[Resolved] Fallout from "Smart Fortress 2012" cleanup.

*

Bear (Malware Removal Mentors, Global Moderator)
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #15 on: March 11, 2012, 01:38:55 AM »
Hi edw
Back with new instructions soon.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

*

Bear (Malware Removal Mentors, Global Moderator)
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #16 on: March 11, 2012, 01:48:26 AM »
Hi edw

ComboFix is the easy way to start, but ZeroAccess often causes problems with it. We will go a different direction.

1.  Please download RogueKiller and save it to your USB flash memory and then transfer it to the desktop of the infected machine.

Now quit all running programs. Double click RogueKiller.exe to run it. For Vista/Seven, right click and select Run as administrator; for XP, simply run RogueKiller.exe.

2.  When prompted, type 1 and hit Enter.
A RKreport.txt should appear on your desktop.

Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.

3.  Download OTL from any of the following links and save to the desktop on your infected machine.
OTL1
OTL2
OTL3

Rename the program google.exe.

4.  Disable all of your anti-virus and anti-spyware programs. If you need help to disable them, go to Disable Anti Malware; be sure to re-enable them before posting your reply.

5.  Double click on the google.exe icon to run it (Vista and Windows 7 users: right click and select Run as Administrator). Make sure all other windows are closed and let it run uninterrupted.

6.  In the lower right corner, check "LOP Check" and "Purity Check". On the upper right, be sure Use Company-Name WhiteList and Skip Microsoft Files are checked. Copy the code in the code box below and paste it into the Custom Scan box.

Code:
netsvcs
drivers32
CREATERESTOREPOINT
msconfig
%systemroot%\*. /rp /s


7.  Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long. When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.


As always, please be sure Word Wrap is disabled in Notepad. Also be sure to check that the data you posted was not cut off by the site's posting size limits.

Please post the following as a reply to this post:
RKreport.txt
OTL.txt
Extras.txt
Any problems following the instructions above
Any questions



*

edw
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #17 on: March 11, 2012, 02:35:12 AM »
RogueKiller starts a scan and finds a suspicious registry key. Very shortly thereafter it blue-screens.

OTL (aka google) blue-screens immediately.

Both mention iastor.sys (exe?) on the blue screen.

Time for some sleep...

*

Bear (Malware Removal Mentors, Global Moderator)
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #18 on: March 11, 2012, 05:19:53 AM »
Hi edw
Iastor.sys is your RAID driver. Somehow the malware seems to have corrupted it. Often files are corrupted by malware. Try running both of these in safe mode.

I take it your infected PC does not have an internal floppy disk drive. Have you looked at your BIOS to see if you can set the USB emulation mode to floppy? That will allow you to use the F6 install of the RAID drivers.

If you get a BSOD error message, try to write it down and post it to me.

*

edw
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #19 on: March 11, 2012, 11:23:23 AM »
No internal floppy drive on this machine. Didn't find a BIOS option. It can't boot from a USB drive either.

In safe mode I had some success getting logs. RogueKiller crashed while scanning the MBR, so I turned off that option and it ran to completion.

RogueKiller V7.3.1 [03/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode
User: williams [Admin rights]
Mode: Scan -- Date: 03/11/2012 10:12:50

Bad processes: 0

Registry Entries: 7
[] HKLM\[...]\Windows :  () -> ACCESS DENIED
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{5BCB5AC2-47E7-4067-BB2B-3D43F96FC119} : NameServer (8.8.8.8,68.87.76.182,68.87.78.134,8.8.8.8,8.8.4.4) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71} : NameServer (206.13.28.12,206.13.31.12) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71} : NameServer (206.13.28.12,206.13.31.12) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71} : NameServer (206.13.28.12,206.13.31.12) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[] HKLM\[...]\Windows :  () -> ACCESS DENIED

Particular Files / Folders:

Driver: [NOT LOADED]

Infection : ZeroAccess
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

HOSTS File:
127.0.0.1       localhost
::1             localhost


MBR Check:

Finished : << RKreport[1].txt >>
RKreport[1].txt




*

edw
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #20 on: March 11, 2012, 11:27:21 AM »
OTL ran in safe mode OK.

Here are the logs. I'll be stopping by Fry's this morning to pick up a floppy drive...

OTL logfile created on: 3/11/2012 9:31:18 AM - Run 1
OTL by OldTimer - Version 3.2.36.3     Folder = C:\Documents and Settings\williams\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.99 Gb Total Physical Memory | 2.65 Gb Available Physical Memory | 88.68% Memory free
4.83 Gb Paging File | 4.69 Gb Available in Paging File | 96.91% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 634.76 Gb Total Space | 416.85 Gb Free Space | 65.67% Space Free | Partition Type: NTFS
Drive D: | 296.75 Gb Total Space | 143.30 Gb Free Space | 48.29% Space Free | Partition Type: NTFS
 
Computer Name: ASUS-I7-XP | User Name: williams | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012/03/11 01:05:14 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\williams\Desktop\google.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2008/04/14 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2011/05/05 00:02:44 | 000,355,432 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\nView\nvShell.dll
MOD - [2011/03/17 00:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/10/20 15:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2011/11/15 10:20:26 | 000,095,608 | ---- | M] (Dyn, Inc.) [Auto | Stopped] -- C:\Program Files\DynDNS Updater\DynUpSvc.exe -- (Dyn Updater)
SRV - [2011/09/29 10:59:42 | 000,022,016 | ---- | M] (Altaro) [Auto | Stopped] -- C:\Program Files\Altaro\Oops!Backup\OopsBackup.Service.exe -- (OopsBackup.Service.exe)
SRV - [2011/09/19 19:29:43 | 000,597,281 | ---- | M] () [Auto | Stopped] -- C:\Program Files\emailrelay\emailrelay-service.exe -- (emailrelay)
SRV - [2011/05/21 06:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/11/05 23:54:22 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel(R)
SRV - [2010/06/25 10:07:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009/11/23 15:28:28 | 000,683,008 | ---- | M] (Synametrics Technologies) [Auto | Stopped] -- C:\Programs\DeltaCopy\DCServce.exe -- (DeltaCopyService)
SRV - [2008/04/17 10:08:46 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/01/05 00:06:02 | 000,163,840 | ---- | M] (Alex Feinman) [On_Demand | Stopped] -- C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe -- (Imapi Helper)
SRV - [2005/11/28 14:02:54 | 000,172,032 | ---- | M] (Acronis) [Auto | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | Auto | Stopped] --  -- (SSPORT)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (IPSec)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | Auto | Stopped] --  -- (DgiVecp)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | Auto | Stopped] --  -- (ASPI32)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (ALSysIO)
DRV - [2012/01/29 13:22:55 | 000,121,208 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2010/10/14 07:48:52 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/06/25 10:07:14 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2010/02/01 13:10:50 | 000,024,344 | ---- | M] (SMART Modular) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\JeppDrive.sys -- (JEPPDRIVE)
DRV - [2009/12/18 10:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2009/10/04 11:28:47 | 000,217,664 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\truecrypt.sys -- (truecrypt)
DRV - [2009/08/29 19:46:44 | 000,249,152 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/08/29 19:46:44 | 000,030,688 | ---- | M] (Acronis) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/08/29 19:46:43 | 000,096,320 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2009/03/27 02:16:28 | 000,012,672 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\cpuz132_x32.sys -- (cpuz132)
DRV - [2008/11/18 12:27:58 | 000,083,296 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\jraid.sys -- (JRAID)
DRV - [2008/07/03 17:03:14 | 004,745,216 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/17 10:07:52 | 000,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2008/03/29 18:36:28 | 000,125,328 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2008/02/09 20:58:00 | 000,066,736 | R--- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\pnp680.sys -- (Pnp680)
DRV - [2007/12/17 18:14:06 | 000,012,400 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2007/05/31 07:19:22 | 000,096,896 | ---- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/01/18 18:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/11/22 06:20:00 | 000,072,704 | ---- | M] (WIBU-SYSTEMS AG) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\WibuKey.sys -- (WIBUKEY)
DRV - [2006/11/09 06:20:00 | 000,016,384 | ---- | M] (WIBU-SYSTEMS AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Wibukey2.sys -- (Wibukey2)
DRV - [2005/07/25 10:04:08 | 000,048,640 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2004/08/13 11:56:20 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\SearchScopes,DefaultScope = {65497A31-B9C8-47B3-A77C-A65B6E43BF95}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{65497A31-B9C8-47B3-A77C-A65B6E43BF95}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:2.0.2
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {aff87fa2-a58e-4edd-b852-0a20203c1e17}:0.8
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..network.proxy.http: "192.168.1.4"
FF - prefs.js..network.proxy.http_port: 9999
FF - prefs.js..network.proxy.type: 4
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files\Canon\ZoomBrowser EX\Program\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.0.5: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/24 20:10:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/12 08:54:25 | 000,000,000 | ---D | M]
 
[2009/09/03 22:44:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\williams\Application Data\Mozilla\Extensions
[2009/09/03 22:44:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\williams\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2012/02/16 08:56:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\williams\Application Data\Mozilla\Firefox\Profiles\9g2mvweg.default\extensions
[2011/09/13 23:39:15 | 000,000,000 | ---D | M] (Garmin Communicator) -- C:\Documents and Settings\williams\Application Data\Mozilla\Firefox\Profiles\9g2mvweg.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/05/11 21:23:06 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\williams\Application Data\Mozilla\Firefox\Profiles\9g2mvweg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/30 09:26:14 | 000,002,399 | ---- | M] () -- C:\Documents and Settings\williams\Application Data\Mozilla\Firefox\Profiles\9g2mvweg.default\searchplugins\daemon-search.xml
[2012/01/10 10:02:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\WILLIAMS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9G2MVWEG.DEFAULT\EXTENSIONS\{AFF87FA2-A58E-4EDD-B852-0A20203C1E17}.XPI
[2011/06/16 07:08:09 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2012/02/24 20:10:15 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/03 05:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/07 20:13:56 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
[2012/02/24 20:10:12 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/24 20:10:12 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - Extension: Entanglement = C:\Documents and Settings\williams\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.1.1_0\
CHR - Extension: Poppit = C:\Documents and Settings\williams\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\
 
O1 HOSTS File: ([2012/02/29 09:04:58 | 000,000,761 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AirPort Base Station Agent] C:\Program Files\AirPort\APAgent.exe (Apple Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [DNS7reminder] C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe ()
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe (Acronis)
O4 - HKCU..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe (SlySoft, Inc.)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Oops!Backup] C:\Program Files\Altaro\Oops!Backup\OopsBackup.exe (Altaro)
O4 - HKCU..\Run: [Seattle Avionics Data Manager] C:\Program Files\Seattle Avionics\Data Manager\DataManager.exe (Seattle Avionics, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dyn Updater Tray Icon.lnk = C:\Program Files\DynDNS Updater\DynTray.exe (Dyn, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Evernote Clipper.lnk = C:\WINDOWS\Installer\{F761359C-9CED-45AE-9A51-9D6605CD55C4}\Evernote.ico ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico ()
O4 - Startup: C:\Documents and Settings\williams\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\williams\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Documents and Settings\williams\Start Menu\Programs\Startup\Shortcut to CAPEXP.lnk = C:\Program Files\Capture Express\CAPEXP.EXE (Insight Software Solutions, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: Add to Evernote 4.0 - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} http://lumahai.dyndns.org/activex/AMC.cab (AxisMediaControlEmb Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5BCB5AC2-47E7-4067-BB2B-3D43F96FC119}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71}: NameServer = 206.13.28.12,206.13.31.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\williams\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\williams\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\eudora51\EuShlExt.dll (Qualcomm Inc.)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/07 19:58:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{a7828ae7-ce75-11df-b6ac-00248c37a1d3}\Shell - "" = AutoRun
O33 - MountPoints2\{a7828ae7-ce75-11df-b6ac-00248c37a1d3}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a7828ae7-ce75-11df-b6ac-00248c37a1d3}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
O33 - MountPoints2\L\Shell - "" = AutoRun
O33 - MountPoints2\L\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\L\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
NetSvcs: 6to4 -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: WmdmPmSp -  File not found
 
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
 
CREATERESTOREPOINT
Error creating restore point.
 
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012/03/11 01:16:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\williams\Desktop\RK_Quarantine
[2012/03/11 01:15:13 | 000,594,944 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\williams\Desktop\google.exe
[2012/03/10 21:04:13 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/03/10 20:49:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\setup.pss
[2012/03/10 19:50:46 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/10 19:50:46 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/10 19:50:46 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/10 19:50:46 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/10 19:50:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/03/10 19:50:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/10 19:49:30 | 004,432,970 | R--- | C] (Swearware) -- C:\Documents and Settings\williams\Desktop\ComboFix.exe
[2012/03/09 23:49:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2012/03/09 09:22:19 | 000,000,000 | R--D | C] -- C:\Documents and Settings\williams\Start Menu\Programs\Administrative Tools
[2012/03/09 03:04:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2012/03/08 20:20:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/03/08 19:48:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Core Temp
[2012/03/08 19:48:45 | 000,000,000 | ---D | C] -- C:\Program Files\Core Temp
[2012/03/08 10:15:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\williams\Application Data\Malwarebytes
[2012/03/08 10:15:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/03/08 10:15:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/03/08 10:15:30 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/03/08 10:15:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/03/08 09:52:50 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/03/08 09:35:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\williams\Start Menu\Programs\Smart Fortress 2012
[2012/03/08 09:31:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\99058D500033A0A4005FA5A6D151FC4E
[2012/02/29 23:07:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/02/29 23:07:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/02/15 10:39:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\williams\My Documents\Dropbox
[2012/02/15 10:36:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\williams\Start Menu\Programs\Dropbox
[2012/02/15 10:36:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\williams\Application Data\Dropbox
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2012/03/11 09:26:01 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/03/11 09:25:00 | 000,462,576 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/11 09:25:00 | 000,078,904 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/11 09:21:07 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/11 09:20:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/11 01:30:08 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2012/03/11 01:30:07 | 000,002,349 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Evernote Clipper.lnk
[2012/03/11 01:29:55 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/11 01:29:53 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\SDMsgUpdate (TE).job
[2012/03/11 01:25:09 | 000,016,256 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2012/03/11 01:05:14 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\williams\Desktop\google.exe
[2012/03/11 01:03:14 | 001,219,072 | ---- | M] () -- C:\Documents and Settings\williams\Desktop\RogueKiller.exe
[2012/03/11 00:19:10 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/10 00:36:22 | 004,432,970 | R--- | M] (Swearware) -- C:\Documents and Settings\williams\Desktop\ComboFix.exe
[2012/03/08 23:35:23 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/08 20:21:44 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2012/03/08 19:48:46 | 000,000,818 | ---- | M] () -- C:\Documents and Settings\williams\Desktop\Core Temp.lnk
[2012/03/08 10:26:52 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2012/03/08 10:15:32 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/08 10:01:41 | 000,000,633 | ---- | M] () -- C:\Documents and Settings\williams\My Documents\fixexe.zip
[2012/03/08 09:59:06 | 000,000,633 | ---- | M] () -- C:\Documents and Settings\williams\Desktop\fixexe.zip
[2012/03/01 00:56:42 | 000,001,027 | ---- | M] () -- C:\Documents and Settings\williams\Start Menu\Programs\Startup\Dropbox.lnk
[2012/03/01 00:56:42 | 000,001,027 | ---- | M] () -- C:\Documents and Settings\williams\Desktop\Dropbox.lnk
[2012/03/01 00:10:00 | 000,000,361 | ---- | M] () -- C:\Documents and Settings\williams\My Documents\fixexe.inf
[2012/03/01 00:10:00 | 000,000,326 | ---- | M] () -- C:\Documents and Settings\williams\My Documents\fixexe.reg
[2012/02/29 09:04:58 | 000,000,761 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/02/27 12:36:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/02/21 09:56:14 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AnyDVD.lnk
[2012/02/18 13:56:29 | 000,001,480 | ---- | M] () -- C:\WINDOWS\AUTOLNCH.REG
[2012/02/16 08:55:19 | 000,269,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/16 04:01:33 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/02/12 11:11:24 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2012/03/11 01:16:00 | 000,016,256 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2012/03/11 01:15:09 | 001,219,072 | ---- | C] () -- C:\Documents and Settings\williams\Desktop\RogueKiller.exe
[2012/03/10 19:50:46 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/10 19:50:46 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/10 19:50:46 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/10 19:50:46 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/10 19:50:46 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/08 19:48:46 | 000,000,818 | ---- | C] () -- C:\Documents and Settings\williams\Desktop\Core Temp.lnk
[2012/03/08 10:26:52 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2012/03/08 10:15:32 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/08 10:02:48 | 000,000,361 | ---- | C] () -- C:\Documents and Settings\williams\My Documents\fixexe.inf
[2012/03/08 10:02:48 | 000,000,326 | ---- | C] () -- C:\Documents and Settings\williams\My Documents\fixexe.reg
[2012/03/08 10:01:41 | 000,000,633 | ---- | C] () -- C:\Documents and Settings\williams\My Documents\fixexe.zip
[2012/03/08 09:58:56 | 000,000,633 | ---- | C] () -- C:\Documents and Settings\williams\Desktop\fixexe.zip
[2012/02/21 09:56:14 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AnyDVD.lnk
[2012/02/15 10:39:35 | 000,001,027 | ---- | C] () -- C:\Documents and Settings\williams\Desktop\Dropbox.lnk
[2012/02/15 10:37:17 | 000,001,027 | ---- | C] () -- C:\Documents and Settings\williams\Start Menu\Programs\Startup\Dropbox.lnk
[2012/02/15 04:42:51 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/15 04:42:51 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2011/10/23 15:05:30 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/10/23 15:05:30 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/10/23 15:05:30 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/05/21 06:01:00 | 002,123,582 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2011/04/10 08:36:50 | 000,423,520 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/04/04 23:05:42 | 000,000,183 | ---- | C] () -- C:\Documents and Settings\williams\Application Data\PropCalc Preferences
[2010/10/14 07:56:57 | 008,977,408 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\toolboxDatabase
[2010/10/10 19:17:42 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\williams\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/13 18:55:36 | 000,022,723 | R--- | C] () -- C:\WINDOWS\System32\ml285pl3.dll
[2010/06/25 10:03:12 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2010/05/02 23:18:12 | 000,000,748 | ---- | C] () -- C:\WINDOWS\GARMINWT.INI
[2010/04/29 08:30:09 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/29 08:18:45 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
 
========== LOP Check ==========
 
[2012/03/08 09:31:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\99058D500033A0A4005FA5A6D151FC4E
[2011/01/25 23:48:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Altaro
[2010/10/14 07:48:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2011/10/22 14:09:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dyn
[2009/12/31 12:13:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DynDNS
[2009/08/30 23:50:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
[2010/01/01 11:24:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
[2012/03/11 01:30:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OopsBackup
[2010/04/25 17:36:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/08/30 23:38:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2010/01/01 11:27:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/09/18 14:21:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tomvale Aviation Calculator
[2011/05/09 23:00:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/04/14 22:09:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/04 11:47:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/08/15 18:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2011/05/28 09:09:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Amazon
[2011/04/05 19:51:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\calibre
[2009/04/12 12:37:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\DAEMON Tools
[2009/08/30 09:27:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\DAEMON Tools Lite
[2009/04/12 12:37:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\DAEMON Tools Pro
[2012/03/11 01:30:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Dropbox
[2011/06/16 08:02:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\ElevatedDiagnostics
[2010/01/07 20:06:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Foxit
[2010/07/26 22:15:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Foxit Software
[2010/05/15 09:23:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\GARMIN
[2010/10/14 07:51:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\GetRightToGo
[2010/05/23 11:02:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\GPS Utility
[2011/03/22 22:26:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\gtk-2.0
[2010/10/17 17:28:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\MechanicToolboxPreferences
[2009/08/30 14:08:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Milestone
[2010/01/01 11:27:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Nuance
[2009/08/15 13:31:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Publish Providers
[2009/09/02 20:16:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Qualcomm
[2010/04/25 17:36:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\ScanSoft
[2010/08/26 22:59:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Seattle Avionics
[2011/06/04 12:41:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\SmartDraw
[2009/08/15 13:31:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Sony
[2010/01/07 20:41:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\SSH
[2011/03/25 22:52:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\SystemRequirementsLab
[2011/09/28 09:10:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Taunton
[2009/10/04 11:32:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\TrueCrypt
[2010/01/03 14:30:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\UDC Profiles
[2011/10/23 15:04:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Windows Desktop Search
[2011/11/13 19:24:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\williams\Application Data\Windows Search
[2012/03/11 09:26:01 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2012/03/11 01:29:53 | 000,000,478 | ---- | M] () -- C:\WINDOWS\Tasks\SDMsgUpdate (TE).job
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %systemroot%\*. /rp /s >
 
========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB5333$] -> Error: Cannot create file handle -> Unknown point type
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 72 bytes -> C:\WINDOWS:F13A76C4FF555B6A
@Alternate Data Stream - 514 bytes -> C:\WINDOWS\System32\drivers\svkrnvma.sys:changelist
@Alternate Data Stream - 428 bytes -> C:\WINDOWS\System32\drivers\haktfvqm.sys:changelist
@Alternate Data Stream - 40 bytes -> C:\WINDOWS\system32:596b7314.zreglib

< End of report >

Offline edw

  • Bronze Member
  • 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #21 on: March 11, 2012, 11:28:25 AM »

OTL Extras logfile created on: 3/11/2012 9:31:18 AM - Run 1
OTL by OldTimer - Version 3.2.36.3     Folder = C:\Documents and Settings\williams\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.99 Gb Total Physical Memory | 2.65 Gb Available Physical Memory | 88.68% Memory free
4.83 Gb Paging File | 4.69 Gb Available in Paging File | 96.91% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 634.76 Gb Total Space | 416.85 Gb Free Space | 65.67% Space Free | Partition Type: NTFS
Drive D: | 296.75 Gb Total Space | 143.30 Gb Free Space | 48.29% Space Free | Partition Type: NTFS
 
Computer Name: ASUS-I7-XP | User Name: williams | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\svc]
"AntiVirusDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallDisableNotify" = 1
"FirewallOverride" = 1
"UpdatesDisableNotify" = 1
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5900:TCP" = 5900:TCP:*:Enabled:vnc5900
"5800:TCP" = 5800:TCP:*:Enabled:vnc5800
"5353:UDP" = 5353:UDP:*:Enabled:Bonjour
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Games\Flight Simulator 9\fs9.exe" = C:\Program Files\Microsoft Games\Flight Simulator 9\fs9.exe:*:Enabled:Microsoft Flight Simulator -- (Microsoft Corporation)
"C:\WINDOWS\system32\dpnsvr.exe" = C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server -- (Microsoft Corporation)
"C:\Documents and Settings\williams\Desktop\X-Plane 9\X-Plane.exe" = C:\Documents and Settings\williams\Desktop\X-Plane 9\X-Plane.exe:*:Enabled:X-Plane
"C:\Program Files\X-Plane 9\X-Plane.exe" = C:\Program Files\X-Plane 9\X-Plane.exe:*:Enabled:X-Plane -- ()
"C:\Program Files\NETGEAR ReadyNAS\RAIDar.exe" = C:\Program Files\NETGEAR ReadyNAS\RAIDar.exe:*:Enabled:Monitor ReadyNAS device -- (Netgear Inc.)
"D:\Drivesavers\1st_Partition_C\HP DS9100C\Link\hpnsjtr.exe" = D:\Drivesavers\1st_Partition_C\HP DS9100C\Link\hpnsjtr.exe:*:Enabled:HP Digital Sender Link -- (Hewlett Packard)
"C:\HPDS9100C\Link\hpnsjtr.exe" = C:\HPDS9100C\Link\hpnsjtr.exe:*:Enabled:HP Digital Sender Link -- (Hewlett Packard)
"D:\Drivesavers\2nd_Partition_D\Programs\Cessna NAVIII G1000 Trainer v8.01\CDUSIMv2.exe" = D:\Drivesavers\2nd_Partition_D\Programs\Cessna NAVIII G1000 Trainer v8.01\CDUSIMv2.exe:*:Enabled:CDUSIMv2 -- ()
"C:\Garmin_simulators\Cessna NAVIII G1000 Trainer v8.01\CDUSIMv2.exe" = C:\Garmin_simulators\Cessna NAVIII G1000 Trainer v8.01\CDUSIMv2.exe:*:Enabled:CDUSIMv2 -- ()
"C:\Program Files\AirPort\APUtil.exe" = C:\Program Files\AirPort\APUtil.exe:*:Enabled:AirPort Utility -- (Apple Inc.)
"C:\Program Files\Garmin\G600 Trainer\GNS\G530SIM.exe" = C:\Program Files\Garmin\G600 Trainer\GNS\G530SIM.exe:*:Enabled:G530SIM -- ()
"C:\Program Files\Garmin\G600 Trainer\GNS\hsi400wx.exe" = C:\Program Files\Garmin\G600 Trainer\GNS\hsi400wx.exe:*:Enabled:hsi400wx -- ()
"C:\Program Files\Garmin\G600 Trainer\GDU\CDUSIMv2.exe" = C:\Program Files\Garmin\G600 Trainer\GDU\CDUSIMv2.exe:*:Enabled:CDUSIMv2 -- ()
"C:\Program Files\Garmin\G600 Trainer\GSM\gsim_server.exe" = C:\Program Files\Garmin\G600 Trainer\GSM\gsim_server.exe:*:Enabled:gsim_server -- ()
"C:\Program Files\Microsoft Office\Office14\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office14\GROOVE.EXE:*:Enabled:Microsoft SharePoint Workspace -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE:*:Enabled:Microsoft OneNote -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\AirPort\APAgent.exe" = C:\Program Files\AirPort\APAgent.exe:*:Enabled:AirPort -- (Apple Inc.)
"C:\Program Files\emailrelay\emailrelay.exe" = C:\Program Files\emailrelay\emailrelay.exe:*:Enabled:E-MailRelay Application -- ( )
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe" = C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe:*:Enabled:Daemonu.exe -- (NVIDIA Corporation)
"C:\Documents and Settings\williams\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\williams\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00060000-0000-1004-8002-0000C06B5161}" = WIBU-KEY Setup (WIBU-KEY Remove)
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1" = Core Temp 1.0 RC3
"{0C2BFDB2-CB04-497D-86F7-005FA43D5B1B}" = Milestone XProtect Smart Client 3.6f
"{11106FF1-0604-4267-A150-8A7F70FE3E28}" = Jeppesen Services Update Manager
"{15C77FC3-8137-4A5E-8F81-F559045DD6B0}" = Shipping Assistant 3.6
"{1EFC18C2-73F0-4B51-A407-2EE3A54CBB8E}" = Jeppesen Services Update Manager
"{20207CCE-A8FA-44A7-AA3D-1E43EB307B27}" = Sony Sound Forge Audio Studio 9.0
"{26A24AE4-039D-4CA4-87B4-2F83216026FF}" = Java(TM) 6 Update 29
"{29ED20C9-5E15-4969-9279-25BF3727A3DA}" = iTunes
"{2B0DF49C-FC06-4B2B-934A-92E2DCE20C4C}" = Jeppesen Services
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{356053FD-29D0-4E25-9B20-11128238575A}" = Jeppesen Services Update Manager
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMicron JMB36X Driver
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{40184457-4514-4B18-84A8-6BB8A3AB6A81}" = AirPort
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A5A427F-BA39-4BF0-9A47-9999FBE60C9F}" = Visual C++ Runtime for Dragon NaturallySpeaking
"{4C271126-C295-4828-A901-5910AE0C258B}" = Cisco Systems VPN Client 5.0.03.0530
"{529125EF-E3AC-4B74-97E6-F688A7C0F1BF}" = Paint.NET v3.5.10
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{597E70FF-7C46-4EED-8092-91B7C2E0529D}" = Google SketchUp 7
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{67B301C4-0846-4244-AF98-A3C054518EE9}" = Eudora
"{6ED0DD63-2AD2-4D6B-99A4-1B3DEFD2ACE2}" = Jeppesen Services Update Manager
"{709CFAAF-D084-4612-9E73-79E4B82FBFE0}" = Jeppesen Services Update Manager
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{735619D4-B42A-437A-958C-199BFCAEDB38}" = Safari
"{76CE5B47-F5A4-4E5C-99A0-CEFF6146EA4A}" = System Requirements Lab for Intel
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{779DECD7-E072-4B56-9B6B-BEB5973EEEB5}" = MobileMe Control Panel
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A0696EB-C0F9-4B36-B0BC-71CC704FA768}" = Crazy Machines II + Demo
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders  (English) 12
"{90140000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders  (English) 14
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUSR_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUSR_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90AABED0-25A8-41FC-B738-224889E31033}" = Nero 8
"{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{93099B48-E36A-46C9-A03F-C85201D9B1C1}" = Foxit PDF IFilter
"{9465F5D7-8083-49E5-993B-0DCA77EFAFD9}" = SolarPathfinder Assistant 1.1
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96F1071D-E222-46A6-98B9-5E2C50F1B145}" = Fine Woodworking Archive
"{9930D15E-94E7-4F3E-9203-15BCC66799F3}" = Digital Aviation Reference Library
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D210D79-AEC5-453B-960C-4DD2C73931E1}" = Bonjour Print Services
"{A00B9A50-3090-4CFF-9CDA-82DA0BEDAA21}" = Apple Mobile Device Support
"{A0494B41-EBD7-4C0D-91B7-DC39741B27BB}" = Express Gate
"{A05087CE-188A-4461-B04E-334FEA7B8661}" = Fine Homebuilding Archive
"{A0B70E96-CFD8-4DCF-ACAE-E8B532A52C74}" = IP Trainer
"{A1B6612C-FB17-4D59-8083-CE3FBFDED274}" = Jeppesen Services Update Manager
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5085E4F-2FC8-4D4B-9FD6-F5F4F28E5483}" = Oops!Backup
"{A62F50D4-EED7-4417-A382-E89ABCF11BAC}" = SketchUp DWG Importer
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC40F618-F3DD-4284-B32E-3DA5817FBC9B}" = Jeppesen Services Update Manager
"{AC76BA86-1033-0000-BA7E-000000000001}" = Adobe Acrobat 6.0 Standard
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{AFE499B5-FCC4-45E6-A1A5-3C51AE0E539B}" = Mobipocket Creator 4.2
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView" = NVIDIA nView 135.85
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.3.5
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B8B6A1AB-AB5E-4821-B151-5D1E4B654395}" = On Top 9.5 Demo
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C59E019B-0952-4B72-A382-68A72224F88F}" = GNS400W-500W Trainer
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CA83357B-931E-44DC-AD43-9996FEEB8116}" = Acronis True Image
"{CAD6906B-F881-443E-847A-8745B76F7ADA}" = Voyager 4 Flight Software System
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D17111CB-C992-42A9-9D56-C19395102AAA}" = Garmin WebUpdater
"{D22002ED-EE2A-4CB1-A63D-430E62A2E8D8}" = Google SketchUp 8
"{D5CB2462-B8BD-46D7-9C12-9C505090A418}" = Investment Account Manager 2
"{D6E5F58F-C879-4EC1-90F7-BA31BABF10C9}" = DeltaCopy
"{DFC6573E-124D-4026-BFA4-B433C9D3FF21}" = ISO Recorder
"{DFF135C9-274E-443B-B2D1-FF0FD93EE790}" = calibre
"{E6AC954B-80A2-434B-A9DD-3D9DCE5E024D}" = G600 Trainer
"{E7712E53-7A7F-46EB-AA13-70D5987D30F2}" = Dragon NaturallySpeaking 10
"{EAB81128-4E37-4BE1-84EF-B051EFA9182B}" = HP Digital Sender 9100C
"{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}" = PL-2303 USB-to-Serial
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F251B999-08A9-4704-999C-9962F0DFD88E}" = Virtual Desktop Manager Powertoy for Windows XP
"{F7338FA3-DAB5-49B2-900D-0AFB5760C166}" = PC Probe II
"{F761359C-9CED-45AE-9A51-9D6605CD55C4}" = Evernote v. 4.1
"3EB2535D-418E-4247-A117-D3846AA1B2F6_is1" = HP iPAQ 31x Map Update (NAENG) (03/22/2008 map datum)
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices  (06/03/2009 2.3.0.0)
"7-Zip" = 7-Zip 9.20
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.12
"AnyDVD" = AnyDVD
"Audacity_is1" = Audacity 1.2.6
"AXIS Media Control Embedded" = AXIS Media Control Embedded
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon MOV Decoder" = Canon MOV Decoder
"Canon MOV Encoder" = Canon MOV Encoder
"Cessna G1000 Trainer v6.01" = Cessna G1000 Trainer v6.01
"CloneDVD2" = CloneDVD2
"CPUID CPU-Z_is1" = CPUID CPU-Z 1.53.1
"DAEMON Tools Toolbar" = DAEMON Tools Toolbar
"DiskCheckup_is1" = DiskCheckup v3.0.1006
"DynUpdater" = Dyn Updater
"Flight Simulator 9.0" = Microsoft Flight Simulator 2004 A Century of Flight
"FolderMatch_is1" = FolderMatch v3.5.5
"Foxit Creator" = Foxit Creator
"Foxit Reader" = Foxit Reader
"GA IFR Panel Demo Setup_is1" = GA IFR Panel Demo Setup
"GARMIN 400 Series Trainer" = GARMIN 400 Series Trainer
"Google Chrome" = Google Chrome
"GPS Utility_is1" = GPSU version 5.05
"HP Scanning Software" = HP PrecisionScan Pro and Utilities
"Hugin" = Hugin 2011.0.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"iGolf Neo Sync" = iGolf Neo Sync Application v3.0.2
"LADSPA_plugins-win_is1" = LADSPA_plugins-win-0.4.15
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Lexmark Printer Software Uninstall" = Lexmark Printer Software Uninstall
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Mechanic's Toolbox" = Mechanic's Toolbox
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox 10.0.2 (x86 en-US)" = Mozilla Firefox 10.0.2 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"mv61xxDriver" = marvell 61xx
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Office14.PROPLUSR" = Microsoft Office Professional Plus 2010
"OpenAL" = OpenAL
"oZone3D.Net FurMark_is1" = oZone3D.Net FurMark v1.6.5
"Personal Printing Guide" = Canon Personal Printing Guide
"PhotoStitch" = Canon Utilities PhotoStitch
"Picasa 3" = Picasa 3
"RAIDar 4.1.3" = RAIDar 4.1.3
"Reality XP Garmin GNS WAAS for X-Plane 9_is1" = Reality XP Garmin GNS WAAS for X-Plane 9
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Savings Bond Wizard" = Savings Bond Wizard
"Sketchpad" = Sketchpad
"SmartDraw VP" = SmartDraw VP
"SoftwareStarterGuide-DCSD40_46" = Canon Digital Camera Solution Disk 40-46 Software Starter Guide
"Tomvale Aviation Calculator" = Tomvale Aviation Calculator
"TrueCrypt" = TrueCrypt
"Tweak UI 2.10" = Tweak UI
"Universal Document Converter_is1" = Universal Document Converter (Demo)
"VLC media player" = VLC media player 1.0.5
"VST Bridge_is1" = VST Bridge 1.1
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinGimp-2.0_is1" = GIMP 2.6.8
"WinPcapInst" = WinPcap 4.1.2
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yorick_is1" = Yorick 2.1.05
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ADDS Flight Path Tool" = ADDS Flight Path Tool
"Dropbox" = Dropbox
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 3/11/2012 3:26:23 AM | Computer Name = ASUS-I7-XP | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
 P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
 P8 NIL, P9 NIL, P10 NIL.
 
Error - 3/11/2012 3:50:45 AM | Computer Name = ASUS-I7-XP | Source = JavaQuickStarterService | ID = 1
Description =
 
Error - 3/11/2012 3:50:45 AM | Computer Name = ASUS-I7-XP | Source = emailrelay | ID = 1003
Description = emailrelay: error: cannot bind the listening port: 192.168.1.8:25
 
Error - 3/11/2012 4:14:03 AM | Computer Name = ASUS-I7-XP | Source = JavaQuickStarterService | ID = 1
Description =
 
Error - 3/11/2012 4:14:03 AM | Computer Name = ASUS-I7-XP | Source = emailrelay | ID = 1003
Description = emailrelay: error: cannot bind the listening port: 192.168.1.8:25
 
Error - 3/11/2012 4:23:02 AM | Computer Name = ASUS-I7-XP | Source = JavaQuickStarterService | ID = 1
Description =
 
Error - 3/11/2012 4:23:02 AM | Computer Name = ASUS-I7-XP | Source = emailrelay | ID = 1003
Description = emailrelay: error: cannot bind the listening port: 192.168.1.8:25
 
Error - 3/11/2012 4:30:19 AM | Computer Name = ASUS-I7-XP | Source = JavaQuickStarterService | ID = 1
Description =
 
Error - 3/11/2012 4:30:19 AM | Computer Name = ASUS-I7-XP | Source = emailrelay | ID = 1003
Description = emailrelay: error: cannot bind the listening port: 192.168.1.8:25
 
Error - 3/11/2012 12:31:03 PM | Computer Name = ASUS-I7-XP | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
 P8 NIL, P9 NIL, P10 NIL.
 
[ System Events ]
Error - 3/9/2012 3:02:12 AM | Computer Name = ASUS-I7-XP | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
 which failed to start because of the following error:   %%1075
 
Error - 3/9/2012 3:02:13 AM | Computer Name = ASUS-I7-XP | Source = Service Control Manager | ID = 7003
Description = The TCP/IP Protocol Driver service depends on the following nonexistent
 service: IPSec
 
Error - 3/9/2012 3:02:13 AM | Computer Name = ASUS-I7-XP | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
 which failed to start because of the following error:   %%1075
 
Error - 3/9/2012 3:02:15 AM | Computer Name = ASUS-I7-XP | Source = Service Control Manager | ID = 7003
Description = The TCP/IP Protocol Driver service depends on the following nonexistent
 service: IPSec
 
Error - 3/9/2012 3:02:15 AM | Computer Name = ASUS-I7-XP | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
 which failed to start because of the following error:   %%1075
 
Error - 3/9/2012 3:02:17 AM | Computer Name = ASUS-I7-XP | Source = Service Control Manager | ID = 7003
Description = The TCP/IP Protocol Driver service depends on the following nonexistent
 service: IPSec
 
Error - 3/9/2012 3:02:17 AM | Computer Name = ASUS-I7-XP | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
 which failed to start because of the following error:   %%1075
 
Error - 3/9/2012 3:02:19 AM | Computer Name = ASUS-I7-XP | Source = Service Control Manager | ID = 7003
Description = The TCP/IP Protocol Driver service depends on the following nonexistent
 service: IPSec
 
Error - 3/9/2012 3:02:19 AM | Computer Name = ASUS-I7-XP | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
 which failed to start because of the following error:   %%1075
 
Error - 3/9/2012 3:02:21 AM | Computer Name = ASUS-I7-XP | Source = Service Control Manager | ID = 7003
Description = The TCP/IP Protocol Driver service depends on the following nonexistent
 service: IPSec
 
 
< End of report >

*

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • 2830
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #22 on: March 11, 2012, 04:09:47 PM »
Hi edw

Hopefully you've got the floppy installed.  Let's run OTL again in safe mode first.  Then let's try to fix the raid drivers.  And if all that works we'll go back and run CF again.

1.   Double click on the OTL icon to run it (Vista and Windows 7 users right click and select Run as Administrator). Make sure all other windows are closed and to let it run uninterrupted.

2.  In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".  On the upper right be sure Use Company-Name WhiteList and Skip Microsoft Files are checked.  Copy the code in the code box below and paste it into the Custom Scan box.

Code:
:OTL
O1 - Hosts: ::1 localhost
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
[2012/03/08 09:31:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\99058D500033A0A4005FA5A6D151FC4E
[C:\WINDOWS\$NtUninstallKB5333$] -> Error: Cannot create file handle -> Unknown point type
@Alternate Data Stream - 72 bytes -> C:\WINDOWS:F13A76C4FF555B6A
@Alternate Data Stream - 514 bytes -> C:\WINDOWS\System32\drivers\svkrnvma.sys:changelist
@Alternate Data Stream - 428 bytes -> C:\WINDOWS\System32\drivers\haktfvqm.sys:changelist
@Alternate Data Stream - 40 bytes -> C:\WINDOWS\system32:596b7314.zreglib


:FILES
c:\windows\NtUpdateKB*.*

:Commands
[REBOOT]
[REBOOT]
[EMPTYTEMP]
[RESETHOSTS]
[EMPTYJAVA]



3.  Click on the Run Fix button.  The fix log is saved on your C: drive under OTL\Moved Files as date-some number.log.  Reboot your PC.



As always please check to be sure Word Wrap is NOT turned on in any Notepad files you post and please be sure to check that all the data you entered was posted.  If not, use multiple posts.

Now please post the following to me as a reply to this post:
OTL Fix Log
Let me know how your computer is operating and if you have internet connection
If you have any questions or problems, let me know that as well

Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

*

Offline edw

  • Bronze Member
  • 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #23 on: March 12, 2012, 01:45:23 AM »
   I finally got the recovery console installed.  Turned out my F6 floppy with the raid drivers was unreadable.  Made a new one and the install appeared to work.

   I ran the ACL commands:

    It hung with the message "Cannot create file C:\WINDOWS\System32\drivers\etc\Hosts"
    I rebooted and reset the permissions for the hosts file and reran ACL.  It completed and requested a reboot.  I rebooted back into safe mode.

   Here's the log.

   BTW I struggle with the safe mode desktop.  It only shows a fraction of my icons and I struggle to get to the rest of them...



*

Offline edw

  • Bronze Member
  • 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #24 on: March 12, 2012, 01:49:08 AM »
    Some crazy control characters prevented the log from posting.  Here it is:



*

Offline edw

  • Bronze Member
  • 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #25 on: March 12, 2012, 01:51:18 AM »

   Maybe this time:


All processes killed
========== OTL ==========
::1 localhost removed from HOSTS file successfully
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Folder C:\Documents and Settings\All Users\Application Data\99058D500033A0A4005FA5A6D151FC4E\ not found.
Unable to remove Unknown point type C:\WINDOWS\$NtUninstallKB5333$
ADS C:\WINDOWS:F13A76C4FF555B6A deleted successfully.
ADS C:\WINDOWS\System32\drivers\svkrnvma.sys:changelist deleted successfully.
ADS C:\WINDOWS\System32\drivers\haktfvqm.sys:changelist deleted successfully.
ADS C:\WINDOWS\system32:596b7314.zreglib deleted successfully.
========== FILES ==========
File\Folder c:\windows\NtUpdateKB*.* not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56502 bytes
 
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: marlene
->Temp folder emptied: 604500 bytes
->Temporary Internet Files folder emptied: 509763 bytes
->Java cache emptied: 37562594 bytes
->FireFox cache emptied: 50221986 bytes
->Flash cache emptied: 405 bytes
 
User: NetworkService
->Temp folder emptied: 2200820 bytes
->Temporary Internet Files folder emptied: 122005942 bytes
->Java cache emptied: 13276 bytes
->Flash cache emptied: 32513 bytes
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56502 bytes
 
User: williams
->Temp folder emptied: 4592508903 bytes
->Temporary Internet Files folder emptied: 74148113 bytes
->Java cache emptied: 36486747 bytes
->FireFox cache emptied: 50480632 bytes
->Google Chrome cache emptied: 6958143 bytes
->Flash cache emptied: 158451 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2557692 bytes
%systemroot%\System32 .tmp files removed: 1162769 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 555548832 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 384625368 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 5,644.00 mb
 
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
[EMPTYJAVA]
 
User: Administrator
 
User: All Users
 
User: Default User
 
User: LocalService
 
User: marlene
->Java cache emptied: 0 bytes
 
User: NetworkService
->Java cache emptied: 0 bytes
 
User: UpdatusUser
 
User: williams
->Java cache emptied: 0 bytes
 
Total Java Files Cleaned = 0.00 mb
 
 
OTL by OldTimer - Version 3.2.36.3 log created on 03122012_003039
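Bear's fix script in Reply #22 lists the items to remove, and the log in Reply #25 reports what happened to each of them. The parser below is an added example, not code from the thread or from OTL's author: it walks a fix log, sorts every action into succeeded, not found, or failed, and then checks that the per-item byte counts add up to the "Total Files Cleaned" line. The embedded sample is a trimmed copy of the log above (most per-user blocks dropped, total recomputed for the lines kept), so its numbers are constructed.

```python
"""Parse an OTL fix log and check that every requested action actually took effect."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the fix log posted above, with most
# per-user blocks removed and the total recomputed to match the lines kept.
SAMPLE_LOG = r"""
All processes killed
========== OTL ==========
::1 localhost removed from HOSTS file successfully
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Folder C:\Documents and Settings\All Users\Application Data\99058D500033A0A4005FA5A6D151FC4E\ not found.
Unable to remove Unknown point type C:\WINDOWS\$NtUninstallKB5333$
ADS C:\WINDOWS:F13A76C4FF555B6A deleted successfully.
ADS C:\WINDOWS\System32\drivers\svkrnvma.sys:changelist deleted successfully.
========== FILES ==========
File\Folder c:\windows\NtUpdateKB*.* not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: marlene
->Temp folder emptied: 604500 bytes
->Java cache emptied: 37562594 bytes

User: williams
->Temp folder emptied: 4592508903 bytes
->FireFox cache emptied: 50480632 bytes

Windows Temp folder emptied: 555548832 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 4,994.11 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
"""

OK_RE = re.compile(r"\b(deleted|removed|moved|reset)\b.*\bsuccessfully\b")
BYTES_RE = re.compile(r":\s*(\d+) bytes$")
TOTAL_RE = re.compile(r"Total Files Cleaned = ([\d,]+(?:\.\d+)?) mb")


@dataclass
class FixSummary:
    ok: List[str] = field(default_factory=list)
    not_found: List[str] = field(default_factory=list)
    failed: List[str] = field(default_factory=list)
    bytes_cleaned: int = 0
    reported_mb: Optional[float] = None

    def total_consistent(self, tolerance_mb: float = 1.0) -> bool:
        """True if the 'Total Files Cleaned' line agrees with the per-item byte counts (MiB)."""
        if self.reported_mb is None:
            return False
        return abs(self.bytes_cleaned / 2**20 - self.reported_mb) < tolerance_mb


def parse_fix_log(text: str) -> FixSummary:
    """Classify each line of an OTL fix log; byte counts and the total are summed separately."""
    s = FixSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BYTES_RE.search(line)
        if m:
            s.bytes_cleaned += int(m.group(1))
            continue
        m = TOTAL_RE.search(line)
        if m:
            s.reported_mb = float(m.group(1).replace(",", ""))
            continue
        if line.startswith("Unable to"):
            s.failed.append(line)
        elif line.endswith("not found."):
            s.not_found.append(line)
        elif OK_RE.search(line):
            s.ok.append(line)
    return s


def needs_follow_up(summary: FixSummary) -> List[str]:
    """Items the helper should revisit: failed removals, and a total that does not add up."""
    issues = list(summary.failed)
    if not summary.total_consistent():
        issues.append("reported total does not match per-item byte counts")
    return issues


if __name__ == "__main__":
    summary = parse_fix_log(SAMPLE_LOG)
    print(f"ok={len(summary.ok)} not_found={len(summary.not_found)} failed={len(summary.failed)}")
    print(f"bytes cleaned={summary.bytes_cleaned} "
          f"({summary.bytes_cleaned / 2**20:.2f} MB), reported={summary.reported_mb} MB")
    for item in needs_follow_up(summary):
        print("FOLLOW UP:", item)
```

On the sample the only item needing follow-up is the $NtUninstallKB5333$ directory that OTL could not remove. "Not found" entries mean the item was already gone when the fix ran, so they are worth confirming in a fresh scan rather than being counted as removals.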

*

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • 2830
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #26 on: March 12, 2012, 02:47:39 AM »
Hi edw

Great, we are making some progress.

Please go back and run ComboFix per instructions in post # 2. 
First uninstall the existing copy of ComboFix:

Copy the code in the code box below.

Code:

combofix /uninstall


Now click on start/run and paste the copied code into the input box.
Click OK.  Reboot your PC.

Now install a fresh copy and rename it to gotcha.exe, then follow the instructions on running it.  Run it in normal operating mode if you can, else safe mode.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

*

Offline edw

  • Bronze Member
  • 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #27 on: March 12, 2012, 02:12:29 PM »
  Tried to boot in Normal mode  - BSOD

  Booted in Safe Mode  - combofix complained about the recovery console not being up-to-date

  Shut down, rebooted in safe mode with networking and ran combofix - It reported I have the Zero Access rootkit, inserted into the TCP/IP stack.  It then detected rootkit activity and requested a reboot.  I still have no network, but let combofix run anyway.

  Rebooted in safe mode w/o networking - combofix continued to run through at least 30 stages.  It rebooted itself while I wasn't watching and came back in normal mode.  Combofix reported it was preparing a log file and had a BSOD.

  Rebooted into Safe Mode - couldn't find any combofix.txt log file. Sigh...

   Should I rerun it or what?


*

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • 2830
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #28 on: March 12, 2012, 04:56:25 PM »
Hi edw

Like I said, Zero Access is a Bear and they keep making it harder to remove.  The guys that develop these viruses aren't kids, they are some of the highest paid programmers in the world.  They sell these things to criminals who use them to mine data, redirect, etc.  They sell them for millions of dollars.  Our next step is to run RogueKiller again and see if it works.  I'm sure CF removed some things, we just don't know what at this point.  Follow the instructions on post 16.  See if we can get a look at the MBR this time.  That's where ZA hides its brains.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

*

Offline edw

  • Bronze Member
  • 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #29 on: March 12, 2012, 08:10:20 PM »
  Crashed again scanning the MBR.  Here's what else it had to say - not much, I think:

RogueKiller V7.3.1 [03/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode
User: williams [Admin rights]
Mode: Scan -- Date: 03/12/2012 19:05:25

Bad processes: 0

Registry Entries: 8
[SUSP PATH] HKLM\[...]\RunOnce : OTL ("C:\Documents and Settings\williams\Desktop\google.exe") -> FOUND
[] HKLM\[...]\Windows :  () -> ACCESS DENIED
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{5BCB5AC2-47E7-4067-BB2B-3D43F96FC119} : NameServer (8.8.8.8,68.87.76.182,68.87.78.134,8.8.8.8,8.8.4.4) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71} : NameServer (206.13.28.12,206.13.31.12) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71} : NameServer (206.13.28.12,206.13.31.12) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71} : NameServer (206.13.28.12,206.13.31.12) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[] HKLM\[...]\Windows :  () -> ACCESS DENIED

Particular Files / Folders:

Driver: [NOT LOADED]

Infection : 

HOSTS File:
127.0.0.1       localhost


MBR Check:

Finished : << RKreport[1].txt >>
RKreport[1].txt
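RogueKiller flags every NameServer value it finds (the [DNS] lines in the report above), so the helper still has to decide which resolvers are legitimate. The script below is an added example, not part of the thread or of RogueKiller: it extracts those lines, groups the resolvers per interface GUID across the three ControlSets, and reports any resolver that is not on a list the machine's owner recognizes. The allowlist is an assumption built from the addresses in the report; the last [DNS] line, its interface GUID and the resolver 192.0.2.53 are constructed so the check has something to flag.

```python
"""Pull the DNS NameServer entries out of a RogueKiller report and flag resolvers
the owner does not recognize."""
import re
from ipaddress import ip_address
from typing import Dict, List, Set

# Constructed sample: the [DNS] lines from the report above plus one made-up line
# (GUID 11111111-... and resolver 192.0.2.53 are placeholders, not from the report).
SAMPLE_REPORT = r"""
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{5BCB5AC2-47E7-4067-BB2B-3D43F96FC119} : NameServer (8.8.8.8,68.87.76.182,68.87.78.134,8.8.8.8,8.8.4.4) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71} : NameServer (206.13.28.12,206.13.31.12) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71} : NameServer (206.13.28.12,206.13.31.12) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71} : NameServer (206.13.28.12,206.13.31.12) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555} : NameServer (192.0.2.53,8.8.8.8) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
"""

# Assumption: the resolvers this machine's owner expects (Google public DNS plus the
# two ISP pairs seen in the report). A real check uses the ISP's published addresses.
KNOWN_RESOLVERS: Set[str] = {
    "8.8.8.8", "8.8.4.4",
    "68.87.76.182", "68.87.78.134",
    "206.13.28.12", "206.13.31.12",
}

DNS_RE = re.compile(
    r"^\[DNS\] HKLM\\\[\.\.\.\]\\(?P<controlset>ControlSet\d{3})\\Parameters\\Interfaces\\"
    r"(?P<iface>\{[0-9A-Fa-f-]+\}) : NameServer \((?P<servers>[^)]*)\) -> (?P<status>\w+)$"
)


def parse_dns_entries(text: str) -> List[dict]:
    """One record per [DNS] line; anything in the NameServer list that is not a literal IP is dropped."""
    entries = []
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        servers = []
        for s in m.group("servers").split(","):
            s = s.strip()
            try:
                servers.append(str(ip_address(s)))
            except ValueError:
                continue
        entries.append({
            "controlset": m.group("controlset"),
            "iface": m.group("iface"),
            "servers": servers,
            "status": m.group("status"),
        })
    return entries


def resolvers_by_interface(entries: List[dict]) -> Dict[str, Set[str]]:
    """Merge the ControlSet00N copies so each interface GUID is reviewed once."""
    out: Dict[str, Set[str]] = {}
    for e in entries:
        out.setdefault(e["iface"], set()).update(e["servers"])
    return out


def unexpected_resolvers(entries: List[dict], known: Set[str]) -> Dict[str, Set[str]]:
    """Resolvers not on the owner's list, keyed by interface GUID."""
    out: Dict[str, Set[str]] = {}
    for iface, servers in resolvers_by_interface(entries).items():
        odd = servers - known
        if odd:
            out[iface] = odd
    return out


if __name__ == "__main__":
    found = parse_dns_entries(SAMPLE_REPORT)
    for iface, servers in resolvers_by_interface(found).items():
        print(iface, sorted(servers))
    for iface, odd in unexpected_resolvers(found, KNOWN_RESOLVERS).items():
        print("REVIEW:", iface, "uses unrecognized resolver(s):", sorted(odd))
```

A resolver the owner cannot account for is the classic sign of DNS hijacking, which is why RogueKiller surfaces every NameServer value; the entries that match the ISP's published addresses or a public resolver the owner chose can be left alone.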