:02 | 000,035,634 | ---- | C] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\c4u.log [2010/04/23 08:23:59 | 000,407,552 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\My Documents\Order Sofo Foods Samples 4-23-10.xls [2010/04/23 07:52:23 | 000,013,426 | -HS- | C] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\q841 [2010/04/23 07:52:23 | 000,013,426 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\q841 [2010/04/22 08:27:56 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/04/22 08:17:00 | 1875,759,104 | -HS- | C] () -- C:\hiberfil.sys [2010/04/22 08:15:40 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat [2010/04/21 21:49:19 | 000,011,868 | -HS- | C] () -- C:\Documents and Settings\KSOBECKI\Local Settings\Application Data\34f60 [2010/04/21 21:49:19 | 000,011,868 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\34f60 [2010/04/20 17:38:45 | 000,000,094 | ---- | C] () -- C:\WINDOWS\wininit.ini [2010/04/20 16:58:28 | 000,001,661 | ---- | C] () -- C:\WINDOWS\lsrslt.ini [2010/04/20 15:40:36 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Jcirejifigocixa.dat [2010/04/20 15:40:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Psapewisurase.bin [2010/04/19 21:44:32 | 000,306,176 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\My Documents\Copy of House of Raeford Contract Request Form Final.xls [2010/04/12 15:54:43 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini [2010/04/12 15:50:40 | 000,000,142 | ---- | C] () -- C:\WINDOWS\wpd99.drv [2010/04/12 15:50:39 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll [2010/04/08 19:53:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat [2010/03/21 08:50:26 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job [2010/03/07 21:22:47 | 000,002,414 | ---- | C] () -- C:\Documents and Settings\KSOBECKI\DeductionPro2009.log [2010/03/07 21:16:58 | 000,001,479 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DeductionPro 2009.lnk [2010/03/07 21:16:03 | 000,001,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\H&R Block 2009.lnk [2010/02/16 18:25:35 | 000,011,396 | ---- | C] () -- C:\Documents and Settings\KSOBECKI\Desktop\Year to year Sofo.docx [2010/02/16 17:51:29 | 000,034,602 | ---- | C] () -- C:\Documents and Settings\KSOBECKI\Desktop\2008 Cases Sofo.docx [2010/02/16 17:40:35 | 000,035,521 | ---- | C] () -- C:\Documents and Settings\KSOBECKI\Desktop\2009 Cases Sofo.docx [2010/02/08 15:17:51 | 000,028,408 | ---- | C] () -- C:\Documents and Settings\KSOBECKI\Desktop\s0p17h4102T.docx [2010/01/21 22:49:12 | 000,000,044 | ---- | C] () -- C:\WINDOWS\SMWizard.INI [2009/09/17 19:09:54 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini [2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll [2009/04/29 12:46:02 | 000,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini [2009/04/29 12:40:27 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\hpodinet.dll [2009/04/10 12:37:43 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll [2008/06/22 00:28:19 | 000,028,510 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini [2008/05/30 12:36:58 | 000,108,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\SafeBoot.sys [2008/04/28 12:13:33 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini [2008/04/10 13:27:34 | 001,804,160 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys [2008/03/28 06:14:02 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\sfaudio.sys [2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini [2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini [2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini [2007/05/10 02:16:40 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\drivers\sncduvc.sys [2006/05/19 22:39:58 | 000,015,497 | ---- | C] () -- C:\WINDOWS\snp2uvc.ini [2005/04/03 18:30:00 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\scardsyn.dll [2004/08/07 09:19:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2004/08/07 09:12:40 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini [1998/05/06 23:10:00 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\ODMA32.dll ========== LOP Check ========== [2009/10/13 21:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM [2010/03/01 09:02:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company [2010/03/01 09:03:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kds_kodak [2010/04/12 20:48:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995 [2009/12/31 18:54:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard [2010/01/01 13:03:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla! [2010/03/07 21:13:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut [2010/01/06 14:02:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint [2008/06/22 00:33:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3} [2009/10/13 21:13:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\acccore [2009/04/03 11:29:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 [2010/04/21 21:21:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\F0C8A70282C3527304FD7E600530EA1C [2010/01/05 13:08:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\Flickr [2010/01/07 19:50:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\MSNInstaller [2010/04/12 15:54:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\pdf995 [2010/04/12 20:48:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\TaxCut [2010/04/23 12:37:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\Temp [2009/04/30 18:13:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\Windows Desktop Search [2009/08/02 08:40:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KSOBECKI\Application Data\Windows Search ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.exe > [2010/04/24 22:16:06 | 000,293,376 | ---- | M] () -- C:\nvmx55zj.exe < MD5 for: AGP440.SYS > [2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys [2004/08/04 04:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys [2009/03/20 14:31:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys [2009/03/20 14:31:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys [2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys [2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys < MD5 for: AHCIX86.SYS > [2008/05/27 09:55:48 | 000,174,600 | ---- | M] (AMD Technologies Inc.) MD5=15DA079FF09BE5FA6602041EE286DE80 -- C:\SwSetup\HDD1\ahcix86.sys [2008/05/27 09:55:48 | 000,174,600 | ---- | M] (AMD Technologies Inc.) MD5=15DA079FF09BE5FA6602041EE286DE80 -- C:\SwSetup\HDD1\RAID7xx\x86\ahcix86.sys [2008/05/27 09:55:48 | 000,174,600 | ---- | M] (AMD Technologies Inc.) MD5=15DA079FF09BE5FA6602041EE286DE80 -- C:\WINDOWS\system32\drivers\ahcix86.sys < MD5 for: ATAPI.SYS > [2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys [2004/08/04 04:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys [2009/03/20 14:31:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys [2009/03/20 14:31:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys [2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys [2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys [2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys < MD5 for: EVENTLOG.DLL > [2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll [2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll [2004/08/04 04:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll < MD5 for: NETLOGON.DLL > [2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll [2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll [2004/08/04 04:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll < MD5 for: SCECLI.DLL > [2004/08/04 04:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll [2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll [2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll < %systemroot%\*. /mp /s > < End of report > OTL Extras logfile created on: 4/24/2010 10:33:53 PM - Run 1 OTL by OldTimer - Version 3.2.2.0 Folder = C:\Documents and Settings\KSOBECKI\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.13) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free 4.00 Gb Paging File | 3.00 Gb Available in Paging File | 78.00% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 231.87 Gb Total Space | 199.23 Gb Free Space | 85.92% Space Free | Partition Type: NTFS Drive D: | 1.00 Gb Total Space | 0.97 Gb Free Space | 97.24% Space Free | Partition Type: FAT32 E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: KENHPLT Current User Name: KSOBECKI Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: On Skip Microsoft Files: On File Age = 90 Days Output = Standard Quick Scan ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation) htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "AntiVirusOverride" = 0 "FirewallOverride" = 0 "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 0 "DoNotAllowExceptions" = 0 "DisableNotifications" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DoNotAllowExceptions" = 0 "DisableNotifications" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "1723:TCP" = 1723:TCP:*:Enabled:VPN "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 "3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 "9322:TCP" = 9322:TCP:*:Enabled:EKDiscovery ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation) "C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation) "C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation) "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation) "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.) "C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC) "C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found "C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL LLC) "C:\Program Files\Ares\Ares.exe" = C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows -- File not found "C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation) "C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe" = C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe:*:Enabled:Kodak.AiO.HomeCenter -- (Eastman Kodak Company) "C:\Program Files\Kodak\AiO\Center\Kodak.Statistics.exe" = C:\Program Files\Kodak\AiO\Center\Kodak.Statistics.exe:*:Enabled:Kodak.AiO.Statistics -- (Eastman Kodak Company) "C:\Program Files\Kodak\AiO\Center\NetworkPrinterDiscovery.exe" = C:\Program Files\Kodak\AiO\Center\NetworkPrinterDiscovery.exe:*:Enabled:Kodak.AiO.SetupUtility -- (Eastman Kodak Company) "C:\Program Files\Kodak\AiO\Firmware\KodakAiOUpdater.exe" = C:\Program Files\Kodak\AiO\Firmware\KodakAiOUpdater.exe:*:Enabled:Kodak.AiO.FwUpdater -- (Eastman Kodak Company) "C:\Documents and Settings\All Users\Application Data\Kodak\Installer\Setup.exe" = C:\Documents and Settings\All Users\Application Data\Kodak\Installer\Setup.exe:*:Enabled:Kodak.AiO.Installer -- (Eastman Kodak Company) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{04788045-DEF3-4911-91B5-384A6915F21B}" = TaxCut Ohio 2008 "{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center "{05B62241-5495-46EF-5086-DBE0F37F052C}" = Catalyst Control Center Localization Korean "{0645A454-AD44-4F0D-99CF-6B762735AD1F}" = aioprnt "{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour "{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer "{0F98662A-EA83-414F-8766-3FCE46A32641}" = Credential Manager for HP ProtectTools "{10934A28-0CC6-4B98-A14F-76B3546003AF}" = ksDIP "{154E4F71-DFC0-4B31-8D99-F97615031B02}" = HP Webcam Application "{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0 "{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java 6 Update 14 "{27FE77BD-2E0A-385C-C2CC-8367D877356F}" = CCC Help Norwegian "{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com "{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime "{2CD54AED-740B-1418-464E-CC8E15AD1E4F}" = Catalyst Control Center Localization Swedish "{2D0EE88B-8720-50A7-7F31-503B4300A8C5}" = Catalyst Control Center Localization French "{2D87E961-577B-492B-AD54-1368680FB9A7}" = Bing Maps 3D "{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 E1 "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{35EB3E58-F46C-CB48-C623-16A455C37C5D}" = CCC Help Turkish "{36C491D0-A196-F49C-C63C-3509D7A2B91D}" = CCC Help Finnish "{37AF26EB-ACCD-4F9C-A13E-81483F932203}" = Catalyst Control Center - Branding "{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = HP Webcam "{45E6BF4C-6DC8-B1BB-517C-5F2C1D055A9B}" = CCC Help Hungarian "{48072101-4DFE-9DC2-9F5D-DE0EF7193C98}" = CCC Help Korean "{48B41C3A-9A92-4B81-B653-C97FEB85C910}" = C4USelfUpdater "{49798684-CC48-AF5C-E513-9FFF61EFD3A6}" = CCC Help Japanese "{4BFA6EEB-AAED-4334-8E98-A907DE4DD5CF}" = AMD Driver Support for HP 3D DriverGuard "{4CF11D44-43B7-1359-B438-972C69D7AD6F}" = CCC Help Spanish "{4ED20E34-D511-A85B-D7E5-755AE64D5F6C}" = CCC Help Portuguese "{53A19323-917A-4822-B27E-A57D1EF6E9FC}" = H&R Block Deluxe + Efile + State 2009 "{553255F3-78FD-4
  10. Jon Tom said Hello kensob You had some very nasty stuff on your machine (Backdoors and Rootkits). It may be the case that there are still a few things that need to be taken care of. If I were you I would create a thread in the HJT forum and ask the good people there to check your system: http://forums.pcpitstop.com/index.php?showforum=25 Include a link to this thread or alternatively post the MBAM log in the new thread. Then wait for a Trusted HJT Advisor to get in touch. They will ask you to perform some system scans and then advise you if anything else needs to be done. JonTom Here are the results of the scan. Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Database version: 4021 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.13 4/22/2010 8:38:59 AM mbam-log-2010-04-22 (08-38-59).txt Scan type: Quick scan Objects scanned: 113818 Time elapsed: 8 minute(s), 41 second(s) Memory Processes Infected: 1 Memory Modules Infected: 1 Registry Keys Infected: 8 Registry Values Infected: 2 Registry Data Items Infected: 3 Folders Infected: 0 Files Infected: 7 Memory Processes Infected: C:\Documents and Settings\MYNAME\Local Settings\Application Data\vma.exe (Rogue.MultipleAV) -> Unloaded process successfully. Memory Modules Infected: c:\WINDOWS\system32\6to4v32.dll (Backdoor.Bot) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{98279c38-de4b-4bcf-93c9-8ec26069d6f4} (Adware.SelectRebates) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\B1RQJ7YJ0U (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{98279c38-de4b-4bcf-93c9-8ec26069d6f4} (Adware.SelectRebates) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.185,93.188.161.153 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{252e4288-fd55-4506-a456-9208c6be7cc8}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.185,93.188.161.153 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6bef952-dc8f-4435-8004-795aa3183414}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.185,93.188.161.153 -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: c:\WINDOWS\system32\6to4v32.dll (Backdoor.Bot) -> Delete on reboot. C:\Program Files\Internet Explorer\ws2_32.dll (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\system32\scsichk.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\Jpadia.exe (Trojan.CodecPack) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully. C:\Documents and Settings\MYNAME\Local Settings\Application Data\vma.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully. C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
  11. Here are the results of the scan. Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Database version: 4021 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.13 4/22/2010 8:38:59 AM mbam-log-2010-04-22 (08-38-59).txt Scan type: Quick scan Objects scanned: 113818 Time elapsed: 8 minute(s), 41 second(s) Memory Processes Infected: 1 Memory Modules Infected: 1 Registry Keys Infected: 8 Registry Values Infected: 2 Registry Data Items Infected: 3 Folders Infected: 0 Files Infected: 7 Memory Processes Infected: C:\Documents and Settings\MYNAME\Local Settings\Application Data\vma.exe (Rogue.MultipleAV) -> Unloaded process successfully. Memory Modules Infected: c:\WINDOWS\system32\6to4v32.dll (Backdoor.Bot) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{98279c38-de4b-4bcf-93c9-8ec26069d6f4} (Adware.SelectRebates) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\B1RQJ7YJ0U (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{98279c38-de4b-4bcf-93c9-8ec26069d6f4} (Adware.SelectRebates) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.185,93.188.161.153 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{252e4288-fd55-4506-a456-9208c6be7cc8}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.185,93.188.161.153 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c6bef952-dc8f-4435-8004-795aa3183414}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.185,93.188.161.153 -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: c:\WINDOWS\system32\6to4v32.dll (Backdoor.Bot) -> Delete on reboot. C:\Program Files\Internet Explorer\ws2_32.dll (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\system32\scsichk.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\Jpadia.exe (Trojan.CodecPack) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully. C:\Documents and Settings\MYNAME\Local Settings\Application Data\vma.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully. C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
  12. I checked into a hotel and got the wireless internet. Almost immediately I got messages from Antimalware Doctor that Iam infected. I know this is the virus but want to stop it. It seems as though there is an endless loop where I cannot open Firefox either. I tried to open Task Manager or to look at the Hidden Files but both options seem to be blocked. I find Packed.Mystic!gen3 is found by Symantec Endpoint which it says is quarantined. How can I get rid of this bug?
×
×
  • Create New...