
Maybe infected with V0250cvw.dll or Trojan.Agent



#1 subu


Posted 10 July 2009 - 01:15 AM

Hello Staff,

I am pasting below the log from Hijack this and the DDS.txt. I have tried to delete this entry I find in msconfig:
O4 - HKLM\..\Run: [C:\WINNT\system32\V0250Cvw.dll] C:\WINNT\system32\RegSvr32.exe /s C:\WINNT\system32\V0250Cvw.dll
Malwarebytes reports there is an infection and it says one infection found. It reports the V0250cvw.dll as the infection file. It deletes it, and on every boot I find the file has managed to reappear in the startup. I have gone to safe mode and also tried to delete the entry, but in vain.



THE DDS.TXT FILE:

DDS (Ver_09-06-26.01) - NTFSx86
Run by at 22:50:04.92 on Thu 07/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3063.2335 [GMT -7:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
svchost.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINNT\system32\enstart.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\winnt\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\progra~1\merlin\merlin.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\orant\ora9i\bin\omtsreco.exe
C:\WINNT\system32\Prot_srv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\Merlin\MWIStats.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\WS_FTP Pro\ftpqueue.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\WebEx\Productivity Tools\ptSrv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClientUI.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\nrnet\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\winnt\system32\dla\tfswshx.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\progra~1\ws_ftp~1\wsbho2k0.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [PTOneClick] c:\program files\webex\productivity tools\ptoneclk.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [Persistence] c:\winnt\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Pointsec Tray] c:\program files\pointsec\pointsec for pc\P95Tray.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [MWIStats] "c:\program files\merlin\MWIStats.exe"
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [ftpqueue] c:\program files\ws_ftp pro\ftpqueue.exe -tray
mRun: [c:\winnt\system32\v0250cvw.dll] c:\winnt\system32\regsvr32.exe /s c:\winnt\system32\V0250Cvw.dll
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\office.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\winnt\installer\{24c67b54-0718-445e-b663-3138d9246bd1}\Icon3E5562ED7.ico
uPolicies-explorer: NoDevMgrUpdate = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {2222EF56-F49E-4d07-A14E-8D2B08766958} - c:\program files\altova\xmlspy2009\spy.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} - hxxp://10.233.49.167/iSite3_3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 TivoliAP

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nrnet\applic~1\mozilla\firefox\profiles\1cvoyks9.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - component: c:\program files\webex\productivity tools\components\OCFF.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 prot_2k;prot_2k;c:\winnt\system32\drivers\prot_2k.sys [2007-5-21 240760]
R1 enstart_;enstart_;c:\winnt\system32\enstart_.sys [2007-6-20 31744]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2007-10-16 31784]
R2 CITMDRV;CITMDRV;c:\winnt\system32\drivers\CITMDRV.SYS [2009-4-27 10752]
R2 enstart;enstart;c:\winnt\system32\enstart.exe [2007-6-20 491520]
R2 lcfd;Tivoli Endpoint;c:\winnt\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe [2008-3-12 139264]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-12 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-10-16 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-10-16 54608]
R2 Merlin;Merlin;c:\progra~1\merlin\merlin.exe [2008-3-12 110592]
R2 Pointsec;Pointsec;c:\winnt\system32\Prot_srv.exe [2007-5-21 147832]
R2 Pointsec_start;Pointsec Service Start;c:\winnt\system32\pstartSr.exe [2007-5-21 110968]
R3 IFXTPM;IFXTPM;c:\winnt\system32\drivers\ifxtpm.sys [2008-3-12 41216]
R3 mfeavfk;McAfee Inc.;c:\winnt\system32\drivers\mfeavfk.sys [2008-3-12 72680]
R3 mfebopk;McAfee Inc.;c:\winnt\system32\drivers\mfebopk.sys [2008-3-12 33960]
R3 mfehidk;McAfee Inc.;c:\winnt\system32\drivers\mfehidk.sys [2008-3-12 171272]
R3 rismc32;RICOH Smart Card Reader;c:\winnt\system32\drivers\rismc32.sys [2009-4-23 47616]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\orant\ora81\bin\ONRSD.EXE [2000-10-19 411244]
S3 OracleOraHome91ClientCache;OracleOraHome91ClientCache;c:\orant\ora9i\bin\ONRSD.EXE [2002-4-26 242328]
S3 V0250Dev;Live! Cam Notebook Pro;c:\winnt\system32\drivers\V0250Dev.sys [2009-4-28 163840]
S4 radexecd;Radia Notify Daemon;c:\program files\novadigm\radexecd.exe [2002-12-2 196608]
S4 radsched;Radia Scheduler Daemon;c:\program files\novadigm\radsched.exe [2002-9-30 200704]
S4 Radstgms;Radia MSI Redirector;c:\program files\novadigm\Radstgms.exe [2003-3-27 303104]

=============== Created Last 30 ================

2009-07-09 17:19 <DIR> --d----- c:\winnt\ERUNT
2009-07-06 11:40 <DIR> -cd----- c:\winnt\system32\dllcache\cache
2009-07-06 11:39 50,176 ac------ c:\winnt\system32\dllcache\proquota.exe
2009-07-06 11:39 50,176 a------- c:\winnt\system32\proquota.exe
2009-07-06 11:35 161,792 a------- c:\winnt\SWREG.exe
2009-07-06 11:35 155,136 a------- c:\winnt\PEV.exe
2009-07-06 11:35 98,816 a------- c:\winnt\sed.exe
2009-07-06 10:52 <DIR> --d----- c:\winnt\pss
2009-06-13 10:04 <DIR> --d----- c:\program files\Yahoo!

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\winnt\system32\drivers\mbam.sys
2009-05-07 08:44 344,064 a------- c:\winnt\system32\localspl.dll
2009-04-28 21:52 659,456 a------- c:\winnt\system32\wininet.dll
2009-04-28 21:52 81,920 a------- c:\winnt\system32\ieencode.dll
2009-04-23 12:41 57,344 a------- c:\winnt\uneng.exe
2009-04-23 12:20 31,744 a------- c:\winnt\system32\enstart_.sys
2009-04-23 12:00 2,097,152 ---shr-- C:\PROT_INS.SYS
2009-04-23 11:59 6 a------- C:\VOL_CHAR.DAT
2009-04-23 11:48 21,393 a------- c:\winnt\AegisP.sys
2009-04-17 02:58 1,846,656 a------- c:\winnt\system32\win32k.sys
2009-04-15 08:11 584,192 a------- c:\winnt\system32\rpcrt4.dll
2004-12-20 17:10 151,552 a------- c:\program files\UNWISE.EXE
2004-08-04 01:56 73,728 a--sh--- c:\winnt\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe

============= FINISH: 22:50:30.96 ===============

THE HIJACK THIS REPORT FILE:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:30 PM, on 7/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINNT\system32\enstart.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\winnt\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\progra~1\merlin\merlin.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\orant\ora9i\bin\omtsreco.exe
C:\WINNT\system32\Prot_srv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\Merlin\MWIStats.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\WS_FTP Pro\ftpqueue.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\WebEx\Productivity Tools\ptSrv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClientUI.exe
C:\WINNT\system32\userinit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRA~1\WS_FTP~1\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [MWIStats] "C:\Program Files\Merlin\MWIStats.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [C:\WINNT\system32\V0250Cvw.dll] C:\WINNT\system32\RegSvr32.exe /s C:\WINNT\system32\V0250Cvw.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [PTOneClick] C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: office.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2009\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2009\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll (HKCU)
O9 - Extra 'Tools' menuitem: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll (HKCU)
O16 - DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} (ISiteNonVisual Control 3.3) - http://10.233.49.167/iSite3_3.cab
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: enstart - Unknown owner - C:\WINNT\system32\enstart.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\winnt\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\orant\ora9i\bin\omtsreco.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\orant\Ora81\bin\ONRSD.EXE
O23 - Service: OracleOraHome91ClientCache - Unknown owner - C:\orant\ora9i\BIN\ONRSD.EXE
O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\Prot_srv.exe
O23 - Service: Pointsec Service Start (Pointsec_start) - Unknown owner - C:\WINNT\system32\pstartSr.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11675 bytes

THE MALWARE BYTES REPORT

Malwarebytes' Anti-Malware 1.38
Database version: 2401
Windows 5.1.2600 Service Pack 2

7/9/2009 11:03:06 PM
mbam-log-2009-07-09 (23-03-06).txt

Scan type: Quick Scan
Objects scanned: 118201
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\winnt\system32\v0250cvw.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Kindly let me know what I should do to remove this entry from the computer. I am aware there is no firewall; unfortunately, company issues prevent me from installing one. I would greatly appreciate help in resolving this issue.

Sincerely,
Subu
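Detection logic over the kind of lines pasted above, added here as an example and not part of the thread or of any tool named in it: it parses HijackThis O4/O23 lines and flags the traits that make the V0250Cvw.dll entry stand out (a Run value whose name is a file path, and execution through regsvr32 /s, so the DLL is loaded at every logon). The sample lines are constructed from the log above, and the heuristics are triage hints, not a verdict on any entry.

```python
"""Triage HijackThis-style O4/O23 log lines for autorun entries worth a closer look."""
import re
from dataclasses import dataclass, field

# Constructed sample: a few O4/O23 lines copied from the HijackThis log in the
# thread (benign McAfee, Intel and ctfmon entries are kept for contrast).
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [ShStatEXE] "C:\\Program Files\\McAfee\\VirusScan Enterprise\\SHSTAT.EXE" /STANDALONE
O4 - HKLM\\..\\Run: [HotKeysCmds] C:\\WINNT\\system32\\hkcmd.exe
O4 - HKLM\\..\\Run: [C:\\WINNT\\system32\\V0250Cvw.dll] C:\\WINNT\\system32\\RegSvr32.exe /s C:\\WINNT\\system32\\V0250Cvw.dll
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINNT\\system32\\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\reader_sl.exe
O4 - Global Startup: office.exe
O23 - Service: enstart - Unknown owner - C:\\WINNT\\system32\\enstart.exe
"""

# Windows binaries commonly used to load a payload on behalf of an autorun entry
# (assumed list for this example; extend it to taste).
PROXY_LOADERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                 "cscript.exe", "cmd.exe"}

O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(
    r"^O4 - Global Startup: (?P<name>.*?)(?: = (?P<cmd>.*))?$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Lower-cased basename of the program an autorun command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        prog = cmd[1:].split('"', 1)[0]          # quoted path with spaces
    else:
        prog = cmd.split()[0] if cmd else ""     # first token up to whitespace
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_like_path(name: str) -> bool:
    """Run values are normally named after a product; a drive or backslash is odd."""
    return "\\" in name or ":" in name


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    reasons = []
    m = O4_RUN_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        if looks_like_path(name):
            reasons.append("Run value name is a file path rather than a product name")
        exe = executable_of(cmd)
        if exe in PROXY_LOADERS:
            reasons.append(f"launched through {exe}, a proxy loader for the real payload")
            if exe == "regsvr32.exe" and " /s " in f" {cmd.lower()} ":
                reasons.append("regsvr32 /s registers and loads the DLL silently at every logon")
    m = O4_STARTUP_RE.match(line)
    if m and not m.group("cmd") and m.group("name").lower().endswith(".exe"):
        reasons.append("Startup-folder item is a bare executable, not a shortcut to a product")
    m = O23_RE.match(line)
    if m and m.group("owner").lower() == "unknown owner":
        reasons.append("service with no publisher recorded; verify it against installed software")
    return Finding(line, reasons) if reasons else None


def triage(log_text: str):
    """Run triage_line over every line of a pasted log and keep the hits."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_HJT_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

The entry the thread is about collects three reasons at once, which is the combination a reviewer would expect to see before deciding how it is being re-created at each boot.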



#2 sempai


Posted 18 July 2009 - 06:47 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 subu


Posted 20 July 2009 - 12:14 PM

Dear Bleeping staff,
Thank you for the kind reply. I have included all that you mentioned in the email. The problem persists and remains the same. I have had no changes since my last post.
I have tried to delete this entry I find in msconfig:
O4 - HKLM\..\Run: [C:\WINNT\system32\V0250Cvw.dll] C:\WINNT\system32\RegSvr32.exe /s C:\WINNT\system32\V0250Cvw.dll
Malwarebytes reports there is an infection and it says one infection found. It reports the V0250cvw.dll as the infection file. It deletes it, and on every boot I find the file has managed to reappear in the startup. I have gone to safe mode and also tried to delete the entry, but in vain.


THE DDS FILE BELOW:
DDS (Ver_09-06-26.01) - NTFSx86
Run by NRNet at 9:28:52.37 on Mon 07/20/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3063.2258 [GMT -700]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
svchost.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\VPN Client\cvpnd.exe
C:\WINNT\system32\enstart.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\winnt\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\progra~1\merlin\merlin.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\orant\ora9i\bin\omtsreco.exe
C:\WINNT\system32\Prot_srv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Merlin\MWIStats.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\WS_FTP Pro\ftpqueue.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\WebEx\Productivity Tools\ptSrv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClientUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcconsol.exe
C:\Documents and Settings\nrnet\Desktop\dds.pif

============== Pseudo HJT Report ===============

BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\winnt\system32\dla\tfswshx.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\progra~1\ws_ftp~1\wsbho2k0.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [PTOneClick] c:\program files\webex\productivity tools\ptoneclk.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [Persistence] c:\winnt\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Pointsec Tray] c:\program files\pointsec\pointsec for pc\P95Tray.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [MWIStats] "c:\program files\merlin\MWIStats.exe"
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [ftpqueue] c:\program files\ws_ftp pro\ftpqueue.exe -tray
mRun: [c:\winnt\system32\v0250cvw.dll] c:\winnt\system32\regsvr32.exe /s c:\winnt\system32\V0250Cvw.dll
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\office.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\winnt\installer\{24c67b54-0718-445e-b663-3138d9246bd1}\Icon3E5562ED7.ico
uPolicies-explorer: NoDevMgrUpdate = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {2222EF56-F49E-4d07-A14E-8D2B08766958} - c:\program files\altova\xmlspy2009\spy.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: Sametime Meeting Room Client ST25PF1 - sametime/stmeetingroomclient/STMeetingRoomClient.cab
DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} - hxxp://10.233.49.167/iSite3_3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} - sametime/stmeetingroomclient/STJNILoader.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - client/T26L10NSP49EP24/webex/ieatgpc.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 TivoliAP

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nrnet\applic~1\mozilla\firefox\profiles\1cvoyks9.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - component: c:\program files\webex\productivity tools\components\OCFF.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-10-16 144704]
R0 prot_2k;prot_2k;c:\winnt\system32\drivers\prot_2k.sys [2007-5-21 240760]
R1 enstart_;enstart_;c:\winnt\system32\enstart_.sys [2007-6-20 31744]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2007-10-16 31784]
R2 CITMDRV;CITMDRV;c:\winnt\system32\drivers\CITMDRV.SYS [2009-4-27 10752]
R2 enstart;enstart;c:\winnt\system32\enstart.exe [2007-6-20 491520]
R2 lcfd;Tivoli Endpoint;c:\winnt\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe [2008-3-12 139264]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-12 104000]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-10-16 54608]
R2 Merlin;Merlin;c:\progra~1\merlin\merlin.exe [2008-3-12 110592]
R2 Pointsec;Pointsec;c:\winnt\system32\Prot_srv.exe [2007-5-21 147832]
R2 Pointsec_start;Pointsec Service Start;c:\winnt\system32\pstartSr.exe [2007-5-21 110968]
R3 IFXTPM;IFXTPM;c:\winnt\system32\drivers\ifxtpm.sys [2008-3-12 41216]
R3 mfeavfk;McAfee Inc.;c:\winnt\system32\drivers\mfeavfk.sys [2008-3-12 72680]
R3 mfebopk;McAfee Inc.;c:\winnt\system32\drivers\mfebopk.sys [2008-3-12 33960]
R3 mfehidk;McAfee Inc.;c:\winnt\system32\drivers\mfehidk.sys [2008-3-12 171272]
R3 rismc32;RICOH Smart Card Reader;c:\winnt\system32\drivers\rismc32.sys [2009-4-23 47616]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\orant\ora81\bin\ONRSD.EXE [2000-10-19 411244]
S3 OracleOraHome91ClientCache;OracleOraHome91ClientCache;c:\orant\ora9i\bin\ONRSD.EXE [2002-4-26 242328]
S3 V0250Dev;Live! Cam Notebook Pro;c:\winnt\system32\drivers\V0250Dev.sys [2009-4-28 163840]
S4 radexecd;Radia Notify Daemon;c:\program files\novadigm\radexecd.exe [2002-12-2 196608]
S4 radsched;Radia Scheduler Daemon;c:\program files\novadigm\radsched.exe [2002-9-30 200704]
S4 Radstgms;Radia MSI Redirector;c:\program files\novadigm\Radstgms.exe [2003-3-27 303104]

=============== Created Last 30 ================

2009-07-20 09:22 <DIR> --d-h--- c:\winnt\PIF
2009-07-13 14:18 69,632 a------- c:\winnt\system32\drivers\geyekrlbostjjm.sys
2009-07-09 17:19 <DIR> --d----- c:\winnt\ERUNT
2009-07-06 11:40 <DIR> -cd----- c:\winnt\system32\dllcache\cache
2009-07-06 11:39 50,176 ac------ c:\winnt\system32\dllcache\proquota.exe
2009-07-06 11:39 50,176 a------- c:\winnt\system32\proquota.exe
2009-07-06 11:35 161,792 a------- c:\winnt\SWREG.exe
2009-07-06 11:35 155,136 a------- c:\winnt\PEV.exe
2009-07-06 11:35 98,816 a------- c:\winnt\sed.exe
2009-07-06 10:52 <DIR> --d----- c:\winnt\pss

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\winnt\system32\drivers\mbam.sys
2009-05-07 08:44 344,064 a------- c:\winnt\system32\localspl.dll
2009-04-28 21:52 659,456 a------- c:\winnt\system32\wininet.dll
2009-04-28 21:52 81,920 a------- c:\winnt\system32\ieencode.dll
2009-04-23 12:41 57,344 a------- c:\winnt\uneng.exe
2009-04-23 12:20 31,744 a------- c:\winnt\system32\enstart_.sys
2009-04-23 12:00 2,097,152 ---shr-- C:\PROT_INS.SYS
2009-04-23 11:59 6 a------- C:\VOL_CHAR.DAT
2009-04-23 11:48 21,393 a------- c:\winnt\AegisP.sys
2004-12-20 17:10 151,552 a------- c:\program files\UNWISE.EXE
2004-08-04 01:56 73,728 a--sh--- c:\winnt\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe

============= FINISH: 9:29:14.57 ===============

Please note that I have also included the DDS in my previous post, as well as the Malwarebytes file and the HijackThis file. Kindly let me know what I may do to get rid of this problem. I appreciate your time.


Sincerely,
Subu

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:05 AM

Posted 23 July 2009 - 04:02 PM

Hello and welcome to BleepingComputer.com! :thumbup2:

I will be helping you today. :) If you still need help, please let me know by replying to this thread. :)

Your log suggests that you have run ComboFix on your own. Please note that this is highly dangerous and should only be done when a trained helper advises you to do so.
If you did run ComboFix, please include the file C:\combofix.txt in your next reply.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM unless I am already helping you. Use the forums!



#5 subu

subu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:05 AM

Posted 23 July 2009 - 07:50 PM

Hello Staff,
Thanks for the reply.
As mentioned, I am pasting the combofix.txt file.


ComboFix 09-07-09.06 - 07/10/2009 19:45.11.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3063.2607 [GMT -7:00]
Running from: c:\documents and settings\Desktop\bleeping computer stuff\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))
.

2009-07-10 00:19 . 2009-07-10 00:19 -------- d-----w- c:\winnt\ERUNT
2009-07-09 04:40 . 2009-07-09 04:40 -------- d-----w- c:\documents and settings\Nrnet.CSPARAM1529592\Application Data\Malwarebytes
2009-07-06 18:39 . 2004-08-04 08:56 50176 -c--a-w- c:\winnt\system32\dllcache\proquota.exe
2009-07-06 18:39 . 2004-08-04 08:56 50176 ----a-w- c:\winnt\system32\proquota.exe
2009-07-06 18:15 . 2009-07-06 18:15 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-23 05:14 . 2009-06-23 05:14 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-19 20:30 . 2009-06-19 20:30 77824 ----a-w- c:\documents and settings\Application Data\webex\PlugIns\T26L10NSP49EP24\824\mticket.dll
2009-06-19 20:30 . 2009-06-19 20:30 585728 ----a-w- c:\documents and settings\Application Data\webex\PlugIns\T26L10NSP49EP24\824\mutiltpd.dll
2009-06-19 20:30 . 2009-06-19 20:30 188416 ----a-w- c:\documents and settings\Application Data\webex\PlugIns\T26L10NSP49EP24\824\msess.dll
2009-06-19 20:30 . 2009-06-19 20:30 364544 ----a-w- c:\documents and settings\Application Data\webex\PlugIns\T26L10NSP49EP24\824\mvc.dll
2009-06-19 20:30 . 2009-06-19 20:30 294989 ----a-w- c:\documents and settings\Application Data\webex\PlugIns\T26L10NSP49EP24\824\h264dec.dll
2009-06-19 20:30 . 2009-06-19 20:30 221254 ----a-w- c:\documents and settings\Application Data\webex\PlugIns\T26L10NSP49EP24\824\h264enc.dll
2009-06-13 17:06 . 2009-06-13 17:06 -------- d-----w- c:\documents and settings\Application Data\Yahoo!
2009-06-13 17:06 . 2009-06-13 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-06-13 17:04 . 2009-05-27 02:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-06-13 17:04 . 2009-06-13 17:06 -------- d-----w- c:\program files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 16:19 . 2009-04-23 23:24 35464 ----a-w- c:\documents and settings\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 18:26 . 2009-04-27 21:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-06 18:15 . 2009-04-27 20:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-05 05:09 . 2009-04-28 18:00 -------- d-----w- c:\documents and settings\Application Data\Skype
2009-07-02 22:35 . 2009-05-08 18:03 -------- d-----w- c:\documents and settings\Application Data\webex
2009-07-02 22:35 . 2009-05-12 18:56 27976 ----a-w- c:\documents and settings\Application Data\webex\PlugIns\T26L10NSP49EP24\ptgpcdec.dll
2009-06-17 18:27 . 2009-04-27 20:36 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2009-04-27 20:36 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-06-08 18:08 . 2009-06-08 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-07 02:59 . 2009-06-07 02:59 -------- d-----w- c:\documents and settings\Application Data\Creative
2009-06-07 02:55 . 2009-04-23 18:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-05 03:19 . 2009-06-05 03:19 -------- d-----w- c:\documents and settings\Application Data\InterVideo
2009-06-03 00:59 . 2009-06-03 00:59 -------- d-----w- c:\program files\Trend Micro
2009-06-01 13:32 . 2009-06-01 13:32 1915520 ----a-w- c:\documents and settings\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-05-14 20:48 . 2009-05-14 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-12 18:47 . 2009-05-12 18:47 -------- d-----w- c:\program files\WebEx
2009-05-12 18:47 . 2009-05-12 18:47 -------- d-----w- c:\documents and settings\Application Data\Productivity Tools
2009-05-07 15:44 . 2008-03-12 17:01 344064 ----a-w- c:\winnt\system32\localspl.dll
2009-05-01 15:50 . 2009-05-01 15:50 335872 ----a-r- c:\documents and settings\Application Data\Microsoft\Installer\{2F400402-B5FF-47F5-BDD4-8FD0883C752B}\ARPPRODUCTICON.exe
2009-04-29 04:52 . 2008-03-12 17:02 659456 ----a-w- c:\winnt\system32\wininet.dll
2009-04-29 04:52 . 2008-03-12 17:01 81920 ----a-w- c:\winnt\system32\ieencode.dll
2009-04-27 19:04 . 2009-04-27 19:04 10752 ------w- c:\winnt\system32\drivers\CITMDRV.SYS
2009-04-25 01:59 . 2009-04-25 01:59 0 ----a-w- c:\winnt\nsreg.dat
2009-04-23 19:58 . 2009-04-23 19:58 33760 ----a-w- c:\documents and settings\d111911a\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-23 19:41 . 2002-12-17 19:29 25898 ----a-w- c:\winnt\system32\drivers\Dvd_2k.sys
2009-04-23 19:41 . 2002-12-17 19:29 30630 ----a-w- c:\winnt\system32\drivers\Mmc_2k.sys
2009-04-23 19:41 . 2002-12-17 19:29 143834 ----a-w- c:\winnt\system32\drivers\pwd_2K.sys
2009-04-23 19:41 . 2002-12-17 19:27 206464 ----a-w- c:\winnt\system32\drivers\udfreadr_xp.sys
2009-04-23 19:41 . 2009-04-23 19:41 57344 ----a-w- c:\winnt\uneng.exe
2009-04-23 19:20 . 2007-06-20 21:11 31744 ----a-w- c:\winnt\system32\enstart_.sys
2009-04-23 19:00 . 2009-04-23 18:59 2097152 --sh--r- C:\PROT_INS.SYS
2009-04-23 18:59 . 2009-04-23 18:59 6 ----a-w- C:\VOL_CHAR.DAT
2009-04-23 18:48 . 2009-04-23 18:48 21393 ----a-w- c:\winnt\system32\drivers\AegisP.sys
2009-04-23 18:48 . 2009-04-23 18:48 21393 ----a-w- c:\winnt\AegisP.sys
2009-04-17 09:58 . 2008-03-12 17:02 1846656 ----a-w- c:\winnt\system32\win32k.sys
2009-04-15 15:11 . 2008-03-12 17:02 584192 ----a-w- c:\winnt\system32\rpcrt4.dll
2004-12-21 00:10 . 2009-04-23 19:39 151552 ----a-w- c:\program files\UNWISE.EXE
2009-06-05 21:16 . 2009-06-05 21:16 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-06-05 21:16 . 2009-06-05 21:16 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-06-05 21:18 . 2009-06-05 21:18 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-06-05 21:18 . 2009-06-05 21:18 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2004-08-04 08:56 . 2009-04-23 19:24 73728 --sha-w- c:\winnt\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-17 111952]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2007-05-19 162584]
"Persistence"="c:\winnt\system32\igfxpers.exe" [2007-05-19 138008]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-06 872448]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 177456]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-04-16 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-04-16 970752]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2007-05-21 942536]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"MWIStats"="c:\program files\Merlin\MWIStats.exe" [2004-10-27 204800]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"ftpqueue"="c:\program files\WS_FTP Pro\ftpqueue.exe" [2004-03-01 245760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
office.exe [2009-5-21 126552]
VPN Client.lnk - c:\winnt\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2009-4-23 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 TivoliAP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Synchronization Manager"=%SystemRoot%\system32\mobsync.exe /logon

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 prot_2k;prot_2k;c:\winnt\system32\drivers\prot_2k.sys [5/21/2007 2:52 PM 240760]
R3 IFXTPM;IFXTPM;c:\winnt\system32\drivers\ifxtpm.sys [3/12/2008 10:06 AM 41216]
S1 enstart_;enstart_;c:\winnt\system32\enstart_.sys [6/20/2007 2:11 PM 31744]
S2 CITMDRV;CITMDRV;c:\winnt\system32\drivers\CITMDRV.SYS [4/27/2009 12:04 PM 10752]
S2 enstart;enstart;c:\winnt\system32\enstart.exe [6/20/2007 2:11 PM 491520]
S2 lcfd;Tivoli Endpoint;c:\winnt\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe [3/12/2008 12:24 PM 139264]
S2 Merlin;Merlin;c:\progra~1\merlin\merlin.exe [3/12/2008 10:07 AM 110592]
S2 Pointsec;Pointsec;c:\winnt\system32\Prot_srv.exe [5/21/2007 2:54 PM 147832]
S2 Pointsec_start;Pointsec Service Start;c:\winnt\system32\pstartSr.exe [5/21/2007 2:54 PM 110968]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\orant\Ora81\bin\ONRSD.EXE [10/19/2000 11:55 AM 411244]
S3 OracleOraHome91ClientCache;OracleOraHome91ClientCache;c:\orant\ora9i\bin\ONRSD.EXE [4/26/2002 7:34 PM 242328]
S3 rismc32;RICOH Smart Card Reader;c:\winnt\system32\drivers\rismc32.sys [4/23/2009 11:44 AM 47616]
S3 V0250Dev;Live! Cam Notebook Pro;c:\winnt\system32\drivers\V0250Dev.sys [4/28/2009 10:59 AM 163840]
S4 radexecd;Radia Notify Daemon;c:\program files\Novadigm\radexecd.exe [12/2/2002 3:50 PM 196608]
S4 radsched;Radia Scheduler Daemon;c:\program files\Novadigm\radsched.exe [9/30/2002 2:53 PM 200704]
S4 Radstgms;Radia MSI Redirector;c:\program files\Novadigm\Radstgms.exe [3/27/2003 9:44 AM 303104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0AF4C301-9A12-4452-BC65-8731488C711E}]
msiexec /fu {0AF4C301-9A12-4452-BC65-8731488C711E}


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{144FDCF3-46AB-4BA2-9FE3-36E1C9E572DB}]
Msiexec /fu {144FDCF3-46AB-4BA2-9FE3-36E1C9E572DB}

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1887F5EF-077F-4A15-BCD4-DEBC060CF729}]
msiexec /fu {1887F5EF-077F-4A15-BCD4-DEBC060CF729}

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{609F7AC8-C510-11D4-A788-009027ABA5D0}]
msiexec /fu {609F7AC8-C510-11D4-A788-009027ABA5D0} /qn

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{90520409-6000-11D3-8CFE-0150048383C9}]
msiexec /fup {90520409-6000-11D3-8CFE-0150048383C9}

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{928D6D96-AF6A-4C9A-8986-0F4B4BA488AB}]
Msiexec /fu {928D6D96-AF6A-4C9A-8986-0F4B4BA488AB}

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A67F6402-81BE-4030-B481-64458C3A06C8}]
c:\program files\RAP\PinShortcut.vbs /s

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AEB7C78C-735A-4350-93F1-56494ECDBBE1-DEL_MP10_USER_SHORTCUT}]
MP10HKCU.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C374B00E-07C9-474F-8BD4-EB6066DF9F99}]
msiexec /fu {C374B00E-07C9-474F-8BD4-EB6066DF9F99}
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} - hxxp://10.233.49.167/iSite3_3.cab
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 19:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(340)
- - - - - - - > 'lsass.exe'(396)
c:\winnt\system32\TivoliAP.dll
.
Completion time: 2009-07-11 19:48
ComboFix-quarantined-files.txt 2009-07-11 02:48
ComboFix2.txt 2009-07-09 13:51

Pre-Run: 40,816,418,816 bytes free
Post-Run: 40,845,410,304 bytes free

255


I will make sure not to run any program until you get back to me. Thank you for guiding me.

Sincerely,
Subu

Edited by subu, 23 July 2009 - 07:51 PM.


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:05 AM

Posted 24 July 2009 - 02:11 AM

Hi,

We need to take a closer look at that file:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINNT\system32\V0250Cvw.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


We will also run a couple of rootkit scans:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


  • Please download SysProt from one of the following sites and save it to your Desktop:

    Link 1
    Link 2

  • unzip the file and place the executable on your Desktop.
  • Start the file by double-clicking it.
  • Switch to the Log tab and select all the options:

    Process
    Kernel Modules
    SSDT
    Kernel Hooks
    IRP Hooks
    Ports
    Hidden Files


  • Select Create Log
  • Select Scan all files and Start when asked about Scanning for hidden files and folders
  • Once finished a log called SysProtLog.txt will be created on your Desktop.
Please post back the results from Virustotal, Gmer and SysProt in your next reply,
regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

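The instructions above ask for the DLL to be uploaded to Jotti or VirusTotal. As an added example, not code from this thread, from HijackThis or from any of the tools named in it, the script below automates the step a practitioner does first: parse the O4 line quoted in the opening post, work out which file the Run value really loads (regsvr32 /s <dll>, rundll32 <dll>,<entry>, or a bare executable), and compute its SHA-256 so the file can be looked up on VirusTotal by hash without uploading it. It also reports the entry as orphaned when the referenced file is not on disk, which is the check worth doing before trying to submit anything, since a Run value can outlive the file it points at. The function names, the constructed sample entries and the temporary stand-in file are assumptions made for the demonstration.

```python
"""Triage HijackThis-style O4 autorun entries before a VirusTotal lookup.

Added example; not code from this thread, from HijackThis, or from the tools
named above. The O4 line format is the one quoted in the opening post.
Function names, the constructed sample entries and the temporary stand-in
file are assumptions made for the demonstration.
"""
import hashlib
import os
import re
import shlex
import tempfile

# Shape of a HijackThis O4 line:  O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


def parse_o4_entry(line):
    """Split an O4 line into hive, key, value name and command; None if not O4."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def resolve_target(cmd):
    """Return the file a Run command really loads, seeing through host processes."""
    # Non-POSIX splitting leaves Windows backslashes alone and keeps quoted paths whole.
    tokens = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    if not tokens:
        return None
    host = os.path.basename(tokens[0].replace("\\", "/")).lower()
    if host == "regsvr32.exe":
        # Drop switches such as /s (silent) or /u (unregister); the DLL is the remaining path.
        paths = [t for t in tokens[1:] if not t.startswith("/")]
        return paths[-1] if paths else None
    if host == "rundll32.exe":
        # rundll32 takes "<dll>,<export>"; only the DLL part names a file.
        return tokens[1].split(",", 1)[0] if len(tokens) > 1 else None
    return tokens[0]


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_entry(line):
    """Classify one O4 line as unparsed, orphaned (file missing) or present (with hash)."""
    entry = parse_o4_entry(line)
    if entry is None:
        return {"status": "unparsed", "line": line}
    target = resolve_target(entry["cmd"])
    result = {
        "status": "orphaned",
        "key": entry["hive"] + "\\" + entry["key"],
        "name": entry["name"],
        "target": target,
        "sha256": None,
    }
    if target and os.path.isfile(target):
        result["status"] = "present"
        result["sha256"] = sha256_file(target)
    return result


def triage(lines):
    return [triage_entry(line) for line in lines]


def demo():
    """Triage two constructed entries; returns (results, sha256 of the stand-in file).

    The first line is the entry quoted in the thread; its path does not exist on
    the machine running this script, so it reports as orphaned. The second line
    points at a stand-in file written to a temp directory so the hashing path runs.
    """
    with tempfile.TemporaryDirectory() as tmp:
        stand_in = os.path.join(tmp, "sample.dll")
        payload = b"MZ stand-in bytes, constructed for the example"
        with open(stand_in, "wb") as f:
            f.write(payload)
        sample = [
            r"O4 - HKLM\..\Run: [C:\WINNT\system32\V0250Cvw.dll] "
            r"C:\WINNT\system32\RegSvr32.exe /s C:\WINNT\system32\V0250Cvw.dll",
            "O4 - HKCU\\..\\Run: [sample] C:\\WINNT\\system32\\rundll32.exe "
            + stand_in + ",Entry",
        ]
        return triage(sample), hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    results, expected = demo()
    for r in results:
        print(r["status"], r.get("key"), r.get("target"), r.get("sha256"))
    print("stand-in hash matches:", results[1]["sha256"] == expected)
```

Run it as a script to see the two constructed entries triaged; on a real machine, feed it the O4 lines from a HijackThis log and search VirusTotal for each reported hash. A present file with no VirusTotal record is not evidence of anything either way, since a fresh sample may simply never have been submitted, and an orphaned entry tells you only that the referenced file is gone, not what keeps recreating the value.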


#7 subu

subu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:05 AM

Posted 24 July 2009 - 10:49 AM

Hello Staff,

I have completed all the steps you mentioned in the email.

1) I made sure all the hidden files can be seen. I tried to use Jotti and Virustotal to scan the file
C:\WINNT\system32\V0250Cvw.dll. But this file does not exist. I tried to look for it and it's just not there on the computer.

2) Please find results from GMER


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-24 08:40:15
Windows 5.1.2600 Service Pack 2


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x93F7687B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0x93F767FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x93F768A5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0x93F7680F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0x93F7683B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x93F768CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0x93F767E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x93F7688F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0x93F76825]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0x93F76851]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x93F76867]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x93F768E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x93F768B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

3) Please find results from SYSPROT


SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\smss.exe
PID: 932
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\csrss.exe
PID: 1044
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\winlogon.exe
PID: 1072
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\services.exe
PID: 1116
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\lsass.exe
PID: 1128
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\svchost.exe
PID: 1336
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\svchost.exe
PID: 1424
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\svchost.exe
PID: 1548
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PID: 1608
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\svchost.exe
PID: 1644
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\svchost.exe
PID: 1816
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\spoolsv.exe
PID: 1872
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\svchost.exe
PID: 1948
Hidden: No
Window Visible: No

Name: C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
PID: 2000
Hidden: No
Window Visible: No


Name: C:\WINNT\system32\enstart.exe
PID: 220
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PID: 248
Hidden: No
Window Visible: No

Name: C:\Program Files\WS_FTP Pro\ftpsched.exe
PID: 304
Hidden: No
Window Visible: No

Name: C:\WINNT\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
PID: 516
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PID: 556
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PID: 684
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PID: 728
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\Merlin\Merlin.exe
PID: 808
Hidden: No
Window Visible: No

Name: C:\Program Files\Lotus\Notes\ntmulti.exe
PID: 1012
Hidden: No
Window Visible: No

Name: C:\orant\ora9i\bin\omtsreco.exe
PID: 1204
Hidden: No
Window Visible: No

Name: C:\orant\Ora81\bin\ONRSD.EXE
PID: 1052
Hidden: No
Window Visible: No

Name: C:\orant\ora9i\bin\ONRSD.EXE
PID: 1352
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PID: 1364
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\pstartSr.exe
PID: 1652
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PID: 1756
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\snmp.exe
PID: 204
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\wdfmgr.exe
PID: 216
Hidden: No
Window Visible: No

Name: C:\Program Files\UPHClean\uphclean.exe
PID: 480
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PID: 1272
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\wbem\wmiprvse.exe
PID: 1000
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\alg.exe
PID: 3672
Hidden: No
Window Visible: No

Name: C:\Program Files\Citrix\ICA Client\ssonsvr.exe
PID: 1780
Hidden: No
Window Visible: No

Name: C:\WINNT\explorer.exe
PID: 768
Hidden: No
Window Visible: No

Name: C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
PID: 2352
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PID: 2360
Hidden: No
Window Visible: No

Name: C:\Program Files\WS_FTP Pro\ftpqueue.exe
PID: 2368
Hidden: No
Window Visible: No

Name: C:\Program Files\Analog Devices\Core\smax4pnp.exe
PID: 2408
Hidden: No
Window Visible: No

Name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PID: 2440
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PID: 2504
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PID: 2524
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\hkcmd.exe
PID: 2520
Hidden: No
Window Visible: No

Name: C:\Program Files\Pointsec\Pointsec for PC\P95tray.exe
PID: 2536
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\Merlin\MWIStats.exe
PID: 2544
Hidden: No
Window Visible: No

Name: C:\WINNT\system32\ctfmon.exe
PID: 3200
Hidden: No
Window Visible: No

Name: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 924
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PID: 3916
Hidden: No
Window Visible: No

Name: C:\Program Files\BigFix Enterprise\BES Client\BESClientUI.exe
PID: 3620
Hidden: No
Window Visible: No

Name: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 3860
Hidden: No
Window Visible: No

Name: C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
PID: 2716
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee\VirusScan Enterprise\mcconsol.exe
PID: 3152
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PID: 3280
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee\Common Framework\Mctray.exe
PID: 3292
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\nrnet\Desktop\bleeping computer stuff\lsyqwc26.exe
PID: 2828
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\nrnet\Desktop\bleeping computer stuff\SysProt\SysProt.exe
PID: 820
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\nrnet\Desktop\bleeping computer stuff\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: 93877000
Module End: 93882000
Hidden: No

Module Name: \WINNT\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E2000
Hidden: No

Module Name: \WINNT\system32\hal.dll
Service Name: ---
Module Base: 806E2000
Module End: 80702D00
Hidden: No

Module Name: \WINNT\system32\KDCOM.DLL
Service Name: ---
Module Base: BA5A8000
Module End: BA5AA000
Hidden: No

Module Name: \WINNT\system32\BOOTVID.dll
Service Name: ---
Module Base: BA4B8000
Module End: BA4BB000
Hidden: No

Module Name: C:\WINNT\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: B9F79000
Module End: B9FA7000
Hidden: No

Module Name: \WINNT\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: BA5AA000
Module End: BA5AC000
Hidden: No

Module Name: C:\WINNT\system32\drivers\pci.sys
Service Name: PCI
Module Base: B9F68000
Module End: B9F79000
Hidden: No

Module Name: C:\WINNT\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: BA0A8000
Module End: BA0B1000
Hidden: No

Module Name: C:\WINNT\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: BA4BC000
Module End: BA4BF000
Hidden: No

Module Name: \WINNT\system32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: BA4C0000
Module End: BA4C4000
Hidden: No

Module Name: C:\WINNT\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: BA670000
Module End: BA671000
Hidden: No

Module Name: \WINNT\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: BA328000
Module End: BA32F000
Hidden: No

Module Name: C:\WINNT\system32\drivers\aliide.sys
Service Name: AliIde
Module Base: BA5AC000
Module End: BA5AE000
Hidden: No

Module Name: C:\WINNT\system32\drivers\viaide.sys
Service Name: ViaIde
Module Base: BA5AE000
Module End: BA5B0000
Hidden: No

Module Name: C:\WINNT\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: BA5B0000
Module End: BA5B2000
Hidden: No

Module Name: C:\WINNT\system32\drivers\pcmcia.sys
Service Name: Pcmcia
Module Base: B9F4A000
Module End: B9F68000
Hidden: No

Module Name: C:\WINNT\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: BA0B8000
Module End: BA0C3000
Hidden: No

Module Name: C:\WINNT\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: B9F2B000
Module End: B9F4A000
Hidden: No

Module Name: C:\WINNT\system32\drivers\dmload.sys
Service Name: dmload
Module Base: BA5B2000
Module End: BA5B4000
Hidden: No

Module Name: C:\WINNT\system32\drivers\dmio.sys
Service Name: dmio
Module Base: B9F05000
Module End: B9F2B000
Hidden: No

Module Name: C:\WINNT\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: BA330000
Module End: BA335000
Hidden: No

Module Name: C:\WINNT\system32\drivers\ACPIEC.sys
Service Name: ACPIEC
Module Base: BA4C4000
Module End: BA4C7000
Hidden: No

Module Name: \WINNT\system32\DRIVERS\OPRGHDLR.SYS
Service Name: ---
Module Base: BA671000
Module End: BA672000
Hidden: No

Module Name: C:\WINNT\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: BA0C8000
Module End: BA0D5000
Hidden: No

Module Name: C:\WINNT\system32\drivers\atapi.sys
Service Name: atapi
Module Base: B9EED000
Module End: B9F05000
Hidden: No

Module Name: C:\WINNT\system32\drivers\iaStor.sys
Service Name: iaStor
Module Base: B9E25000
Module End: B9EED000
Hidden: No

Module Name: C:\WINNT\system32\drivers\disk.sys
Service Name: ---
Module Base: BA0D8000
Module End: BA0E1000
Hidden: No

Module Name: \WINNT\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: BA0E8000
Module End: BA0F5000
Hidden: No

Module Name: C:\WINNT\system32\drivers\fltMgr.sys
Service Name: FltMgr
Module Base: B9E06000
Module End: B9E25000
Hidden: No

Module Name: C:\WINNT\system32\drivers\sr.sys
Service Name: sr
Module Base: B9DF4000
Module End: B9E06000
Hidden: No

Module Name: C:\WINNT\system32\drivers\drvmcdb.sys
Service Name: drvmcdb
Module Base: B9DDF000
Module End: B9DF4000
Hidden: No

Module Name: C:\WINNT\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: BA0F8000
Module End: BA104000
Hidden: No

Module Name: C:\WINNT\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: B9DC8000
Module End: B9DDF000
Hidden: No

Module Name: C:\WINNT\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: B9D3B000
Module End: B9DC8000
Hidden: No

Module Name: C:\WINNT\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: B9D0E000
Module End: B9D3B000
Hidden: No

Module Name: C:\WINNT\system32\drivers\prot_2k.sys
Service Name: prot_2k
Module Base: B9CD4000
Module End: B9D0E000
Hidden: No

Module Name: C:\WINNT\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: BA108000
Module End: BA117000
Hidden: No

Module Name: \WINNT\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: BA118000
Module End: BA125000
Hidden: No

Module Name: C:\WINNT\system32\drivers\Mup.sys
Service Name: Mup
Module Base: B9CB9000
Module End: B9CD4000
Hidden: No

Module Name: C:\WINNT\system32\drivers\agp440.sys
Service Name: agp440
Module Base: BA128000
Module End: BA133000
Hidden: No

Module Name: C:\WINNT\system32\drivers\hpdskflt.sys
Service Name: hpdskflt
Module Base: BA138000
Module End: BA141000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: BA168000
Module End: BA178000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: B77F0000
Module End: B77F9000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\igxpmp32.sys
Service Name: ialm
Module Base: B6832000
Module End: B6DA4000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: B681E000
Module End: B6832000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\HECI.sys
Service Name: HECI
Module Base: B7684000
Module End: B768F000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: B7674000
Module End: B7684000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: B9C4D000
Module End: B9C51000
Hidden: No

Module Name: C:\WINNT\System32\drivers\swmsflt.sys
Service Name: swmsflt
Module Base: B70FC000
Module End: B7101000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: B70F4000
Module End: B70F9000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: B67FB000
Module End: B681E000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: B70EC000
Module End: B70F3000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: B67D6000
Module End: B67FB000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\NETw4x32.sys
Service Name: NETw4x32
Module Base: B65BB000
Module End: B67D6000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\rismc32.sys
Service Name: rismc32
Module Base: B7664000
Module End: B7670000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\SMCLIB.SYS
Service Name: ---
Module Base: B9C45000
Module End: B9C49000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\sdbus.sys
Service Name: sdbus
Module Base: B65AA000
Module End: B65BB000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\rimmptsk.sys
Service Name: rimmptsk
Module Base: B7654000
Module End: B7663000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: B6596000
Module End: B65AA000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\IFXTPM.SYS
Service Name: IFXTPM
Module Base: B7644000
Module End: B764F000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: B7634000
Module End: B7641000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\HpqKbFiltr.sys
Service Name: HpqKbFiltr
Module Base: B70E4000
Module End: B70E9000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\WDFLDR.SYS
Service Name: ---
Module Base: B7624000
Module End: B7631000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\Wdf01000.sys
Service Name: Wdf01000
Module Base: B651B000
Module End: B6596000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: B70DC000
Module End: B70E2000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\SynTP.sys
Service Name: SynTP
Module Base: B64E6000
Module End: B651B000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: BA64E000
Module End: BA650000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: B70D4000
Module End: B70DA000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: B7614000
Module End: B761F000
Hidden: No

Module Name: C:\WINNT\system32\drivers\sscdbhk5.sys
Service Name: sscdbhk5
Module Base: BA650000
Module End: BA652000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: B7604000
Module End: B7611000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: B75F4000
Module End: B7603000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: B64C3000
Module End: B64E6000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\pwd_2k.SYS
Service Name: pwd_2k
Module Base: B64A4000
Module End: B64C3000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\Accelerometer.sys
Service Name: Accelerometer
Module Base: B6E34000
Module End: B6E3E000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\cpqbttn.sys
Service Name: HBtnKey
Module Base: B9C39000
Module End: B9C3C000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: B6E24000
Module End: B6E2D000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: B70CC000
Module End: B70D3000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: B7140000
Module End: B7144000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\wmiacpi.sys
Service Name: WmiAcpi
Module Base: B713C000
Module End: B713F000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\dne2000.sys
Service Name: DNE
Module Base: B6489000
Module End: B64A4000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: BA766000
Module End: BA767000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: B6E14000
Module End: B6E21000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: B7134000
Module End: B7137000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: B6472000
Module End: B6489000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: B6E04000
Module End: B6E0F000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: B6DF4000
Module End: B6E00000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: BA378000
Module End: BA37D000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: B6461000
Module End: B6472000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: B6DE4000
Module End: B6DED000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: BA3E0000
Module End: BA3E5000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: BA398000
Module End: BA39D000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: B6430000
Module End: B6461000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: B6DD4000
Module End: B6DDE000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: BA652000
Module End: BA654000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\update.sys
Service Name: Update
Module Base: B63FC000
Module End: B6430000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: B7120000
Module End: B7124000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\mmc_2K.SYS
Service Name: mmc_2K
Module Base: BA388000
Module End: BA38E000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: BA568000
Module End: BA56C000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: B6DC4000
Module End: B6DCE000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: A3E9D000
Module End: A3EAC000
Hidden: No

Module Name: C:\WINNT\system32\drivers\ADIHdAud.sys
Service Name: ADIHdAudAddService
Module Base: A38C0000
Module End: A3909000
Hidden: No

Module Name: C:\WINNT\system32\drivers\portcls.sys
Service Name: ---
Module Base: A389E000
Module End: A38C0000
Hidden: No

Module Name: C:\WINNT\system32\drivers\drmk.sys
Service Name: ---
Module Base: A3E8D000
Module End: A3E9C000
Hidden: No

Module Name: C:\WINNT\system32\drivers\AEAudio.sys
Service Name: AEAudio
Module Base: A3886000
Module End: A389E000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\HSFHWAZL.sys
Service Name: HSFHWAZL
Module Base: A3852000
Module End: A3886000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\HSF_DPV.sys
Service Name: HSF_DPV
Module Base: A3760000
Module End: A3852000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\HSF_CNXT.sys
Service Name: winachsf
Module Base: A36AD000
Module End: A3760000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: B7104000
Module End: B710C000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\Cdr4_xp.SYS
Service Name: Cdr4_xp
Module Base: 9F3FB000
Module End: 9F3FC000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\Cdralw2k.SYS
Service Name: Cdralw2k
Module Base: 9F393000
Module End: 9F394000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: 9F45D000
Module End: 9F45F000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\Null.SYS
Service Name: Null
Module Base: 9F392000
Module End: 9F393000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: 9F45B000
Module End: 9F45D000
Hidden: No

Module Name: C:\WINNT\system32\drivers\ssrtln.sys
Service Name: ssrtln
Module Base: 9F67B000
Module End: 9F681000
Hidden: No

Module Name: C:\WINNT\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: 9F673000
Module End: 9F679000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: 9F44D000
Module End: 9F44F000
Hidden: No

Module Name: C:\WINNT\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: A39D9000
Module End: A39DB000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\cdudf_xp.SYS
Service Name: cdudf_xp
Module Base: 949A6000
Module End: 949E1000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: 95C09000
Module End: 95C0E000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: 95C01000
Module End: 95C09000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\UdfReadr_xp.SYS
Service Name: UdfReadr_xp
Module Base: 94939000
Module End: 9496C000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: 958EF000
Module End: 958F2000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: 94914000
Module End: 94927000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: 948BC000
Module End: 94914000
Hidden: No

Module Name: C:\WINNT\system32\drivers\mfetdik.sys
Service Name: mfetdik
Module Base: 95B69000
Module End: 95B75000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: 94873000
Module End: 94894000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: 9484B000
Module End: 94873000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: 95B59000
Module End: 95B62000
Hidden: No

Module Name: C:\WINNT\System32\drivers\afd.sys
Service Name: AFD
Module Base: 94829000
Module End: 9484B000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: 95B49000
Module End: 95B52000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: 95B29000
Module End: 95B38000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: 947FE000
Module End: 94829000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: 9478F000
Module End: 947FE000
Hidden: No

Module Name: \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
Service Name: mferkdk
Module Base: 95BF9000
Module End: 95C00000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: 95B19000
Module End: 95B22000
Hidden: No

Module Name: \??\C:\WINNT\system32\enstart_.sys
Service Name: enstart_
Module Base: 95BE1000
Module End: 95BE9000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: 946C7000
Module End: 9478F000
Hidden: Yes

Module Name: C:\WINNT\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: 94898000
Module End: 9489B000
Hidden: No

Module Name: C:\WINNT\System32\watchdog.sys
Service Name: ---
Module Base: 95879000
Module End: 9587E000
Hidden: No

Module Name: C:\WINNT\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: BA6E4000
Module End: BA6E5000
Hidden: No

Module Name: C:\WINNT\system32\drivers\drvnddm.sys
Service Name: drvnddm
Module Base: 94F65000
Module End: 94F6F000
Hidden: No

Module Name: C:\WINNT\system32\dla\tfsndres.sys
Service Name: tfsndres
Module Base: 95117000
Module End: 95118000
Hidden: No

Module Name: C:\WINNT\system32\dla\tfsnifs.sys
Service Name: tfsnifs
Module Base: 946B1000
Module End: 946C7000
Hidden: No

Module Name: C:\WINNT\system32\dla\tfsnopio.sys
Service Name: tfsnopio
Module Base: A1045000
Module End: A1049000
Hidden: No

Module Name: C:\WINNT\system32\dla\tfsnpool.sys
Service Name: tfsnpool
Module Base: BA60A000
Module End: BA60C000
Hidden: No

Module Name: C:\WINNT\system32\dla\tfsnboio.sys
Service Name: tfsnboio
Module Base: A12F3000
Module End: A12FA000
Hidden: No

Module Name: C:\WINNT\system32\dla\tfsncofs.sys
Service Name: tfsncofs
Module Base: 94F75000
Module End: 94F7E000
Hidden: No

Module Name: C:\WINNT\system32\dla\tfsndrct.sys
Service Name: tfsndrct
Module Base: 9511A000
Module End: 9511B000
Hidden: No

Module Name: C:\WINNT\system32\dla\tfsnudf.sys
Service Name: tfsnudf
Module Base: 94698000
Module End: 946B1000
Hidden: No

Module Name: C:\WINNT\system32\dla\tfsnudfa.sys
Service Name: tfsnudfa
Module Base: 9467F000
Module End: 94698000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\AegisP.sys
Service Name: AegisP
Module Base: 9937D000
Module End: 99382000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\s24trans.sys
Service Name: s24trans
Module Base: 9510D000
Module End: 95111000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: 94653000
Module End: 9467F000
Hidden: No

Module Name: \??\C:\WINNT\System32\drivers\CITMDRV.SYS
Service Name: CITMDRV
Module Base: B77A6000
Module End: B77AD000
Hidden: No

Module Name: \??\C:\WINNT\system32\Drivers\CVPNDRVA.sys
Service Name: CVPNDRVA
Module Base: 945A6000
Module End: 9462B000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: 944B4000
Module End: 94506000
Hidden: No

Module Name: C:\WINNT\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: 9453E000
Module End: 94542000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: B92C7000
Module End: B92D7000
Hidden: No

Module Name: \??\C:\WINNT\system32\Drivers\uphcleanhlp.sys
Service Name: ---
Module Base: A1841000
Module End: A1843000
Hidden: Yes

Module Name: C:\WINNT\system32\drivers\mfehidk.sys
Service Name: mfehidk
Module Base: 93F63000
Module End: 93F8C000
Hidden: No

Module Name: C:\WINNT\system32\drivers\mfebopk.sys
Service Name: mfebopk
Module Base: A3C45000
Module End: A3C4C000
Hidden: No

Module Name: C:\WINNT\system32\drivers\mfeapfk.sys
Service Name: mfeapfk
Module Base: 940BC000
Module End: 940CB000
Hidden: No

Module Name: C:\WINNT\system32\drivers\mfeavfk.sys
Service Name: mfeavfk
Module Base: 93F2A000
Module End: 93F3B000
Hidden: No

Module Name: C:\WINNT\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: 93D5D000
Module End: 93D72000
Hidden: No

Module Name: C:\WINNT\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: 94144000
Module End: 94153000
Hidden: No

Module Name: C:\WINNT\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: 93907000
Module End: 93948000
Hidden: No

Module Name: C:\WINNT\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: 9365D000
Module End: 93687000
Hidden: No

Module Name: \??\C:\DOCUME~1\nrnet\LOCALS~1\Temp\avyaaomn.sys
Service Name: avyaaomn
Module Base: 93649000
Module End: 9365D000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwUnloadKey
Address: A184163C
Driver Base: A1841000
Driver End: A1843000
Driver Name: \??\C:\WINNT\system32\Drivers\uphcleanhlp.sys

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwYieldExecution
At Address: 80503FE8
Jump To: 93F768BD
Module Name: C:\WINNT\system32\drivers\mfehidk.sys

Hooked Function: ZwUnmapViewOfSection
At Address: 805B188C
Jump To: 93F768E9
Module Name: C:\WINNT\system32\drivers\mfehidk.sys

Hooked Function: ZwTerminateProcess
At Address: 805D1232
Jump To: 93F7686B
Module Name: C:\WINNT\system32\drivers\mfehidk.sys

Hooked Function: ZwSetValueKey
At Address: 806207EE
Jump To: 93F76855
Module Name: C:\WINNT\system32\drivers\mfehidk.sys

Hooked Function: ZwRenameKey
At Address: 80621B54
Jump To: 93F76829
Module Name: C:\WINNT\system32\drivers\mfehidk.sys

Hooked Function: ZwProtectVirtualMemory
At Address: 805B6E5E
Jump To: 93F76893
Module Name: C:\WINNT\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenKey
At Address: 806234C4
Jump To: 93F767EB
Module Name: C:\WINNT\system32\drivers\mfehidk.sys

Hooked Function: ZwMapViewOfSection
At Address: 805B0A7E
Jump To: 93F768D3
Module Name: C:\WINNT\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteValueKey
At Address: 8062278E
Jump To: 93F7683F
Module Name: C:\WINNT\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteKey
At Address: 806225BE
Jump To: 93F76813
Module Name: C:\WINNT\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateProcess
At Address: 805CFAE0
Jump To: 93F768A9
Module Name: C:\WINNT\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateKey
At Address: 8062212E
Jump To: 93F767FF
Module Name: C:\WINNT\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateFile
At Address: 80577ED2
Jump To: 93F7687F
Module Name: C:\WINNT\system32\drivers\mfehidk.sys

Hooked Function: PsCreateSystemProcess
At Address: 805CFAE0
Jump To: 93F768A9
Module Name: C:\WINNT\system32\drivers\mfehidk.sys

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************

Local Address: CSPARAM1529592:1054
Remote Address: LOCALHOST:1053
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CSPARAM1529592:1053
Remote Address: LOCALHOST:1054
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CSPARAM1529592:1049
Remote Address: LOCALHOST:1048
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CSPARAM1529592:1048
Remote Address: LOCALHOST:1049
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CSPARAM1529592:1030
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINNT\system32\alg.exe
State: LISTENING

Local Address: CSPARAM1529592:9495
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINNT\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
State: LISTENING

Local Address: CSPARAM1529592:9081
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\McAfee\Common Framework\FrameworkService.exe
State: LISTENING

Local Address: CSPARAM1529592:4445
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINNT\system32\enstart.exe
State: LISTENING

Local Address: CSPARAM1529592:2030
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\orant\ora9i\bin\omtsreco.exe
State: LISTENING

Local Address: CSPARAM1529592:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: CSPARAM1529592:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINNT\system32\svchost.exe
State: LISTENING


Local Address: CSPARAM1529592:1900
Remote Address: NA
Type: UDP
Process: C:\WINNT\system32\svchost.exe
State: NA

Local Address: CSPARAM1529592:123
Remote Address: NA
Type: UDP
Process: C:\WINNT\system32\svchost.exe
State: NA

Local Address: CSPARAM1529592:52311
Remote Address: NA
Type: UDP
Process: C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
State: NA

Local Address: CSPARAM1529592:9082
Remote Address: NA
Type: UDP
Process: C:\Program Files\McAfee\Common Framework\FrameworkService.exe
State: NA

Local Address: CSPARAM1529592:9081
Remote Address: NA
Type: UDP
Process: C:\Program Files\McAfee\Common Framework\FrameworkService.exe
State: NA

Local Address: CSPARAM1529592:4500
Remote Address: NA
Type: UDP
Process: C:\WINNT\system32\lsass.exe
State: NA

Local Address: CSPARAM1529592:500
Remote Address: NA
Type: UDP
Process: C:\WINNT\system32\lsass.exe
State: NA

Local Address: CSPARAM1529592:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: CSPARAM1529592:161
Remote Address: NA
Type: UDP
Process: C:\WINNT\system32\snmp.exe
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{3A044DA0-E215-4B1A-86A1-A260A7C48422}
Status: Access denied



I think I completed all you have mentioned. If I missed any steps please let me know.

Thank you,
Sincerely,
Subu


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 24 July 2009 - 11:53 AM

Hi,


I do not think the file V0250Cvw.dll is malicious; I actually believe that it is related to your video camera. There is a driver for it that is probably bringing it back. This might be a false positive from Malwarebytes.

Could you please update Malwarebytes and run a new scan? Let's see if it is still showing.

Please also provide a log from OTL:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#9 subu

subu
  • Topic Starter

  • Members
  • 8 posts

Posted 25 July 2009 - 12:13 AM

Hello Staff,

Thank you for your patient replies. I have completed the steps you asked me to do:

1) Updated Malwarebytes and ran the scan. It now reports two objects infected. I have not cleaned them using MBAM. I will wait for your reply.

I am pasting the log file, but here it shows just one object infected. In the scan results it shows this file too:

C:\WINNT\system32\drivers\geyekrlbostjjm.sys

mbam log file:

Malwarebytes' Anti-Malware 1.39
Database version: 2498
Windows 5.1.2600 Service Pack 2

7/24/2009 10:09:02 PM
mbam-log-2009-07-24 (22-08-52).txt

Scan type: Quick Scan
Objects scanned: 90233
Time elapsed: 2 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\winnt\system32\v0250cvw.dll (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINNT\system32\drivers\geyekrlbostjjm.sys (Rootkit.Agent) -> No action taken.



2) The results from OTL


Extras.txt

OTL Extras logfile created on: 7/24/2009 9:56:36 PM - Run 1
OTL by OldTimer - Version 3.0.10.3 Folder = C:\Documents and Settings\Desktop\bleeping computer stuff
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 37.47 Gb Free Space | 50.28% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive P: | 74.52 Gb Total Space | 37.47 Gb Free Space | 50.28% Space Free | Partition Type: *NT5CSC

Computer Name: CSPARAM1529592
Current User Name: NRNet
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"2799:UDP" = 2799:UDP:*:Enabled:Altova License Metering Port (UDP)
"2799:TCP" = 2799:TCP:*:Enabled:Altova License Metering Port (TCP)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"E:\skype\Phone\Skype.exe" = E:\skype\Phone\Skype.exe:*:Enabled:Skype -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01C33895-5229-497E-8568-46DED43D2D52}" = TechSmithScreenCaptureCodec 2.06
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0AF4C301-9A12-4452-BC65-8731488C711E}" = QuickTime 6.5.2
"{0D167CC5-D945-4993-A7B4-D2C2E480B07E}" = KPHCDowntime 3.0
"{0D2CD8E6-EEEE-45F0-B408-5A13463DC45A}" = FlashPlayer 9.0
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{144FDCF3-46AB-4BA2-9FE3-36E1C9E572DB}" = ClarityMicrosoftProjectInterface 8.1FP03
"{1887F5EF-077F-4A15-BCD4-DEBC060CF729}" = RealPlayer 10
"{1E9A9E08-0366-45EE-9B66-51852F8D9812}" = Open Workbench
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{240DE964-ADF8-42C8-B184-4982D6811732}" = Office 2003SP1
"{24C67B54-0718-445E-B663-3138D9246BD1}" = Cisco Systems VPN Client 4.8.00.0440
"{27A8E11A-8CA6-45EE-8471-9B6A19B1C25D}" = SnagIt 7.2.1
"{2F400402-B5FF-47F5-BDD4-8FD0883C752B}" = IBM Lotus Sametime Connect 7.5.1
"{31B33270-24D7-4307-84F2-A3288636B83A}" = Pointsec for PC
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 B2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35C03C04-3F1F-42C2-A989-A757EE691F65}" = McAfee VirusScan Enterprise
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{408CCB7B-D842-4A33-B1D1-FE635131A251}" = Oracle 8.1.7r1
"{429E92A4-159F-4AEC-85A1-D693E1E4274D}" = HP 3D DriveGuard
"{43A2D442-1724-460C-9F1D-BD031D322AE5}" = NotesCMTDlls 1.66
"{58FDDA90-59F4-44F3-A007-8A0609D0F0F2}" = Citrix Presentation Server Client
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C853 Driver WXP Ver.1.01.05
"{60242F85-4389-420A-B4BE-9E46E4C060EE}" = Extra 7.11
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{66595A14-66BF-4C17-A512-B5BB2B48067F}" = ToadForOracle 8.5
"{673E5F79-7931-4556-AC9D-2177A09A20BB}" = TNSNAMES.ORA 12-Apr-2006
"{6F1D1F78-931A-464D-805F-CFD52C5B6903}" = SameTime 3.1
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7D1D6A24-65D4-454C-8815-4F08A5FFF12C}" = Macromedia Shockwave Player
"{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
"{8509076C-B975-46EC-A3F3-7FE4DFBA4BD4}" = WIRE-NotebookWorkstation 1.0
"{87DCCD84-2007-4177-A790-44B395ED07DD}" = JavaRuntimeEnvironment 1.5.0.09
"{897B0191-F68F-49E6-A183-5178D538E020}" = iSiteExtOCX 3.3.1.7
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A661EB6-5539-4B2B-B6DB-665E809AE39A}" = Altova XMLSpy® 2009 sp1 Standard Edition
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{8F12782C-E2E1-405B-9E1C-3B72DC09AB13}" = WinZip 9.0
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{90150409-6000-11D3-8CFE-0050048383C9}" = Microsoft Access 2002
"{901C0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Access 2002 Runtime
"{903A0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Standard 2003
"{90520409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Viewer 2003 (English)
"{90530409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Standard 2003
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{928D6D96-AF6A-4C9A-8986-0F4B4BA488AB}" = OpenWorkbench 8.1.0.4247
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow! Plus
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A32A35C0-2A9C-4FFE-9C15-575484E620F8}" = WSFTPPro 6.7
"{A67F6402-81BE-4030-B481-64458C3A06C8}" = RAP 1.0r1
"{A9C3C3B8-5EB4-4655-9F12-06D807DBFBA4}" = 816093
"{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B510A987-487E-4C66-9F4F-D386AC275715}" = TextPad 4.7
"{BE452791-3EEC-4E27-B468-7001F0A92E68}" = TNSNAMES.ORA 14-Feb-2008
"{BECB458E-2900-4327-A97C-57EE50C5691C}" = Clarity Schedule Connect
"{BF7023BC-319B-4FE1-B569-C854A19F81F8}" = BigFix Enterprise Client
"{BF755CD9-E185-498A-AAFB-E9F8470AB1CC}" = User Profile Hive Cleanup Service
"{C1E26EED-CC8B-4371-9CC7-AD8A5814B4B2}" = IE5 Registration
"{C374B00E-07C9-474F-8BD4-EB6066DF9F99}" = ICAClient 8.0r1
"{C9E12E16-DE77-43FF-872C-0B65A19A7A78}" = Remedy 6.30.15r1
"{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}" = mToolkit
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE35D113-8EFC-4BC2-AB76-BC63D6CCB6B4}" = TeraDataODBC 3.05.00.05
"{D4AEFE66-4355-4E9E-9896-B51B37E65FDA}" = StarTeamClient 2008
"{D5378D6A-BC17-4178-B748-3FA98FB3BEB4}" = iSiteOCX 3.3.1.7r1
"{D7114325-F3BC-4C13-BA37-C0CC482CF3C3}" = CaliberRM 2006.1HotFix34c35c
"{D91EEFEB-965F-4975-9094-14808CC0D651}" = Windows Media Player 9 Series
"{DF6B8EA9-32CF-4937-BADF-6CF43313C9FC}" = mGina
"{E3374DA5-BC28-4113-97FF-C57D3EF84BD7}" = BusinessObjects 5.1.7
"{E7055B3E-CE56-43FB-B971-7A88616AD1AF}" = WebEx Productivity Tools
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{ED1636B2-936F-4977-A026-E2D3F2798625}" = VZAccess Manager for Sierra Wireless
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F197C872-161D-43FD-B099-CEF5440089C3}" = QualityCenter 9.2P7
"{F2345F6A-25F8-46DB-AA4D-4937547970CB}" = Radia Client
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{F64A026A-0CF2-4C17-B3A1-652E58FC3FCD}" = EncaseServlet 5.05G
"{FA00A998-F2EF-4030-9CDA-773FAEED2870}" = Lotus Notes 6.5.5
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CNXT_MODEM_PCI_VEN_14F1&DEV_2C06_hpqZ3795" = Soft Data Fax Modem with SmartCP
"Creative VF0250" = Creative Live! Cam Notebook Pro Driver (1.01.03.0405)
"HDMI" = Intel® Graphics Media Accelerator Driver
"HECI" = Intel® Management Engine Interface
"HijackThis" = HijackThis 2.0.2
"IE 6.0 Foreign Languages" = IE 6.0 Foreign Languages
"IE 6.01" = IE 6.01
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.5.1)" = Mozilla Firefox (3.5.1)
"ProInst" = Intel® PROSet/Wireless Software
"PROSet" = Intel® PRO Network Connections Drivers
"RealPlayer 6.0" = RealPlayer
"RealPlayer10 Delete .LNK files" = RealPlayer10 Delete .LNK files
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Ingenuity Pathways Analysis" = Ingenuity Pathways Analysis
"Ingenuity Webstart Test" = Ingenuity Webstart Test

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/25/2009 12:39:21 AM | Computer Name = CSPARAM1529592 | Source = Merlin - MapUpdatesShare | ID = 0
Description = \\\Updates$ is unreachable. MapUpdatesShare() failed.

Error - 7/25/2009 12:39:21 AM | Computer Name = CSPARAM1529592 | Source = Merlin - GetDomainController | ID = 0
Description = Trapped Error: Can't get domain controller. The specified domain either
does not exist or could not be contacted

Error - 7/25/2009 12:39:21 AM | Computer Name = CSPARAM1529592 | Source = Merlin - XML Machine Update | ID = 0
Description = Trapped Error: The underlying connection was closed: The remote name
could not be resolved.

Error - 7/25/2009 12:39:30 AM | Computer Name = CSPARAM1529592 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 7/25/2009 12:39:31 AM | Computer Name = CSPARAM1529592 | Source = Merlin - GetRootDN | ID = 0
Description = Trapped Error: Can't get root DN from Active Directory. The specified
domain either does not exist or could not be contacted

Error - 7/25/2009 12:39:31 AM | Computer Name = CSPARAM1529592 | Source = Merlin - GetDomain | ID = 0
Description = Can't get domain information. The specified domain either does not
exist or could not be contacted

Error - 7/25/2009 12:39:31 AM | Computer Name = CSPARAM1529592 | Source = Merlin - GetRootDN | ID = 0
Description = Trapped Error: Can't get root DN from Active Directory. The specified
domain either does not exist or could not be contacted

Error - 7/25/2009 12:39:31 AM | Computer Name = CSPARAM1529592 | Source = Merlin - GetMachineAppGroups | ID = 0
Description = Error getting machine app groups. Trapped Error: The specified domain
either does not exist or could not be contacted

Error - 7/25/2009 12:39:31 AM | Computer Name = CSPARAM1529592 | Source = Merlin - CheckInstallations | ID = 0
Description = Trapped error: Object reference not set to an instance of an object.

Error - 7/25/2009 12:39:35 AM | Computer Name = CSPARAM1529592 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

[ Pointsec Events ]
Error - 7/15/2009 11:52:34 AM | Computer Name = CSPARAM1529592 | Source = prot_srv | ID = 462754
Description = The recovery file could not be created: path not found.

Error - 7/16/2009 11:03:09 AM | Computer Name = CSPARAM1529592 | Source = prot_srv | ID = 462754
Description = The recovery file could not be created: path not found.

Error - 7/17/2009 9:49:56 AM | Computer Name = CSPARAM1529592 | Source = prot_srv | ID = 462754
Description = The recovery file could not be created: path not found.

Error - 7/18/2009 11:43:45 AM | Computer Name = CSPARAM1529592 | Source = prot_srv | ID = 462754
Description = The recovery file could not be created: path not found.

Error - 7/19/2009 2:03:19 PM | Computer Name = CSPARAM1529592 | Source = prot_srv | ID = 462754
Description = The recovery file could not be created: path not found.

Error - 7/20/2009 11:31:08 AM | Computer Name = CSPARAM1529592 | Source = prot_srv | ID = 462754
Description = The recovery file could not be created: path not found.

Error - 7/21/2009 11:32:15 AM | Computer Name = CSPARAM1529592 | Source = prot_srv | ID = 462754
Description = The recovery file could not be created: path not found.

Error - 7/22/2009 11:44:55 AM | Computer Name = CSPARAM1529592 | Source = prot_srv | ID = 462754
Description = The recovery file could not be created: path not found.

Error - 7/23/2009 10:22:40 AM | Computer Name = CSPARAM1529592 | Source = prot_srv | ID = 462754
Description = The recovery file could not be created: path not found.

Error - 7/24/2009 11:23:06 AM | Computer Name = CSPARAM1529592 | Source = prot_srv | ID = 462754
Description = The recovery file could not be created: path not found.

[ System Events ]
Error - 7/25/2009 12:38:30 AM | Computer Name = CSPARAM1529592 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain CS due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 7/25/2009 12:39:13 AM | Computer Name = CSPARAM1529592 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 7/25/2009 12:39:14 AM | Computer Name = CSPARAM1529592 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 7/25/2009 12:39:14 AM | Computer Name = CSPARAM1529592 | Source = Print | ID = 23
Description = Printer SnagIt 7 failed to initialize because a suitable SnagIt 7
Printer driver could not be found.

Error - 7/25/2009 12:39:58 AM | Computer Name = CSPARAM1529592 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 7/25/2009 12:40:01 AM | Computer Name = CSPARAM1529592 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the hpqwmiex service to connect.

Error - 7/25/2009 12:40:01 AM | Computer Name = CSPARAM1529592 | Source = Service Control Manager | ID = 7000
Description = The hpqwmiex service failed to start due to the following error: %%1053

Error - 7/25/2009 12:40:01 AM | Computer Name = CSPARAM1529592 | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 7/25/2009 12:53:46 AM | Computer Name = CSPARAM1529592 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 7/25/2009 12:54:04 AM | Computer Name = CSPARAM1529592 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.


< End of report >

OTL.TXT

,OTL logfile created on: 7/24/2009 9:56:36 PM - Run 1
OTL by OldTimer - Version 3.0.10.3 Folder = C:\Documents and Settings\Desktop\bleeping computer stuff
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 37.47 Gb Free Space | 50.28% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive P: | 74.52 Gb Total Space | 37.47 Gb Free Space | 50.28% Space Free | Partition Type: *NT5CSC

Computer Name: CSPARAM1529592
Current User Name: NRNet
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2007/04/16 11:21:20 | 00,983,040 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2008/04/22 19:39:42 | 02,809,856 | ---- | M] (BigFix Inc.) -- C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
PRC - [2007/06/20 14:11:46 | 00,491,520 | ---- | M] () -- C:\WINNT\System32\enstart.exe
PRC - [2007/04/16 11:33:18 | 00,647,168 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2004/03/01 11:44:58 | 00,212,992 | ---- | M] (Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421) -- C:\Program Files\WS_FTP Pro\ftpsched.exe
PRC - [2004/08/12 00:15:04 | 00,139,264 | ---- | M] () -- C:\winnt\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
PRC - [2007/03/27 15:06:00 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2007/10/16 20:50:00 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2007/10/16 20:50:00 | 00,054,608 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2005/12/01 07:35:58 | 00,057,393 | ---- | M] (IBM Corp) -- C:\Program Files\lotus\notes\ntmulti.exe
PRC - [2002/04/30 15:23:46 | 00,057,603 | ---- | M] (Oracle Corporation) -- C:\orant\ora9i\bin\omtsreco.exe
PRC - [2000/10/19 11:55:50 | 00,411,244 | ---- | M] () -- C:\orant\Ora81\bin\ONRSD.EXE
PRC - [2002/04/26 19:34:38 | 00,242,328 | ---- | M] () -- C:\orant\ora9i\BIN\ONRSD.EXE
PRC - [2007/03/27 15:06:00 | 00,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2007/05/21 14:54:38 | 00,110,968 | ---- | M] () -- C:\WINNT\System32\pstartSr.exe
PRC - [2007/04/16 11:14:24 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2006/11/20 01:42:45 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\snmp.exe
PRC - [2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\wdfmgr.exe
PRC - [2004/03/05 01:45:34 | 00,192,573 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe
PRC - [2007/04/16 11:24:16 | 00,294,912 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
PRC - [2009/02/06 09:39:29 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\wbem\wmiprvse.exe
PRC - [2008/05/07 12:30:36 | 00,070,968 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\ssonsvr.exe
PRC - [2004/08/04 01:56:50 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Explorer.EXE
PRC - [2002/12/17 12:28:00 | 00,684,032 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
PRC - [2007/10/16 20:50:00 | 00,111,952 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
PRC - [2004/03/01 11:44:58 | 00,245,760 | ---- | M] (Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421) -- C:\Program Files\WS_FTP Pro\ftpqueue.exe
PRC - [2007/01/05 17:36:48 | 00,872,448 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2007/09/14 19:27:20 | 01,015,808 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2007/04/16 11:24:32 | 00,819,200 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
PRC - [2007/04/16 11:22:16 | 00,970,752 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
PRC - [2007/05/18 22:50:08 | 00,162,584 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\hkcmd.exe
PRC - [2007/05/21 14:55:56 | 00,942,536 | ---- | M] (Pointsec Mobile Technologies AB) -- C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2007/04/16 11:17:58 | 00,487,424 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2008/04/22 19:13:16 | 01,384,448 | ---- | M] (BigFix, Inc.) -- C:\Program Files\BigFix Enterprise\BES Client\BESClientUI.exe
PRC - [2009/07/18 09:54:00 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/05/26 21:06:32 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
PRC - [2007/03/27 15:06:00 | 00,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2007/03/27 15:06:00 | 00,086,016 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2009/07/13 13:36:16 | 01,287,440 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/07/24 21:54:54 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\nrnet\Desktop\bleeping computer stuff\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/04/22 19:39:42 | 02,809,856 | ---- | M] (BigFix Inc.) -- C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe -- (BESClient [Auto | Running])
SRV - [2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2005/11/04 10:21:28 | 01,516,584 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\VPN Client\cvpnd.exe -- (CVPND [Auto | Running])
SRV - [2007/06/20 14:11:46 | 00,491,520 | ---- | M] () -- C:\WINNT\System32\enstart.exe -- (enstart [Auto | Running])
SRV - [2007/04/16 11:33:18 | 00,647,168 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng [Auto | Running])
SRV - [2004/03/01 11:44:58 | 00,212,992 | ---- | M] (Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421) -- C:\Program Files\WS_FTP Pro\ftpsched.exe -- (ftpqueue [Auto | Running])
SRV - [2004/08/04 01:56:46 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/12/05 16:30:40 | 00,144,688 | R--- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex [Auto | Stopped])
SRV - [2005/11/14 01:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2004/08/12 00:15:04 | 00,139,264 | ---- | M] () -- C:\winnt\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe -- (lcfd [Auto | Running])
SRV - [2007/03/27 15:06:00 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework [Auto | Running])
SRV - [2007/10/16 20:50:00 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield [Auto | Running])
SRV - [2007/10/16 20:50:00 | 00,054,608 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager [Auto | Running])
SRV - [2005/12/01 07:35:58 | 00,057,393 | ---- | M] (IBM Corp) -- C:\Program Files\lotus\notes\ntmulti.exe -- (Multi-user Cleanup Service [Auto | Running])
SRV - [2002/04/30 15:23:46 | 00,057,603 | ---- | M] (Oracle Corporation) -- C:\orant\ora9i\bin\omtsreco.exe -- (OracleMTSRecoveryService [Auto | Running])
SRV - [2000/10/19 11:55:50 | 00,411,244 | ---- | M] () -- C:\orant\Ora81\bin\ONRSD.EXE -- (OracleOraHome81ClientCache [Auto | Running])
SRV - [2002/04/26 19:34:38 | 00,242,328 | ---- | M] () -- C:\orant\ora9i\BIN\ONRSD.EXE -- (OracleOraHome91ClientCache [Auto | Running])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2007/05/21 14:54:24 | 00,147,832 | ---- | M] () -- C:\WINNT\System32\Prot_srv.exe -- (Pointsec [Disabled | Stopped])
SRV - [2007/05/21 14:54:38 | 00,110,968 | ---- | M] () -- C:\WINNT\System32\pstartSr.exe -- (Pointsec_start [Auto | Running])
SRV - [2002/12/02 15:50:18 | 00,196,608 | ---- | M] (Novadigm) -- C:\Program Files\Novadigm\radexecd.exe -- (radexecd [Disabled | Stopped])
SRV - [2002/09/30 14:53:00 | 00,200,704 | ---- | M] (Novadigm) -- C:\Program Files\Novadigm\radsched.exe -- (radsched [Disabled | Stopped])
SRV - [2003/03/27 09:44:20 | 00,303,104 | ---- | M] (Novadigm) -- C:\Program Files\Novadigm\Radstgms.exe -- (Radstgms [Disabled | Stopped])
SRV - [2007/04/16 11:14:24 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc [Auto | Running])
SRV - [2007/04/16 11:21:20 | 00,983,040 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor [Auto | Running])
SRV - [2006/11/20 01:42:45 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\snmp.exe -- (SNMP [Auto | Running])
SRV - [2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\wdfmgr.exe -- (UMWdf [Auto | Running])
SRV - [2004/03/05 01:45:34 | 00,192,573 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean [Auto | Running])
SRV - [2007/04/16 11:24:16 | 00,294,912 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- (WLANKEEPER [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2001/08/17 05:20:04 | 00,096,256 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\drivers\ac97intc.sys -- (ac97intc [On_Demand | Stopped])
DRV - [2006/07/24 01:00:04 | 00,022,016 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINNT\System32\DRIVERS\Accelerometer.sys -- (Accelerometer [On_Demand | Running])
DRV - [2007/10/01 13:27:40 | 00,281,600 | ---- | M] (Analog Devices, Inc.) -- C:\WINNT\System32\drivers\ADIHdAud.sys -- (ADIHdAudAddService [On_Demand | Running])
DRV - [2007/07/13 10:26:12 | 00,094,976 | ---- | M] (Andrea Electronics Corporation) -- C:\WINNT\System32\drivers\AEAudio.sys -- (AEAudio [On_Demand | Running])
DRV - [2009/04/23 11:48:40 | 00,021,393 | ---- | M] (Cisco Systems, Inc.) -- C:\WINNT\System32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2001/08/17 13:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINNT\system32\DRIVERS\aliide.sys -- (AliIde [Boot | Running])
DRV - [2004/08/03 15:29:28 | 00,327,040 | ---- | M] (ATI Technologies Inc.) -- C:\WINNT\System32\DRIVERS\ati2mtaa.sys -- (ati2mtaa [On_Demand | Stopped])
DRV - [2005/11/03 04:00:00 | 00,002,432 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\cdr4_xp.sys -- (Cdr4_xp [System | Running])
DRV - [2005/11/03 04:00:00 | 00,002,560 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
DRV - [2002/12/17 12:27:32 | 00,241,152 | ---- | M] (Roxio) -- C:\WINNT\System32\drivers\cdudf_xp.sys -- (cdudf_xp [System | Running])
DRV - [2009/04/27 12:04:28 | 00,010,752 | ---- | M] () -- C:\WINNT\System32\drivers\CITMDRV.SYS -- (CITMDRV [Auto | Running])
DRV - [2005/05/17 04:51:34 | 00,005,315 | ---- | M] (Cisco Systems, Inc.) -- C:\WINNT\System32\DRIVERS\CVirtA.sys -- (CVirtA [On_Demand | Stopped])
DRV - [2005/11/04 10:20:40 | 00,303,735 | ---- | M] (Cisco Systems, Inc.) -- C:\WINNT\System32\Drivers\CVPNDRVA.sys -- (CVPNDRVA [Auto | Running])
DRV - [2005/08/18 19:22:30 | 00,110,080 | ---- | M] (Deterministic Networks, Inc.) -- C:\WINNT\System32\DRIVERS\dne2000.sys -- (DNE [On_Demand | Running])
DRV - [2004/08/04 03:21:00 | 00,087,136 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\drivers\drvmcdb.sys -- (drvmcdb [Boot | Running])
DRV - [2004/08/13 02:56:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\drvnddm.sys -- (drvnddm [Auto | Running])
DRV - [2009/04/23 12:41:20 | 00,025,898 | ---- | M] (Roxio) -- C:\WINNT\System32\drivers\Dvd_2k.sys -- (dvd_2K [On_Demand | Stopped])
DRV - [2007/04/13 13:33:34 | 00,254,872 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\e1e5132.sys -- (e1express [On_Demand | Stopped])
DRV - [2001/08/17 05:11:06 | 00,066,591 | ---- | M] (3Com Corporation) -- C:\WINNT\System32\DRIVERS\el90xbc5.sys -- (EL90XBC [On_Demand | Stopped])
DRV - [2009/04/23 12:20:38 | 00,031,744 | ---- | M] (Guidance Software Inc.) -- C:\WINNT\System32\enstart_.sys -- (enstart_ [System | Running])
DRV - [2006/06/28 09:54:00 | 00,009,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINNT\System32\DRIVERS\cpqbttn.sys -- (HBtnKey [On_Demand | Running])
DRV - [2005/01/07 18:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINNT\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2007/04/06 09:27:36 | 00,044,800 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\HECI.sys -- (HECI [On_Demand | Running])
DRV - [2006/07/24 01:00:04 | 00,017,920 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINNT\system32\DRIVERS\hpdskflt.sys -- (hpdskflt [Boot | Running])
DRV - [2007/06/18 16:12:04 | 00,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINNT\System32\DRIVERS\HpqKbFiltr.sys -- (HpqKbFiltr [On_Demand | Running])
DRV - [2007/04/26 17:23:06 | 00,210,816 | ---- | M] (Conexant Systems, Inc.) -- C:\WINNT\System32\DRIVERS\HSFHWAZL.sys -- (HSFHWAZL [On_Demand | Running])
DRV - [2007/04/26 17:23:44 | 00,988,032 | ---- | M] (Conexant Systems, Inc.) -- C:\WINNT\System32\DRIVERS\HSF_DPV.sys -- (HSF_DPV [On_Demand | Running])
DRV - [2007/05/16 12:14:58 | 05,707,744 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\igxpmp32.sys -- (ialm [On_Demand | Running])
DRV - [2007/09/29 23:03:12 | 00,308,248 | ---- | M] (Intel Corporation) -- C:\WINNT\system32\DRIVERS\iaStor.sys -- (iaStor [Boot | Running])
DRV - [2007/04/04 20:16:20 | 00,041,216 | ---- | M] (Infineon Technologies AG) -- C:\WINNT\System32\DRIVERS\IFXTPM.SYS -- (IFXTPM [On_Demand | Running])
DRV - [2006/06/19 14:26:58 | 00,012,672 | ---- | M] (Conexant) -- C:\WINNT\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2007/10/16 20:50:00 | 00,064,168 | ---- | M] (McAfee, Inc.) -- C:\WINNT\System32\drivers\mfeapfk.sys -- (mfeapfk [On_Demand | Running])
DRV - [2007/10/16 20:50:00 | 00,072,680 | ---- | M] (McAfee, Inc.) -- C:\WINNT\System32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
DRV - [2007/10/16 20:50:00 | 00,033,960 | ---- | M] (McAfee, Inc.) -- C:\WINNT\System32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
DRV - [2007/10/16 20:50:00 | 00,171,272 | ---- | M] (McAfee, Inc.) -- C:\WINNT\System32\drivers\mfehidk.sys -- (mfehidk [On_Demand | Running])
DRV - [2007/10/16 20:50:00 | 00,031,784 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk [System | Running])
DRV - [2007/10/16 20:50:00 | 00,051,944 | ---- | M] (McAfee, Inc.) -- C:\WINNT\System32\drivers\mfetdik.sys -- (mfetdik [System | Running])
DRV - [2009/04/23 12:41:20 | 00,030,630 | ---- | M] (Roxio) -- C:\WINNT\System32\drivers\Mmc_2k.sys -- (mmc_2K [On_Demand | Running])
DRV - [2007/04/30 06:37:20 | 02,206,976 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\NETw4x32.sys -- (NETw4x32 [On_Demand | Running])
DRV - [2007/05/21 14:52:40 | 00,240,760 | ---- | M] (Pointsec Mobile Technologies AB) -- C:\WINNT\System32\drivers\prot_2k.sys -- (prot_2k [Boot | Running])
DRV - [2001/08/23 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINNT\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2009/04/23 12:41:20 | 00,143,834 | ---- | M] (Roxio) -- C:\WINNT\System32\drivers\pwd_2K.sys -- (pwd_2k [System | Running])
DRV - [2005/11/03 04:00:00 | 00,046,080 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/02/24 14:42:22 | 00,039,936 | ---- | M] (REDC) -- C:\WINNT\System32\DRIVERS\rimmptsk.sys -- (rimmptsk [Auto | Running])
DRV - [2006/12/20 01:08:00 | 00,047,616 | ---- | M] (RICOH Company, Ltd.) -- C:\WINNT\System32\DRIVERS\rismc32.sys -- (rismc32 [On_Demand | Running])
DRV - [2007/03/29 15:19:36 | 00,012,416 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\s24trans.sys -- (s24trans [Auto | Running])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINNT\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004/07/14 11:29:04 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\sscdbhk5.sys -- (sscdbhk5 [System | Running])
DRV - [2004/07/14 11:28:50 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\ssrtln.sys -- (ssrtln [System | Running])
DRV - [2008/02/29 17:08:08 | 00,024,840 | ---- | M] () -- C:\WINNT\System32\drivers\swmsflt.sys -- (swmsflt [On_Demand | Running])
DRV - [2007/11/29 13:30:00 | 00,149,000 | ---- | M] (Sierra Wireless Inc.) -- C:\WINNT\System32\DRIVERS\swmx00.sys -- (SWMX00 [On_Demand | Stopped])
DRV - [2007/11/02 14:44:04 | 00,164,480 | ---- | M] (Sierra Wireless Inc.) -- C:\WINNT\System32\DRIVERS\SWNC5E00.sys -- (SWNC5E00 [On_Demand | Stopped])
DRV - [2007/09/14 19:09:44 | 00,213,696 | ---- | M] (Synaptics, Inc.) -- C:\WINNT\System32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2004/08/13 01:05:00 | 00,025,723 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsnboio.sys -- (tfsnboio [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,034,843 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsncofs.sys -- (tfsncofs [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,004,123 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsndrct.sys -- (tfsndrct [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,002,239 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsndres.sys -- (tfsndres [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,086,202 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsnifs.sys -- (tfsnifs [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,014,715 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsnopio.sys -- (tfsnopio [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,006,363 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsnpool.sys -- (tfsnpool [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,098,714 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsnudf.sys -- (tfsnudf [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,100,603 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsnudfa.sys -- (tfsnudfa [Auto | Running])
DRV - [2009/04/23 12:41:20 | 00,206,464 | ---- | M] (Roxio) -- C:\WINNT\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp [System | Running])
DRV - [2006/04/05 02:46:30 | 00,163,840 | R--- | M] (Creative Technology Ltd.) -- C:\WINNT\System32\DRIVERS\V0250Dev.sys -- (V0250Dev [On_Demand | Stopped])
DRV - [2007/04/26 17:23:04 | 00,731,136 | ---- | M] (Conexant Systems, Inc.) -- C:\WINNT\System32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])
DRV - [2009/07/13 13:36:34 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://kpnet.kp.org
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Update_Check_Page = http://www.microsoft.com/isapi/redir.dll?P...mp;Ar=ie5update
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\S-1-5-21-113589470-2089963198-1726288727-11192\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://kpnet.kp.org/
IE - HKU\S-1-5-21-1229272821-706699826-839522115-664551\S-1-5-21-1229272821-706699826-839522115-664551\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1229272821-706699826-839522115-664551\S-1-5-21-1229272821-706699826-839522115-664551\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://yahoo.com/"
FF - prefs.js..extensions.enabledItems: ocplugin@webex.com:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.1
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/07/18 09:54:06 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/07/18 09:54:06 | 00,000,000 | ---D | M]

[2009/04/24 18:59:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\nrnet\Application Data\mozilla\Extensions
[2009/04/24 18:59:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\nrnet\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/01 08:51:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\nrnet\Application Data\mozilla\eclipse1\extensions
[2009/07/24 21:50:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\nrnet\Application Data\mozilla\Firefox\Profiles\1cvoyks9.default\extensions
[2009/07/01 15:47:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\nrnet\Application Data\mozilla\Firefox\Profiles\1cvoyks9.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/04/24 18:59:13 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/07/18 09:54:00 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/07/18 09:54:00 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/07/18 09:54:00 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/06/05 14:16:52 | 00,027,976 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
[2009/06/05 14:16:52 | 00,126,360 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcext.dll
[2009/06/05 14:18:28 | 00,046,408 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\atmccli.dll
[2009/06/05 14:18:31 | 00,098,712 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
[2009/06/05 14:16:51 | 00,060,824 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\npatgpc.dll
[2009/07/18 09:54:01 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/07/01 00:15:50 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/01 00:15:50 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/01 00:15:50 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/01 00:15:50 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/01 00:15:50 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/01 00:15:50 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/01 00:15:50 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (316140 bytes) - C:\WINNT\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-domains-registrations.com
O1 - Hosts: 127.0.0.1 www.1-domains-registrations.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 10871 more lines...
O2 - BHO: (HelperObject Class) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\System32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (WsftpBrowserHelper Class) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll ()
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [C:\WINNT\system32\V0250Cvw.dll] C:\WINNT\System32\V0250Cvw.dll File not found
O4 - HKLM..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe (Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe (Pointsec Mobile Technologies AB)
O4 - HKLM..\Run: [QlbCtrl] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe ( Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192..\Run: [PTOneClick] C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe (WebEx Communications Inc.)
O4 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\office.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINNT\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMSAppLogo5ChannelNotify = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = Important Notice:
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = This is a private enterprise computer system limited to business use. Access to and use of this system requires explicit and current authorization. All users expressly consent to monitoring by system personnel to detect improper access or use. If such monitoring reveals possible criminal activity or improper access or use,system personnel may provide evidence of such conduct to law enforcement officials and/or company management.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDevMgrUpdate = 1
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDevMgrUpdate = 1
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceClassicControlPanel = 1
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2009\spy.htm ()
O9 - Extra 'Tools' menuitem : Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2009\spy.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: kp.org ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: 22 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O16 - DPF: Sametime Meeting Room Client ST25PF1 Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 66.75.160.63 66.75.160.64
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pars.ca.kp.org.
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (IWPDGINA.DLL) - C:\WINNT\System32\IWPDGINA.DLL (Intel Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINNT\System32\igfxdev.dll (Intel Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home
O30 - LSA: Authentication Packages - (TivoliAP) - C:\WINNT\System32\TivoliAP.dll (IBM Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/12 11:33:21 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINNT\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINNT\System32\*.tmp files]
[1 C:\WINNT\*.tmp files]
[2009/07/22 23:39:53 | 00,457,728 | ---- | C] () -- C:\Documents and Settings\nrnet\Desktop\VMS Interface with RPM Project Plan.mpp
[2009/07/22 22:50:45 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/07/22 18:49:41 | 00,126,552 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\office.exe
[2009/07/22 18:49:41 | 00,001,784 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
[2009/07/22 18:49:40 | 00,001,742 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2009/07/22 18:49:38 | 00,001,726 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2009/07/22 18:49:37 | 00,002,399 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2009/07/22 18:25:23 | 00,000,000 | ---D | C] -- C:\WINNT\System32\appmgmt
[2009/07/20 23:12:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\nrnet\Application Data\Smith Micro
[2009/07/20 23:08:02 | 00,001,023 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VZAccess Manager.lnk
[2009/07/20 23:07:56 | 00,000,000 | ---D | C] -- C:\Program Files\Verizon Wireless
[2009/07/20 23:07:56 | 00,000,000 | ---D | C] -- C:\Program Files\Sierra Wireless
[2009/07/20 22:55:56 | 00,017,024 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\usbohci.sys
[2009/07/20 22:55:56 | 00,017,024 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\usbohci.sys
[2009/07/20 10:21:56 | 00,002,002 | ---- | C] () -- C:\Documents and Settings\nrnet\Desktop\Ingenuity Pathways Analysis.lnk
[2009/07/20 09:22:06 | 00,000,000 | -H-D | C] -- C:\WINNT\PIF
[2009/07/16 22:45:24 | 00,069,120 | ---- | C] () -- C:\Documents and Settings\nrnet\Desktop\PDA_BlackBerry_Device_Model_Table.doc
[2009/07/13 23:23:03 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/07/13 14:18:14 | 00,069,632 | ---- | C] () -- C:\WINNT\System32\drivers\geyekrlbostjjm.sys
[2009/07/10 19:48:17 | 00,000,000 | ---D | C] -- C:\WINNT\temp
[2009/07/10 19:44:37 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/07/09 17:19:38 | 00,000,000 | ---D | C] -- C:\WINNT\ERUNT
[2009/07/09 17:05:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\nrnet\Desktop\bleeping computer stuff
[2009/07/06 11:40:10 | 02,136,064 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\ntoskrnl.exe
[2009/07/06 11:40:10 | 02,015,744 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\ntkrnlpa.exe
[2009/07/06 11:40:10 | 01,580,544 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\sfcfiles.dll
[2009/07/06 11:40:10 | 01,032,192 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\explorer.exe
[2009/07/06 11:40:10 | 00,986,112 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\kernel32.dll
[2009/07/06 11:40:10 | 00,659,456 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\wininet.dll
[2009/07/06 11:40:10 | 00,577,536 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\user32.dll
[2009/07/06 11:40:10 | 00,502,272 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\winlogon.exe
[2009/07/06 11:40:10 | 00,360,320 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\tcpip.sys
[2009/07/06 11:40:10 | 00,295,424 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\termsrv.dll
[2009/07/06 11:40:10 | 00,182,912 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\ndis.sys
[2009/07/06 11:40:10 | 00,167,936 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\appmgmts.dll
[2009/07/06 11:40:10 | 00,111,104 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\wuauclt.exe
[2009/07/06 11:40:10 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\services.exe
[2009/07/06 11:40:10 | 00,110,080 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\imm32.dll
[2009/07/06 11:40:10 | 00,082,944 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\ws2_32.dll
[2009/07/06 11:40:10 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\spoolsv.exe
[2009/07/06 11:40:10 | 00,029,056 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\ip6fw.sys
[2009/07/06 11:40:10 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\userinit.exe
[2009/07/06 11:40:10 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\kbdclass.sys
[2009/07/06 11:40:10 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\powrprof.dll
[2009/07/06 11:40:10 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\ctfmon.exe
[2009/07/06 11:40:10 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\svchost.exe
[2009/07/06 11:40:10 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\lsass.exe
[2009/07/06 11:40:10 | 00,000,000 | ---D | C] -- C:\WINNT\System32\dllcache\cache
[2009/07/06 11:39:41 | 00,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\proquota.exe
[2009/07/06 11:39:41 | 00,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\proquota.exe
[2009/07/06 11:35:32 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINNT\SWXCACLS.exe
[2009/07/06 11:35:32 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINNT\SWREG.exe
[2009/07/06 11:35:32 | 00,155,136 | ---- | C] () -- C:\WINNT\PEV.exe
[2009/07/06 11:35:32 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINNT\SWSC.exe
[2009/07/06 11:35:32 | 00,098,816 | ---- | C] () -- C:\WINNT\sed.exe
[2009/07/06 11:35:32 | 00,080,412 | ---- | C] () -- C:\WINNT\grep.exe
[2009/07/06 11:35:32 | 00,068,096 | ---- | C] () -- C:\WINNT\zip.exe
[2009/07/06 11:35:32 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINNT\NIRCMD.exe
[2009/07/06 11:25:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\nrnet\My Documents\Downloads
[2009/07/06 10:52:23 | 00,000,000 | ---D | C] -- C:\WINNT\pss
[2009/05/21 07:10:17 | 00,000,073 | ---- | C] () -- C:\WINNT\EurekaLog.ini
[2009/04/27 12:04:31 | 00,010,752 | ---- | C] () -- C:\WINNT\System32\drivers\CITMDRV.SYS
[2009/04/23 12:35:01 | 00,000,218 | ---- | C] () -- C:\WINNT\oraodbc.ini
[2009/04/23 12:22:01 | 00,000,076 | ---- | C] () -- C:\WINNT\webica.ini
[2009/04/23 12:14:18 | 00,000,770 | ---- | C] () -- C:\WINNT\ODBC.INI
[2009/04/23 11:52:37 | 00,000,138 | ---- | C] () -- C:\WINNT\wininit.ini
[2009/04/23 11:51:47 | 00,204,800 | ---- | C] () -- C:\WINNT\System32\IVIresizeW7.dll
[2009/04/23 11:51:47 | 00,200,704 | ---- | C] () -- C:\WINNT\System32\IVIresizeA6.dll
[2009/04/23 11:51:47 | 00,192,512 | ---- | C] () -- C:\WINNT\System32\IVIresizeP6.dll
[2009/04/23 11:51:47 | 00,192,512 | ---- | C] () -- C:\WINNT\System32\IVIresizeM6.dll
[2009/04/23 11:51:47 | 00,188,416 | ---- | C] () -- C:\WINNT\System32\IVIresizePX.dll
[2009/04/23 11:51:47 | 00,020,480 | ---- | C] () -- C:\WINNT\System32\IVIresize.dll
[2008/04/10 13:49:28 | 00,000,061 | ---- | C] () -- C:\WINNT\smscfg.ini
[2008/03/12 12:33:55 | 00,000,280 | ---- | C] () -- C:\WINNT\System32\epoPGPsdk.dll.sig
[2008/03/12 12:24:33 | 00,000,231 | ---- | C] () -- C:\WINNT\multi.ini
[2008/03/12 10:09:30 | 00,004,096 | ---- | C] () -- C:\WINNT\cchmvmsg.dll
[2008/03/12 10:06:08 | 00,204,800 | ---- | C] () -- C:\WINNT\System32\igfxCoIn_v4831.dll
[2008/03/12 10:06:07 | 00,910,304 | ---- | C] () -- C:\WINNT\System32\igmedkrn.dll
[2008/03/12 10:02:28 | 00,000,677 | ---- | C] () -- C:\WINNT\win.ini
[2008/03/12 10:02:21 | 00,000,227 | ---- | C] () -- C:\WINNT\system.ini
[2008/02/29 17:08:08 | 00,024,840 | ---- | C] () -- C:\WINNT\System32\drivers\swmsflt.sys
[2008/02/27 16:28:20 | 00,000,223 | ---- | C] () -- C:\WINNT\mercury.ini
[2007/05/21 14:55:04 | 00,119,160 | ---- | C] () -- C:\WINNT\System32\NovPwd32.dll
[2007/05/21 14:54:50 | 00,303,480 | ---- | C] () -- C:\WINNT\System32\Esso32.dll
[2005/11/04 10:21:48 | 00,197,672 | ---- | C] () -- C:\WINNT\System32\vpnapi.dll
[2005/11/04 10:21:24 | 00,189,480 | ---- | C] () -- C:\WINNT\System32\CSGina.dll
[2004/09/22 12:17:35 | 00,000,000 | ---- | C] () -- C:\WINNT\System32\px.ini
[2004/06/22 14:38:18 | 00,335,872 | ---- | C] () -- C:\WINNT\btnotes.dll
[2004/06/19 11:52:14 | 00,221,184 | ---- | C] () -- C:\WINNT\exDirectory.dll
[2004/06/19 11:49:08 | 00,073,728 | ---- | C] () -- C:\WINNT\BTAdmin.dll
[2004/06/19 11:49:06 | 00,102,400 | ---- | C] () -- C:\WINNT\BTProgressDialog.DLL
[2004/04/20 12:03:20 | 00,053,248 | ---- | C] () -- C:\WINNT\BTCMTHook.dll
[2003/06/02 20:47:48 | 00,020,480 | ---- | C] () -- C:\WINNT\BTisoTranslate.dll
[2003/06/02 16:45:34 | 00,045,056 | ---- | C] () -- C:\WINNT\btcheck.dll
[2003/06/02 16:45:32 | 00,040,960 | ---- | C] () -- C:\WINNT\btbreak.dll
[2001/05/31 11:18:28 | 00,262,202 | ---- | C] () -- C:\WINNT\btprog.dll
[2000/06/05 15:41:22 | 00,028,672 | ---- | C] () -- C:\WINNT\BTwwait.dll
[1998/12/30 11:15:56 | 00,009,216 | ---- | C] () -- C:\WINNT\libcomm.dll
[1997/09/22 11:06:28 | 00,032,256 | ---- | C] () -- C:\WINNT\System32\_RegTLB.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINNT\System32\*.tmp files]
[1 C:\WINNT\*.tmp files]
[2009/07/24 21:39:54 | 00,002,399 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2009/07/24 21:38:30 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2009/07/24 21:38:29 | 00,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2009/07/24 18:18:50 | 00,457,728 | ---- | M] () -- C:\Documents and Settings\nrnet\Desktop\VMS Interface with RPM Project Plan.mpp
[2009/07/24 08:22:22 | 00,035,464 | ---- | M] () -- C:\Documents and Settings\nrnet\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/07/24 08:20:50 | 00,173,872 | ---- | M] () -- C:\WINNT\System32\FNTCACHE.DAT
[2009/07/23 23:51:58 | 00,001,374 | ---- | M] () -- C:\WINNT\imsins.BAK
[2009/07/22 22:51:04 | 00,002,613 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Altova XMLSpy.lnk
[2009/07/22 18:58:39 | 00,316,140 | R--- | M] () -- C:\WINNT\System32\drivers\etc\hosts
[2009/07/22 18:27:16 | 00,001,744 | ---- | M] () -- C:\Documents and Settings\nrnet\Desktop\HijackThis.lnk
[2009/07/22 16:28:19 | 00,000,155 | ---- | M] () -- C:\WINNT\System32\drivers\etc\hosts.20090722-182149.backup
[2009/07/21 08:30:32 | 00,002,206 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2009/07/20 23:08:02 | 00,001,023 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VZAccess Manager.lnk
[2009/07/20 10:22:36 | 00,002,002 | ---- | M] () -- C:\Documents and Settings\nrnet\Desktop\Ingenuity Pathways Analysis.lnk
[2009/07/17 08:19:25 | 00,000,677 | ---- | M] () -- C:\WINNT\win.ini
[2009/07/16 22:45:24 | 00,069,120 | ---- | M] () -- C:\Documents and Settings\nrnet\Desktop\PDA_BlackBerry_Device_Model_Table.doc
[2009/07/13 22:51:42 | 00,009,216 | ---- | M] () -- C:\Documents and Settings\nrnet\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/13 14:18:14 | 00,069,632 | ---- | M] () -- C:\WINNT\System32\drivers\geyekrlbostjjm.sys
[2009/07/13 13:36:34 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2009/07/13 13:36:12 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2009/07/10 19:47:22 | 00,000,227 | ---- | M] () -- C:\WINNT\system.ini
[2009/07/08 23:27:51 | 00,000,277 | RHS- | M] () -- C:\boot.ini
< End of report >



Do let me know of any further steps. Thanks again for your time.

Sincerely,
Subu


#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:11:05 AM

Posted 25 July 2009 - 06:10 AM

Hi,

the file found by Malwarebytes is indeed malicious, but it is no longer active. You should be able to simply delete it using Explorer.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows


Then you can simply navigate to C:\windows\system32\drivers and delete geyekrlbostjjm.sys.


Concerning the other entry found by MBAM you have 2 or 3 possible solutions:

The first one is to simply ignore the message.

The second one is to uninstall Creative Live! Cam Notebook Pro Driver (1.01.03.0405). This will likely make the entry disappear, but will also leave your WebCam not working. You could try reinstalling the Driver afterwards; maybe the entry does not reappear if the file is successfully registered during the installation.

The third option is to register at Malwarebytes.org and report the entry as a FalsePositive: How to report FalsePositives.


Please run an online scan to see if it picks up anything left:
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Uncheck remove known threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Please let me know what you decide regarding v0250cvw.dll and post back the online scan.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 subu

subu
  • Topic Starter

  • Members
  • 8 posts
  • Local time:05:05 AM

Posted 25 July 2009 - 05:44 PM

Hello staff,

1) I have reinstalled the Creative software and driver. No luck, it still exists. I ran the steps to report a false positive at mbam but I am unable to understand where to post the log file. Can you please let me know where I can do so. Since it's a webcam file I will report it as a false positive.

2) I ran the ESET scan:


C:\Documents and Settings\nrnet\Desktop\bleeping computer stuff\SDFix(2).exe Win32/PrcView application deleted - quarantined


Thank you,
Sincerely,
Subu

#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:11:05 AM

Posted 25 July 2009 - 06:02 PM

Hi,

sorry I haven't been really clear on this.

You need to register at their forum here and create your own thread in the forum called False positives, into which you post your log and the information you have about the entry.


The ESET scan is clean, the file found is part of SDFix.


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please post back a final OTL log after updating.

regards _temp_



#13 subu

subu
  • Topic Starter

  • Members
  • 8 posts
  • Local time:05:05 AM

Posted 26 July 2009 - 01:31 AM

Dear Staff,

Thanks for your reply. I cannot uninstall Java from the computer; as per company rules I can only keep the version I have installed. So sorry, I cannot follow that step of yours. I will register with the mbam site and post the false positive.

As for the OTL scan, please find it below.

OTL logfile created on: 7/25/2009 11:22:47 PM - Run 2
OTL by OldTimer - Version 3.0.10.3 Folder = C:\Documents and Settings\nrnet\Desktop\bleeping computer stuff
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 37.23 Gb Free Space | 49.97% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive P: | 74.52 Gb Total Space | 37.23 Gb Free Space | 49.97% Space Free | Partition Type: *NT5CSC

Computer Name: CSPARAM1529592
Current User Name: NRNet
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2007/04/16 11:21:20 | 00,983,040 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2008/04/22 19:39:42 | 02,809,856 | ---- | M] (BigFix Inc.) -- C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
PRC - [2007/06/20 14:11:46 | 00,491,520 | ---- | M] () -- C:\WINNT\System32\enstart.exe
PRC - [2007/04/16 11:33:18 | 00,647,168 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2004/03/01 11:44:58 | 00,212,992 | ---- | M] (Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421) -- C:\Program Files\WS_FTP Pro\ftpsched.exe
PRC - [2004/08/12 00:15:04 | 00,139,264 | ---- | M] () -- C:\winnt\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
PRC - [2007/03/27 15:06:00 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2007/10/16 20:50:00 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2007/10/16 20:50:00 | 00,054,608 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2009/03/15 14:09:33 | 00,110,592 | ---- | M] (Kaiser Permanente) -- c:\Program Files\Merlin\Merlin.exe
PRC - [2005/12/01 07:35:58 | 00,057,393 | ---- | M] (IBM Corp) -- C:\Program Files\lotus\notes\ntmulti.exe
PRC - [2002/04/30 15:23:46 | 00,057,603 | ---- | M] (Oracle Corporation) -- C:\orant\ora9i\bin\omtsreco.exe
PRC - [2000/10/19 11:55:50 | 00,411,244 | ---- | M] () -- C:\orant\Ora81\bin\ONRSD.EXE
PRC - [2002/04/26 19:34:38 | 00,242,328 | ---- | M] () -- C:\orant\ora9i\BIN\ONRSD.EXE
PRC - [2007/05/21 14:54:38 | 00,110,968 | ---- | M] () -- C:\WINNT\System32\pstartSr.exe
PRC - [2007/04/16 11:14:24 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2007/03/27 15:06:00 | 00,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2006/11/20 01:42:45 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\snmp.exe
PRC - [2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\wdfmgr.exe
PRC - [2004/03/05 01:45:34 | 00,192,573 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe
PRC - [2007/04/16 11:24:16 | 00,294,912 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
PRC - [2009/02/06 09:39:29 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\wbem\wmiprvse.exe
PRC - [2008/05/07 12:30:36 | 00,070,968 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\ssonsvr.exe
PRC - [2004/08/04 01:56:50 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Explorer.EXE
PRC - [2002/12/17 12:28:00 | 00,684,032 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
PRC - [2007/10/16 20:50:00 | 00,111,952 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
PRC - [2004/03/01 11:44:58 | 00,245,760 | ---- | M] (Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421) -- C:\Program Files\WS_FTP Pro\ftpqueue.exe
PRC - [2007/01/05 17:36:48 | 00,872,448 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2007/09/14 19:27:20 | 01,015,808 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2007/04/16 11:24:32 | 00,819,200 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
PRC - [2007/04/16 11:22:16 | 00,970,752 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
PRC - [2007/05/18 22:50:08 | 00,162,584 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\hkcmd.exe
PRC - [2007/05/21 14:55:56 | 00,942,536 | ---- | M] (Pointsec Mobile Technologies AB) -- C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
PRC - [2004/10/27 08:30:18 | 00,204,800 | ---- | M] (Kaiser Permanente Information Technology) -- C:\Program Files\Merlin\MWIStats.exe
PRC - [2009/03/06 13:02:52 | 00,165,192 | ---- | M] (WebEx Communications Inc.) -- C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe
PRC - [2007/04/16 11:17:58 | 00,487,424 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2009/03/06 13:02:56 | 00,070,984 | ---- | M] (WebEx Communications Inc.) -- C:\Program Files\WebEx\Productivity Tools\ptSrv.exe
PRC - [2008/04/22 19:13:16 | 01,384,448 | ---- | M] (BigFix, Inc.) -- C:\Program Files\BigFix Enterprise\BES Client\BESClientUI.exe
PRC - [2009/05/26 21:06:32 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
PRC - [2007/03/27 15:06:00 | 00,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2007/03/27 15:06:00 | 00,086,016 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2009/07/18 09:54:00 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2007/03/27 15:06:00 | 00,169,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
PRC - [2009/07/24 21:54:54 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\nrnet\Desktop\bleeping computer stuff\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/04/22 19:39:42 | 02,809,856 | ---- | M] (BigFix Inc.) -- C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe -- (BESClient [Auto | Running])
SRV - [2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2007/06/20 14:11:46 | 00,491,520 | ---- | M] () -- C:\WINNT\System32\enstart.exe -- (enstart [Auto | Running])
SRV - [2007/04/16 11:33:18 | 00,647,168 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng [Auto | Running])
SRV - [2004/03/01 11:44:58 | 00,212,992 | ---- | M] (Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421) -- C:\Program Files\WS_FTP Pro\ftpsched.exe -- (ftpqueue [Auto | Running])
SRV - [2004/08/04 01:56:46 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/12/05 16:30:40 | 00,144,688 | R--- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex [Auto | Stopped])
SRV - [2005/11/14 01:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2004/08/12 00:15:04 | 00,139,264 | ---- | M] () -- C:\winnt\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe -- (lcfd [Auto | Running])
SRV - [2007/03/27 15:06:00 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework [Auto | Running])
SRV - [2007/10/16 20:50:00 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield [Auto | Running])
SRV - [2007/10/16 20:50:00 | 00,054,608 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager [Auto | Running])
SRV - [2005/12/01 07:35:58 | 00,057,393 | ---- | M] (IBM Corp) -- C:\Program Files\lotus\notes\ntmulti.exe -- (Multi-user Cleanup Service [Auto | Running])
SRV - [2002/04/30 15:23:46 | 00,057,603 | ---- | M] (Oracle Corporation) -- C:\orant\ora9i\bin\omtsreco.exe -- (OracleMTSRecoveryService [Auto | Running])
SRV - [2000/10/19 11:55:50 | 00,411,244 | ---- | M] () -- C:\orant\Ora81\bin\ONRSD.EXE -- (OracleOraHome81ClientCache [Auto | Running])
SRV - [2002/04/26 19:34:38 | 00,242,328 | ---- | M] () -- C:\orant\ora9i\BIN\ONRSD.EXE -- (OracleOraHome91ClientCache [Auto | Running])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2007/05/21 14:54:24 | 00,147,832 | ---- | M] () -- C:\WINNT\System32\Prot_srv.exe -- (Pointsec [Disabled | Stopped])
SRV - [2007/05/21 14:54:38 | 00,110,968 | ---- | M] () -- C:\WINNT\System32\pstartSr.exe -- (Pointsec_start [Auto | Running])
SRV - [2002/12/02 15:50:18 | 00,196,608 | ---- | M] (Novadigm) -- C:\Program Files\Novadigm\radexecd.exe -- (radexecd [Disabled | Stopped])
SRV - [2002/09/30 14:53:00 | 00,200,704 | ---- | M] (Novadigm) -- C:\Program Files\Novadigm\radsched.exe -- (radsched [Disabled | Stopped])
SRV - [2003/03/27 09:44:20 | 00,303,104 | ---- | M] (Novadigm) -- C:\Program Files\Novadigm\Radstgms.exe -- (Radstgms [Disabled | Stopped])
SRV - [2007/04/16 11:14:24 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc [Auto | Running])
SRV - [2007/04/16 11:21:20 | 00,983,040 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor [Auto | Running])
SRV - [2006/11/20 01:42:45 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\snmp.exe -- (SNMP [Auto | Running])
SRV - [2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\wdfmgr.exe -- (UMWdf [Auto | Running])
SRV - [2004/03/05 01:45:34 | 00,192,573 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean [Auto | Running])
SRV - [2007/04/16 11:24:16 | 00,294,912 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- (WLANKEEPER [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2001/08/17 05:20:04 | 00,096,256 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\drivers\ac97intc.sys -- (ac97intc [On_Demand | Stopped])
DRV - [2006/07/24 01:00:04 | 00,022,016 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINNT\System32\DRIVERS\Accelerometer.sys -- (Accelerometer [On_Demand | Running])
DRV - [2007/10/01 13:27:40 | 00,281,600 | ---- | M] (Analog Devices, Inc.) -- C:\WINNT\System32\drivers\ADIHdAud.sys -- (ADIHdAudAddService [On_Demand | Running])
DRV - [2007/07/13 10:26:12 | 00,094,976 | ---- | M] (Andrea Electronics Corporation) -- C:\WINNT\System32\drivers\AEAudio.sys -- (AEAudio [On_Demand | Running])
DRV - [2009/04/23 11:48:40 | 00,021,393 | ---- | M] (Cisco Systems, Inc.) -- C:\WINNT\System32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2001/08/17 13:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINNT\system32\DRIVERS\aliide.sys -- (AliIde [Boot | Running])
DRV - [2004/08/03 15:29:28 | 00,327,040 | ---- | M] (ATI Technologies Inc.) -- C:\WINNT\System32\DRIVERS\ati2mtaa.sys -- (ati2mtaa [On_Demand | Stopped])
DRV - [2005/11/03 04:00:00 | 00,002,432 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\cdr4_xp.sys -- (Cdr4_xp [System | Running])
DRV - [2005/11/03 04:00:00 | 00,002,560 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
DRV - [2002/12/17 12:27:32 | 00,241,152 | ---- | M] (Roxio) -- C:\WINNT\System32\drivers\cdudf_xp.sys -- (cdudf_xp [System | Running])
DRV - [2009/04/27 12:04:28 | 00,010,752 | ---- | M] () -- C:\WINNT\System32\drivers\CITMDRV.SYS -- (CITMDRV [Auto | Running])
DRV - [2005/05/17 04:51:34 | 00,005,315 | ---- | M] (Cisco Systems, Inc.) -- C:\WINNT\System32\DRIVERS\CVirtA.sys -- (CVirtA [On_Demand | Stopped])
DRV - [2005/11/04 10:20:40 | 00,303,735 | ---- | M] (Cisco Systems, Inc.) -- C:\WINNT\System32\Drivers\CVPNDRVA.sys -- (CVPNDRVA [Auto | Running])
DRV - [2005/08/18 19:22:30 | 00,110,080 | ---- | M] (Deterministic Networks, Inc.) -- C:\WINNT\System32\DRIVERS\dne2000.sys -- (DNE [On_Demand | Running])
DRV - [2004/08/04 03:21:00 | 00,087,136 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\drivers\drvmcdb.sys -- (drvmcdb [Boot | Running])
DRV - [2004/08/13 02:56:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\drvnddm.sys -- (drvnddm [Auto | Running])
DRV - [2009/04/23 12:41:20 | 00,025,898 | ---- | M] (Roxio) -- C:\WINNT\System32\drivers\Dvd_2k.sys -- (dvd_2K [On_Demand | Stopped])
DRV - [2007/04/13 13:33:34 | 00,254,872 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\e1e5132.sys -- (e1express [On_Demand | Stopped])
DRV - [2001/08/17 05:11:06 | 00,066,591 | ---- | M] (3Com Corporation) -- C:\WINNT\System32\DRIVERS\el90xbc5.sys -- (EL90XBC [On_Demand | Stopped])
DRV - [2009/04/23 12:20:38 | 00,031,744 | ---- | M] (Guidance Software Inc.) -- C:\WINNT\System32\enstart_.sys -- (enstart_ [System | Running])
DRV - [2006/06/28 09:54:00 | 00,009,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINNT\System32\DRIVERS\cpqbttn.sys -- (HBtnKey [On_Demand | Running])
DRV - [2005/01/07 18:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINNT\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2007/04/06 09:27:36 | 00,044,800 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\HECI.sys -- (HECI [On_Demand | Running])
DRV - [2006/07/24 01:00:04 | 00,017,920 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINNT\system32\DRIVERS\hpdskflt.sys -- (hpdskflt [Boot | Running])
DRV - [2007/06/18 16:12:04 | 00,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINNT\System32\DRIVERS\HpqKbFiltr.sys -- (HpqKbFiltr [On_Demand | Running])
DRV - [2007/04/26 17:23:06 | 00,210,816 | ---- | M] (Conexant Systems, Inc.) -- C:\WINNT\System32\DRIVERS\HSFHWAZL.sys -- (HSFHWAZL [On_Demand | Running])
DRV - [2007/04/26 17:23:44 | 00,988,032 | ---- | M] (Conexant Systems, Inc.) -- C:\WINNT\System32\DRIVERS\HSF_DPV.sys -- (HSF_DPV [On_Demand | Running])
DRV - [2007/05/16 12:14:58 | 05,707,744 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\igxpmp32.sys -- (ialm [On_Demand | Running])
DRV - [2007/09/29 23:03:12 | 00,308,248 | ---- | M] (Intel Corporation) -- C:\WINNT\system32\DRIVERS\iaStor.sys -- (iaStor [Boot | Running])
DRV - [2007/04/04 20:16:20 | 00,041,216 | ---- | M] (Infineon Technologies AG) -- C:\WINNT\System32\DRIVERS\IFXTPM.SYS -- (IFXTPM [On_Demand | Running])
DRV - [2006/06/19 14:26:58 | 00,012,672 | ---- | M] (Conexant) -- C:\WINNT\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2007/10/16 20:50:00 | 00,064,168 | ---- | M] (McAfee, Inc.) -- C:\WINNT\System32\drivers\mfeapfk.sys -- (mfeapfk [On_Demand | Running])
DRV - [2007/10/16 20:50:00 | 00,072,680 | ---- | M] (McAfee, Inc.) -- C:\WINNT\System32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
DRV - [2007/10/16 20:50:00 | 00,033,960 | ---- | M] (McAfee, Inc.) -- C:\WINNT\System32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
DRV - [2007/10/16 20:50:00 | 00,171,272 | ---- | M] (McAfee, Inc.) -- C:\WINNT\System32\drivers\mfehidk.sys -- (mfehidk [On_Demand | Running])
DRV - [2007/10/16 20:50:00 | 00,031,784 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk [System | Running])
DRV - [2007/10/16 20:50:00 | 00,051,944 | ---- | M] (McAfee, Inc.) -- C:\WINNT\System32\drivers\mfetdik.sys -- (mfetdik [System | Running])
DRV - [2009/04/23 12:41:20 | 00,030,630 | ---- | M] (Roxio) -- C:\WINNT\System32\drivers\Mmc_2k.sys -- (mmc_2K [On_Demand | Running])
DRV - [2007/04/30 06:37:20 | 02,206,976 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\NETw4x32.sys -- (NETw4x32 [On_Demand | Running])
DRV - [2007/05/21 14:52:40 | 00,240,760 | ---- | M] (Pointsec Mobile Technologies AB) -- C:\WINNT\System32\drivers\prot_2k.sys -- (prot_2k [Boot | Running])
DRV - [2001/08/23 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINNT\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2009/04/23 12:41:20 | 00,143,834 | ---- | M] (Roxio) -- C:\WINNT\System32\drivers\pwd_2K.sys -- (pwd_2k [System | Running])
DRV - [2005/11/03 04:00:00 | 00,046,080 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/02/24 14:42:22 | 00,039,936 | ---- | M] (REDC) -- C:\WINNT\System32\DRIVERS\rimmptsk.sys -- (rimmptsk [Auto | Running])
DRV - [2006/12/20 01:08:00 | 00,047,616 | ---- | M] (RICOH Company, Ltd.) -- C:\WINNT\System32\DRIVERS\rismc32.sys -- (rismc32 [On_Demand | Running])
DRV - [2007/03/29 15:19:36 | 00,012,416 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\s24trans.sys -- (s24trans [Auto | Running])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINNT\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004/07/14 11:29:04 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\sscdbhk5.sys -- (sscdbhk5 [System | Running])
DRV - [2004/07/14 11:28:50 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\ssrtln.sys -- (ssrtln [System | Running])
DRV - [2008/02/29 17:08:08 | 00,024,840 | ---- | M] () -- C:\WINNT\System32\drivers\swmsflt.sys -- (swmsflt [On_Demand | Running])
DRV - [2007/11/29 13:30:00 | 00,149,000 | ---- | M] (Sierra Wireless Inc.) -- C:\WINNT\System32\DRIVERS\swmx00.sys -- (SWMX00 [On_Demand | Stopped])
DRV - [2007/11/02 14:44:04 | 00,164,480 | ---- | M] (Sierra Wireless Inc.) -- C:\WINNT\System32\DRIVERS\SWNC5E00.sys -- (SWNC5E00 [On_Demand | Stopped])
DRV - [2007/09/14 19:09:44 | 00,213,696 | ---- | M] (Synaptics, Inc.) -- C:\WINNT\System32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2004/08/13 01:05:00 | 00,025,723 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsnboio.sys -- (tfsnboio [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,034,843 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsncofs.sys -- (tfsncofs [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,004,123 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsndrct.sys -- (tfsndrct [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,002,239 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsndres.sys -- (tfsndres [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,086,202 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsnifs.sys -- (tfsnifs [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,014,715 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsnopio.sys -- (tfsnopio [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,006,363 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsnpool.sys -- (tfsnpool [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,098,714 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsnudf.sys -- (tfsnudf [Auto | Running])
DRV - [2004/08/13 01:05:00 | 00,100,603 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\dla\tfsnudfa.sys -- (tfsnudfa [Auto | Running])
DRV - [2009/04/23 12:41:20 | 00,206,464 | ---- | M] (Roxio) -- C:\WINNT\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp [System | Running])
DRV - [2006/04/05 02:46:30 | 00,163,840 | R--- | M] (Creative Technology Ltd.) -- C:\WINNT\System32\DRIVERS\V0250Dev.sys -- (V0250Dev [On_Demand | Stopped])
DRV - [2007/04/26 17:23:04 | 00,731,136 | ---- | M] (Conexant Systems, Inc.) -- C:\WINNT\System32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Update_Check_Page = http://www.microsoft.com/isapi/redir.dll?P...mp;Ar=ie5update
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\S-1-5-21-113589470-2089963198-1726288727-11192\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1229272821-706699826-839522115-664551\S-1-5-21-1229272821-706699826-839522115-664551\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1229272821-706699826-839522115-664551\S-1-5-21-1229272821-706699826-839522115-664551\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://yahoo.com/"
FF - prefs.js..extensions.enabledItems: ocplugin@webex.com:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.1
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/07/18 09:54:06 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/07/18 09:54:06 | 00,000,000 | ---D | M]

[2009/04/24 18:59:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\nrnet\Application Data\mozilla\Extensions
[2009/04/24 18:59:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\nrnet\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/01 08:51:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\nrnet\Application Data\mozilla\eclipse1\extensions
[2009/07/25 23:04:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\nrnet\Application Data\mozilla\Firefox\Profiles\1cvoyks9.default\extensions
[2009/07/01 15:47:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\nrnet\Application Data\mozilla\Firefox\Profiles\1cvoyks9.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/04/24 18:59:13 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/07/18 09:54:00 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/07/18 09:54:00 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/07/18 09:54:00 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/06/05 14:16:52 | 00,027,976 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
[2009/06/05 14:16:52 | 00,126,360 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcext.dll
[2009/06/05 14:18:28 | 00,046,408 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\atmccli.dll
[2009/06/05 14:18:31 | 00,098,712 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
[2009/06/05 14:16:51 | 00,060,824 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\npatgpc.dll
[2009/07/18 09:54:01 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/07/01 00:15:50 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/01 00:15:50 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/01 00:15:50 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/01 00:15:50 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/01 00:15:50 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/01 00:15:50 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/01 00:15:50 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (316140 bytes) - C:\WINNT\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-domains-registrations.com
O1 - Hosts: 127.0.0.1 www.1-domains-registrations.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 10871 more lines...
O2 - BHO: (HelperObject Class) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\System32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (WsftpBrowserHelper Class) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll ()
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [C:\WINNT\system32\V0250Cvw.dll] C:\WINNT\System32\V0250Cvw.dll File not found
O4 - HKLM..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe (Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe (Pointsec Mobile Technologies AB)
O4 - HKLM..\Run: [QlbCtrl] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe ( Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe (Creative Technology Ltd)
O4 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192..\Run: [PTOneClick] C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe (WebEx Communications Inc.)
O4 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\office.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINNT\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMSAppLogo5ChannelNotify = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = Important Notice:
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = This is a private enterprise computer system limited to business use. Access to and use of this system requires explicit and current authorization. All users expressly consent to monitoring by system personnel to detect improper access or use. If such monitoring reveals possible criminal activity or improper access or use,system personnel may provide evidence of such conduct to law enforcement officials and/or company management.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDevMgrUpdate = 1
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-113589470-2089963198-1726288727-11192_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDevMgrUpdate = 1
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceClassicControlPanel = 1
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1229272821-706699826-839522115-664551_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2009\spy.htm ()
O9 - Extra 'Tools' menuitem : Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2009\spy.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 22 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O16 - DPF: Sametime Meeting Room Client ST25PF1 Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 66.75.160.63 66.75.160.64
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (IWPDGINA.DLL) - C:\WINNT\System32\IWPDGINA.DLL (Intel Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINNT\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O30 - LSA: Authentication Packages - (TivoliAP) - C:\WINNT\System32\TivoliAP.dll (IBM Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/12 11:33:21 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINNT\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINNT\System32\*.tmp files]
[1 C:\WINNT\*.tmp files]
[2009/07/25 10:44:05 | 00,000,000 | ---D | C] -- C:\WCamNbook
[2009/07/25 10:41:55 | 00,001,948 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Creative WebCam Center.lnk
[2009/07/25 10:41:20 | 00,000,000 | ---D | C] -- C:\Program Files\Creative
[2009/07/25 09:28:13 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/07/22 23:39:53 | 00,457,728 | ---- | C] () -- C:\Documents and Settings\nrnet\Desktop\VMS Interface with RPM Project Plan.mpp
[2009/07/22 22:50:45 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/07/22 18:49:41 | 00,126,552 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\office.exe
[2009/07/22 18:49:41 | 00,001,784 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
[2009/07/22 18:49:40 | 00,001,742 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2009/07/22 18:49:38 | 00,001,726 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2009/07/22 18:49:37 | 00,001,964 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2009/07/22 18:25:23 | 00,000,000 | ---D | C] -- C:\WINNT\System32\appmgmt
[2009/07/20 23:12:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\nrnet\Application Data\Smith Micro
[2009/07/20 23:08:02 | 00,001,023 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VZAccess Manager.lnk
[2009/07/20 23:07:56 | 00,000,000 | ---D | C] -- C:\Program Files\Verizon Wireless
[2009/07/20 23:07:56 | 00,000,000 | ---D | C] -- C:\Program Files\Sierra Wireless
[2009/07/20 22:55:56 | 00,017,024 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\usbohci.sys
[2009/07/20 22:55:56 | 00,017,024 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\usbohci.sys
[2009/07/20 10:21:56 | 00,002,002 | ---- | C] () -- C:\Documents and Settings\nrnet\Desktop\Ingenuity Pathways Analysis.lnk
[2009/07/20 09:22:06 | 00,000,000 | -H-D | C] -- C:\WINNT\PIF
[2009/07/16 22:45:24 | 00,069,120 | ---- | C] () -- C:\Documents and Settings\nrnet\Desktop\PDA_BlackBerry_Device_Model_Table.doc
[2009/07/13 23:23:03 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/07/10 19:48:17 | 00,000,000 | ---D | C] -- C:\WINNT\temp
[2009/07/10 19:44:37 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/07/09 17:19:38 | 00,000,000 | ---D | C] -- C:\WINNT\ERUNT
[2009/07/09 17:05:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\nrnet\Desktop\bleeping computer stuff
[2009/07/06 11:40:10 | 02,136,064 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\ntoskrnl.exe
[2009/07/06 11:40:10 | 02,015,744 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\ntkrnlpa.exe
[2009/07/06 11:40:10 | 01,580,544 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\sfcfiles.dll
[2009/07/06 11:40:10 | 01,032,192 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\explorer.exe
[2009/07/06 11:40:10 | 00,986,112 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\kernel32.dll
[2009/07/06 11:40:10 | 00,659,456 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\wininet.dll
[2009/07/06 11:40:10 | 00,577,536 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\user32.dll
[2009/07/06 11:40:10 | 00,502,272 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\winlogon.exe
[2009/07/06 11:40:10 | 00,360,320 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\tcpip.sys
[2009/07/06 11:40:10 | 00,295,424 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\termsrv.dll
[2009/07/06 11:40:10 | 00,182,912 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\ndis.sys
[2009/07/06 11:40:10 | 00,167,936 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\appmgmts.dll
[2009/07/06 11:40:10 | 00,111,104 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\wuauclt.exe
[2009/07/06 11:40:10 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\services.exe
[2009/07/06 11:40:10 | 00,110,080 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\imm32.dll
[2009/07/06 11:40:10 | 00,082,944 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\ws2_32.dll
[2009/07/06 11:40:10 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\spoolsv.exe
[2009/07/06 11:40:10 | 00,029,056 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\ip6fw.sys
[2009/07/06 11:40:10 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\userinit.exe
[2009/07/06 11:40:10 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\kbdclass.sys
[2009/07/06 11:40:10 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\powrprof.dll
[2009/07/06 11:40:10 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\ctfmon.exe
[2009/07/06 11:40:10 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\svchost.exe
[2009/07/06 11:40:10 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\cache\lsass.exe
[2009/07/06 11:40:10 | 00,000,000 | ---D | C] -- C:\WINNT\System32\dllcache\cache
[2009/07/06 11:39:41 | 00,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\proquota.exe
[2009/07/06 11:39:41 | 00,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\proquota.exe
[2009/07/06 11:35:32 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINNT\SWXCACLS.exe
[2009/07/06 11:35:32 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINNT\SWREG.exe
[2009/07/06 11:35:32 | 00,155,136 | ---- | C] () -- C:\WINNT\PEV.exe
[2009/07/06 11:35:32 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINNT\SWSC.exe
[2009/07/06 11:35:32 | 00,098,816 | ---- | C] () -- C:\WINNT\sed.exe
[2009/07/06 11:35:32 | 00,080,412 | ---- | C] () -- C:\WINNT\grep.exe
[2009/07/06 11:35:32 | 00,068,096 | ---- | C] () -- C:\WINNT\zip.exe
[2009/07/06 11:35:32 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINNT\NIRCMD.exe
[2009/07/06 11:25:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\nrnet\My Documents\Downloads
[2009/07/06 10:52:23 | 00,000,000 | ---D | C] -- C:\WINNT\pss
[2009/05/21 07:10:17 | 00,000,073 | ---- | C] () -- C:\WINNT\EurekaLog.ini
[2009/04/27 12:04:31 | 00,010,752 | ---- | C] () -- C:\WINNT\System32\drivers\CITMDRV.SYS
[2009/04/23 12:35:01 | 00,000,218 | ---- | C] () -- C:\WINNT\oraodbc.ini
[2009/04/23 12:22:01 | 00,000,076 | ---- | C] () -- C:\WINNT\webica.ini
[2009/04/23 12:14:18 | 00,000,770 | ---- | C] () -- C:\WINNT\ODBC.INI
[2009/04/23 11:52:37 | 00,000,138 | ---- | C] () -- C:\WINNT\wininit.ini
[2009/04/23 11:51:47 | 00,204,800 | ---- | C] () -- C:\WINNT\System32\IVIresizeW7.dll
[2009/04/23 11:51:47 | 00,200,704 | ---- | C] () -- C:\WINNT\System32\IVIresizeA6.dll
[2009/04/23 11:51:47 | 00,192,512 | ---- | C] () -- C:\WINNT\System32\IVIresizeP6.dll
[2009/04/23 11:51:47 | 00,192,512 | ---- | C] () -- C:\WINNT\System32\IVIresizeM6.dll
[2009/04/23 11:51:47 | 00,188,416 | ---- | C] () -- C:\WINNT\System32\IVIresizePX.dll
[2009/04/23 11:51:47 | 00,020,480 | ---- | C] () -- C:\WINNT\System32\IVIresize.dll
[2008/04/10 13:49:28 | 00,000,061 | ---- | C] () -- C:\WINNT\smscfg.ini
[2008/03/12 12:33:55 | 00,000,280 | ---- | C] () -- C:\WINNT\System32\epoPGPsdk.dll.sig
[2008/03/12 12:24:33 | 00,000,231 | ---- | C] () -- C:\WINNT\multi.ini
[2008/03/12 10:09:30 | 00,004,096 | ---- | C] () -- C:\WINNT\cchmvmsg.dll
[2008/03/12 10:06:08 | 00,204,800 | ---- | C] () -- C:\WINNT\System32\igfxCoIn_v4831.dll
[2008/03/12 10:06:07 | 00,910,304 | ---- | C] () -- C:\WINNT\System32\igmedkrn.dll
[2008/03/12 10:02:28 | 00,000,677 | ---- | C] () -- C:\WINNT\win.ini
[2008/03/12 10:02:21 | 00,000,227 | ---- | C] () -- C:\WINNT\system.ini
[2008/02/29 17:08:08 | 00,024,840 | ---- | C] () -- C:\WINNT\System32\drivers\swmsflt.sys
[2008/02/27 16:28:20 | 00,000,223 | ---- | C] () -- C:\WINNT\mercury.ini
[2007/05/21 14:55:04 | 00,119,160 | ---- | C] () -- C:\WINNT\System32\NovPwd32.dll
[2007/05/21 14:54:50 | 00,303,480 | ---- | C] () -- C:\WINNT\System32\Esso32.dll
[2005/11/04 10:21:48 | 00,197,672 | ---- | C] () -- C:\WINNT\System32\vpnapi.dll
[2005/11/04 10:21:24 | 00,189,480 | ---- | C] () -- C:\WINNT\System32\CSGina.dll
[2004/09/22 12:17:35 | 00,000,000 | ---- | C] () -- C:\WINNT\System32\px.ini
[2004/06/22 14:38:18 | 00,335,872 | ---- | C] () -- C:\WINNT\btnotes.dll
[2004/06/19 11:52:14 | 00,221,184 | ---- | C] () -- C:\WINNT\exDirectory.dll
[2004/06/19 11:49:08 | 00,073,728 | ---- | C] () -- C:\WINNT\BTAdmin.dll
[2004/06/19 11:49:06 | 00,102,400 | ---- | C] () -- C:\WINNT\BTProgressDialog.DLL
[2004/04/20 12:03:20 | 00,053,248 | ---- | C] () -- C:\WINNT\BTCMTHook.dll
[2003/06/02 20:47:48 | 00,020,480 | ---- | C] () -- C:\WINNT\BTisoTranslate.dll
[2003/06/02 16:45:34 | 00,045,056 | ---- | C] () -- C:\WINNT\btcheck.dll
[2003/06/02 16:45:32 | 00,040,960 | ---- | C] () -- C:\WINNT\btbreak.dll
[2001/05/31 11:18:28 | 00,262,202 | ---- | C] () -- C:\WINNT\btprog.dll
[2000/06/05 15:41:22 | 00,028,672 | ---- | C] () -- C:\WINNT\BTwwait.dll
[1998/12/30 11:15:56 | 00,009,216 | ---- | C] () -- C:\WINNT\libcomm.dll
[1997/09/22 11:06:28 | 00,032,256 | ---- | C] () -- C:\WINNT\System32\_RegTLB.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINNT\System32\*.tmp files]
[1 C:\WINNT\*.tmp files]
[2009/07/25 15:27:56 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2009/07/25 15:27:55 | 00,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2009/07/25 10:41:55 | 00,001,948 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Creative WebCam Center.lnk
[2009/07/24 18:18:50 | 00,457,728 | ---- | M] () -- C:\Documents and Settings\nrnet\Desktop\VMS Interface with RPM Project Plan.mpp
[2009/07/24 08:22:22 | 00,035,464 | ---- | M] () -- C:\Documents and Settings\nrnet\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/07/24 08:20:50 | 00,173,872 | ---- | M] () -- C:\WINNT\System32\FNTCACHE.DAT
[2009/07/23 23:51:58 | 00,001,374 | ---- | M] () -- C:\WINNT\imsins.BAK
[2009/07/22 22:51:04 | 00,002,613 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Altova XMLSpy.lnk
[2009/07/22 18:58:39 | 00,316,140 | R--- | M] () -- C:\WINNT\System32\drivers\etc\hosts
[2009/07/22 18:27:16 | 00,001,744 | ---- | M] () -- C:\Documents and Settings\nrnet\Desktop\HijackThis.lnk
[2009/07/22 16:28:19 | 00,000,155 | ---- | M] () -- C:\WINNT\System32\drivers\etc\hosts.20090722-182149.backup
[2009/07/21 08:30:32 | 00,002,206 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2009/07/20 23:08:02 | 00,001,023 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VZAccess Manager.lnk
[2009/07/20 10:22:36 | 00,002,002 | ---- | M] () -- C:\Documents and Settings\nrnet\Desktop\Ingenuity Pathways Analysis.lnk
[2009/07/17 08:19:25 | 00,000,677 | ---- | M] () -- C:\WINNT\win.ini
[2009/07/16 22:45:24 | 00,069,120 | ---- | M] () -- C:\Documents and Settings\nrnet\Desktop\PDA_BlackBerry_Device_Model_Table.doc
[2009/07/13 22:51:42 | 00,009,216 | ---- | M] () -- C:\Documents and Settings\nrnet\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/13 13:36:34 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2009/07/13 13:36:12 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2009/07/10 19:47:22 | 00,000,227 | ---- | M] () -- C:\WINNT\system.ini
[2009/07/08 23:27:51 | 00,000,277 | RHS- | M] () -- C:\boot.ini
< End of report >



Thanks for being patient and giving me in depth guidance. Kindly let me know if I must follow any more steps.

Sincerely,
Subu
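One way to triage O4 autostart entries like those in the log above, as an added example that is not part of this thread or of the OTL tool: it parses the O4 lines together with the "Created Within 30 Days" section, attaches a reason to each entry (no publisher, binary outside Program Files/Windows, file dropped straight into the Startup folder, creation date inside the 30-day window) and ranks them. The trusted-directory list and the hand-assembled excerpt are my assumptions, not anything OTL reports.

```python
"""Triage of OTL "O4" autostart entries, cross-checked with the log's "Created Within 30 Days" section."""
import re
from dataclasses import dataclass, field

# Lines copied from the OTL log above, assembled by hand so the example runs offline.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\office.exe ()
========== Files/Folders - Created Within 30 Days ==========
[2009/07/22 18:49:41 | 00,126,552 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\office.exe
[2009/07/06 11:39:41 | 00,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\proquota.exe
"""

# "O4 - <location>: <rest> (<publisher>)"; publisher is empty when the file has no version resource.
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<rest>.*) \((?P<pub>[^()]*)\)$")
# "[date time | size | attrs | C] (<publisher>) -- <path>" lines of the Created section.
CREATED_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| [\d,]+ \| [-\w]+ \| C\] "
    r"(?:\((?P<pub>[^()]*)\) )?-- (?P<path>.+)$")
TRUSTED_DIRS = ("c:\\program files\\", "c:\\winnt\\", "c:\\windows\\")  # assumed, heuristic
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif")


@dataclass
class Entry:
    location: str
    name: str        # Run value name, or the Startup-folder item path
    target: str      # what actually gets executed
    publisher: str
    reasons: list = field(default_factory=list)


def parse_o4(line):
    m = O4_RE.match(line)
    if not m:
        return None
    loc, rest, pub = m.group("loc"), m.group("rest"), m.group("pub")
    if rest.startswith("["):            # registry Run value: [Name] command
        name, _, target = rest[1:].partition("] ")
    elif " = " in rest:                 # Startup shortcut: item.lnk = target
        name, _, target = rest.partition(" = ")
    else:                               # a file sitting directly in Startup
        name = target = rest
    return Entry(loc, name, target, pub)


def binary_path(target):
    """Lower-cased path of the executable, with any arguments cut off."""
    low = target.lower().strip('"')
    for ext in EXEC_EXT:
        i = low.find(ext)
        if i != -1:
            return low[:i + len(ext)]
    return low


def triage(log_text):
    created, entries = {}, []
    for line in log_text.splitlines():
        c = CREATED_RE.match(line)
        if c:
            created[c.group("path").lower()] = c.group("ts")
            continue
        e = parse_o4(line)
        if e:
            entries.append(e)
    for e in entries:
        path = binary_path(e.target)
        if not e.publisher:
            e.reasons.append("no publisher/version information")
        if not path.startswith(TRUSTED_DIRS):
            e.reasons.append("runs from outside Program Files / Windows")
        if "\\startup\\" in path:
            e.reasons.append("executable dropped directly into the Startup folder")
        if path in created:
            e.reasons.append(f"file created {created[path]} (within the last 30 days)")
    return sorted(entries, key=lambda e: len(e.reasons), reverse=True)


def summarize(log_text):
    """Base name of each entry -> its reasons, most suspicious first."""
    return {e.name.rsplit("\\", 1)[-1]: e.reasons for e in triage(log_text)}
```

On the excerpt, office.exe collects all four reasons while the Adobe item is flagged only for its empty publisher, which is the usual false positive for unsigned but legitimately installed software.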

#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 26 July 2009 - 04:41 AM

Hi,

you're very welcome. :)

The Java version you are using is over 3 years old. It contains security holes that allow attackers to execute code without your consent. I would highly advise that you update (or ask your admins to update. :thumbup2: )
If you have no problems with your PC anymore, we are going to uninstall the used programs. :)
(This is going to delete all the files that have been backed up, so if anything is amiss please tell me before proceeding.)

Delete the tools used during the disinfection:
  • Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Run ATF
    • Please download ATF Cleaner by Atribune & save it to your desktop.
      • Double-click ATF-Cleaner.exe to run the program.
      • Under Main "Select Files to Delete" choose: Select All.
      • Click the Empty Selected button.
      • If you use Firefox browser click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
        If you would like to keep your saved passwords, please click No at the prompt.
      • If you use Opera browser click Opera at the top and choose: Select All
      • Click the Empty Selected button.
        If you would like to keep your saved passwords, please click No at the prompt.
      • Click Exit on the Main menu to close the program.
      Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
  • Run OTC
    • Download OTC from the following mirror and save it to your desktop:
    • Double click on the OTC icon on your desktop
    • Push the large "Cleanup" button.
    • Allow your system to reboot.
Please post back, how that went. :cool:

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#15 subu

subu
  • Topic Starter

  • Members
  • 8 posts

Posted 26 July 2009 - 11:48 AM

Hello Staff,

All steps went fine. I know with regard to Java you are correct. I use some programs that use the older version, and the new version is not supported. To add to all this, my company does not allow updating of Java as yet by end users, so my hands are tied. If there is anything else, do let me know. Thank you for being so patient and answering all my questions.

It is nice to see such forums where we all help one another.

Sincerely,
Subu



