Total Security infection (Solved)

Discussion in 'Malware Removal Help' started by Tony D, Sep 25, 2009.

  1. Tony D

    Tony D Administrator

    Joined:
    Sep 25, 2009
    Messages:
    5,082
    Location:
    SE Pennsylvania, USA
    Operating System:
    Windows XP Professional
    Hi,

    I got a screen saying that I had 38 infections. It was from Total Security which I figured was some rogue application.

    I removed the infected drive and connected it to another machine and ran scans with SuperAntiSpyware, MalwareBytes AntiSpyware, NOD32 and ESET on-line scanners. I then put the drive back in the machine it came out of and it looked good. No more Total Security windows coming up when I booted.

    I then ran the same scans, which found a number of threats. Now that the scans have been run, I did a HijackThis run. If someone here is good at looking at these logs, that would be great. Here goes:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:56:33 PM, on 09/25/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Kurt Popp CPA\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MyStart by IncrediMail.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177601530515
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intuit Fuse Service - Unknown owner - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
     
  2. allheart55 (Cindy E)

    allheart55 (Cindy E) Administrator

    Joined:
    Jun 11, 2009
    Messages:
    10,517
    Location:
    Pennsylvania
    Operating System:
    Windows 10
    Computer Brand or Motherboard:
    ASUS M4A77TD AM3 AMD 770 ATX AMD
    CPU:
    AMD Phenom II X6 1090T-Thuban 3.2GHz
    Memory:
    Crucial-DDR3 SDRAM 1333-8GB
    Hard Drive:
    WD Caviar Black SE HDD 640 GB - WD Caviar Black SE HDD 500 GB
    Graphics Card:
    Sapphire Radeon HD-7870 2GB
    Power Supply:
    CORSAIR CMPSU-750W
    Re: Total Security infection

    Hello Dragnet,

    Our malware removal expert will examine your HJT log and give you instructions on the remaining issues as soon as possible.
     
  3. Tony D

    Re: Total Security infection

    Great - I can't wait for that. After all the scans, I hope things are good.
     
  4. allheart55 (Cindy E)

    Re: Total Security infection

    D, they are better than they were... Maximo will hook you up with the remaining problems.
     
  5. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Re: Total Security infection

    Hi Dragnet,

    Ok, a couple of issues here.
    1st: HJT is no longer the program it was; it doesn't give us enough information any more.
    2nd: this line...
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    tells us that you have entries stopped using msconfig; we need to know what has been stopped.

    This program will tell us a lot more:

    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the lines in the codebox below:
      Code:
      msconfig
    • Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

    Thanks.
     
    Last edited by a moderator: Feb 2, 2014
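As an added example (not from this thread, and not code from HijackThis or OTL), a small Python triage pass over HijackThis-format log lines: it parses the R/O entries, pulls out the O4 Run autostarts, and flags the O4 [MSConfig] line starbuck points at (it means startup items were disabled through msconfig and should be reviewed), plus entries HJT already marks "(file missing)" and O23 services whose owner is "Unknown". The sample lines are copied from the log posted above; the finding labels are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Generic HJT entry: "<code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] C:\path\x.exe /arg"
HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O4 Run entries only (Global Startup .lnk lines deliberately do not match)
O4_RUN = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Constructed sample: a handful of lines taken from the HJT log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""


@dataclass
class Entry:
    code: str   # section code such as "R1", "O4", "O23"
    body: str   # everything after "<code> - "


def parse_hjt(text: str) -> list[Entry]:
    """Return the HJT entries in a log; header/process lines are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def run_entries(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """(hive, value name, command line) for every O4 HKLM/HKCU Run entry."""
    found = []
    for e in entries:
        if e.code != "O4":
            continue
        m = O4_RUN.match(e.body)
        if m:
            found.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return found


def triage(text: str) -> list[tuple[str, str]]:
    """One pass over the log; each finding is (label, offending line) in log order."""
    findings: list[tuple[str, str]] = []
    for e in parse_hjt(text):
        m = O4_RUN.match(e.body) if e.code == "O4" else None
        if m and m.group("name") == "MSConfig" and "msconfig.exe" in m.group("cmd").lower():
            # msconfig re-arms itself at logon only when startup items were disabled
            # through it, so the disabled set is invisible in a plain HJT log
            findings.append(("msconfig-disabled-items", e.body))
        elif e.body.endswith("(file missing)"):
            # HJT could not find the target: leftover or removed component
            findings.append(("orphaned-entry", f"{e.code} - {e.body}"))
        elif e.code == "O23" and " - Unknown owner - " in e.body:
            # no recognised vendor on the service binary; worth a manual look
            findings.append(("service-unknown-owner", e.body))
    return findings


if __name__ == "__main__":
    for hive, name, cmd in run_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{hive:4} [{name}] {cmd}")
    for label, line in triage(SAMPLE_LOG):
        print(f"{label:24} {line}")
```

The finding labels are prompts for a human reviewer, not verdicts; an entry flagged "service-unknown-owner" is often just an unsigned OEM tool, as the DSBrokerService line here is.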
  6. Tony D

    Re: Total Security infection

    Hi Starbuck, here's the info you requested, and thanks for taking a peek.

    OTL logfile created on: 09/26/2009 8:39:53 PM - Run 1
    OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\Kurt Popp CPA\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

    509.98 Mb Total Physical Memory | 134.10 Mb Available Physical Memory | 26.29% Memory free
    1.22 Gb Paging File | 0.68 Gb Available in Paging File | 56.16% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 71.55 Gb Total Space | 52.05 Gb Free Space | 72.75% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: KURTPOPP
    Current User Name: I edited this out - Dragnet
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Minimal

    ========== Processes (SafeList) ==========

    PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
    PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
    PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
    PRC - C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
    PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
    PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
    PRC - C:\Program Files\AVG\AVG8\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
    PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
    PRC - C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
    PRC - C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe (Intel Corporation)
    PRC - C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard)
    PRC - C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
    PRC - C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
    PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
    PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
    PRC - C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe ()
    PRC - C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update.exe (Microsoft Corporation)
    PRC - C:\Documents and Settings\Kurt Popp CPA\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\WINDOWS\System32\wbem\wmiprvse.exe (Microsoft Corporation)
    PRC - C:\WINDOWS\System32\wbem\wmiprvse.exe (Microsoft Corporation)

    ========== Win32 Services (SafeList) ==========

    SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
    SRV - (avg8emc [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
    SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
    SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
    SRV - (DSBrokerService [On_Demand | Stopped]) -- C:\Program Files\DellSupport\brkrsvc.exe ()
    SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
    SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
    SRV - (idsvc [Unknown | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
    SRV - (Intuit Fuse Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe ()
    SRV - (LkWebLink [Disabled | Stopped]) -- C:\Documents and Settings\Kurt Popp CPA\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe (Inter-Tel (Delaware), Inc)
    SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
    SRV - (NetSvc [On_Demand | Stopped]) -- C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe (Intel(R) Corporation)
    SRV - (NetTcpPortSharing [Disabled | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
    SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
    SRV - (Pml Driver HPZ12 [On_Demand | Stopped]) -- C:\WINDOWS\System32\HPZipm12.exe (HP)
    SRV - (sprtsvc_dellsupportcenter [Auto | Running]) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
    SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

    ========== Driver Services (SafeList) ==========

    DRV - (AliIde [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
    DRV - (amdagp [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
    DRV - (asc [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
    DRV - (asc3550 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
    DRV - (ASCTRM [Auto | Running]) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows (R) 2000 DDK provider)
    DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
    DRV - (AvgMfx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
    DRV - (AvgTdiX [System | Running]) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
    DRV - (CmdIde [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
    DRV - (dac2w2k [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
    DRV - (drvmcdb [Boot | Running]) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)
    DRV - (drvnddm [Auto | Running]) -- C:\WINDOWS\System32\drivers\drvnddm.sys (Sonic Solutions)
    DRV - (DSproct [On_Demand | Stopped]) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
    DRV - (dsunidrv [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\dsunidrv.sys (Gteko Ltd.)
    DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys (Intel Corporation)
    DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys (Intel Corporation)
    DRV - (IntelC51 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\IntelC51.sys (Intel Corporation)
    DRV - (IntelC52 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\IntelC52.sys (Intel Corporation)
    DRV - (IntelC53 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\IntelC53.sys (Intel Corporation)
    DRV - (MODEMCSA [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\MODEMCSA.sys (Microsoft Corporation)
    DRV - (mohfilt [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\mohfilt.sys (Intel Corporation)
    DRV - (mraid35x [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
    DRV - (nv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
    DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
    DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
    DRV - (ql1080 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
    DRV - (ql12160 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
    DRV - (ql1280 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
    DRV - (SASDIFSV [System | Running]) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (SASENUM [On_Demand | Running]) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (SASKUTIL [System | Running]) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
    DRV - (senfilt [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\senfilt.sys (Sensaura)
    DRV - (sisagp [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
    DRV - (smwdm [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\smwdm.sys (Analog Devices, Inc.)
    DRV - (Sparrow [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
    DRV - (sscdbhk5 [System | Running]) -- C:\WINDOWS\System32\drivers\sscdbhk5.sys (Sonic Solutions)
    DRV - (ssrtln [System | Running]) -- C:\WINDOWS\System32\drivers\ssrtln.sys (Sonic Solutions)
    DRV - (symc810 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
    DRV - (symc8xx [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
    DRV - (sym_hi [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
    DRV - (sym_u3 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
    DRV - (tfsnboio [Auto | Running]) -- C:\WINDOWS\System32\dla\tfsnboio.sys (Sonic Solutions)
    DRV - (tfsncofs [Auto | Running]) -- C:\WINDOWS\System32\dla\tfsncofs.sys (Sonic Solutions)
    DRV - (tfsndrct [Auto | Running]) -- C:\WINDOWS\System32\dla\tfsndrct.sys (Sonic Solutions)
    DRV - (tfsndres [Auto | Running]) -- C:\WINDOWS\System32\dla\tfsndres.sys (Sonic Solutions)
    DRV - (tfsnifs [Auto | Running]) -- C:\WINDOWS\System32\dla\tfsnifs.sys (Sonic Solutions)
    DRV - (tfsnopio [Auto | Running]) -- C:\WINDOWS\System32\dla\tfsnopio.sys (Sonic Solutions)
    DRV - (tfsnpool [Auto | Running]) -- C:\WINDOWS\System32\dla\tfsnpool.sys (Sonic Solutions)
    DRV - (tfsnudf [Auto | Running]) -- C:\WINDOWS\System32\dla\tfsnudf.sys (Sonic Solutions)
    DRV - (tfsnudfa [Auto | Running]) -- C:\WINDOWS\System32\dla\tfsnudfa.sys (Sonic Solutions)
    DRV - (ultra [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)

    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = Bing
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = Bing
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = MyStart by IncrediMail.com
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

    FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 18:39:27 | 00,000,000 | ---D | M]


    Hosts file not found
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\dla\tfswshx.dll (Sonic Solutions)
    O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
    O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
    O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
    O4 - HKLM..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe (Intel Corporation)
    O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
    O4 - HKLM..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe ()
    O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
    O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (Microsoft Corporation)
    O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
    O9 - Extra Button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - File not found
    O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
    O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
    O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
    O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
    O15 - HKCU\..Trusted Domains: taxwise.com ([]https in Trusted sites)
    O15 - HKCU\..Trusted Domains: webx.com ([taxwise] https in Trusted sites)
    O15 - HKCU\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab (StagingUI Object)
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab (MSN Games – Buddy Invite)
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab (ZonePAChat Object)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177601530515 (MUWebControl Class)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab (MSN Games – Texas Holdem Poker)
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab (MSN Games - Installer)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} http://zone.msn.com/binframework/v10/StProxy.cab55579.cab (MSN Games – Game Communicator)
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/popcaploader_v10.cab (PopCapLoader Object)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
    O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\ipp - No CLSID value found
    O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O18 - Protocol\Handler\msdaipp - No CLSID value found
    O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
    O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
    O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
    O24 - Desktop Components:0 (My Current Home Page) - About:Home
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O31 - SafeBoot: AlternateShell - cmd.exe
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/08/10 15:04:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck) - File not found
    O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
    O34 - HKLM BootExecute: (*) - File not found

    MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe - (Adobe Systems Incorporated)
    MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk - C:\lotus\organize\easyclip.exe - (Lotus Development Corporation)
    MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk - C:\lotus\wordpro\ltsstart.exe - (Lotus Development Corporation)
    MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SmartCenter.lnk - C:\lotus\smartctr\smartctr.exe - (Lotus Development Corporation.)
    MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SuiteStart.lnk - C:\lotus\smartctr\suitest.exe - (Lotus Development Corporation.)
    MsConfig - StartUpFolder: C:^Documents and Settings^Kurt Popp CPA^Start Menu^Programs^Startup^Lotus SmartSuite Release 9 Registration.lnk - C:\lotus\register\remind32.exe - ()
    MsConfig - StartUpReg: 11935004 - hkey= - key= - C:\Documents and Settings\All Users\Application Data\11935004\11935004.exe File not found
    MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
    MsConfig - StartUpReg: DellSupport - hkey= - key= - C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
    MsConfig - StartUpReg: DellSupportCenter - hkey= - key= - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
    MsConfig - StartUpReg: dla - hkey= - key= - File not found
    MsConfig - StartUpReg: dscactivate - hkey= - key= - C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
    MsConfig - StartUpReg: igfxtray - hkey= - key= - File not found
    MsConfig - StartUpReg: mmtask - hkey= - key= - C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe (Musicmatch Inc.)
    MsConfig - StartUpReg: MMTray - hkey= - key= - C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
    MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
    MsConfig - StartUpReg: Net-It Launcher - hkey= - key= - File not found
    MsConfig - StartUpReg: PCMService - hkey= - key= - C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
    MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
    MsConfig - StartUpReg: RealTray - hkey= - key= - C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
    MsConfig - State: "system.ini" - 0
    MsConfig - State: "win.ini" - 0
    MsConfig - State: "bootini" - 0
    MsConfig - State: "services" - 0
    MsConfig - State: "startup" - 2

    ========== Files/Folders - Created Within 30 Days ==========

    [2009/09/26 20:35:05 | 00,514,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kurt Popp CPA\Desktop\OTL.exe
    [2009/09/26 20:33:58 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
    [2009/09/25 15:17:22 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2009/09/25 15:16:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kurt Popp CPA\Application Data\Malwarebytes
    [2009/09/25 15:16:32 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2009/09/25 15:16:31 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2009/09/25 15:16:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2009/09/25 15:16:30 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2009/09/25 14:44:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    [2009/09/25 14:43:14 | 00,001,756 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Professional.lnk
    [2009/09/25 14:43:04 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
    [2009/09/25 14:43:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kurt Popp CPA\Application Data\SUPERAntiSpyware.com
    [2009/09/25 14:33:58 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Kurt Popp CPA\Desktop\HiJackThis.exe
    [2009/09/24 16:37:41 | 53,482,7008 | -HS- | C] () -- C:\hiberfil.sys
    [2009/09/24 13:11:59 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
    [2009/09/24 13:08:27 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
    [2009/09/24 11:32:37 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
    [2009/09/08 15:43:22 | 00,153,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\triedit.dll
    [2009/02/06 14:23:19 | 00,181,760 | ---- | C] () -- C:\WINDOWS\patchw32.dll
    [2007/12/17 11:31:36 | 00,549,376 | ---- | C] () -- C:\WINDOWS\System32\u2ltw.dll
    [2006/05/25 10:16:48 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
    [2006/04/11 11:38:18 | 00,050,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
    [2005/12/21 18:57:36 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll
    [2005/12/21 18:57:04 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\nsldappr32v50.dll
    [2005/12/21 18:54:34 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\nsldapssl32v50.dll
    [2005/02/17 08:45:32 | 00,000,050 | ---- | C] () -- C:\WINDOWS\upst.ini
    [2005/02/17 08:45:32 | 00,000,024 | ---- | C] () -- C:\WINDOWS\atid.ini
    [2004/12/31 12:25:57 | 00,016,991 | ---- | C] () -- C:\WINDOWS\hplj1300.ini
    [2004/12/31 11:43:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Net-It Now! SE.INI
    [2004/12/31 11:42:25 | 00,000,038 | ---- | C] () -- C:\WINDOWS\Approach.ini
    [2004/12/31 11:38:35 | 00,000,000 | ---- | C] () -- C:\WINDOWS\winhelp.ini
    [2004/12/29 12:15:05 | 00,000,059 | ---- | C] () -- C:\WINDOWS\TSKSCH03.INI
    [2004/12/29 12:09:45 | 00,000,059 | ---- | C] () -- C:\WINDOWS\TSKSCH02.INI
    [2004/12/29 11:51:04 | 00,002,327 | ---- | C] () -- C:\WINDOWS\Prowin02.ini
    [2004/12/25 21:38:02 | 00,002,476 | ---- | C] () -- C:\WINDOWS\Prowin03.ini
    [2004/12/25 19:35:12 | 00,001,214 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2004/12/21 18:29:23 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2004/12/21 18:21:50 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2004/12/21 17:50:36 | 00,000,519 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
    [2004/09/16 00:03:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
    [2004/08/10 15:13:12 | 00,000,780 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
    [2004/08/10 15:04:08 | 00,000,603 | ---- | C] () -- C:\WINDOWS\WIN.INI
    [2004/08/10 14:57:52 | 00,000,227 | ---- | C] () -- C:\WINDOWS\SYSTEM.INI
    [2004/08/04 07:00:00 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
    [2003/01/16 13:16:17 | 00,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
    [2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [1999/03/10 21:23:00 | 00,222,928 | ---- | C] () -- C:\WINDOWS\System32\lobas09.dll
    [1999/01/04 13:25:00 | 00,375,296 | ---- | C] () -- C:\WINDOWS\System32\tx32.dll
    [1998/11/04 02:20:00 | 00,000,202 | ---- | C] () -- C:\WINDOWS\System32\Ic32.ini
    [1998/03/18 21:23:00 | 00,096,256 | ---- | C] () -- C:\WINDOWS\System32\nsqlc32.dll
    [1998/01/13 21:23:00 | 00,047,104 | ---- | C] () -- C:\WINDOWS\System32\lotrn13.dll
    [1997/11/14 21:23:00 | 00,031,008 | ---- | C] () -- C:\WINDOWS\System32\ivtrn09.dll
    [1997/05/13 21:23:00 | 00,000,153 | ---- | C] () -- C:\WINDOWS\acroread.ini
    [1994/07/25 21:23:00 | 00,014,928 | ---- | C] () -- C:\WINDOWS\System32\wingen.drv
    [1994/04/07 21:23:00 | 00,000,462 | ---- | C] () -- C:\WINDOWS\lodbf13.ini
    [1980/01/01 02:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

    ========== Files - Modified Within 30 Days ==========

    [5 C:\WINDOWS\System32\*.tmp files]
    [2009/09/26 20:36:35 | 41,832,760 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
    [2009/09/26 20:35:05 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kurt Popp CPA\Desktop\OTL.exe
    [2009/09/26 20:28:46 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
    [2009/09/26 20:27:48 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2009/09/26 20:27:42 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
    [2009/09/26 20:27:41 | 53,482,7008 | -HS- | M] () -- C:\hiberfil.sys
    [2009/09/25 20:40:31 | 00,113,133 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
    [2009/09/25 18:38:09 | 00,000,603 | ---- | M] () -- C:\WINDOWS\WIN.INI
    [2009/09/25 18:38:09 | 00,000,227 | ---- | M] () -- C:\WINDOWS\SYSTEM.INI
    [2009/09/25 18:38:09 | 00,000,211 | RHS- | M] () -- C:\BOOT.INI
    [2009/09/25 15:16:32 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2009/09/25 14:43:14 | 00,001,756 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Professional.lnk
    [2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2009/09/09 12:44:05 | 00,524,634 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2009/09/09 12:44:05 | 00,445,370 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
    [2009/09/09 12:44:05 | 00,072,576 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
    [2009/09/08 18:53:16 | 00,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2009/09/03 13:06:35 | 00,127,392 | ---- | M] () -- C:\Documents and Settings\Kurt Popp CPA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    [2009/08/28 17:38:20 | 24,689,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

    ========== LOP Check ==========

    [2009/09/25 18:24:51 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
    [2006/09/14 17:33:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{657091F2-F595-46C2-B485-D1461158DDE6}
    [2004/12/21 18:18:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
    [2008/02/26 12:40:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dell
    [2006/06/20 14:45:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intuit
    [2007/11/08 13:53:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
    [2007/11/08 13:49:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
    [2004/12/21 17:50:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
    [2008/01/31 18:00:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
    [2009/07/20 18:07:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2007/12/17 11:32:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UniversalTaxSystems
    [2004/12/21 18:27:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2009/09/25 15:16:41 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Kurt Popp CPA\Application Data
    [2004/12/26 16:25:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kurt Popp CPA\Application Data\Corel
    [2004/12/25 22:32:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kurt Popp CPA\Application Data\Leadertech
    [2008/11/06 18:00:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kurt Popp CPA\Application Data\Musicmatch
    [2007/02/22 18:15:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kurt Popp CPA\Application Data\Viewpoint
    [2004/08/04 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\DESKTOP.INI
    [2009/09/26 20:27:48 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5B132D3E
    @Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B203B914
    < End of report >
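Added example, not part of this thread and not OTL's own code: a small Python triage pass over OTL-format lines of the kind posted in this thread (the MsConfig StartUpReg entries, the Alternate Data Stream lines, and the firewall AuthorizedApplications list OTL prints in its Extras log). The indicators it flags are the ones a rogue like "Total Security" typically leaves behind: an autorun or firewall exception whose target sits under All Users\Application Data (XP's machine-wide ProgramData), carries a purely numeric name, or borrows a core Windows process name while living outside System32; an exception still Enabled for a file that no longer exists, or labelled as a different program than the file it allows; and a data stream Explorer would not show. The regular expressions, the severity scheme and the sample lines are my own constructions modelled on the log formats above, not anything OTL documents.

```python
"""Triage OTL (OldTimer) log lines for rogue-antivirus leftovers.

Example written for this thread; the line formats follow what OTL
prints, the detection rules and SAMPLE lines are constructed here.
"""
import re
from typing import Dict, List, Tuple

# Core Windows process names that malware likes to borrow.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "smss.exe",
                "winlogon.exe", "services.exe", "explorer.exe"}
# Flags that are hygiene problems rather than infection indicators.
HYGIENE = ("orphaned", "enabled exception")

STARTUP_RE = re.compile(
    r"^MsConfig - StartUpReg: (?P<name>.+?) - hkey= - key= - (?P<rest>.+)$")
ADS_RE = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$")
FIREWALL_RE = re.compile(
    r'^"(?P<path>[^"]+)" = .*?:\*:(?P<state>Enabled|Disabled):(?P<label>.*?) -- (?P<file>.+)$')


def _split_target(rest: str) -> Tuple[str, bool]:
    """Return (path, missing) from the tail of a StartUpReg line."""
    if rest.endswith("File not found"):
        return rest[: -len("File not found")].strip(), True
    # OTL appends the signer/company in parentheses when the file exists.
    m = re.match(r"^(?P<path>.+?) \((?P<company>.*)\)$", rest)
    return (m.group("path") if m else rest), False


def _path_flags(path: str) -> List[str]:
    """Indicators that depend only on where a file lives and what it is called."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    flags = []
    if "\\application data\\" in low or "\\programdata\\" in low:
        flags.append("executable under Application Data")
    if base in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
        flags.append(f"core Windows process name '{base}' outside System32")
    if base.rsplit(".", 1)[0].isdigit():
        flags.append("purely numeric file name")
    return flags


def _severity(flags: List[str]) -> str:
    return "low" if all(f.startswith(HYGIENE) for f in flags) else "high"


def triage(lines) -> List[Dict]:
    """Return one finding per suspicious line, in input order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = STARTUP_RE.match(line)
        if m:
            path, missing = _split_target(m.group("rest"))
            flags = _path_flags(path)
            if missing and path:
                flags.append("orphaned autorun (target file not found)")
            if flags:
                findings.append({"kind": "startup", "name": m.group("name"), "path": path,
                                 "flags": flags, "severity": _severity(flags)})
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append({"kind": "ads", "path": m.group("path"), "stream": m.group("stream"),
                             "flags": [f"{m.group('size')}-byte alternate data stream"],
                             "severity": "medium"})
            continue
        m = FIREWALL_RE.match(line)
        if m:
            path, label = m.group("path"), m.group("label")
            base = path.lower().rsplit("\\", 1)[-1]
            flags = _path_flags(path)
            if m.group("state") == "Enabled" and m.group("file") == "File not found":
                flags.append("enabled exception for a file that no longer exists")
            if label.lower() + ".exe" in SYSTEM_NAMES and base != label.lower() + ".exe":
                flags.append(f"label '{label}' does not match file '{base}'")
            if flags:
                findings.append({"kind": "firewall", "path": path,
                                 "flags": flags, "severity": _severity(flags)})
    return findings


# Constructed sample, modelled on the OTL lines in this thread.
SAMPLE = r"""
MsConfig - StartUpReg: 11935004 - hkey= - key= - C:\Documents and Settings\All Users\Application Data\11935004\11935004.exe File not found
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: DellSupport - hkey= - key= - C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5B132D3E
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Documents and Settings\All Users\Application Data\csrss.exe" = C:\Documents and Settings\All Users\Application Data\csrss.exe:*:Enabled:svchost -- File not found
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["severity"].upper(), f["kind"], f["path"], "|", "; ".join(f["flags"]))
```

Run against a saved OTL.txt with `triage(open("OTL.txt", encoding="utf-8", errors="replace"))`; legitimate entries such as the AVG rule or the Dell startup item produce no finding, stale AOL rules rank low, and the numeric autorun and the csrss.exe firewall exception rank high. A clean scan report does not settle whether the firewall and autorun leftovers were removed, so this is the kind of check worth repeating on the post-cleanup log.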
     
  7. Tony D
    Re: Total Security infection

    OTL Extras logfile created on: 09/26/2009 8:39:53 PM - Run 1
    OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\Kurt Popp CPA\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

    509.98 Mb Total Physical Memory | 134.10 Mb Available Physical Memory | 26.29% Memory free
    1.22 Gb Paging File | 0.68 Gb Available in Paging File | 56.16% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 71.55 Gb Total Space | 52.05 Gb Free Space | 72.75% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: edited out by Dragnet
    Current User Name: edited out by Dragnet
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Minimal

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
    .html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %* File not found
    chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
    cmdfile [open] -- "%1" %* File not found
    comfile [open] -- "%1" %* File not found
    exefile [open] -- "%1" %* File not found
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
    htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
    htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
    htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
    http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
    https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
    piffile [open] -- "%1" %* File not found
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1" File not found
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S File not found
    txtfile [edit] -- Reg Error: Key error.
    Directory [Browse with Paint Shop Pro Studio] -- "C:\Program Files\Jasc Software Inc\Paint Shop Pro Studio\\Paint Shop Pro Studio.exe" "/Browse" "%L" (Jasc Software, Inc.)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
    CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "110:TCP" = 110:TCP:*:Enabled:svchost

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
    "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
    "C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
    "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
    "C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found
    "C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe" = C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe:*:Disabled:javaw -- ()
    "C:\Program Files\Intuit\QuickBooks Enterprise Solutions 6.0\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks Enterprise Solutions 6.0\QBDBMgrN.exe:*:Enabled:QuickBooks Enterprise 6.0 Data Manager -- (Intuit, Inc.)
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
    "C:\Program Files\Grisoft\AVG7\avginet.exe" = C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe -- File not found
    "C:\Program Files\Grisoft\AVG7\avgcc.exe" = C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe -- File not found
    "C:\Program Files\Grisoft\AVG7\avgamsvr.exe" = C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe -- File not found
    "C:\Program Files\IncrediMail\bin\ImApp.exe" = C:\Program Files\IncrediMail\bin\ImApp.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.)
    "C:\Program Files\IncrediMail\bin\IncMail.exe" = C:\Program Files\IncrediMail\bin\IncMail.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.)
    "C:\Program Files\IncrediMail\bin\ImpCnt.exe" = C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.)
    "C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
    "C:\Documents and Settings\All Users\Application Data\csrss.exe" = C:\Documents and Settings\All Users\Application Data\csrss.exe:*:Enabled:svchost -- File not found


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{04f6ffea-6702-11dc-8314-0800200c9a66}" = Inter-Tel Collaboration Client 2.0
    "{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
    "{0AAEB5AC-418F-4A0E-9939-73E1DCE0FB4B}" = TaxWise® Fixed Asset Manager
    "{0C4E1AFF-779C-443A-9B96-91D0D3063061}" = ReportViewer
    "{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
    "{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = Qualxserve Service Agreement
    "{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
    "{13E824B4-FE15-4F8D-94C6-A7F98EBF9F01}" = TaxWise Workstation Setup
    "{1485B7CD-4CBD-4039-8EAE-5A22993D7F54}" = hp LaserJet 1150 / 1300
    "{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel(R) PROSet for Wired Connections
    "{242B78B1-956B-4304-9104-F1619BE694C8}" = TaxWise 2008 WorkStation
    "{25EF00BE-F17B-11D6-88EA-000476CD2443}" = Verizon Online
    "{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
    "{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
    "{2E86D00D-0900-4A70-B876-1686F8C795A7}" = Trial Balance PLUS
    "{31C35E66-1A94-4ADB-B571-04E1138A0470}" = TaxWise 2003
    "{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
    "{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
    "{3E8FD2B5-F5CF-49CC-AE87-CDFD828E1DE9}" = TaxWise 2003 WorkStation Setup
    "{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
    "{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5
    "{4CE0A2C7-A8AB-40C7-AA83-385258FEE64D}" = Conversion
    "{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
    "{69B02159-7629-4DBB-B9EE-F933039830AD}" = QuickBooks Enterprise Solutions: Accountant Edition 6.0
    "{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
    "{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
    "{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}" = EarthLink setup files
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{736550DC-6C0D-41B2-8C74-57FE57F8346C}" = TaxWise 2006
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{77BC7BEB-7D0A-4F4C-B05C-3C3AB725FB86}" = TaxWise® Trial Balance
    "{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}" = Jasc Paint Shop Pro Studio, Dell Editon
    "{78D944D7-A97B-4004-AB0A-B5AD06839940}" = My Way Search Assistant
    "{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
    "{7A3F0566-5E05-4919-9C98-456F6B5CF831}" = Get High Speed Internet!
    "{7AEC8978-2650-4DC6-8085-63B9D98454F9}" = TaxWise 2007
    "{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
    "{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
    "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11170417}" = Luxor 2
    "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113606753}" = Monopoly
    "{845E4167-FD71-4673-87F2-7DACC5E4A236}" = TaxWise® Fixed Asset Manager
    "{87C31118-C566-4949-94B0-86F1CEA88DAF}" = TaxWise® Fixed Asset Manager
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
    "{8D41B21E-9011-41A0-9BA8-C80BA60A8E96}" = TaxWise 2007 WorkStation
    "{8DF79951-8380-4F7E-A8E9-EB848432CEC6}" = TaxWise 2005
    "{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}" = Musicmatch® Jukebox
    "{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A74D15EE-512E-4A76-A102-D6C04E943A31}" = TaxWise 2004 WorkStation Setup
    "{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
    "{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
    "{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
    "{BCB9AAE9-FBE1-4FC9-8AC8-EC115E900489}" = TaxWise 2005 WorkStation
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Professional
    "{CE26F10F-C80F-4377-908B-1B7882AE2CE3}" = Crystal Reports Basic Runtime for Visual Studio 2008
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D0CEA293-82D5-4CB7-8A23-61F561AF415B}" = TaxWise 2008
    "{E2F06576-226D-4F4E-B162-0583509760BA}" = TaxWise Workstation
    "{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
    "{E79F34D1-578C-4AB8-922A-1667F87987D2}" = TaxWise Workstation
    "{E8024435-9BC5-4110-A0A4-8D36F981B3B9}" = TaxWise 2004
    "{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
    "{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
    "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
    "{F7558F8A-1448-482F-9919-1F96B0234727}" = TaxWise Workstation
    "{F7B46695-EBDF-4A90-8235-4B597C84E554}" = 2003 ProSeries User's Guide
    "{FC88C8F6-507B-4150-B2B1-6F9A414300ED}" = TaxWise Workstation Setup
    "{FDC634DB-D711-434A-9224-1961ABF62D6D}" = TaxWise 2006 WorkStation
    "2002 ProSeries User's Guide" = 2002 ProSeries User's Guide
    "ActiveTouchMeetingClient" = WebEx
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "AVG8Uninstall" = AVG Free 8.5
    "Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
    "ESET Online Scanner" = ESET Online Scanner v3
    "HijackThis" = HijackThis 2.0.2
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "IncrediMail" = IncrediMail Xe
    "Intel(R) 537EP V9x DF PCI Modem" = Intel(R) 537EP V9x DF PCI Modem
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "ProSeries 2002" = ProSeries 2002
    "ProSeries 2003" = ProSeries 2003
    "PROSet" = Intel(R) PRO Network Adapters and Drivers
    "QuickTime" = QuickTime
    "RealPlayer 6.0" = RealPlayer Basic
    "SmartSuite V99.0" = Lotus SmartSuite Release 9.5
    "StreetPlugin" = Learn2 Player (Uninstall Only)
    "ViewpointMediaPlayer" = Viewpoint Media Player
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 05/30/2009 3:33:27 PM | Computer Name = KURTPOPP | Source = Application Hang | ID = 1002
    Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 05/30/2009 3:52:42 PM | Computer Name = KURTPOPP | Source = Application Hang | ID = 1002
    Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 05/31/2009 5:00:33 PM | Computer Name = KURTPOPP | Source = Application Hang | ID = 1002
    Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 05/31/2009 5:44:38 PM | Computer Name = KURTPOPP | Source = Application Hang | ID = 1002
    Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 06/07/2009 1:19:26 PM | Computer Name = KURTPOPP | Source = Application Hang | ID = 1002
    Description = Hanging application TWW07.exe, version 22.0.7.1, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 07/29/2009 10:35:03 AM | Computer Name = KURTPOPP | Source = Application Hang | ID = 1002
    Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 08/21/2009 10:44:13 AM | Computer Name = KURTPOPP | Source = Application Hang | ID = 1002
    Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 08/22/2009 2:15:16 PM | Computer Name = KURTPOPP | Source = Application Hang | ID = 1002
    Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 08/22/2009 2:15:16 PM | Computer Name = KURTPOPP | Source = Application Hang | ID = 1002
    Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 09/24/2009 1:11:59 PM | Computer Name = KURTPOPP | Source = MsiInstaller | ID = 1008
    Description = The installation of C:\Program Files\Common Files\Wise Installation
    Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_4_29_0_1002.MSI is not permitted due
    to an error in software restriction policy processing. The object cannot be trusted.

    [ System Events ]
    Error - 09/25/2009 2:38:14 PM | Computer Name = KURTPOPP | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 09/25/2009 2:38:29 PM | Computer Name = KURTPOPP | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
    again in 15 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 09/25/2009 2:38:29 PM | Computer Name = KURTPOPP | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 09/25/2009 2:47:07 PM | Computer Name = KURTPOPP | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
    again in 15 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 09/25/2009 2:47:07 PM | Computer Name = KURTPOPP | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 09/25/2009 2:47:22 PM | Computer Name = KURTPOPP | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
    again in 15 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 09/25/2009 2:47:22 PM | Computer Name = KURTPOPP | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 09/25/2009 2:50:41 PM | Computer Name = KURTPOPP | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
    again in 15 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 09/25/2009 2:50:41 PM | Computer Name = KURTPOPP | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 09/25/2009 6:51:26 PM | Computer Name = KURTPOPP | Source = DCOM | ID = 10010
    Description = The server {5A5AA0AA-1DEB-4683-96B0-B43301E83971} did not register
    with DCOM within the required timeout.


    < End of report >
     
  8. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Re: Total Security infection

    Hi Dragnet

    Don't you just love the rubbish that Dell add to their systems. :)
    Most of it is unnecessary.
    Let's run some tools first and try and save the manual work.
    This will help with the 'orphan' entries you have.

    Step 1
    Optional
    The PC Decrapifier will uninstall many of the common trialware and annoyances found on many of the PCs from big name OEMs (especially Dell).

    Download Pc-decrapifier
    Save it to your Desktop.
    Click on the desktop icon to run the program (there's no installer)
    Follow the prompts.
    You will have the choice to pick and choose what you want to remove.
    It will not begin removing anything without prompting you first!


    Note:
    Your anti-virus software may complain about this program because it is written with a scripting language. These warnings can be safely ignored.

    Step 2
    Please update MBAM (Malwarebytes' Anti-Malware) and run another scan:
    Start MBAM
    Click on the Update tab >> click Search for Updates
    If it says that MBAM needs to close to update it... let it close and then restart it.
    On restart >> click the Scan button.

    Don't forget:
    Step 3
    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
      For more information read:
      How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

      Then:
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      If running Vista, you may not see this screen
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    In your next reply, please submit:
    New MBAM scan report
    ComboFix.txt


    Thanks.

    BTW: editing out the user name etc. is perfectly OK.
     
  9. Tony D

    Tony D Administrator Administrator

    Joined:
    Sep 25, 2009
    Messages:
    5,082
    Location:
    SE Pennsylvania, USA
    Operating System:
    Windows XP Professional
    Re: Total Security infection

    I really didn't want to run the PC Decrapifier. Hope you understand. I'm happy with just turning everything off in msconfig.

    I updated and ran MBAM. Here are the results. Now off to ComboFix.

    Malwarebytes' Anti-Malware 1.41
    Database version: 2865
    Windows 5.1.2600 Service Pack 3

    09/27/2009 10:20:15 AM
    mbam-log-2009-09-27 (10-20-15).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 200103
    Time elapsed: 1 hour(s), 22 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  10. Tony D

    Tony D Administrator Administrator

    Joined:
    Sep 25, 2009
    Messages:
    5,082
    Location:
    SE Pennsylvania, USA
    Operating System:
    Windows XP Professional
    Re: Total Security infection

    I may have hosed the Combofix scan. It ran and installed the Recovery Console. It then ran the scan and said that the log could be found in C:\Combofix. It stayed there a long time. I X'd out of it and was left with a desktop wallpaper and no icons. It was in limbo so I tapped the power button and it shut down gracefully.

    On restart, I don't see the log files. I don't want to run Combofix again until further instructions.

    ... oops
     
  11. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Re: Total Security infection

    Hi Dragnet

    OK, sounds like a simple case of 'Explorer.exe' being shut off.
    This can sometimes happen when malware is removed or the scan was interrupted. A simple reboot will set everything right.
    Like the note said, the log should be located at:
    C:\Combofix
    Open it up and see if the report is there.
    If so, just copy and paste it into your next reply.

    The results from MBAM look encouraging, so it'll be interesting to see if CF finds anything.

    Perfectly ok, it was an optional step anyway.
     
  12. Tony D

    Tony D Administrator Administrator

    Joined:
    Sep 25, 2009
    Messages:
    5,082
    Location:
    SE Pennsylvania, USA
    Operating System:
    Windows XP Professional
    Re: Total Security infection

    ComboFix 09-09-25.01 - [user - edited out] CPA 09/27/2009 10:39:47.1.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.223 [GMT -4:00]
    Running from: C:\Documents and Settings\[user - edited out] CPA\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Common Files\WinSoftware
    C:\RECYCLER\S-1-5-21-1202660629-1606980848-1060284298-1003
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll
    C:\WINDOWS\Downloaded Program Files\popcaploader.inf
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\winhelp.ini

    .
    ((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
    .

    2009-09-25 19:17:22 . 2009-09-10 18:54:06 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2009-09-25 19:16:41 . 2009-09-25 19:16:41 0 d-----w- C:\Documents and Settings\[edited out]\Application Data\Malwarebytes
    2009-09-25 19:16:31 . 2009-09-25 19:16:31 0 d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2009-09-25 19:16:31 . 2009-09-10 18:53:50 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
    2009-09-25 19:16:30 . 2009-09-25 19:17:25 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
    2009-09-25 18:44:05 . 2009-09-25 18:44:05 0 d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-09-25 18:43:04 . 2009-09-25 20:50:31 0 d-----w- C:\Program Files\SUPERAntiSpyware
    2009-09-25 18:43:04 . 2009-09-25 18:43:04 0 d-----w- C:\Documents and Settings\[user - edited out] CPA\Application Data\SUPERAntiSpyware.com
    2009-09-24 17:11:59 . 2009-09-25 18:42:38 0 d-----w- C:\Program Files\Common Files\Wise Installation Wizard
    2009-09-24 17:10:50 . 2009-09-24 17:11:28 0 d-----w- C:\Documents and Settings\Administrator\.housecall6.6
    2009-09-24 17:08:27 . 2009-09-24 17:08:27 0 d-----w- C:\Program Files\ESET
    2009-09-24 17:07:11 . 2009-09-24 17:07:11 0 d-sh--w- C:\Documents and Settings\Administrator\IECompatCache
    2009-09-24 17:06:17 . 2009-09-24 17:06:17 0 d-sh--w- C:\Documents and Settings\Administrator\PrivacIE
    2009-09-24 17:03:59 . 2009-09-24 17:03:59 0 d-sh--w- C:\Documents and Settings\Administrator\IETldCache
    2009-09-08 19:43:22 . 2009-06-21 21:44:50 153088 ------w- C:\WINDOWS\system32\dllcache\triedit.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-25 12:15:50 . 2006-04-11 15:37:44 0 d-----w- C:\Program Files\WebEx
    2009-09-03 17:06:35 . 2004-12-31 15:05:19 127392 -c--a-w- C:\Documents and Settings\[user - edited out] CPA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-22 02:58:46 . 2009-08-22 02:58:46 0 d-----w- C:\Program Files\MSBuild
    2009-08-22 02:58:33 . 2009-08-22 02:58:33 0 d-----w- C:\Program Files\Reference Assemblies
    2009-08-17 20:50:59 . 2008-06-26 19:59:47 11952 ----a-w- C:\WINDOWS\system32\avgrsstx.dll
    2009-08-17 20:50:58 . 2007-02-16 21:30:32 27784 ----a-w- C:\WINDOWS\system32\drivers\avgmfx86.sys
    2009-08-17 20:50:57 . 2008-06-26 19:59:46 335240 ----a-w- C:\WINDOWS\system32\drivers\avgldx86.sys
    2009-08-05 09:01:48 . 2004-08-04 11:00:00 204800 ----a-w- C:\WINDOWS\system32\mswebdvd.dll
    2009-07-17 19:01:06 . 2004-08-04 11:00:00 58880 ----a-w- C:\WINDOWS\system32\atl.dll
    2009-07-14 03:43:24 . 2004-08-04 11:00:00 286208 ----a-w- C:\WINDOWS\system32\wmpdxm.dll
    2009-07-03 17:09:28 . 2004-08-04 11:00:00 915456 ----a-w- C:\WINDOWS\system32\wininet.dll
    2007-12-04 01:52:56 . 2005-12-25 22:16:14 63839744 ----a-w- C:\Program Files\Common Files\TaxWise Workstation.msi
    2007-10-31 21:02:02 . 2007-12-17 16:16:51 78561280 ----a-w- C:\Program Files\Common Files\TaxWise® Fixed Asset Manager.msi
    2004-12-22 20:58:38 . 2004-12-25 23:34:32 18448384 ----a-w- C:\Program Files\Common Files\TaxWise Workstation Setup.msi
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-25 20:50:25 1998576]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 19:33:04 1388544]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 02:12:44 221184]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 07:01:00 110592]
    "StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 21:51:24 36864]
    "TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2002-12-03 18:21:40 143360]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 14:32:24 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 14:36:20 114688]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-08-17 20:50:27 2007832]
    "Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 18:53:56 1312080]
    "dellsupportcenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 22:32:40 206064]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 13:13:36 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-25 20:50:32 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-17 20:50:59 11952 ----a-w- C:\WINDOWS\SYSTEM32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
    backup=C:\WINDOWS\pss\Lotus Organizer EasyClip.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk
    backup=C:\WINDOWS\pss\Lotus QuickStart.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SmartCenter.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus SmartCenter.lnk
    backup=C:\WINDOWS\pss\Lotus SmartCenter.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SuiteStart.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus SuiteStart.lnk
    backup=C:\WINDOWS\pss\Lotus SuiteStart.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^[user - edited out] CPA^Start Menu^Programs^Startup^Lotus SmartSuite Release 9 Registration.lnk]
    path=C:\Documents and Settings\[user - edited out] CPA\Start Menu\Programs\Startup\Lotus SmartSuite Release 9 Registration.lnk
    backup=C:\WINDOWS\pss\Lotus SmartSuite Release 9 Registration.lnkStartup

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
    "C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 6.0\\QBDBMgrN.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "110:TCP"= 110:TCP:svchost

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys [06/26/2008 3:59:46 PM 335240]
    R1 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys [06/26/2008 3:59:47 PM 108552]
    R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12/04/2008 1:50:04 PM 9968]
    R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [12/04/2008 1:50:02 PM 74480]
    R3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [12/04/2008 1:50:06 PM 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://mystart.incredimail.com/english
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: taxwise.com
    Trusted Zone: webx.com\taxwise
    DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    .
     
  13. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Re: Total Security infection

    Hi Dragnet

    Unfortunately, your ComboFix.txt is not complete.
    Please locate the file again and copy and paste from the 'Supplementary Scan' section.
    I need to see the whole report.

    Thanks
     
  14. Tony D

    Tony D Administrator Administrator

    Joined:
    Sep 25, 2009
    Messages:
    5,082
    Location:
    SE Pennsylvania, USA
    Operating System:
    Windows XP Professional
    Re: Total Security infection

    You're right. However, that's the complete log file. Maybe I X'd out of it before it completed writing the log file. I can run Combofix again. Is that what you suggest?
     
  15. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Re: Total Security infection

    OK, running it again is fine... I've got the important 'deletions' section.
    (these may not be shown on a 2nd run)

    This time let it run until fully completed. (The log report will pop up once it's completed.)

    Thanks.
     
  16. Tony D

    Tony D Administrator Administrator

    Joined:
    Sep 25, 2009
    Messages:
    5,082
    Location:
    SE Pennsylvania, USA
    Operating System:
    Windows XP Professional
    Re: Total Security infection

    Here goes:

    ComboFix 09-09-25.01 - [user edited out] 09/27/2009 13:19.2.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.113 [GMT -4:00]
    Running from: c:\documents and settings\[user edited out]\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\program files\Common Files\WinSoftware
    c:\recycler\S-1-5-21-1202660629-1606980848-1060284298-1003
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\system32\bszip.dll
    c:\windows\winhelp.ini

    .
    ((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
    .

    2009-09-25 19:17 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-25 19:16 . 2009-09-25 19:16 -------- d-----w- c:\documents and settings\[user edited out]\Application Data\Malwarebytes
    2009-09-25 19:16 . 2009-09-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-09-25 19:16 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-25 19:16 . 2009-09-25 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-09-25 18:44 . 2009-09-25 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-09-25 18:43 . 2009-09-25 20:50 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-09-25 18:43 . 2009-09-25 18:43 -------- d-----w- c:\documents and settings\[user edited out]\Application Data\SUPERAntiSpyware.com
    2009-09-24 17:11 . 2009-09-25 18:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-09-24 17:10 . 2009-09-24 17:11 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
    2009-09-24 17:08 . 2009-09-24 17:08 -------- d-----w- c:\program files\ESET
    2009-09-24 17:07 . 2009-09-24 17:07 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
    2009-09-24 17:06 . 2009-09-24 17:06 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2009-09-24 17:03 . 2009-09-24 17:03 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2009-09-08 19:43 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-25 12:15 . 2006-04-11 15:37 -------- d-----w- c:\program files\WebEx
    2009-09-03 17:06 . 2004-12-31 15:05 127392 -c--a-w- c:\documents and settings\[user edited out]\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-22 02:58 . 2009-08-22 02:58 -------- d-----w- c:\program files\MSBuild
    2009-08-22 02:58 . 2009-08-22 02:58 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-17 20:50 . 2008-06-26 19:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-08-17 20:50 . 2007-02-16 21:30 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-08-17 20:50 . 2008-06-26 19:59 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-08-05 09:01 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-17 19:01 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-14 03:43 . 2004-08-04 11:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-03 17:09 . 2004-08-04 11:00 915456 ------w- c:\windows\system32\wininet.dll
    2007-12-04 01:52 . 2005-12-25 22:16 63839744 ----a-w- c:\program files\Common Files\TaxWise Workstation.msi
    2007-10-31 21:02 . 2007-12-17 16:16 78561280 ----a-w- c:\program files\Common Files\TaxWise® Fixed Asset Manager.msi
    2004-12-22 20:58 . 2004-12-25 23:34 18448384 ----a-w- c:\program files\Common Files\TaxWise Workstation Setup.msi
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-25 1998576]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
    "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
    "TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2002-12-03 143360]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-17 2007832]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-25 20:50 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-17 20:50 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
    backup=c:\windows\pss\Lotus Organizer EasyClip.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk
    backup=c:\windows\pss\Lotus QuickStart.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SmartCenter.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus SmartCenter.lnk
    backup=c:\windows\pss\Lotus SmartCenter.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SuiteStart.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus SuiteStart.lnk
    backup=c:\windows\pss\Lotus SuiteStart.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^[user edited out]^Start Menu^Programs^Startup^Lotus SmartSuite Release 9 Registration.lnk]
    path=c:\documents and settings\[user edited out]\Start Menu\Programs\Startup\Lotus SmartSuite Release 9 Registration.lnk
    backup=c:\windows\pss\Lotus SmartSuite Release 9 Registration.lnkStartup

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 6.0\\QBDBMgrN.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "110:TCP"= 110:TCP:svchost

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [06/26/2008 3:59 PM 335240]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [06/26/2008 3:59 PM 108552]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/04/2008 1:50 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/04/2008 1:50 PM 74480]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/04/2008 1:50 PM 7408]
    S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [07/06/2008 2:23 PM 908056]
    S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02/06/2009 10:40 AM 297752]
    S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [12/25/2004 9:38 PM 68608]
    S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\[user edited out]\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [09/20/2007 6:10 PM 32768]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://mystart.incredimail.com/english
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: taxwise.com
    Trusted Zone: webx.com\taxwise
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2009-09-27 13:27
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(656)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\documents and settings\[user edited out]\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

    - - - - - - - > 'explorer.exe'(308)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2009-09-27 13:30
    ComboFix-quarantined-files.txt 2009-09-27 17:30

    Pre-Run: 55,942,705,152 bytes free
    Post-Run: 55,911,976,960 bytes free

    159 --- E O F --- 2009-09-27 00:42
     
  17. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Re: Total Security infection

    Hi Dragnet

    Thanks for that.
    We're slowly chipping away the rubbish.
    Let's get your Java updated, then we'll run an online scan just to double check everything.

    Step 1
    Download TFC by OldTimer to your desktop
    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

    Step 2
    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 16 and save it to your desktop.
    • Scroll down to where it says "Java Runtime Environment (JRE) 6u16...allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Read the License Agreement and then check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.

    Step 3
    Please run a BitDefender Online Scan
    • Click I Agree to agree to the EULA.
    • Allow the ActiveX control to install when prompted.
    • Click Click here to scan to begin the scan.
    • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
    • When the scan is finished, click on Click here to export the scan results.
    • Save the report to your desktop so you can post it in your next reply.
    Note: You will need to use Internet Explorer for this scan.

    In your next reply, please submit:
    BitDefender scan report
    and let me know how the system is running now.


    Thanks.
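    The Add/Remove Programs check in Step 2 can also be done from a PowerShell console. The script below is an added example and is not part of the thread or of starbuck's instructions: it reads the Uninstall registry keys that Add/Remove Programs is built from, lists every entry whose name mentions Java or J2SE, and flags those whose version is below the release being installed. The function name, and the reference value 6.0.160 used for JRE 6 Update 16, are assumptions made for illustration.

```powershell
# Added example, not code from the thread. Lists Java Runtime Environment
# entries recorded under the Add/Remove Programs (Uninstall) registry keys and
# flags any version below the release being installed, which is the manual
# check in Step 2 done from the console. Function name and the reference
# version are assumptions for illustration.

function Get-InstalledJava {
    param(
        # JRE 6 Update 16 is assumed to register DisplayVersion 6.0.160
        [string]$ReferenceVersion = '6.0.160'
    )

    # 32-bit and 64-bit Uninstall keys; the Wow6432Node path does not exist
    # on a 32-bit Windows XP install and is silently skipped there.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE' } |
        ForEach-Object {
            # DisplayVersion is not always a clean dotted version string;
            # anything that fails to parse is reported for a manual look.
            $installed = $null
            try { $installed = [version]$_.DisplayVersion } catch { }

            $status = 'unknown version - check manually'
            if ($installed -ne $null) {
                if ($installed -lt [version]$ReferenceVersion) {
                    $status = 'OLDER - remove'
                } else {
                    $status = 'current'
                }
            }

            New-Object PSObject -Property @{
                Name            = $_.DisplayName
                Version         = $_.DisplayVersion
                Status          = $status
                # the command Add/Remove Programs runs for this entry
                UninstallString = $_.UninstallString
            }
        }
}

# Usage: show every Java entry, oldest first, with its status
Get-InstalledJava | Sort-Object Version | Format-Table Name, Version, Status -AutoSize
```

    The output is the same list of entries you would tick in Add/Remove Programs, with the ones that predate the version being installed marked for removal; the UninstallString column shows the command the Remove button would run, so the actual uninstall can still be done through the Control Panel exactly as described in Step 2.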
     
  18. Tony D

    Tony D Administrator Administrator

    Re: Total Security infection

    Thank you

    Step 1 - done
    Step 2 - done
    Step 3 - well that looks like it's going to take some time. It gets stuck at C:\Dell\MEDIA.EXE (twice now). As it sits there, the estimated time remaining continues to count up. It's now at 39 hours. I don't think this looks right.
     
  19. starbuck

    starbuck Rest In Peace Pete Administrator

    Re: Total Security infection

    OK, if the BitDefender scan seems to be having problems, try this:

    Please run the F-Secure Online Scanner

    Instructions for use with Internet Explorer

    Follow the instructions here for installation.
    Accept the License Agreement.
    Once the ActiveX installs, Click Full System Scan
    Once the download completes, the scan will begin automatically.
    The scan will take some time to finish, so please be patient.
    When the scan completes, click the Automatic cleaning (recommended) button.

    Click the Show Report button and Copy & Paste the entire report in your next reply.

    Instructions for use with Firefox

    If you see the box:
    Click on the license terms to read them, if you agree.....
    put a tick in the box and then click on 'Install'.
    Once the Add on installs, Click Full System Scan
    Once the download completes, the scan will begin automatically.
    The scan will take some time to finish, so please be patient.
    When the scan completes, click the Automatic cleaning (recommended) button.

    Click the Show Report button and Copy & Paste the entire report in your next reply.
     
  20. Tony D

    Tony D Administrator Administrator

    Re: Total Security infection

    Scanning Report
    Monday, September 28, 2009 08:09:27 - 10:07:09
    Computer name: [Edited out by Dragnet]
    Scanning type: Scan system for malware, spyware and rootkits
    Target: C:\


    --------------------------------------------------------------------------------

    2 malware found
    TrackingCookie.Doubleclick (spyware)
    System (Disinfected)
    Trojan.Generic.1471504 (virus)
    C:\PROGRAM FILES\MSN GAMES\MONOPOLY\MONOPOLYPB.EXE (Renamed & Submitted)

    --------------------------------------------------------------------------------

    Statistics
    Scanned:
    Files: 72136
    System: 3699
    Not scanned: 6
    Actions:
    Disinfected: 1
    Renamed: 1
    Deleted: 0
    Not cleaned: 0
    Submitted: 1
    Files not scanned:
    C:\PAGEFILE.SYS
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    C:\WINDOWS\SYSTEM32\CONFIG\SAM
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

    --------------------------------------------------------------------------------

    Options
    Scanning engines:
    Scanning options:
    Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
    Use advanced heuristics
     