[RESOLVED] JS/Iframe Trojan removal - Page 2

Thread: [RESOLVED] JS/Iframe Trojan removal

  1. #16 (Join Date: Jun 2004; Location: Mill Valley, CA; Posts: 233)
    Broni.. Sorry.. here it is below:


    ComboFix 12-04-03.02 - Administrator 04/03/2012 16:31:02.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2330 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\searchplugins\bing-zugo.xml
    c:\documents and settings\Administrator\g2mdlhlpx.exe
    c:\documents and settings\Administrator\Local Settings\Application Data\{E570ACC0-095D-4DAD-BCA6-15EA0BAA8282}
    c:\documents and settings\Administrator\Local Settings\Application Data\{E570ACC0-095D-4DAD-BCA6-15EA0BAA8282}\chrome\content\overlay.xul
    c:\documents and settings\Administrator\Local Settings\Application Data\{E570ACC0-095D-4DAD-BCA6-15EA0BAA8282}\install.rdf
    c:\documents and settings\Administrator\System
    c:\documents and settings\Administrator\System\win_qs8.jqx
    c:\documents and settings\All Users\Application Data\TEMP
    c:\program files\Search Toolbar
    c:\program files\Search Toolbar\icon.ico
    c:\program files\Search Toolbar\SearchToolbarUninstall.exe
    c:\program files\Search Toolbar\SearchToolbarUpdater.exe
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-03 to 2012-04-03 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-03 20:34 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-04-03 20:34 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-04-03 20:34 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-04-03 20:34 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-04-03 20:34 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-04-03 20:34 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-04-03 20:34 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-04-03 20:34 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-04-03 20:33 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
    2012-04-03 20:33 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-04-03 20:33 . 2012-04-03 20:33 -------- d-----w- c:\program files\AVAST Software
    2012-04-03 20:33 . 2012-04-03 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
    2012-03-11 02:03 . 2012-03-11 02:03 -------- d-----w- c:\program files\Common Files\Java
    2012-03-11 02:02 . 2012-03-11 02:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-11 02:02 . 2011-03-11 23:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-02-03 09:22 . 2008-04-14 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44 . 2011-03-20 23:14 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-11 19:06 . 2012-02-15 17:04 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20 . 2009-08-17 04:35 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2009-12-22 22:29 . 2009-12-22 22:29 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2009-12-22 22:29 . 2009-12-22 22:29 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2009-12-22 22:29 . 2009-12-22 22:29 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-09-13 06:05 . 2009-09-13 06:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2009-09-13 06:06 . 2009-09-13 06:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2009-09-13 06:06 . 2009-09-13 06:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2009-09-13 06:06 . 2009-09-13 06:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2009-09-13 06:06 . 2009-09-13 06:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2009-09-13 06:07 . 2009-09-13 06:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2009-09-13 06:06 . 2009-09-13 06:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2009-09-13 06:06 . 2009-09-13 06:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2009-12-22 22:29 . 2009-12-22 22:29 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
    2009-08-14 20:33 . 2009-08-14 20:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2009-09-13 06:06 . 2009-09-13 06:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2011-08-22 17:35 . 2011-03-22 18:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-08-17 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
    "Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2008-08-08 524288]
    "RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-03 113024]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
    "4100:UDP"= 4100:UDP:uPNP Router Control Port
    "5985:TCP"= 5985:TCP:*isabled:Windows Remote Management
    .
    R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [8/16/2009 8:26 PM 119808]
    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [5/3/2010 3:45 PM 40560]
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [4/17/2011 3:39 PM 13496]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/3/2012 1:34 PM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/3/2012 1:34 PM 337880]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 6:13 PM 65584]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/7/2010 10:02 AM 116608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2012 1:34 PM 20696]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/16/2009 7:37 AM 652360]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\Logishrd\LVMVFM\UMVPFSrv.exe [8/19/2011 10:26 AM 450848]
    R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [9/21/2010 10:03 AM 36224]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/16/2009 7:37 AM 20464]
    S1 dpzizbof;dpzizbof;\??\c:\windows\system32\drivers\dpzizbof.sys --> c:\windows\system32\drivers\dpzizbof.sys [?]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
    S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [9/29/2010 5:07 PM 1527900]
    S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service --> c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]
    S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [9/21/2010 10:03 AM 134912]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - ArcRec
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://sfbay.craigslist.org/
    uInternet Settings,ProxyOverride = localhost
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\
    FF - prefs.js: browser.startup.homepage - www.sfbay.craigslist.org
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z039&form=ZGAADF&q=
    FF - user.js: browser.cache.memory.capacity - 65536
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.interrupt.parsing - true
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 0
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    SafeBoot-SolutoService
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-03 16:34
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_sugo3_FUService]
    "ImagePath"="\"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-117609710-764733703-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,56,27,b4,78,92,0e,43,9c,2a,93,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,56,27,b4,78,92,0e,43,9c,2a,93,\
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
    @DACL=(02 0000)
    @="Wireless"
    "ProcessGroupPolicy"="ProcessWIRELESSPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
    @DACL=(02 0000)
    @="Folder Redirection"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
    "DllName"=expand:"fdeploy.dll"
    "NoMachinePolicy"=dword:00000001
    "NoSlowLink"=dword:00000001
    "PerUserLocalSettings"=dword:00000001
    "NoGPOListChanges"=dword:00000000
    "NoBackgroundPolicy"=dword:00000000
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "EventSources"=multi:"(Folder Redirection,Application)\00\00"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
    @DACL=(02 0000)
    "Status"=dword:00000000
    "RsopStatus"=dword:00000000
    "LastPolicyTime"=dword:00edd619
    "PrevSlowLink"=dword:00000000
    "PrevRsopLogging"=dword:00000001
    "ForceRefreshFG"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
    @DACL=(02 0000)
    @="Microsoft Disk Quota"
    "NoMachinePolicy"=dword:00000000
    "NoUserPolicy"=dword:00000001
    "NoSlowLink"=dword:00000001
    "NoBackgroundPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "PerUserLocalSettings"=dword:00000000
    "RequiresSuccessfulRegistry"=dword:00000001
    "EnableAsynchronousProcessing"=dword:00000000
    "DllName"=expand:"dskquota.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
    @DACL=(02 0000)
    @="QoS Packet Scheduler"
    "ProcessGroupPolicy"="ProcessPSCHEDPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
    @DACL=(02 0000)
    @="Scripts"
    "ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
    "ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
    "GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
    "DllName"=expand:"gptext.dll"
    "NoSlowLink"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "NotifyLinkTransition"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
    @DACL=(02 0000)
    @="Internet Explorer Zonemapping"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
    "NoGPOListChanges"=dword:00000001
    "RequiresSucessfulRegistry"=dword:00000001
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
    @DACL=(02 0000)
    @="Internet Explorer User Accelerators"
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "NoGPOListChanges"=dword:00000001
    "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
    @DACL=(02 0000)
    "ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
    "GenerateGroupPolicy"="SceGenerateGroupPolicy"
    "ExtensionRsopPlanningDebugLevel"=dword:00000001
    "ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
    "ExtensionDebugLevel"=dword:00000001
    "DllName"=expand:"scecli.dll"
    @="Security"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "EnableAsynchronousProcessing"=dword:00000001
    "MaxNoGPOListChangesInterval"=dword:000003c0
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
    @DACL=(02 0000)
    "ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    @="Internet Explorer Branding"
    "NoSlowLink"=dword:00000001
    "NoBackgroundPolicy"=dword:00000000
    "NoGPOListChanges"=dword:00000001
    "NoMachinePolicy"=dword:00000001
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
    @DACL=(02 0000)
    "ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
    "DllName"=expand:"scecli.dll"
    @="EFS recovery"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "RequiresSuccessfulRegistry"=dword:00000001
    "Status"=dword:00000000
    "RsopStatus"=dword:80070032
    "LastPolicyTime"=dword:00edd619
    "PrevSlowLink"=dword:00000000
    "PrevRsopLogging"=dword:00000001
    "ForceRefreshFG"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
    @DACL=(02 0000)
    @="802.3 Group Policy"
    "DisplayName"=expand:"@dot3gpclnt.dll,-100"
    "ProcessGroupPolicyEx"="ProcessLANPolicyEx"
    "GenerateGroupPolicy"="GenerateLANPolicy"
    "DllName"=expand:"dot3gpclnt.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
    @DACL=(02 0000)
    @="Microsoft Offline Files"
    "DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
    "EnableAsynchronousProcessing"=dword:00000000
    "NoBackgroundPolicy"=dword:00000000
    "NoGPOListChanges"=dword:00000000
    "NoMachinePolicy"=dword:00000000
    "NoSlowLink"=dword:00000000
    "NoUserPolicy"=dword:00000001
    "PerUserLocalSettings"=dword:00000000
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
    @DACL=(02 0000)
    @="Software Installation"
    "DllName"=expand:"appmgmts.dll"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "NoBackgroundPolicy"=dword:00000000
    "RequiresSucessfulRegistry"=dword:00000000
    "NoSlowLink"=dword:00000001
    "PerUserLocalSettings"=dword:00000001
    "EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
    @DACL=(02 0000)
    @="Internet Explorer Machine Accelerators"
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "NoGPOListChanges"=dword:00000001
    "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
    @DACL=(02 0000)
    @="IP Security"
    "ProcessGroupPolicy"="ProcessIPSECPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    @DACL=(02 0000)
    "DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
    "Logon"="SABWINLOLogon"
    "Logoff"="SABWINLOLogoff"
    "Startup"="SABWINLOStartup"
    "Shutdown"="SABWINLOShutdown"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    @DACL=(02 0000)
    "DLLName"="Ati2evxx.dll"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000001
    "Lock"="AtiLockEvent"
    "Logoff"="AtiLogoffEvent"
    "Logon"="AtiLogonEvent"
    "Disconnect"="AtiDisConnectEvent"
    "Reconnect"="AtiReConnectEvent"
    "Safe"=dword:00000000
    "Shutdown"="AtiShutdownEvent"
    "StartScreenSaver"="AtiStartScreenSaverEvent"
    "StartShell"="AtiStartShellEvent"
    "Startup"="AtiStartupEvent"
    "StopScreenSaver"="AtiStopScreenSaverEvent"
    "Unlock"="AtiUnLockEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=expand:"crypt32.dll"
    "Logoff"="ChainWlxLogoffEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=expand:"cryptnet.dll"
    "Logoff"="CryptnetWlxLogoffEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    @DACL=(02 0000)
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000001
    "DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
    "Startup"="WlDimsStartup"
    "Shutdown"="WlDimsShutdown"
    "Logon"="WlDimsLogon"
    "Logoff"="WlDimsLogoff"
    "StartShell"="WlDimsStartShell"
    "Lock"="WlDimsLock"
    "Unlock"="WlDimsUnlock"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
    @DACL=(02 0000)
    "DLLName"="c:\\program files\\common files\\logishrd\\bluetooth\\LBTWlgn.dll"
    "Asynchronous"=dword:00000000
    "Startup"="OnStartup"
    "Logon"="OnLogon"
    "StartShell"="OnStartShell"
    "Logoff"="OnLogoff"
    "Shutdown"="OnShutdown"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"LMIinit.dll"
    "Impersonate"=dword:00000000
    "Lock"="WLEventLock"
    "Logoff"="WLEventLogoff"
    "Logon"="WLEventLogon"
    "Shutdown"="WLEventShutdown"
    "StartScreenSaver"="WLEventStartScreenSaver"
    "StartShell"="WLEventStartShell"
    "Startup"="WLEventStartup"
    "StopScreenSaver"="WLEventStopScreenSaver"
    "Unlock"="WLEventUnlock"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    @DACL=(02 0000)
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"wlnotify.dll"
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    @DACL=(02 0000)
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=expand:"sclgntfy.dll"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    @DACL=(02 0000)
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"wlnotify.dll"
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    @DACL=(02 0000)
    "Logon"="WLEventLogon"
    "Logoff"="WLEventLogoff"
    "Startup"="WLEventStartup"
    "Shutdown"="WLEventShutdown"
    "StartScreenSaver"="WLEventStartScreenSaver"
    "StopScreenSaver"="WLEventStopScreenSaver"
    "Lock"="WLEventLock"
    "Unlock"="WLEventUnlock"
    "StartShell"="WLEventStartShell"
    "PostShell"="WLEventPostShell"
    "Disconnect"="WLEventDisconnect"
    "Reconnect"="WLEventReconnect"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000000
    "SafeMode"=dword:00000001
    "MaxWait"=dword:ffffffff
    "DllName"=expand:"WgaLogon.dll"
    "Event"=dword:00000000
    "InstallEvent"="1.9.0040.0"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    @DACL=(02 0000)
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
    @DACL=(02 0000)
    "HelpAssistant"=dword:00000000
    "TsInternetUser"=dword:00000000
    "SQLAgentCmdExec"=dword:00000000
    "NetShowServices"=dword:00000000
    "IWAM_"=dword:00010000
    "IUSR_"=dword:00010000
    "VUSR_"=dword:00010000
    "LogMeInRemoteUser"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1988)
    c:\windows\system32\LMIRfsClientNP.dll
    c:\windows\system32\l3codeca.acm
    .
    Completion time: 2012-04-03 16:36:13
    ComboFix-quarantined-files.txt 2012-04-03 23:36
    .
    Pre-Run: 283,015,110,656 bytes free
    Post-Run: 283,411,382,272 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
    .
    - - End Of File - - 112E0F0B8A32EC6E9E76C60CA4A5E568

  2. #17
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
As you can see, Combofix removed a number of infections and there is still more.

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Driver::
    dpzizbof
    
    Rootkit::
    c:\windows\system32\drivers\dpzizbof.sys
    
    Registry::
    
    ClearJavaCache::

    3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
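One way to automate what the helper does by hand above, as an added example that is not code from the thread, from Broni or from ComboFix: it parses service/driver lines in the ComboFix log layout shown on this page, flags entries worth a closer look, writes a CFScript in the form used above, and checks the follow-up log for the "-------\Service_<name>" deletion marker. The random-name heuristic, the function names and the date/size on the constructed dpzizbof line are assumptions.

```python
"""Triage helper for ComboFix log excerpts (added example, not ComboFix code).
Parses the service/driver lines, flags suspicious entries, builds the CFScript
the thread uses, and verifies the deletion marker in the follow-up log."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt modelled on the thread's "Reg Loading Points" section.
# The ahcix86, aswSP, ctxusbm and LMIInfo lines are copied from the thread;
# the dpzizbof line is constructed (its date and size are made up).
SAMPLE_PRE_LOG = r"""
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [8/16/2009 8:26 PM 119808]
R0 dpzizbof;dpzizbof;c:\windows\system32\drivers\dpzizbof.sys [3/30/2012 9:12 AM 38912]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/3/2012 1:34 PM 337880]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 6:13 PM 65584]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
"""

# Constructed excerpt of the follow-up log's "Drivers/Services" section.
SAMPLE_POST_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_dpzizbof
.
"""

# "R0 name;display;path [date time size]", or "[?]" when ComboFix could not
# stat the image file.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<rest>.+?)\s*\[(?P<info>[^\]]*)\]\s*$"
)
DELETED_SERVICE_RE = re.compile(r"^-+\\Service_(?P<name>\S+)\s*$")
# Heuristic (an assumption, not a ComboFix rule): 6-10 lowercase letters and
# no description is the naming pattern of the driver the thread removes.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,10}$")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class ServiceEntry:
    start: str    # R = running, S = stopped; the digit is the Windows start type
    name: str
    display: str
    path: str
    info: str     # "date time size", or "?" when the file could not be resolved


def parse_services(log: str) -> list[ServiceEntry]:
    """Return the service/driver entries found in a ComboFix log excerpt."""
    entries = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("rest")
        if " --> " in path:   # "\??\path --> path" form: keep the resolved path
            path = path.split(" --> ", 1)[1]
        entries.append(ServiceEntry(m.group("start"), m.group("name"),
                                    m.group("display"), path.strip(),
                                    m.group("info")))
    return entries


def triage(entries: list[ServiceEntry]) -> list[tuple[str, str]]:
    """Return (service name, reason) pairs worth a closer look."""
    findings = []
    for e in entries:
        if e.info == "?":
            findings.append((e.name, "image path could not be resolved"))
        elif (e.name == e.display and RANDOM_NAME_RE.match(e.name)
              and e.path.lower().startswith(DRIVER_DIR)):
            findings.append((e.name, "random-looking driver name, no description"))
    return findings


def build_cfscript(drivers: list[str], rootkit_paths: list[str]) -> str:
    """Build a CFScript.txt in the layout the thread uses."""
    lines = ["Driver::", *drivers, "", "Rootkit::", *rootkit_paths, "",
             "Registry::", "", "ClearJavaCache::"]
    return "\n".join(lines) + "\n"


def removed_services(followup_log: str) -> set[str]:
    """Service names ComboFix reports deleting ("-------\\Service_<name>")."""
    names = set()
    for line in followup_log.splitlines():
        m = DELETED_SERVICE_RE.match(line.strip())
        if m:
            names.add(m.group("name"))
    return names


def verify_removal(drivers: list[str], followup_log: str) -> dict[str, bool]:
    """For each driver in the script, did the follow-up log confirm deletion?"""
    removed = removed_services(followup_log)
    return {d: d in removed for d in drivers}


if __name__ == "__main__":
    found = triage(parse_services(SAMPLE_PRE_LOG))
    print(found)
    print(build_cfscript(["dpzizbof"], [DRIVER_DIR + "dpzizbof.sys"]))
    print(verify_removal(["dpzizbof"], SAMPLE_POST_LOG))
```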

  3. #18
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    Broni..

    OK.. completed the process and the log is below:


    ComboFix 12-04-03.02 - Administrator 04/03/2012 17:21:01.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2315 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_dpzizbof
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-04 to 2012-04-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-03 20:34 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-04-03 20:34 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-04-03 20:34 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-04-03 20:34 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-04-03 20:34 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-04-03 20:34 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-04-03 20:34 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-04-03 20:34 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-04-03 20:33 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
    2012-04-03 20:33 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-04-03 20:33 . 2012-04-03 20:33 -------- d-----w- c:\program files\AVAST Software
    2012-04-03 20:33 . 2012-04-03 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
    2012-03-11 02:03 . 2012-03-11 02:03 -------- d-----w- c:\program files\Common Files\Java
    2012-03-11 02:02 . 2012-03-11 02:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-11 02:02 . 2011-03-11 23:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-02-03 09:22 . 2008-04-14 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44 . 2011-03-20 23:14 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-11 19:06 . 2012-02-15 17:04 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20 . 2009-08-17 04:35 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2009-12-22 22:29 . 2009-12-22 22:29 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2009-12-22 22:29 . 2009-12-22 22:29 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2009-12-22 22:29 . 2009-12-22 22:29 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-09-13 06:05 . 2009-09-13 06:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2009-09-13 06:06 . 2009-09-13 06:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2009-09-13 06:06 . 2009-09-13 06:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2009-09-13 06:06 . 2009-09-13 06:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2009-09-13 06:06 . 2009-09-13 06:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2009-09-13 06:07 . 2009-09-13 06:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2009-09-13 06:06 . 2009-09-13 06:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2009-09-13 06:06 . 2009-09-13 06:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2009-12-22 22:29 . 2009-12-22 22:29 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
    2009-08-14 20:33 . 2009-08-14 20:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2009-09-13 06:06 . 2009-09-13 06:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2011-08-22 17:35 . 2011-03-22 18:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-08-17 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-04-03_23.34.53 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-04-04 00:26 . 2012-04-04 00:26 16384 c:\windows\Temp\Perflib_Perfdata_6e4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
    "Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2008-08-08 524288]
    "RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-03 113024]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
    "4100:UDP"= 4100:UDP:uPNP Router Control Port
    "5985:TCP"= 5985:TCP:*isabled:Windows Remote Management
    .
    R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [8/16/2009 8:26 PM 119808]
    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [5/3/2010 3:45 PM 40560]
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [4/17/2011 3:39 PM 13496]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/3/2012 1:34 PM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/3/2012 1:34 PM 337880]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 6:13 PM 65584]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/7/2010 10:02 AM 116608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2012 1:34 PM 20696]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/16/2009 7:37 AM 652360]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\Logishrd\LVMVFM\UMVPFSrv.exe [8/19/2011 10:26 AM 450848]
    R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [9/21/2010 10:03 AM 36224]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/16/2009 7:37 AM 20464]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
    S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [9/29/2010 5:07 PM 1527900]
    S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service --> c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]
    S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [9/21/2010 10:03 AM 134912]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - ArcRec
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://sfbay.craigslist.org/
    uInternet Settings,ProxyOverride = localhost
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\
    FF - prefs.js: browser.startup.homepage - www.sfbay.craigslist.org
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z039&form=ZGAADF&q=
    FF - user.js: browser.cache.memory.capacity - 65536
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.interrupt.parsing - true
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 0
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    FF - user.js: yahoo.homepage.dontask - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-03 17:27
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_sugo3_FUService]
    "ImagePath"="\"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-117609710-764733703-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,56,27,b4,78,92,0e,43,9c,2a,93,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,56,27,b4,78,92,0e,43,9c,2a,93,\
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
    @DACL=(02 0000)
    @="Wireless"
    "ProcessGroupPolicy"="ProcessWIRELESSPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
    @DACL=(02 0000)
    @="Folder Redirection"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
    "DllName"=expand:"fdeploy.dll"
    "NoMachinePolicy"=dword:00000001
    "NoSlowLink"=dword:00000001
    "PerUserLocalSettings"=dword:00000001
    "NoGPOListChanges"=dword:00000000
    "NoBackgroundPolicy"=dword:00000000
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "EventSources"=multi:"(Folder Redirection,Application)\00\00"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
    @DACL=(02 0000)
    "Status"=dword:00000000
    "RsopStatus"=dword:00000000
    "LastPolicyTime"=dword:00edd619
    "PrevSlowLink"=dword:00000000
    "PrevRsopLogging"=dword:00000001
    "ForceRefreshFG"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
    @DACL=(02 0000)
    @="Microsoft Disk Quota"
    "NoMachinePolicy"=dword:00000000
    "NoUserPolicy"=dword:00000001
    "NoSlowLink"=dword:00000001
    "NoBackgroundPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "PerUserLocalSettings"=dword:00000000
    "RequiresSuccessfulRegistry"=dword:00000001
    "EnableAsynchronousProcessing"=dword:00000000
    "DllName"=expand:"dskquota.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
    @DACL=(02 0000)
    @="QoS Packet Scheduler"
    "ProcessGroupPolicy"="ProcessPSCHEDPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
    @DACL=(02 0000)
    @="Scripts"
    "ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
    "ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
    "GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
    "DllName"=expand:"gptext.dll"
    "NoSlowLink"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "NotifyLinkTransition"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
    @DACL=(02 0000)
    @="Internet Explorer Zonemapping"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
    "NoGPOListChanges"=dword:00000001
    "RequiresSucessfulRegistry"=dword:00000001
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
    @DACL=(02 0000)
    @="Internet Explorer User Accelerators"
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "NoGPOListChanges"=dword:00000001
    "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
    @DACL=(02 0000)
    "ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
    "GenerateGroupPolicy"="SceGenerateGroupPolicy"
    "ExtensionRsopPlanningDebugLevel"=dword:00000001
    "ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
    "ExtensionDebugLevel"=dword:00000001
    "DllName"=expand:"scecli.dll"
    @="Security"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "EnableAsynchronousProcessing"=dword:00000001
    "MaxNoGPOListChangesInterval"=dword:000003c0
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
    @DACL=(02 0000)
    "ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    @="Internet Explorer Branding"
    "NoSlowLink"=dword:00000001
    "NoBackgroundPolicy"=dword:00000000
    "NoGPOListChanges"=dword:00000001
    "NoMachinePolicy"=dword:00000001
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
    @DACL=(02 0000)
    "ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
    "DllName"=expand:"scecli.dll"
    @="EFS recovery"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "RequiresSuccessfulRegistry"=dword:00000001
    "Status"=dword:00000000
    "RsopStatus"=dword:80070032
    "LastPolicyTime"=dword:00edd619
    "PrevSlowLink"=dword:00000000
    "PrevRsopLogging"=dword:00000001
    "ForceRefreshFG"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
    @DACL=(02 0000)
    @="802.3 Group Policy"
    "DisplayName"=expand:"@dot3gpclnt.dll,-100"
    "ProcessGroupPolicyEx"="ProcessLANPolicyEx"
    "GenerateGroupPolicy"="GenerateLANPolicy"
    "DllName"=expand:"dot3gpclnt.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
    @DACL=(02 0000)
    @="Microsoft Offline Files"
    "DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
    "EnableAsynchronousProcessing"=dword:00000000
    "NoBackgroundPolicy"=dword:00000000
    "NoGPOListChanges"=dword:00000000
    "NoMachinePolicy"=dword:00000000
    "NoSlowLink"=dword:00000000
    "NoUserPolicy"=dword:00000001
    "PerUserLocalSettings"=dword:00000000
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
    @DACL=(02 0000)
    @="Software Installation"
    "DllName"=expand:"appmgmts.dll"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "NoBackgroundPolicy"=dword:00000000
    "RequiresSucessfulRegistry"=dword:00000000
    "NoSlowLink"=dword:00000001
    "PerUserLocalSettings"=dword:00000001
    "EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
    @DACL=(02 0000)
    @="Internet Explorer Machine Accelerators"
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "NoGPOListChanges"=dword:00000001
    "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
    @DACL=(02 0000)
    @="IP Security"
    "ProcessGroupPolicy"="ProcessIPSECPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    @DACL=(02 0000)
    "DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
    "Logon"="SABWINLOLogon"
    "Logoff"="SABWINLOLogoff"
    "Startup"="SABWINLOStartup"
    "Shutdown"="SABWINLOShutdown"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    @DACL=(02 0000)
    "DLLName"="Ati2evxx.dll"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000001
    "Lock"="AtiLockEvent"
    "Logoff"="AtiLogoffEvent"
    "Logon"="AtiLogonEvent"
    "Disconnect"="AtiDisConnectEvent"
    "Reconnect"="AtiReConnectEvent"
    "Safe"=dword:00000000
    "Shutdown"="AtiShutdownEvent"
    "StartScreenSaver"="AtiStartScreenSaverEvent"
    "StartShell"="AtiStartShellEvent"
    "Startup"="AtiStartupEvent"
    "StopScreenSaver"="AtiStopScreenSaverEvent"
    "Unlock"="AtiUnLockEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=expand:"crypt32.dll"
    "Logoff"="ChainWlxLogoffEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=expand:"cryptnet.dll"
    "Logoff"="CryptnetWlxLogoffEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    @DACL=(02 0000)
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000001
    "DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
    "Startup"="WlDimsStartup"
    "Shutdown"="WlDimsShutdown"
    "Logon"="WlDimsLogon"
    "Logoff"="WlDimsLogoff"
    "StartShell"="WlDimsStartShell"
    "Lock"="WlDimsLock"
    "Unlock"="WlDimsUnlock"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
    @DACL=(02 0000)
    "DLLName"="c:\\program files\\common files\\logishrd\\bluetooth\\LBTWlgn.dll"
    "Asynchronous"=dword:00000000
    "Startup"="OnStartup"
    "Logon"="OnLogon"
    "StartShell"="OnStartShell"
    "Logoff"="OnLogoff"
    "Shutdown"="OnShutdown"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"LMIinit.dll"
    "Impersonate"=dword:00000000
    "Lock"="WLEventLock"
    "Logoff"="WLEventLogoff"
    "Logon"="WLEventLogon"
    "Shutdown"="WLEventShutdown"
    "StartScreenSaver"="WLEventStartScreenSaver"
    "StartShell"="WLEventStartShell"
    "Startup"="WLEventStartup"
    "StopScreenSaver"="WLEventStopScreenSaver"
    "Unlock"="WLEventUnlock"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    @DACL=(02 0000)
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"wlnotify.dll"
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    @DACL=(02 0000)
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=expand:"sclgntfy.dll"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    @DACL=(02 0000)
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"wlnotify.dll"
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    @DACL=(02 0000)
    "Logon"="WLEventLogon"
    "Logoff"="WLEventLogoff"
    "Startup"="WLEventStartup"
    "Shutdown"="WLEventShutdown"
    "StartScreenSaver"="WLEventStartScreenSaver"
    "StopScreenSaver"="WLEventStopScreenSaver"
    "Lock"="WLEventLock"
    "Unlock"="WLEventUnlock"
    "StartShell"="WLEventStartShell"
    "PostShell"="WLEventPostShell"
    "Disconnect"="WLEventDisconnect"
    "Reconnect"="WLEventReconnect"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000000
    "SafeMode"=dword:00000001
    "MaxWait"=dword:ffffffff
    "DllName"=expand:"WgaLogon.dll"
    "Event"=dword:00000000
    "InstallEvent"="1.9.0040.0"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    @DACL=(02 0000)
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
    @DACL=(02 0000)
    "HelpAssistant"=dword:00000000
    "TsInternetUser"=dword:00000000
    "SQLAgentCmdExec"=dword:00000000
    "NetShowServices"=dword:00000000
    "IWAM_"=dword:00010000
    "IUSR_"=dword:00010000
    "VUSR_"=dword:00010000
    "LogMeInRemoteUser"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(892)
    c:\windows\system32\LMIRfsClientNP.dll
    c:\windows\system32\l3codeca.acm
    .
    - - - - - - - > 'explorer.exe'(3952)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
    c:\program files\Logitech\iTouch\iTchHk.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-04-03 17:30:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-04 00:29
    ComboFix2.txt 2012-04-03 23:36
    .
    Pre-Run: 283,410,624,512 bytes free
    Post-Run: 283,302,948,864 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
    .
    - - End Of File - - 09D2C911455027A11437CFF1E7A35919
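Reading a "Reg Loading Points" dump like the one above by eye is slow and easy to get wrong, because the benign Winlogon\Notify handlers (wlnotify.dll, crypt32.dll, dimsntfy.dll) and the malicious ones differ only in where the DLL lives. The script below is an added example, not part of the original post and not ComboFix's own logic: it parses the REGEDIT4-style Run/RunOnce and Winlogon\Notify blocks in the format shown in the log and flags entries whose executable or DLL resolves to a user-writable location. The sample log, the path buckets, and the `updater` and `example_notify` entries are constructed for this example; the benign lines mirror ones visible in the posted log.

```python
import re

# Constructed location buckets for this example (not ComboFix heuristics).
WINDOWS_DIRS = ("c:\\windows\\", "%systemroot%\\")
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\progra~1\\")
USER_DIRS = ("c:\\documents and settings\\", "c:\\users\\",
             "%appdata%", "%temp%", "%userprofile%")

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$", re.IGNORECASE)
# "name"="data" or "name"=expand:"data"; the trailing " [date size]" that
# ComboFix appends to Run-key lines is simply not matched.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:expand:)?"(?P<data>[^"]*)"')

# Constructed sample in the ComboFix log format used in this thread. The
# "updater" Run value and the "example_notify" block are made-up suspicious
# entries; the other lines mirror benign ones from the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"updater"="c:\documents and settings\Administrator\Application Data\upd\updater.exe" [2012-04-01 45056]
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Logon"="WlDimsLogon"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_notify]
@DACL=(02 0000)
"DLLName"="c:\\documents and settings\\Administrator\\Local Settings\\Temp\\example_notify.dll"
"Logon"="ExampleLogon"
.
"""


def normalize_path(data: str) -> str:
    """Collapse registry-style doubled backslashes and lowercase for matching."""
    return data.replace("\\\\", "\\").strip().lower()


def classify(path: str) -> str:
    """Bucket a loading-point path by where it lives on disk."""
    p = normalize_path(path)
    if "\\" not in p:
        return "bare-name"       # resolved via the search path, normally system32
    if p.startswith(WINDOWS_DIRS):
        return "windows"
    if p.startswith(PROGRAM_DIRS):
        return "program-files"
    if p.startswith(USER_DIRS):
        return "user-writable"   # profile, AppData, Temp: where droppers usually land
    return "other"


def parse_loading_points(log_text: str) -> list[dict]:
    """One record per Run/RunOnce value and per Winlogon\\Notify DllName."""
    records = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # @DACL, dword:, hex: and "." separator lines
        name, data = m.group("name"), m.group("data")
        key_lower = current_key.lower()
        if key_lower.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            kind = "run"
        elif "\\winlogon\\notify\\" in key_lower and name.lower() == "dllname":
            kind = "winlogon-notify"
            name = current_key.rsplit("\\", 1)[-1]  # report the Notify subkey
        else:
            continue
        records.append({"kind": kind, "key": current_key, "name": name,
                        "path": normalize_path(data), "location": classify(data)})
    return records


def suspicious(records: list[dict]) -> list[dict]:
    """Entries worth a second look: loaded from user-writable or unrecognised paths."""
    return [r for r in records if r["location"] in ("user-writable", "other")]


if __name__ == "__main__":
    for r in suspicious(parse_loading_points(SAMPLE_LOG)):
        print(f'{r["kind"]:16} {r["name"]:16} {r["location"]:14} {r["path"]}')
```

Winlogon\Notify DLLs load into winlogon.exe as SYSTEM, so any entry there that points outside the Windows directory deserves a hash and signature check before it is trusted; a bare filename such as `crypt32.dll` is resolved from the system search path and is normally fine. The "other" bucket catches drive letters and UNC paths the buckets do not know about rather than silently treating them as safe.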

  4. #19
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    Broni..

    OK.. completed the process and the log is below:


    ComboFix 12-04-03.02 - Administrator 04/03/2012 17:21:01.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2315 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_dpzizbof
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-04 to 2012-04-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-03 20:34 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-04-03 20:34 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-04-03 20:34 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-04-03 20:34 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-04-03 20:34 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-04-03 20:34 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-04-03 20:34 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-04-03 20:34 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-04-03 20:33 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
    2012-04-03 20:33 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-04-03 20:33 . 2012-04-03 20:33 -------- d-----w- c:\program files\AVAST Software
    2012-04-03 20:33 . 2012-04-03 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
    2012-03-11 02:03 . 2012-03-11 02:03 -------- d-----w- c:\program files\Common Files\Java
    2012-03-11 02:02 . 2012-03-11 02:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-11 02:02 . 2011-03-11 23:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-02-03 09:22 . 2008-04-14 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44 . 2011-03-20 23:14 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-11 19:06 . 2012-02-15 17:04 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20 . 2009-08-17 04:35 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2009-12-22 22:29 . 2009-12-22 22:29 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2009-12-22 22:29 . 2009-12-22 22:29 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2009-12-22 22:29 . 2009-12-22 22:29 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-09-13 06:05 . 2009-09-13 06:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2009-09-13 06:06 . 2009-09-13 06:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2009-09-13 06:06 . 2009-09-13 06:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2009-09-13 06:06 . 2009-09-13 06:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2009-09-13 06:06 . 2009-09-13 06:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2009-09-13 06:07 . 2009-09-13 06:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2009-09-13 06:06 . 2009-09-13 06:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2009-09-13 06:06 . 2009-09-13 06:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2009-12-22 22:29 . 2009-12-22 22:29 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
    2009-08-14 20:33 . 2009-08-14 20:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2009-09-13 06:06 . 2009-09-13 06:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2011-08-22 17:35 . 2011-03-22 18:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-08-17 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-04-03_23.34.53 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-04-04 00:26 . 2012-04-04 00:26 16384 c:\windows\Temp\Perflib_Perfdata_6e4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
    "Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2008-08-08 524288]
    "RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-03 113024]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
    "4100:UDP"= 4100:UDP:uPNP Router Control Port
    "5985:TCP"= 5985:TCP:*isabled:Windows Remote Management
    .
    R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [8/16/2009 8:26 PM 119808]
    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [5/3/2010 3:45 PM 40560]
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [4/17/2011 3:39 PM 13496]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/3/2012 1:34 PM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/3/2012 1:34 PM 337880]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 6:13 PM 65584]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/7/2010 10:02 AM 116608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2012 1:34 PM 20696]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/16/2009 7:37 AM 652360]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\Logishrd\LVMVFM\UMVPFSrv.exe [8/19/2011 10:26 AM 450848]
    R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [9/21/2010 10:03 AM 36224]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/16/2009 7:37 AM 20464]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
    S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [9/29/2010 5:07 PM 1527900]
    S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service --> c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]
    S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [9/21/2010 10:03 AM 134912]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - ArcRec
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://sfbay.craigslist.org/
    uInternet Settings,ProxyOverride = localhost
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\
    FF - prefs.js: browser.startup.homepage - www.sfbay.craigslist.org
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z039&form=ZGAADF&q=
    FF - user.js: browser.cache.memory.capacity - 65536
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.interrupt.parsing - true
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 0
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    FF - user.js: yahoo.homepage.dontask - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-03 17:27
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_sugo3_FUService]
    "ImagePath"="\"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-117609710-764733703-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,56,27,b4,78,92,0e,43,9c,2a,93,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,56,27,b4,78,92,0e,43,9c,2a,93,\
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
    @DACL=(02 0000)
    @="Wireless"
    "ProcessGroupPolicy"="ProcessWIRELESSPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
    @DACL=(02 0000)
    @="Folder Redirection"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
    "DllName"=expand:"fdeploy.dll"
    "NoMachinePolicy"=dword:00000001
    "NoSlowLink"=dword:00000001
    "PerUserLocalSettings"=dword:00000001
    "NoGPOListChanges"=dword:00000000
    "NoBackgroundPolicy"=dword:00000000
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "EventSources"=multi:"(Folder Redirection,Application)\00\00"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
    @DACL=(02 0000)
    "Status"=dword:00000000
    "RsopStatus"=dword:00000000
    "LastPolicyTime"=dword:00edd619
    "PrevSlowLink"=dword:00000000
    "PrevRsopLogging"=dword:00000001
    "ForceRefreshFG"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
    @DACL=(02 0000)
    @="Microsoft Disk Quota"
    "NoMachinePolicy"=dword:00000000
    "NoUserPolicy"=dword:00000001
    "NoSlowLink"=dword:00000001
    "NoBackgroundPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "PerUserLocalSettings"=dword:00000000
    "RequiresSuccessfulRegistry"=dword:00000001
    "EnableAsynchronousProcessing"=dword:00000000
    "DllName"=expand:"dskquota.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
    @DACL=(02 0000)
    @="QoS Packet Scheduler"
    "ProcessGroupPolicy"="ProcessPSCHEDPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
    @DACL=(02 0000)
    @="Scripts"
    "ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
    "ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
    "GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
    "DllName"=expand:"gptext.dll"
    "NoSlowLink"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "NotifyLinkTransition"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
    @DACL=(02 0000)
    @="Internet Explorer Zonemapping"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
    "NoGPOListChanges"=dword:00000001
    "RequiresSucessfulRegistry"=dword:00000001
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
    @DACL=(02 0000)
    @="Internet Explorer User Accelerators"
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "NoGPOListChanges"=dword:00000001
    "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
    @DACL=(02 0000)
    "ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
    "GenerateGroupPolicy"="SceGenerateGroupPolicy"
    "ExtensionRsopPlanningDebugLevel"=dword:00000001
    "ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
    "ExtensionDebugLevel"=dword:00000001
    "DllName"=expand:"scecli.dll"
    @="Security"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "EnableAsynchronousProcessing"=dword:00000001
    "MaxNoGPOListChangesInterval"=dword:000003c0
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
    @DACL=(02 0000)
    "ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    @="Internet Explorer Branding"
    "NoSlowLink"=dword:00000001
    "NoBackgroundPolicy"=dword:00000000
    "NoGPOListChanges"=dword:00000001
    "NoMachinePolicy"=dword:00000001
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
    @DACL=(02 0000)
    "ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
    "DllName"=expand:"scecli.dll"
    @="EFS recovery"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "RequiresSuccessfulRegistry"=dword:00000001
    "Status"=dword:00000000
    "RsopStatus"=dword:80070032
    "LastPolicyTime"=dword:00edd619
    "PrevSlowLink"=dword:00000000
    "PrevRsopLogging"=dword:00000001
    "ForceRefreshFG"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
    @DACL=(02 0000)
    @="802.3 Group Policy"
    "DisplayName"=expand:"@dot3gpclnt.dll,-100"
    "ProcessGroupPolicyEx"="ProcessLANPolicyEx"
    "GenerateGroupPolicy"="GenerateLANPolicy"
    "DllName"=expand:"dot3gpclnt.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
    @DACL=(02 0000)
    @="Microsoft Offline Files"
    "DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
    "EnableAsynchronousProcessing"=dword:00000000
    "NoBackgroundPolicy"=dword:00000000
    "NoGPOListChanges"=dword:00000000
    "NoMachinePolicy"=dword:00000000
    "NoSlowLink"=dword:00000000
    "NoUserPolicy"=dword:00000001
    "PerUserLocalSettings"=dword:00000000
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
    @DACL=(02 0000)
    @="Software Installation"
    "DllName"=expand:"appmgmts.dll"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "NoBackgroundPolicy"=dword:00000000
    "RequiresSucessfulRegistry"=dword:00000000
    "NoSlowLink"=dword:00000001
    "PerUserLocalSettings"=dword:00000001
    "EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
    @DACL=(02 0000)
    @="Internet Explorer Machine Accelerators"
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "NoGPOListChanges"=dword:00000001
    "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
    @DACL=(02 0000)
    @="IP Security"
    "ProcessGroupPolicy"="ProcessIPSECPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    @DACL=(02 0000)
    "DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
    "Logon"="SABWINLOLogon"
    "Logoff"="SABWINLOLogoff"
    "Startup"="SABWINLOStartup"
    "Shutdown"="SABWINLOShutdown"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    @DACL=(02 0000)
    "DLLName"="Ati2evxx.dll"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000001
    "Lock"="AtiLockEvent"
    "Logoff"="AtiLogoffEvent"
    "Logon"="AtiLogonEvent"
    "Disconnect"="AtiDisConnectEvent"
    "Reconnect"="AtiReConnectEvent"
    "Safe"=dword:00000000
    "Shutdown"="AtiShutdownEvent"
    "StartScreenSaver"="AtiStartScreenSaverEvent"
    "StartShell"="AtiStartShellEvent"
    "Startup"="AtiStartupEvent"
    "StopScreenSaver"="AtiStopScreenSaverEvent"
    "Unlock"="AtiUnLockEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=expand:"crypt32.dll"
    "Logoff"="ChainWlxLogoffEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=expand:"cryptnet.dll"
    "Logoff"="CryptnetWlxLogoffEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    @DACL=(02 0000)
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000001
    "DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
    "Startup"="WlDimsStartup"
    "Shutdown"="WlDimsShutdown"
    "Logon"="WlDimsLogon"
    "Logoff"="WlDimsLogoff"
    "StartShell"="WlDimsStartShell"
    "Lock"="WlDimsLock"
    "Unlock"="WlDimsUnlock"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
    @DACL=(02 0000)
    "DLLName"="c:\\program files\\common files\\logishrd\\bluetooth\\LBTWlgn.dll"
    "Asynchronous"=dword:00000000
    "Startup"="OnStartup"
    "Logon"="OnLogon"
    "StartShell"="OnStartShell"
    "Logoff"="OnLogoff"
    "Shutdown"="OnShutdown"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"LMIinit.dll"
    "Impersonate"=dword:00000000
    "Lock"="WLEventLock"
    "Logoff"="WLEventLogoff"
    "Logon"="WLEventLogon"
    "Shutdown"="WLEventShutdown"
    "StartScreenSaver"="WLEventStartScreenSaver"
    "StartShell"="WLEventStartShell"
    "Startup"="WLEventStartup"
    "StopScreenSaver"="WLEventStopScreenSaver"
    "Unlock"="WLEventUnlock"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    @DACL=(02 0000)
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"wlnotify.dll"
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    @DACL=(02 0000)
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=expand:"sclgntfy.dll"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    @DACL=(02 0000)
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"wlnotify.dll"
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    @DACL=(02 0000)
    "Logon"="WLEventLogon"
    "Logoff"="WLEventLogoff"
    "Startup"="WLEventStartup"
    "Shutdown"="WLEventShutdown"
    "StartScreenSaver"="WLEventStartScreenSaver"
    "StopScreenSaver"="WLEventStopScreenSaver"
    "Lock"="WLEventLock"
    "Unlock"="WLEventUnlock"
    "StartShell"="WLEventStartShell"
    "PostShell"="WLEventPostShell"
    "Disconnect"="WLEventDisconnect"
    "Reconnect"="WLEventReconnect"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000000
    "SafeMode"=dword:00000001
    "MaxWait"=dword:ffffffff
    "DllName"=expand:"WgaLogon.dll"
    "Event"=dword:00000000
    "InstallEvent"="1.9.0040.0"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    @DACL=(02 0000)
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
    @DACL=(02 0000)
    "HelpAssistant"=dword:00000000
    "TsInternetUser"=dword:00000000
    "SQLAgentCmdExec"=dword:00000000
    "NetShowServices"=dword:00000000
    "IWAM_"=dword:00010000
    "IUSR_"=dword:00010000
    "VUSR_"=dword:00010000
    "LogMeInRemoteUser"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(892)
    c:\windows\system32\LMIRfsClientNP.dll
    c:\windows\system32\l3codeca.acm
    .
    - - - - - - - > 'explorer.exe'(3952)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
    c:\program files\Logitech\iTouch\iTchHk.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-04-03 17:30:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-04 00:29
    ComboFix2.txt 2012-04-03 23:36
    .
    Pre-Run: 283,410,624,512 bytes free
    Post-Run: 283,302,948,864 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
    .
    - - End Of File - - 09D2C911455027A11437CFF1E7A35919

  5. #20
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Good.

    Download OTL to your Desktop.

    • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

  6. #21
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    Broni.. I ran the full instead of Quick Scan.. Sorry. And the log is very long so I have to post it in two replies:

    OTL Extras logfile created on: 4/3/2012 6:02:03 PM - Run 1
    OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.87 Gb Total Physical Memory | 2.35 Gb Available Physical Memory | 81.72% Memory free
    4.72 Gb Paging File | 4.41 Gb Available in Paging File | 93.46% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 298.08 Gb Total Space | 263.84 Gb Free Space | 88.51% Space Free | Partition Type: NTFS
    Drive E: | 111.78 Gb Total Space | 101.36 Gb Free Space | 90.68% Space Free | Partition Type: NTFS

    Computer Name: COMPUTER | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-117609710-764733703-682003330-500\SOFTWARE\Classes\<extension>]
    .html [@ = ChromeHTML] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    https [open] -- Reg Error: Key error.
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 1
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
    "1935:TCP" = 1935:TCP:*:Enabled:BroadCam Video Streaming Server Flash Video Server
    "4100:UDP" = 4100:UDP:*:Enabled:uPNP Router Control Port
    "5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
    "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe:*:Enabled:Google Chrome -- (Google Inc.)
    "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
    "C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
    "C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    "{036AA4D4-6D32-11D4-9875-00105ACE7734}" = Logitech iTouch Software
    "{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
    "{0BCA9EFD-F2D6-4638-B053-8693BA0404BE}" = Citrix online plug-in (Web)
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{4324BC93-C82F-ED16-BA86-5E34B9E05303}" = ccc-core-static
    "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
    "{485DF5E7-8379-4BFA-BAE1-9B8DBFE0D6B4}" = Paragon Drive Backup™ 9.5 Professional Edition
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4ED118EE-785C-CC18-5D2E-D5CA4BAA03F0}" = Catalyst Control Center Graphics Full New
    "{539475B7-44B7-8B0A-134C-F01B9C8B7569}" = ccc-core-preinstall
    "{55392E52-1AAD-44C4-BE49-258FFE72434F}" = Citrix online plug-in (USB)
    "{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.70
    "{5AC7AE54-55DF-1126-076C-623F008D40B6}" = Catalyst Control Center Graphics Full Existing
    "{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
    "{6351D217-3EE3-1967-29BE-6A77635FE485}" = Skins
    "{6AB9CD3A-F91F-233B-923B-6C59BA63524D}" = Catalyst Control Center HydraVision Full
    "{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{76EFAC4F-1712-401F-B2AE-590B170C9BCE}" = StartupMonitor
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
    "{812424AC-A8B5-44E6-8D48-07E939D1AD9A}" = Citrix online plug-in (HDX)
    "{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
    "{85A91C22-C369-FCFB-5F1F-D59EB21AD0E1}" = CCC Help English
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{885F5AC6-4413-4D30-99A9-F4494BFA4923}" = Logitech Harmony Remote Software 7
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8FBDE446-66F7-4AD5-82D3-74E46D462425}" = Encompass360 NetBranch Installation Manager
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9EDE7573-F2B0-4FAC-8928-A7E9381BCB91}" = ArcSoft MediaImpression for Kodak
    "{9FD6F1A8-5550-46AF-8509-271DF0E768B5}" = Dual-Core Optimizer
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
    "{A6D0140F-E62F-9D1E-2408-9CFF91FF6FC8}" = ccc-utility
    "{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
    "{A89DEBCA-F743-3412-97F6-B2E489194551}" = Google Talk Plugin
    "{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
    "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.4
    "{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
    "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
    "{C44A7422-E380-44BE-79FE-1C032D8A03A7}" = Catalyst Control Center Core Implementation
    "{CA72A82C-7DBC-4814-8CCB-E5BFAC59FAEF}" = ArcSoft MediaImpression for Kodak
    "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CF53CF7C-D996-43EB-9904-DBED57C25625}" = Citrix online plug-in (DV)
    "{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
    "{E5D24929-91A4-B0A1-DE00-AFC453921EF7}" = Catalyst Control Center Graphics Light
    "{E6C09BFB-BA75-15C7-5B18-A2CE31C4F42B}" = Catalyst Control Center Graphics Previews Common
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F2FF2CFB-CA3A-438D-ABF5-B99013DFB72A}" = MindMaster
    "4Media ISO Creator" = 4Media ISO Creator

  7. #22
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    Here's the second half:


    "ActiveTouchMeetingClient" = WebEx
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "All ATI Software" = ATI - Software Uninstall Utility
    "ATI Display Driver" = ATI Display Driver
    "avast" = avast! Free Antivirus
    "BurnAware Free_is1" = BurnAware Free 3.0 beta 9
    "Cablenut" = Cablenut 4.08
    "CAL" = Canon Camera Access Library
    "CameraWindowDC" = Canon Utilities CameraWindow DC
    "CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
    "CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    "CameraWindowLauncher" = Canon Utilities CameraWindow
    "Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
    "CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
    "Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
    "CCleaner" = CCleaner
    "CitrixOnlinePluginPackWeb" = Citrix online plug-in - web
    "CSCLIB" = Canon Camera Support Core Library
    "CutePDF Writer Installation" = CutePDF Writer 2.8
    "EOS Utility" = Canon Utilities EOS Utility
    "Firebird SQL Server UK" = Firebird SQL Server - MAGIX Edition
    "Flash Saving Plugin" = Flash Saving Plugin
    "Foxit Reader" = Foxit Reader
    "ie8" = Windows Internet Explorer 8
    "ImgBurn" = ImgBurn
    "IrfanView" = IrfanView (remove only)
    "jZip" = jZip
    "lvdrivers_12.10" = Logitech Webcam Software Driver Package
    "MAGIX 3D Maker UK" = MAGIX 3D Maker (embeded)
    "MAGIX Movie Edit Pro 15 Plus Download version UK" = MAGIX Movie Edit Pro 15 Plus Download version 8.0.5.8 (UK)
    "MAGIX Screenshare UK" = MAGIX Screenshare 4.3.6.1987 (UK)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
    "MeridianLink Site Security Certificate" = MeridianLink Site Security Certificate
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
    "Mozilla Firefox 6.0 (x86 en-US)" = Mozilla Firefox 6.0 (x86 en-US)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "MyCamera" = Canon Utilities MyCamera
    "MyCameraDC" = Canon Utilities MyCamera DC
    "PhotoScape" = PhotoScape
    "PhotoStitch" = Canon Utilities PhotoStitch
    "Picasa 3" = Picasa 3
    "PlexUtil" = SmartPack 1.19.0
    "RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
    "RemoteCaptureDC" = Canon Utilities RemoteCapture DC
    "RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
    "Revo Uninstaller" = Revo Uninstaller 1.93
    "Samsung CLP-310 Series" = Samsung CLP-310 Series
    "Samsung ML-2510 Series" = Samsung ML-2510 Series
    "Smart Defrag 2_is1" = Smart Defrag 2
    "SP6" = Logitech SetPoint 6.15
    "VLC media player" = VLC media player 1.1.11
    "Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
    "ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-117609710-764733703-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "bddd472159704f26" = macProVideo.com NED Player
    "Dropbox" = Dropbox
    "Google Chrome" = Google Chrome
    "GoToMeeting" = GoToMeeting 4.5.0.457
    "XBMC" = XBMC Media Center

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 10/12/2011 1:35:54 PM | Computer Name = COMPUTER | Source = MPSampleSubmission | ID = 5000
    Description =

    Error - 10/19/2011 12:53:42 PM | Computer Name = COMPUTER | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This operation returned because the timeout period expired.

    Error - 10/23/2011 8:23:43 PM | Computer Name = COMPUTER | Source = MPSampleSubmission | ID = 5000
    Description =

    Error - 12/11/2011 4:07:38 PM | Computer Name = COMPUTER | Source = MPSampleSubmission | ID = 5000
    Description =

    Error - 1/24/2012 6:13:20 PM | Computer Name = COMPUTER | Source = MPSampleSubmission | ID = 5000
    Description =

    Error - 2/28/2012 2:21:12 PM | Computer Name = COMPUTER | Source = SecurityCenter | ID = 1802
    Description = The Windows Security Center Service was unable to establish event
    queries with WMI to monitor third party AntiVirus and Firewall.

    Error - 3/11/2012 7:28:55 PM | Computer Name = COMPUTER | Source = MPSampleSubmission | ID = 5000
    Description =

    Error - 3/14/2012 4:32:20 PM | Computer Name = COMPUTER | Source = MPSampleSubmission | ID = 5000
    Description =

    Error - 3/14/2012 4:40:41 PM | Computer Name = COMPUTER | Source = MPSampleSubmission | ID = 5000
    Description =

    Error - 4/2/2012 8:23:40 PM | Computer Name = COMPUTER | Source = MPSampleSubmission | ID = 5000
    Description =

    [ System Events ]
    Error - 4/3/2012 5:42:47 PM | Computer Name = COMPUTER | Source = ACPI | ID = 327692
    Description = AMLI: ACPI BIOS is attempting to create an illegal memory OpRegion,
    starting at address 0x0, with a length of 0x1000. This region lies in the Operating
    system's protected memory address range (0x0 - 0x9f800). This could lead to system
    instability. Please contact your system vendor for technical assistance.

    Error - 4/3/2012 7:08:54 PM | Computer Name = COMPUTER | Source = ACPI | ID = 327692
    Description = AMLI: ACPI BIOS is attempting to create an illegal memory OpRegion,
    starting at address 0x0, with a length of 0x1000. This region lies in the Operating
    system's protected memory address range (0x0 - 0x9f800). This could lead to system
    instability. Please contact your system vendor for technical assistance.

    Error - 4/3/2012 7:09:02 PM | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000
    Description = The LogMeIn Kernel Information Provider service failed to start due
    to the following error: %%3

    Error - 4/3/2012 7:09:02 PM | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000
    Description = The SSPORT service failed to start due to the following error: %%2

    Error - 4/3/2012 7:38:45 PM | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000
    Description = The LogMeIn Kernel Information Provider service failed to start due
    to the following error: %%3

    Error - 4/3/2012 7:38:46 PM | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000
    Description = The SSPORT service failed to start due to the following error: %%2

    Error - 4/3/2012 7:38:54 PM | Computer Name = COMPUTER | Source = ACPI | ID = 327692
    Description = AMLI: ACPI BIOS is attempting to create an illegal memory OpRegion,
    starting at address 0x0, with a length of 0x1000. This region lies in the Operating
    system's protected memory address range (0x0 - 0x9f800). This could lead to system
    instability. Please contact your system vendor for technical assistance.

    Error - 4/3/2012 8:26:34 PM | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000
    Description = The LogMeIn Kernel Information Provider service failed to start due
    to the following error: %%3

    Error - 4/3/2012 8:26:34 PM | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7000
    Description = The SSPORT service failed to start due to the following error: %%2

    Error - 4/3/2012 8:26:43 PM | Computer Name = COMPUTER | Source = ACPI | ID = 327692
    Description = AMLI: ACPI BIOS is attempting to create an illegal memory OpRegion,
    starting at address 0x0, with a length of 0x1000. This region lies in the Operating
    system's protected memory address range (0x0 - 0x9f800). This could lead to system
    instability. Please contact your system vendor for technical assistance.


    < End of report >

  8. #23
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    I still need OTL.txt log.

  9. #24
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    duplicate...
    Last edited by Broni; April 4th, 2012 at 01:44 PM.

  10. #25
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    I am sure that what you're seeing is the OTL.txt log, but here's what I find when I search for it:

    Part I:


    OTL logfile created on: 4/3/2012 6:02:03 PM - Run 1
    OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.87 Gb Total Physical Memory | 2.35 Gb Available Physical Memory | 81.72% Memory free
    4.72 Gb Paging File | 4.41 Gb Available in Paging File | 93.46% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 298.08 Gb Total Space | 263.84 Gb Free Space | 88.51% Space Free | Partition Type: NTFS
    Drive E: | 111.78 Gb Total Space | 101.36 Gb Free Space | 90.68% Space Free | Partition Type: NTFS

    Computer Name: COMPUTER | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/04/03 17:59:39 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\My Documents\Downloads\OTL.exe
    PRC - [2012/03/06 16:15:17 | 004,241,512 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
    PRC - [2012/03/06 16:15:14 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    PRC - [2012/01/13 15:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2011/08/19 10:26:50 | 000,450,848 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logishrd\LVMVFM\UMVPFSrv.exe
    PRC - [2011/08/18 10:22:46 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    PRC - [2010/06/25 17:15:32 | 001,311,312 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPointP\SetPoint.exe
    PRC - [2010/06/22 12:09:20 | 000,112,208 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL3\KHALMNPR.exe
    PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    PRC - [2008/08/07 22:03:41 | 000,524,288 | ---- | M] () -- C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
    PRC - [2008/04/14 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
    PRC - [2004/03/18 09:33:26 | 000,892,928 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\iTouch\iTouch.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/04/03 13:27:10 | 001,753,088 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12040302\algo.dll
    MOD - [2011/02/28 15:37:32 | 000,180,624 | ---- | M] () -- C:\WINDOWS\system32\Primomonnt.dll
    MOD - [2009/11/05 08:39:40 | 000,087,552 | ---- | M] () -- C:\WINDOWS\system32\cpwmon2k.dll
    MOD - [2008/08/07 22:03:41 | 000,524,288 | ---- | M] () -- C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
    MOD - [2007/08/13 02:39:15 | 000,022,723 | ---- | M] () -- C:\WINDOWS\system32\cl31cl3.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2012/03/06 16:15:14 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2012/01/13 15:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2011/08/19 10:26:50 | 000,450,848 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\Logishrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
    SRV - [2011/08/18 10:22:46 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
    SRV - [2010/05/06 02:29:12 | 000,293,456 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
    SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
    SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
    SRV - [2005/11/17 14:18:52 | 001,527,900 | ---- | M] (MAGIX®) [On_Demand | Stopped] -- C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance)
    SRV - [2005/03/10 21:09:12 | 000,176,128 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc.exe -- (SM_sugo3_FUService)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbaapl.sys -- (USBAAPL)
    DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\Drivers\SSPORT.sys -- (SSPORT)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys -- (mbr)
    DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\LogMeIn\x86\RaInfo.sys -- (LMIInfo)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - [2012/03/06 16:03:51 | 000,612,184 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2012/03/06 16:03:38 | 000,337,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2012/03/06 16:02:00 | 000,035,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (AswRdr)
    DRV - [2012/03/06 16:01:53 | 000,053,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2012/03/06 16:01:39 | 000,095,704 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2012/03/06 16:01:30 | 000,020,696 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2012/03/06 15:58:29 | 000,024,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2011/12/10 16:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2011/08/19 10:26:50 | 004,334,624 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech Webcam 250(UVC)
    DRV - [2011/08/03 15:05:04 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2011/08/03 15:05:04 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
    DRV - [2011/02/23 17:04:32 | 000,013,496 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
    DRV - [2010/05/07 18:43:30 | 000,025,824 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
    DRV - [2010/04/21 17:00:32 | 000,385,544 | ---- | M] (Paragon) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Uim_IM.sys -- (Uim_IM)
    DRV - [2010/04/21 17:00:32 | 000,034,392 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\UimBus.sys -- (UimBus)
    DRV - [2010/04/21 17:00:30 | 000,040,560 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\hotcore3.sys -- (hotcore3)
    DRV - [2010/03/18 02:02:08 | 000,037,328 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
    DRV - [2010/03/18 02:01:52 | 000,038,864 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
    DRV - [2009/10/07 01:49:50 | 000,023,832 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
    DRV - [2009/10/07 01:47:54 | 000,266,008 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
    DRV - [2009/10/07 01:46:12 | 000,114,712 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvpopflt.sys -- (lvpopflt)
    DRV - [2009/09/28 20:34:48 | 000,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
    DRV - [2009/09/08 18:13:16 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)
    DRV - [2009/08/19 14:49:22 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
    DRV - [2009/08/16 20:26:57 | 000,119,808 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ahcix86.sys -- (ahcix86)
    DRV - [2009/06/17 09:56:32 | 000,028,560 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
    DRV - [2009/06/17 09:55:18 | 000,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
    DRV - [2009/03/09 05:03:24 | 000,121,984 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
    DRV - [2009/02/25 15:58:57 | 003,565,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2009/01/20 19:53:06 | 005,027,840 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2008/12/25 18:32:32 | 003,721,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtKHDMI.sys -- (RTHDMIAzAudService)
    DRV - [2008/08/11 13:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
    DRV - [2007/11/06 13:22:00 | 000,036,224 | ---- | M] (ArcSoft Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\ArcCD.sys -- (ArcCD)
    DRV - [2007/10/11 18:40:00 | 000,009,096 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\amdide.sys -- (amdide)
    DRV - [2007/08/12 19:48:57 | 000,041,984 | ---- | M] (Samsung Electronics Co., Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\DGIVECP.SYS -- (DgiVecp)
    DRV - [2007/06/29 14:47:34 | 000,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AmdLLD.sys -- (AmdLLD)
    DRV - [2007/04/25 08:55:02 | 000,134,912 | ---- | M] (ArcSoft Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\ArcUdfs.sys -- (ArcUdfs)
    DRV - [2007/04/24 11:33:50 | 000,007,680 | ---- | M] (ArcSoft Inc.) [Recognizer | System | Unknown] -- C:\WINDOWS\System32\drivers\ArcRec.sys -- (ArcRec)
    DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
    DRV - [2006/07/01 22:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
    DRV - [2004/03/10 13:42:24 | 000,012,953 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\itchfltr.sys -- (itchfltr)
    DRV - [2004/03/03 09:50:00 | 000,037,887 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidUsb.sys -- (LHidUsb)
    DRV - [2004/03/03 09:50:00 | 000,014,095 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LCcfltr.sys -- (LCcFltr)
    DRV - [2002/07/02 09:20:51 | 000,070,382 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFlt2.sys -- (LMouFlt2)
    DRV - [2002/07/02 09:20:51 | 000,023,854 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFlt2.sys -- (LHidFlt2)
    DRV - [2002/07/02 09:20:51 | 000,006,030 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LKbdFlt2.sys -- (LKbdFlt2)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-117609710-764733703-682003330-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://sfbay.craigslist.org/
    IE - HKU\S-1-5-21-117609710-764733703-682003330-500\..\SearchScopes,DefaultScope = {76E9350E-0392-9C19-F83A-99BC015260AF}
    IE - HKU\S-1-5-21-117609710-764733703-682003330-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=IE8SRC&src=IE-SearchBox
    IE - HKU\S-1-5-21-117609710-764733703-682003330-500\..\SearchScopes\{1758AC42-D7A3-4E0D-80A4-71C901D9D89F}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
    IE - HKU\S-1-5-21-117609710-764733703-682003330-500\..\SearchScopes\{72BAC6E4-76D5-49FE-8C1E-D1C81F88F309}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&type=302398&p={searchTerms}
    IE - HKU\S-1-5-21-117609710-764733703-682003330-500\..\SearchScopes\{76E9350E-0392-9C19-F83A-99BC015260AF}: "URL" = http://www.bing.com/search?q={searchTerms}&pc=Z039&form=ZGAIDF
    IE - HKU\S-1-5-21-117609710-764733703-682003330-500\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2704262
    IE - HKU\S-1-5-21-117609710-764733703-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-117609710-764733703-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

    ========== FireFox ==========

    FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=302398"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "www.sfbay.craigslist.org"
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.1
    FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:3.9.2
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=Z039&form=ZGAADF&q="
    FF - prefs.js..network.proxy.no_proxies_on: "localhost,*.local"


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
    FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/04/03 13:34:07 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/06 17:37:32 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/06 17:38:20 | 000,000,000 | ---D | M]

    [2009/08/28 07:33:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
    [2011/12/12 15:06:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\extensions
    [2009/08/28 07:36:21 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/12/12 15:06:55 | 000,000,000 | ---D | M] (FreeSoundRecorder) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\extensions\{32b29df0-2237-4370-9a29-37cebb730e9b}
    [2011/08/22 10:35:26 | 000,000,000 | ---D | M] (WebMail Notifier) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
    [2011/08/22 10:34:48 | 000,000,000 | ---D | M] (Awesome screenshot: Capture and Annotate) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\extensions\jid0-GXjLLfbCoAx0LcltEdFrEkQdQPI@jetpack
    [2011/06/01 12:36:22 | 000,000,000 | ---D | M] (Search Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\extensions\searchtoolbar@zugo.com
    [2010/01/21 14:45:28 | 000,002,172 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\searchplugins\bing.xml
    [2012/03/10 19:02:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/03/10 19:02:58 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    [2012/03/10 19:02:45 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2011/08/22 10:35:12 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2009/12/22 15:29:22 | 000,028,488 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
    [2009/12/22 15:29:22 | 000,185,240 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcext.dll
    [2009/12/22 15:29:26 | 000,046,408 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\atmccli.dll
    [2009/09/12 23:05:42 | 000,124,240 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CCMSDK.dll
    [2009/09/12 23:06:22 | 000,070,488 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CgpCore.dll
    [2009/09/12 23:06:32 | 000,091,480 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\confmgr.dll
    [2009/09/12 23:06:28 | 000,022,360 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
    [2009/12/22 15:29:28 | 000,099,224 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
    [2008/06/19 02:16:24 | 000,118,784 | ---- | M] (CANON INC.) -- C:\Program Files\mozilla firefox\plugins\MyCamera.dll
    [2009/12/22 15:29:21 | 000,061,848 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\npatgpc.dll
    [2008/06/19 02:16:24 | 000,053,248 | ---- | M] (CANON INC.) -- C:\Program Files\mozilla firefox\plugins\NPCIG.dll
    [2012/03/10 19:02:43 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2009/08/19 21:38:16 | 000,072,960 | ---- | M] (Foxit Software Company) -- C:\Program Files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    [2009/09/12 23:08:36 | 000,406,864 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npicaN.dll
    [2009/09/12 23:06:24 | 000,023,896 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
    [2011/08/22 10:35:08 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2011/03/22 11:27:49 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml.old

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.142\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.142\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.142\gcswf32.dll
    CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
    CHR - plugin: Screen Capture Plugin (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\alelhddbbhepgpmgidjdcjakblofbmce\3.3.3_0\plugins/screen_capture.dll
    CHR - plugin: Google Talk Plugin (Enabled) = C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
    CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Java Deployment Toolkit 6.0.310.5 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
    CHR - plugin: ActiveTouch General Plugin Container (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
    CHR - plugin: Canon Online Photo Plugin Module (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPCIG.dll
    CHR - plugin: Foxit Reader Plugin for Mozilla (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    CHR - plugin: Microsoft Office 2003 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
    CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
    CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
    CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
    CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll
    CHR - plugin: Picasa (Enabled) = C:\Program Files\Google\Picasa3\npPicasa3.dll
    CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
    CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    CHR - Extension: Awesome Screenshot: Capture & Annotate = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\alelhddbbhepgpmgidjdcjakblofbmce\3.3.3_0\
    CHR - Extension: PriceBlink = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aoiidodopnnhiflaflbfeblnojefhigh\3.0_0\
    CHR - Extension: Auto Copy = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bijpdibkloghppkbmhcklkogpjaenfkg\2.1.1_0\
    CHR - Extension: James White = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bkeidgmehkdjmpjodpjkepolokanalkm\3_0\
    CHR - Extension: 1-ClickWeather for Chrome = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fgmbighdoomjmebfbgplfmhcdbomjkoa\1.1.0.3_0\
    CHR - Extension: TweetDeck = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hbdpomandigafcibbmofojjchbcdagbl\1.3_0\
    CHR - Extension: goo.gl URL Shortener = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\iblijlcdoidgdpfknkckljiocdbnlagk\0.7.2_0\
    CHR - Extension: avast! WebRep = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\
    CHR - Extension: Google Voice (by Google) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\kcnhkahnjcbndmmehfkdnkjomaanaooo\2.3.6.8_0\
    CHR - Extension: Google Play Books = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mmimngoggfoobjdlefbcabngfnmieonb\1.1.3_0\
    CHR - Extension: SlideRocket = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\omeengfjefdmhnkojnfmncpfdbhnecea\1.0.4_0\

  11. #26
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    As you can see, it looks identical. Here's Part II:


    O1 HOSTS File: ([2012/04/03 17:27:08 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe ()
    O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe (Logitech Inc.)
    O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe (Adobe Systems, Inc.)
    O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe (Adobe Systems, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\__avast! sandbox\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-117609710-764733703-682003330-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-117609710-764733703-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-117609710-764733703-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutorun = 67108863
    O7 - HKU\S-1-5-21-117609710-764733703-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O7 - HKU\S-1-5-21-117609710-764733703-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} http://www.comcastsupport.com/sdccom...ad/tgctlsr.cab (SupportSoft Script Runner Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsof...?1250772743734 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9883A5CB-8C28-4770-BD90-15721BE5DF86}: DhcpNameServer = 192.168.1.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\AtiExtEvent: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\crypt32chain: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\cryptnet: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\cscdll: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\dimsntfy: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\LBTWlgn: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\LMIinit: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\ScCertProp: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\Schedule: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\sclgntfy: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\SensLogn: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\termsrv: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\WgaLogon: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\wlballoon: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
    O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2005/10/03 02:01:43 | 000,000,000 | -H-- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O34 - HKLM BootExecute: (SmartDefragBootTime.exe)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.I420 - C:\WINDOWS\System32\lvcodec2.dll (Logitech Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/04/03 17:19:48 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012/04/03 16:28:14 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/04/03 16:28:14 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/04/03 16:28:14 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/04/03 16:28:14 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/04/03 16:28:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2012/04/03 16:28:05 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/04/03 13:34:21 | 000,020,696 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2012/04/03 13:34:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
    [2012/04/03 13:34:20 | 000,337,880 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2012/04/03 13:34:19 | 000,053,848 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2012/04/03 13:34:19 | 000,035,672 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2012/04/03 13:34:18 | 000,612,184 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
    [2012/04/03 13:34:18 | 000,095,704 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2012/04/03 13:34:18 | 000,089,048 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2012/04/03 13:34:18 | 000,024,920 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2012/04/03 13:33:58 | 000,041,184 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2012/04/03 13:33:57 | 000,201,352 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2012/04/03 13:33:44 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
    [2012/04/03 13:33:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
    [2012/04/02 16:59:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Downloads
    [2012/03/22 12:12:12 | 004,435,968 | ---- | C] (Google Inc.) -- C:\WINDOWS\System32\GPhotos.scr
    [2012/03/10 19:03:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2012/03/10 19:02:57 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
    [2012/03/10 19:02:57 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
    [2012/03/10 19:02:57 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
    [2012/03/10 19:02:57 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Documents and Settings\Administrator\Desktop\*.tmp files -> C:\Documents and Settings\Administrator\Desktop\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/04/03 17:27:08 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2012/04/03 17:26:32 | 000,008,180 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
    [2012/04/03 17:26:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/04/03 17:26:20 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
    [2012/04/03 17:26:19 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
    [2012/04/03 17:19:54 | 000,000,339 | RHS- | M] () -- C:\boot.ini
    [2012/04/03 17:18:23 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to ComboFix.exe.lnk
    [2012/04/03 16:30:02 | 000,000,339 | ---- | M] () -- C:\Boot.bak
    [2012/04/03 13:34:18 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2012/04/03 13:32:06 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
    [2012/04/01 08:44:10 | 000,002,513 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2003.lnk
    [2012/03/28 10:28:05 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/03/27 14:51:02 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
    [2012/03/22 12:12:12 | 004,435,968 | ---- | M] (Google Inc.) -- C:\WINDOWS\System32\GPhotos.scr
    [2012/03/14 13:27:33 | 000,294,072 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/03/14 13:24:45 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/03/11 11:12:58 | 000,466,140 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/03/11 11:12:58 | 000,081,038 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/03/10 19:02:42 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
    [2012/03/10 19:02:42 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
    [2012/03/10 19:02:41 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
    [2012/03/10 19:02:41 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
    [2012/03/10 19:02:41 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
    [2012/03/06 16:15:19 | 000,041,184 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2012/03/06 16:15:14 | 000,201,352 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2012/03/06 16:03:51 | 000,612,184 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
    [2012/03/06 16:03:38 | 000,337,880 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2012/03/06 16:02:00 | 000,035,672 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2012/03/06 16:01:53 | 000,053,848 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2012/03/06 16:01:39 | 000,095,704 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2012/03/06 16:01:35 | 000,089,048 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2012/03/06 16:01:30 | 000,020,696 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2012/03/06 15:58:29 | 000,024,920 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Documents and Settings\Administrator\Desktop\*.tmp files -> C:\Documents and Settings\Administrator\Desktop\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/04/03 17:18:23 | 000,000,798 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to ComboFix.exe.lnk
    [2012/04/03 16:30:02 | 000,000,339 | ---- | C] () -- C:\Boot.bak
    [2012/04/03 16:29:59 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2012/04/03 16:28:14 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/04/03 16:28:14 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/04/03 16:28:14 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/04/03 16:28:14 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/04/03 16:28:14 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/02/15 10:04:19 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2011/12/23 18:59:09 | 000,020,312 | ---- | C] () -- C:\WINDOWS\System32\RegistryDefragBootTime.exe
    [2011/05/05 15:59:30 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
    [2011/05/05 14:52:20 | 000,180,624 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
    [2011/04/17 15:39:33 | 000,029,520 | ---- | C] () -- C:\WINDOWS\System32\SmartDefragBootTime.exe
    [2011/04/17 15:39:33 | 000,013,496 | ---- | C] () -- C:\WINDOWS\System32\drivers\SmartDefragDriver.sys
    [2011/03/21 10:33:15 | 000,180,480 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2011/03/21 10:32:06 | 000,000,193 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
    [2010/12/03 12:32:17 | 000,022,723 | ---- | C] () -- C:\WINDOWS\System32\cl31cl3.dll
    [2010/11/30 14:18:44 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Hnarimonobapuyu.dat
    [2010/11/30 14:18:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Hzenesiqaquzu.bin
    [2010/11/30 14:16:51 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\start
    [2010/09/29 17:05:11 | 000,120,200 | ---- | C] () -- C:\WINDOWS\System32\DLLDEV32i.dll
    [2010/09/29 17:04:40 | 000,006,211 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
    [2010/08/31 10:08:30 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
    [2010/08/03 12:53:57 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/07/27 08:03:20 | 010,898,456 | ---- | C] () -- C:\WINDOWS\System32\LogiDPP.dll
    [2010/07/27 08:03:20 | 000,104,472 | ---- | C] () -- C:\WINDOWS\System32\LogiDPPApp.exe
    [2010/07/27 08:03:18 | 000,336,408 | ---- | C] () -- C:\WINDOWS\System32\DevManagerCore.dll
    [2010/05/28 13:35:20 | 000,000,305 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
    [2010/05/14 15:29:00 | 000,028,418 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
    [2010/05/07 18:43:30 | 000,025,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys

    ========== Custom Scans ==========

    < %SYSTEMDRIVE%\*.* >
    [2009/12/19 10:16:30 | 000,001,024 | ---- | M] () -- C:\.rnd
    [2012/04/03 16:30:02 | 000,000,339 | ---- | M] () -- C:\Boot.bak
    [2012/04/03 17:19:54 | 000,000,339 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2012/04/03 17:30:02 | 000,030,453 | ---- | M] () -- C:\ComboFix.txt
    [2010/10/18 11:47:30 | 000,039,222 | ---- | M] () -- C:\DEBUG.TXT
    [2009/08/16 21:39:08 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2009/08/28 07:16:41 | 000,000,000 | ---- | M] () -- C:\itouch_config_crash_info.txt
    [2009/08/28 07:14:31 | 000,000,000 | ---- | M] () -- C:\itouch_crash_info.txt
    [2010/04/26 09:21:26 | 977,108,992 | ---- | M] () -- C:\LOGICAL VOLUME IDENTIFIER.ISO
    [2010/04/26 09:21:26 | 000,004,314 | ---- | M] () -- C:\LOGICAL VOLUME IDENTIFIER.MDS
    [2010/05/07 11:25:03 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
    [2009/08/16 21:39:08 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2008/04/14 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/04/14 05:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2012/04/03 17:26:19 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/08/16 21:38:48 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2007/08/13 02:40:19 | 000,019,968 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\cl31cpc.dll
    [2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2009/09/28 20:34:40 | 000,047,416 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LMIproc.dll
    [2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 03:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2012/03/06 16:15:19 | 000,041,184 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2009/08/16 14:30:11 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
    [2009/08/16 14:30:11 | 001,089,536 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2009/08/16 14:30:11 | 000,917,504 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2009/08/16 21:39:10 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2009/08/16 22:10:10 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2009/08/16 22:10:10 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\tasks\*.* >
    [2008/04/14 05:00:00 | 000,000,065 | RH-- | M] () -- C:\WINDOWS\tasks\desktop.ini
    [2012/04/03 17:26:29 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2009/08/16 22:10:10 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Administrator\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2012/04/03 17:26:32 | 000,008,180 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2012/04/03 17:59:30 | 000,049,152 | -HS- | M] () -- C:\Documents and Settings\Administrator\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/14 05:00:00 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2008/04/14 05:00:00 | 000,004,821 | R--- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2007/04/02 23:37:24 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 07:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 23:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/14 05:42:30 | 001,695,232 | -HS- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2008/04/14 05:00:00 | 000,009,306 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2008/04/14 05:00:00 | 000,018,052 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2008/04/14 05:00:00 | 000,009,306 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2007/04/02 23:37:28 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2007/04/02 23:34:02 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
    "NoAutoUpdate" = 0

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-03-14 20:26:34

    < End of report >

  12. #27
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    duplicate....
    Last edited by Broni; April 4th, 2012 at 01:45 PM.

  13. #28
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    I'm not sure what you mean by identical since you never posted it before...

    In any case...

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKU\S-1-5-21-117609710-764733703-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
      O20 - Winlogon\Notify\!SASWinLogon: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.


    =========================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warnings, so leave the interpretation of the results to me.


    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run from.
    • Please copy and paste the log to your reply.



    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on the Start button to begin the cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.



    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce any log.

  14. #29
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    I'll see about running these additional diagnostics, etc. when time allows. Thanks for all your help and once I have all the logs you seek, I'll post them.

    Thanks again.

  15. #30
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    OK.. I ran the OTL fix. When the system rebooted to the desktop, the Run application appeared before the desktop, so I clicked Run and the log file appeared for a second and then disappeared. When I search for OTL.txt files the only one is the one I just posted, so I can't find a log after the fix to post for you.. Does it have a different file name or path?

    Also, since I did all the various operations you requested yesterday, I notice that when the system boots at the beginning, there's a black screen that shows for a second or so with several selections such as Windows XP Home, Professional, etc., that I never saw before doing these operations. It doesn't interfere with anything but I had never seen it before. And the system seems to take longer to shut down than previously, though that could be due to changing from MSE to Avast.. No big deal. Everything seems to be operating fine and I'm not seeing any infection warnings from Avast. And as I said yesterday, Avast found 63 infections and cleaned them that MSE obviously missed.

    Thanks.
