
Yet another redirect virus


This topic is locked
11 replies to this topic

#1 Deb.

  • Members
  • 6 posts

Posted 08 December 2009 - 06:10 PM

I have an infected computer AT WORK. Ugh. I have run malware and McAfee scans, but they don't detect anything. I get random redirects to Google searches using IE, but if I type the address out by hand things don't redirect.

I downloaded HijackThis and ran it on the computer. I also followed your sticky for posting malware problems and here is the DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by williard at 16:42:01.51 on Tue 12/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2146 [GMT -6:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: McAfee Host Intrusion Prevention Firewall *enabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Merge eFilm\eFilm\Auditor\efAuditorService.exe
C:\Program Files\Merge eFilm\eFilm\efPMNT.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\Merge eFilm\eFilm\efServer.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Merge eFilm\eFilm\efDM.exe
C:\Program Files\Merge eFilm\eFilm\efDBM.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\williard.healthcare\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.uiowa.edu/
mDefault_Page_URL = hxxp://www.uihealthcare.com
mStart Page = hxxp://www.uihealthcare.com
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
BHO: IDXHlprObj Class: {31816979-f864-4acf-919f-d0b3b56432e6} - c:\program files\idx web desktop\IDXIEController.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [masqform.exe] c:\program files\pureedge\viewer 6.0\masqform.exe -UpdateCurrentUser
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\SetDefaultPrinter.bat
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: HideStartupScripts = 1 (0x1)
mPolicies-system: HideShutdownScripts = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: formularyproductions.com
Trusted Zone: formweb.com
Trusted Zone: hc-iccapps1
Trusted Zone: stratanetwork.com
Trusted Zone: thomsonhc.com
Trusted Zone: uhc.edu
Trusted Zone: uihealthcare.com\www
Trusted Zone: uiowa.edu\elms.healthcare
Trusted Zone: uiowa.edu\elmsreports.healthcare
Trusted Zone: uiowa.edu\hc-tf1.healthcare
Trusted Zone: uiowa.edu\idx.healthcare
Trusted Zone: uiowa.edu\intercom.medicine
Trusted Zone: uiowa.edu\obtvweb.healthcare
Trusted Zone: uiowa.edu\thepoint.healthcare
Trusted Zone: formularyproductions.com
Trusted Zone: hc-iccapps1
Trusted Zone: thomsonhc.com
Trusted Zone: uhc.edu
Trusted Zone: uiowa.edu\hc-tf1.healthcare
Trusted Zone: uiowa.edu\idx.healthcare
Trusted Zone: uiowa.edu\intercom.medicine
Trusted Zone: uiowa.edu\thepoint.healthcare
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0a454840-7232-11d5-b63d-00c04faedb18}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://128.255.26.210/activex/AxisCamControl.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-11-18 342224]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2009-1-27 31848]
R2 efAuditorService.exe;eFilm Audit Service;c:\program files\merge efilm\efilm\auditor\efAuditorService.exe [2006-4-26 24576]
R2 eFilmProcessManagerNT;eFilmProcessManagerNT;c:\program files\merge efilm\efilm\efPMNT.exe [2006-4-26 16384]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2008-10-30 1467712]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-3-10 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-1-27 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-6-10 49152]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-2-18 67904]
R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2008-4-29 42056]
R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2008-11-19 108280]
R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2008-11-19 37400]
R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2008-11-19 34432]
R3 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2009-2-18 34408]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-11-18 73512]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-11-18 34408]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2008-4-29 42056]
S3 MyRunOnce-Cleanup;MyRunOnce-Cleanup;c:\windows\system32\srvany.exe [2007-8-23 8192]
S3 slsService;slsService;c:\program files\merge efilm\efilm\slsService.exe [2006-4-26 53248]

============== File Associations ===============

vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

=============== Created Last 30 ================

2009-12-08 12:34:21 40719 ----a-w- c:\windows\system32\api_hook_list.dat
2009-12-08 12:34:18 38016 ----a-w- c:\windows\system32\HIPIS0e0118e.dll
2009-12-07 22:20:28 0 d-----w- c:\program files\Trend Micro
2009-12-07 22:20:24 812344 ----a-w- C:\HJTInstall.exe
2009-12-07 22:12:35 9429952 ----a-w- C:\windows-kb890830-v3.1.exe
2009-12-07 20:57:39 0 d-----w- c:\docume~1\willia~1.hea\applic~1\Malwarebytes
2009-12-07 20:57:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-07 20:57:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-07 20:57:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-07 20:57:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-07 20:56:15 4844296 ----a-w- C:\mbam-setup.exe
2009-12-07 20:42:58 3550592 ----a-w- C:\xplorer.exe.exe
2009-11-17 00:01:23 0 d-----w- c:\windows\system32\Adobe

==================== Find3M ====================

2009-11-06 04:42:14 136512 ----a-w- c:\windows\system32\KevlarSigs.dll
2009-09-14 16:21:47 249856 ------w- c:\windows\Setup1.exe
2009-09-14 16:21:46 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-09-14 16:21:32 5905859 ----a-w- c:\program files\pDRAW32setup.zip
2008-10-15 20:56:36 798270 ----a-w- c:\program files\dfw.zip
2008-10-15 17:34:18 719983 ----a-w- c:\program files\dfw251trial.zip
2008-10-10 17:28:04 1191717 ----a-w- c:\program files\avatar_setup.exe
2008-01-28 16:35:09 13202815 ----a-w- c:\program files\BioEdit.zip
2004-08-04 12:00:00 73728 --sha-w- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe

============= FINISH: 16:43:13.12 ===============

I've attached the other files (dds and rootrepeal scan).

Here's the hijack this log if it helps:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:20 PM, on 12/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Merge eFilm\eFilm\Auditor\efAuditorService.exe
C:\Program Files\Merge eFilm\eFilm\efPMNT.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\Merge eFilm\eFilm\efServer.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Merge eFilm\eFilm\efDM.exe
C:\Program Files\Merge eFilm\eFilm\efDBM.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uiowa.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.uihealthcare.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uihealthcare.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: IDXHlprObj Class - {31816979-F864-4acf-919F-D0B3B56432E6} - C:\Program Files\IDX Web Desktop\IDXIEController.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfee Host Intrusion Prevention Tray] "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: SetDefaultPrinter.bat
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.formularyproductions.com
O15 - Trusted Zone: *.formweb.com
O15 - Trusted Zone: http://*.hc-iccapps1
O15 - Trusted Zone: *.stratanetwork.com
O15 - Trusted Zone: *.thomsonhc.com
O15 - Trusted Zone: *.uhc.edu
O15 - Trusted Zone: http://www.uihealthcare.com
O15 - Trusted Zone: http://hc-tf1.healthcare.uiowa.edu
O15 - Trusted Zone: http://idx.healthcare.uiowa.edu
O15 - Trusted Zone: http://intercom.medicine.uiowa.edu
O15 - Trusted Zone: http://obtvweb.healthcare.uiowa.edu
O15 - Trusted Zone: *.formularyproductions.com (HKLM)
O15 - Trusted Zone: http://*.hc-iccapps1 (HKLM)
O15 - Trusted Zone: *.thomsonhc.com (HKLM)
O15 - Trusted Zone: *.uhc.edu (HKLM)
O15 - Trusted Zone: http://hc-tf1.healthcare.uiowa.edu (HKLM)
O15 - Trusted Zone: http://idx.healthcare.uiowa.edu (HKLM)
O15 - Trusted Zone: http://intercom.medicine.uiowa.edu (HKLM)
O16 - DPF: {0a454840-7232-11d5-b63d-00c04faedb18} -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.255.26.210/activex/AxisCamControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = healthcare.uiowa.edu
O17 - HKLM\Software\..\Telephony: DomainName = healthcare.uiowa.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = healthcare.uiowa.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = healthcare.uiowa.edu,medicine.uiowa.edu,uihc.uiowa.edu,iowa.uiowa.edu,public-health.uiowa.edu,dentistry.uiowa.edu,uiowa.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = healthcare.uiowa.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = healthcare.uiowa.edu,medicine.uiowa.edu,uihc.uiowa.edu,iowa.uiowa.edu,public-health.uiowa.edu,dentistry.uiowa.edu,uiowa.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = healthcare.uiowa.edu,medicine.uiowa.edu,uihc.uiowa.edu,iowa.uiowa.edu,public-health.uiowa.edu,dentistry.uiowa.edu,uiowa.edu
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: eFilm Audit Service (efAuditorService.exe) - Merge eMed - C:\Program Files\Merge eFilm\eFilm\Auditor\efAuditorService.exe
O23 - Service: eFilmProcessManagerNT - Unknown owner - C:\Program Files\Merge eFilm\eFilm\efPMNT.exe
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: McAfee HIPSCore Service (hips) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: MyRunOnce-Cleanup - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: slsService - Unknown owner - C:\Program Files\Merge eFilm\eFilm\slsService.exe

--
End of file - 10180 bytes

I don't know much about computers...and this is the first virus I've gotten. I feel dirty now. :(
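An added example (not from the post above and not part of HijackThis itself): a small Python triage pass over the O2/O3/O15/O16/O23 line formats that appear in the posted log, applying the checks a helper makes by eye: BHOs or toolbars whose file is missing, Trusted Zone hosts outside the organisation's own domains, ActiveX (DPF) controls with no source URL or served from a bare IP address, and services with no publisher. The sample lines are constructed from the posted log, and the trusted-domain list passed to `triage()` is an assumption.

```python
"""Triage a HijackThis log for the entries a malware-removal helper reviews first.

Heuristics only: a finding means "look at this", not "this is malicious".
"""
import re
from ipaddress import ip_address

# Line formats as they appear in a HijackThis v2 log.
BHO_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
ZONE_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)(?P<hive> \(HKLM\))?$")
DPF_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Constructed sample, modelled on the lines in the posted log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O15 - Trusted Zone: *.formweb.com
O15 - Trusted Zone: http://idx.healthcare.uiowa.edu
O15 - Trusted Zone: http://idx.healthcare.uiowa.edu (HKLM)
O16 - DPF: {0a454840-7232-11d5-b63d-00c04faedb18} -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.255.26.210/activex/AxisCamControl.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""


def _host_of(url):
    """Return the host[:port] part of a URL (scheme optional)."""
    m = re.match(r"^(?:https?://)?([^/]+)", url)
    return m.group(1) if m else ""


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text, trusted_suffixes=()):
    """Return a list of (line, reason) findings in log order.

    trusted_suffixes: domain suffixes the organisation owns (assumed input);
    Trusted Zone hosts outside them are reported for review.
    """
    findings = []
    seen_zones = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = BHO_RE.match(line)
        if m:
            if m.group("path").lower() in ("(no file)", "no file"):
                findings.append((line, "BHO/toolbar registered but its file is missing"))
            elif m.group("name").lower() == "(no name)":
                findings.append((line, "BHO with no name"))
            continue

        m = ZONE_RE.match(line)
        if m:
            key = m.group("host").lower()
            if key in seen_zones:
                continue  # HKLM copy of a zone entry already seen under HKCU
            seen_zones.add(key)
            bare = re.sub(r"^https?://", "", key).lstrip("*.")
            if trusted_suffixes and not any(
                bare == s or bare.endswith("." + s) for s in trusted_suffixes
            ):
                findings.append((line, "Trusted Zone host outside the organisation's domains"))
            continue

        m = DPF_RE.match(line)
        if m:
            url = m.group("url").strip()
            if not url:
                findings.append((line, "ActiveX download entry with no source URL"))
            elif _is_ip(_host_of(url).split(":")[0]):
                findings.append((line, "ActiveX control served from a bare IP address"))
            continue

        m = SVC_RE.match(line)
        if m and m.group("owner").lower() == "unknown owner":
            findings.append((line, "service with no publisher (Unknown owner)"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG, trusted_suffixes=("uiowa.edu", "uihealthcare.com")):
        print(f"[{reason}]\n    {entry}")
```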


#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 20 December 2009 - 07:49 PM

Hi,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help please let me know what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Then please post back here with the following logs:
  • OTL.txt
  • Extra.txt
Thanks



#3 Deb. (Topic Starter)

  • Members
  • 6 posts

Posted 21 December 2009 - 11:07 AM

Thank you!
Here are the logs:

OTL.txt:

OTL logfile created on: 12/21/2009 9:53:52 AM - Run 1
OTL by OldTimer - Version 3.1.19.0 Folder = C:\Documents and Settings\williard.healthcare\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.82 Gb Total Space | 215.55 Gb Free Space | 92.58% Space Free | Partition Type: NTFS
Drive D: | 232.82 Gb Total Space | 232.46 Gb Free Space | 99.84% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 1023.99 Gb Total Space | 594.28 Gb Free Space | 58.04% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive S: | 1023.99 Gb Total Space | 594.28 Gb Free Space | 58.04% Space Free | Partition Type: NTFS
Drive T: | 1023.99 Gb Total Space | 1001.03 Gb Free Space | 97.76% Space Free | Partition Type: NTFS
Drive U: | 117.16 Gb Total Space | 117.05 Gb Free Space | 99.90% Space Free | Partition Type: NTFS

Computer Name: MK9905
Current User Name: williard
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/21 09:52:24 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\williard.healthcare\Desktop\OTL.exe
PRC - [2009/10/28 00:54:16 | 00,634,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/09/22 16:00:00 | 00,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/09/22 16:00:00 | 00,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/09/22 16:00:00 | 00,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/09/22 16:00:00 | 00,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2009/06/10 19:50:00 | 00,106,496 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2009/06/10 19:50:00 | 00,049,152 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2009/02/25 15:27:41 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2009/01/27 19:50:00 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2008/12/18 13:32:52 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PRC - [2008/10/30 16:44:56 | 01,467,712 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
PRC - [2008/10/30 16:44:56 | 00,972,096 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
PRC - [2008/10/30 16:44:56 | 00,067,904 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2008/10/30 16:44:56 | 00,034,408 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
PRC - [2008/04/14 05:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/13 01:50:00 | 00,590,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2007/04/13 01:50:00 | 00,251,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
PRC - [2007/01/19 20:14:54 | 00,239,864 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\OpenManage\Client\Iap.exe
PRC - [2006/05/01 09:07:44 | 00,843,776 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2006/04/26 07:47:06 | 00,027,136 | ---- | M] (Merge eMed) -- C:\Program Files\Merge eFilm\eFilm\efServer.exe
PRC - [2006/04/26 07:46:26 | 00,016,384 | ---- | M] () -- C:\Program Files\Merge eFilm\eFilm\efPMNT.exe
PRC - [2006/04/26 07:45:48 | 00,073,728 | ---- | M] (Merge eMed) -- C:\Program Files\Merge eFilm\eFilm\efDM.exe
PRC - [2006/04/26 07:45:32 | 00,026,624 | ---- | M] (Merge eMed) -- C:\Program Files\Merge eFilm\eFilm\efDBM.exe
PRC - [2002/12/17 11:28:00 | 00,684,032 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
PRC - [1999/09/30 20:31:38 | 00,869,376 | ---- | M] (Fred's Software) -- C:\Program Files\PrintKey2000\Printkey2000.exe


========== Modules (SafeList) ==========

MOD - [2009/12/21 09:52:24 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\williard.healthcare\Desktop\OTL.exe
MOD - [2004/08/04 06:00:00 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\serwvdrv.dll
MOD - [2004/08/04 06:00:00 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\umdmxfrm.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/09/22 16:00:00 | 00,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2009/06/10 19:50:00 | 00,049,152 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2009/02/25 15:27:41 | 00,602,112 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2009/02/25 14:15:00 | 00,593,920 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2009/01/27 19:50:00 | 00,144,704 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2008/10/30 16:44:56 | 01,467,712 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe -- (enterceptAgent)
SRV - [2008/10/30 16:44:56 | 00,067,904 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2008/10/30 16:44:56 | 00,034,408 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe -- (hips)
SRV - [2007/04/13 01:50:00 | 00,590,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2007/04/13 01:50:00 | 00,251,256 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe -- (Wuser32)
SRV - [2007/01/19 20:14:54 | 00,239,864 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\OpenManage\Client\Iap.exe -- (Iap)
SRV - [2007/01/19 11:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2006/04/26 07:46:26 | 00,016,384 | ---- | M] () [Auto | Running] -- C:\Program Files\Merge eFilm\eFilm\efPMNT.exe -- (eFilmProcessManagerNT)
SRV - [2006/04/26 07:00:22 | 00,024,576 | ---- | M] (Merge eMed) [Auto | Stopped] -- C:\Program Files\Merge eFilm\eFilm\Auditor\efAuditorService.exe -- (efAuditorService.exe)
SRV - [2006/04/26 06:51:40 | 00,053,248 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Merge eFilm\eFilm\slsService.exe -- (slsService)
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/04/15 18:59:42 | 00,065,536 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE -- (Pml Driver HPZ12)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/04/18 17:06:26 | 00,008,192 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\srvany.exe -- (MyRunOnce-Cleanup)


========== Driver Services (SafeList) ==========

DRV - [2009/02/25 16:58:57 | 03,565,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/01/27 19:50:00 | 00,073,512 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/01/27 19:50:00 | 00,034,408 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/01/27 19:50:00 | 00,031,848 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2008/10/30 16:44:56 | 00,342,224 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2008/10/30 16:44:56 | 00,144,616 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\FireTDI.sys -- (FireTDI)
DRV - [2008/10/30 16:44:56 | 00,133,480 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\FirePM.sys -- (FirePM)
DRV - [2008/10/30 16:44:56 | 00,108,280 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HIPK.sys -- (HIPK)
DRV - [2008/10/30 16:44:56 | 00,074,680 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2008/10/30 16:44:56 | 00,062,768 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2008/10/30 16:44:56 | 00,037,400 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HIPPSK.sys -- (HIPPSK)
DRV - [2008/10/30 16:44:56 | 00,034,432 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HIPQK.sys -- (HIPQK)
DRV - [2008/10/30 16:44:56 | 00,031,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\firelm01.sys -- (firelm01)
DRV - [2008/04/29 16:46:06 | 00,042,056 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\firehk.sys -- (FirehkMP)
DRV - [2008/04/29 16:46:06 | 00,042,056 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\firehk.sys -- (Firehk)
DRV - [2008/04/14 00:06:40 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 00:06:40 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 22:06:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/08/23 09:17:51 | 00,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2007/08/23 09:17:51 | 00,143,834 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2007/08/23 09:17:51 | 00,030,630 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2007/08/23 09:17:51 | 00,025,898 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2007/04/13 01:50:00 | 00,023,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2007/03/21 11:58:56 | 00,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2007/01/30 09:49:18 | 00,160,256 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/10/27 07:26:18 | 00,019,968 | R--- | M] (Dell Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
DRV - [2006/07/05 15:08:28 | 00,241,152 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2006/04/26 06:53:18 | 00,004,224 | ---- | M] () [File_System | System | Running] -- C:\WINDOWS\system32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2006/03/17 17:18:58 | 00,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2006/03/17 17:18:58 | 00,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2006/02/09 01:50:00 | 00,011,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\kbstuff5.sys -- (kbstuff)
DRV - [2006/02/09 01:50:00 | 00,008,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\idisw2km.sys -- (idisw2km)
DRV - [2005/04/05 13:46:28 | 00,830,684 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/01/27 14:31:06 | 00,260,352 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2004/08/04 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2003/11/17 14:59:20 | 00,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 14:58:02 | 00,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 14:56:26 | 01,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/04/09 12:48:08 | 00,011,043 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2002/12/17 11:32:58 | 00,061,424 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2002/12/17 11:32:46 | 00,023,436 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2002/12/17 11:27:32 | 00,241,152 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2001/08/17 13:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 13:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 13:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 13:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 13:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 12:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 12:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 12:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 12:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 12:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 12:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 12:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 12:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 12:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 12:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 12:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.uihealthcare.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = https://thepoint.healthcare.uiowa.edu [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = https://thepoint.healthcare.uiowa.edu [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.uihealthcare.com


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.uihealthcare.com
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.uihealthcare.com
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.uihealthcare.com
IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.uihealthcare.com
IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-21-854245398-1004336348-682003330-92701\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.uiowa.edu/
IE - HKU\S-1-5-21-854245398-1004336348-682003330-92701\S-1-5-21-854245398-1004336348-682003330-92701\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-854245398-1004336348-682003330-92701\S-1-5-21-854245398-1004336348-682003330-92701\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (IDXHlprObj Class) - {31816979-F864-4acf-919F-D0B3B56432E6} - C:\Program Files\IDX Web Desktop\IDXIEController.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll (McAfee, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe (PureEdge Solutions Inc.)
O4 - HKLM..\Run: [McAfee Host Intrusion Prevention Tray] C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINDOWS\System32\mobsync.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-854245398-1004336348-682003330-92701..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [TSClientAXDisabler] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [TSClientAXDisabler] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe (Fred's Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SetDefaultPrinter.bat ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideShutdownScripts = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: formularyproductions.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: hc-iccapps1 ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: skillport.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: thomsonhc.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: uhc.edu ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: uiowa.edu ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: uiowa.edu ([hc-tf1.healthcare] http in Trusted sites)
O15 - HKLM\..Trusted Domains: uiowa.edu ([idx.healthcare] http in Trusted sites)
O15 - HKLM\..Trusted Domains: uiowa.edu ([intercom.medicine] http in Trusted sites)
O15 - HKLM\..Trusted Domains: uiowa.edu ([intercom.medicine] https in Trusted sites)
O15 - HKLM\..Trusted Domains: uiowa.edu ([thepoint.healthcare] https in Trusted sites)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: formularyproductions.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: formweb.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: hc-iccapps1 ([]http in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: skillport.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: stratanetwork.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: thomsonhc.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: uhc.edu ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: uihealthcare.com ([www] http in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: uiowa.edu ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: uiowa.edu ([elms.healthcare] https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: uiowa.edu ([elmsreports.healthcare] https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: uiowa.edu ([hc-tf1.healthcare] http in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: uiowa.edu ([idx.healthcare] http in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: uiowa.edu ([intercom.medicine] http in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: uiowa.edu ([intercom.medicine] https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: uiowa.edu ([obtvweb.healthcare] http in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: uiowa.edu ([thepoint.healthcare] https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: formularyproductions.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: formweb.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: hc-iccapps1 ([]http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: skillport.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: stratanetwork.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: thomsonhc.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: uhc.edu ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: uihealthcare.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: uiowa.edu ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: uiowa.edu ([elms.healthcare] https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: uiowa.edu ([elmsreports.healthcare] https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: uiowa.edu ([hc-tf1.healthcare] http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: uiowa.edu ([idx.healthcare] http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: uiowa.edu ([intercom.medicine] http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: uiowa.edu ([intercom.medicine] https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: uiowa.edu ([obtvweb.healthcare] http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: uiowa.edu ([thepoint.healthcare] https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: formularyproductions.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: formweb.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: hc-iccapps1 ([]http in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: skillport.com ([]* in Local intranet)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: stratanetwork.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: thomsonhc.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: uhc.edu ([]* in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: uihealthcare.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: uiowa.edu ([]* in Local intranet)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: uiowa.edu ([elms.healthcare] https in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: uiowa.edu ([elmsreports.healthcare] https in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: uiowa.edu ([hc-tf1.healthcare] http in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: uiowa.edu ([idx.healthcare] http in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: uiowa.edu ([intercom.medicine] http in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: uiowa.edu ([intercom.medicine] https in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: uiowa.edu ([obtvweb.healthcare] http in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: uiowa.edu ([thepoint.healthcare] https in Trusted sites)
O15 - HKU\S-1-5-21-854245398-1004336348-682003330-92701\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0a454840-7232-11d5-b63d-00c04faedb18} Reg Error: Value error. (Reg Error: Value error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_05)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} http://128.255.26.210/activex/AxisCamControl.cab (CamImage Class)
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_05)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 128.255.64.5 128.255.1.3 128.255.64.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = healthcare.uiowa.edu
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/06/07 10:50:58 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (51231950454652928)

========== Files/Folders - Created Within 30 Days ==========

[2009/12/21 09:52:17 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\williard.healthcare\Desktop\OTL.exe
[2009/12/21 07:41:28 | 00,038,016 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\HIPIS0e0118e.dll
[2009/12/16 13:07:47 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/12/11 17:15:38 | 04,454,488 | ---- | C] (Adobe Systems, Inc.) -- C:\Documents and Settings\williard.healthcare\Desktop\nomenclature.exe
[2009/12/11 09:07:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2009/12/08 16:46:18 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\williard.healthcare\Desktop\RootRepeal.exe
[2009/12/07 16:54:21 | 00,434,688 | ---- | C] (XDelBox.com) -- C:\Documents and Settings\williard.healthcare\Desktop\XDelBox.exe
[2009/12/07 16:20:28 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/12/07 16:20:24 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\HJTInstall.exe
[2009/12/07 16:12:35 | 09,429,952 | ---- | C] (Microsoft Corporation) -- C:\windows-kb890830-v3.1.exe
[2009/12/07 14:57:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\williard.healthcare\Application Data\Malwarebytes
[2009/12/07 14:57:35 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/07 14:57:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/07 14:57:33 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/07 14:57:33 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/07 14:56:15 | 04,844,296 | ---- | C] (Malwarebytes Corporation ) -- C:\mbam-setup.exe
[2009/12/07 14:42:58 | 03,550,592 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\xplorer.exe.exe
[2007/06/07 10:53:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/06/07 10:53:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2007/06/07 10:50:56 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2007/06/07 10:50:56 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\williard.healthcare\My Documents\*.tmp files -> C:\Documents and Settings\williard.healthcare\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/21 09:55:00 | 00,000,398 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{F20A4907-4CDC-405E-8917-455EAE69A9CD}.job
[2009/12/21 09:55:00 | 00,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2020020E-9FDA-414A-A573-3DD9E052C962}.job
[2009/12/21 09:53:00 | 00,000,260 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009/12/21 09:52:24 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\williard.healthcare\Desktop\OTL.exe
[2009/12/21 09:49:45 | 00,000,185 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[2009/12/21 07:41:31 | 00,040,719 | ---- | M] () -- C:\WINDOWS\System32\api_hook_list.dat
[2009/12/21 07:41:25 | 00,000,456 | ---- | M] () -- C:\WINDOWS\SMSCFG.ini
[2009/12/21 07:40:40 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/21 07:40:38 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/21 07:40:30 | 32,187,18720 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/20 14:25:59 | 04,456,448 | -H-- | M] () -- C:\Documents and Settings\williard.healthcare\NTUSER.DAT
[2009/12/20 14:25:59 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\williard.healthcare\ntuser.ini
[2009/12/20 14:25:54 | 00,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2009/12/20 14:25:54 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2009/12/20 13:00:46 | 00,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys
[2009/12/20 12:23:45 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/18 18:23:02 | 06,412,574 | -H-- | M] () -- C:\Documents and Settings\williard.healthcare\Local Settings\Application Data\IconCache.db
[2009/12/18 18:23:02 | 00,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2009/12/18 18:23:02 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2009/12/17 17:17:42 | 00,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2009/12/17 17:17:42 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009/12/16 17:27:23 | 00,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2009/12/16 17:27:23 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009/12/16 10:21:37 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/12/15 17:23:10 | 00,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/12/15 17:23:10 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/12/14 17:36:04 | 00,262,232 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/14 17:34:41 | 00,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2009/12/14 17:34:41 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009/12/14 17:00:59 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/12 10:56:15 | 00,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2009/12/12 10:56:15 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009/12/11 17:27:27 | 00,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2009/12/11 17:27:27 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009/12/11 17:18:13 | 00,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2009/12/11 17:18:13 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/12/11 17:15:40 | 04,454,488 | ---- | M] (Adobe Systems, Inc.) -- C:\Documents and Settings\williard.healthcare\Desktop\nomenclature.exe
[2009/12/10 17:08:47 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/12/10 17:08:47 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/12/09 15:26:43 | 00,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2009/12/09 15:26:43 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2009/12/09 14:58:39 | 00,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2009/12/09 14:58:39 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2009/12/08 17:24:49 | 00,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2009/12/08 17:24:49 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009/12/08 16:46:43 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\williard.healthcare\Desktop\settings.dat
[2009/12/08 16:46:42 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\williard.healthcare\Desktop\RootRepeal.exe
[2009/12/08 16:39:52 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\williard.healthcare\Desktop\dds.scr
[2009/12/07 17:03:30 | 00,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2009/12/07 17:03:30 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/12/07 16:54:22 | 00,434,688 | ---- | M] (XDelBox.com) -- C:\Documents and Settings\williard.healthcare\Desktop\XDelBox.exe
[2009/12/07 16:20:28 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\williard.healthcare\Desktop\HijackThis.lnk
[2009/12/07 16:20:25 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\HJTInstall.exe
[2009/12/07 16:12:48 | 09,429,952 | ---- | M] (Microsoft Corporation) -- C:\windows-kb890830-v3.1.exe
[2009/12/07 15:52:57 | 00,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/12/07 15:52:57 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/12/07 14:57:38 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/07 14:56:16 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup.exe
[2009/12/07 14:42:58 | 03,550,592 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\xplorer.exe.exe
[2009/12/07 13:36:21 | 00,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/12/07 13:36:21 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/12/04 15:01:51 | 00,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/12/04 15:01:51 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009/12/03 22:24:12 | 00,136,512 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\KevlarSigs.dll
[2009/12/03 18:46:00 | 00,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2009/12/03 18:46:00 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/02 16:26:17 | 00,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2009/12/02 16:26:17 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2009/12/01 14:49:51 | 00,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2009/12/01 14:49:51 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2009/12/01 11:32:40 | 00,002,421 | ---- | M] () -- C:\Documents and Settings\williard.healthcare\Desktop\FinchTV.lnk
[2009/11/25 18:48:55 | 00,000,488 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\williard.healthcare\My Documents\*.tmp files -> C:\Documents and Settings\williard.healthcare\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/21 07:41:31 | 00,040,719 | ---- | C] () -- C:\WINDOWS\System32\api_hook_list.dat
[2009/12/08 16:46:43 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\williard.healthcare\Desktop\settings.dat
[2009/12/08 16:39:47 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\williard.healthcare\Desktop\dds.scr
[2009/12/07 16:20:28 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\williard.healthcare\Desktop\HijackThis.lnk
[2009/12/07 14:57:38 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/30 09:37:34 | 00,000,398 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{F20A4907-4CDC-405E-8917-455EAE69A9CD}.job
[2009/11/25 17:21:04 | 00,000,392 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2020020E-9FDA-414A-A573-3DD9E052C962}.job
[2009/06/22 10:37:06 | 00,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/03/29 18:57:52 | 00,001,767 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/10/15 14:56:36 | 00,798,270 | ---- | C] () -- C:\Program Files\dfw.zip
[2008/10/15 11:35:01 | 00,003,843 | ---- | C] () -- C:\WINDOWS\DNA.INI
[2008/10/15 11:34:16 | 00,719,983 | ---- | C] () -- C:\Program Files\dfw251trial.zip
[2008/10/10 11:28:01 | 01,191,717 | ---- | C] () -- C:\Program Files\avatar_setup.exe
[2008/10/02 13:13:14 | 00,005,632 | ---- | C] () -- C:\Documents and Settings\williard.healthcare\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/28 10:39:31 | 05,905,859 | ---- | C] () -- C:\Program Files\pDRAW32setup.zip
[2008/01/28 10:35:09 | 13,202,815 | ---- | C] () -- C:\Program Files\BioEdit.zip
[2007/08/23 09:59:27 | 00,000,185 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2007/08/23 09:54:40 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2007/08/23 09:16:46 | 00,000,024 | ---- | C] () -- C:\WINDOWS\infuser.ini
[2007/08/23 09:13:40 | 00,000,488 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/08/23 08:59:20 | 00,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2007/06/07 12:37:55 | 00,000,472 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2007/06/07 11:36:39 | 00,000,061 | ---- | C] () -- C:\WINDOWS\PureEdgeAPI.ini
[2007/06/07 11:36:36 | 00,167,936 | ---- | C] () -- C:\WINDOWS\System32\MSQOLE.DLL
[2007/06/07 11:26:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2007/06/07 11:26:53 | 00,051,712 | ---- | C] () -- C:\WINDOWS\System32\JinPanel.dll
[2007/06/07 10:56:10 | 00,000,456 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2006/04/26 06:53:18 | 00,004,224 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2003/02/07 16:24:20 | 00,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/06/14 08:57:34 | 00,000,426 | ---- | C] () -- C:\WINDOWS\krb5.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/12/07 16:20:25 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\HJTInstall.exe
[2009/12/07 14:56:16 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup.exe
[2009/12/07 16:12:48 | 09,429,952 | ---- | M] (Microsoft Corporation) -- C:\windows-kb890830-v3.1.exe
[2009/12/07 14:42:58 | 03,550,592 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\xplorer.exe.exe


< MD5 for: AGP440.SYS >
[2008/04/14 00:06:40 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/14 00:06:40 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 22:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2009/12/20 13:00:46 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2009/12/20 13:00:46 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 21:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:41:54 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 05:41:54 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 06:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/03/21 11:58:56 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Drivers\1\IaStor.sys
[2007/03/21 11:58:56 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Drivers\1\IntelSATA\IaStor.sys
[2007/03/21 11:58:56 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\system32\drivers\iaStor.sys
[2004/03/23 11:13:58 | 00,467,200 | ---- | M] (Intel Corporation) MD5=F26BFD48B1C314E0F23BF77ACFA75940 -- C:\Drivers\7\82801FR\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:42:02 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 05:42:02 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 06:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATA.SYS >
[2006/04/24 16:52:28 | 00,100,736 | ---- | M] (NVIDIA Corporation) MD5=C03E15101F6D9E82CD9B0E7D715F5DE3 -- C:\Drivers\1\NVATA\nvata.sys

< MD5 for: NVATABUS.SYS >
[2005/08/18 16:52:06 | 00,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\Drivers\1\NVRAID\nvatabus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 06:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 05:42:06 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 05:42:06 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< >
< End of report >


Extras.Txt
OTL Extras logfile created on: 12/21/2009 9:53:52 AM - Run 1
OTL by OldTimer - Version 3.1.19.0 Folder = C:\Documents and Settings\williard.healthcare\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.82 Gb Total Space | 215.55 Gb Free Space | 92.58% Space Free | Partition Type: NTFS
Drive D: | 232.82 Gb Total Space | 232.46 Gb Free Space | 99.84% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 1023.99 Gb Total Space | 594.28 Gb Free Space | 58.04% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive S: | 1023.99 Gb Total Space | 594.28 Gb Free Space | 58.04% Space Free | Partition Type: NTFS
Drive T: | 1023.99 Gb Total Space | 1001.03 Gb Free Space | 97.76% Space Free | Partition Type: NTFS
Drive U: | 117.16 Gb Total Space | 117.05 Gb Free Space | 99.90% Space Free | Partition Type: NTFS

Computer Name: MK9905
Current User Name: williard
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [IDFThis] -- C:\Program Files\Identity Finder\IdentityFinder.exe /searchfile="%1" (Velosecure LLC)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0137A953-443D-3864-BFF7-0E7557908E1A}" = Catalyst Control Center Localization All
"{02EBDBB9-4600-41D3-B566-40CB861511D2}" = World of Warcraft FREE Trial
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{05B5DCEC-BD8A-BC78-D0A5-C90484ED378D}" = Catalyst Control Center Graphics Light
"{110DEFF6-1BC3-4C3C-8A9D-F482EA6BA70F}" = Avatar Sizer
"{117CD9C0-0F15-4633-93D7-F957B50535A5}" = Popup Blocker (Windows Live Toolbar)
"{154F197B-F413-7D58-AF50-9CD295A7F443}" = CCC Help English
"{2334740B-61D5-3AC3-B0D7-E0BDA32B8367}" = Catalyst Control Center Graphics Light
"{2B0DBB93-DF0A-5625-7035-471D82BFA975}" = Skins
"{34648701-638D-42A8-B167-EA14BEC16C72}" = Microsoft SQL Server 2005 Analysis Services 9.0 OLEDB Provider
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35C03C04-3F1F-42C2-A989-A757EE691F65}" = McAfee VirusScan Enterprise
"{3727B920-F5A3-46A4-AC02-94F421A039C7}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{38024121-D084-4E7D-B1A2-1A04CB5C4CF3}" = Windows Live Toolbar Feed Detector (Windows Live Toolbar)
"{3ACA50F4-79BD-3F79-8C61-02F7145BF17B}" = Catalyst Control Center Core Implementation
"{3C3FC19F-3D9E-B64B-14CF-EC9BFCE8BF4D}" = CCC Help English
"{4324BC93-C82F-ED16-BA86-5E34B9E05303}" = ccc-core-static
"{49672EC2-171B-47B4-8CE7-50D7806360D7}" = Windows Live Sign-in Assistant
"{4A39A27F-005B-407E-8CF5-F4D8065658E4}" = SMS Advanced Client
"{4B050456-DA2E-5602-DA35-7F5F8E504191}" = Catalyst Control Center Graphics Full Existing
"{4D5C1F43-2D45-42C1-B4BF-F74BFA28E7FF}" = FinchTV
"{4ED118EE-785C-CC18-5D2E-D5CA4BAA03F0}" = Catalyst Control Center Graphics Full New
"{539475B7-44B7-8B0A-134C-F01B9C8B7569}" = ccc-core-preinstall
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{57C4F1A9-FC5E-CB1C-8ACA-E8BB142307C4}" = CCC Help Japanese
"{5AC7AE54-55DF-1126-076C-623F008D40B6}" = Catalyst Control Center Graphics Full Existing
"{5FBAE328-AA32-4996-A033-99E86A6E75E9}" = Identity Finder Enterprise Edition
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{6351D217-3EE3-1967-29BE-6A77635FE485}" = Skins
"{6752C3B1-EA8F-E74C-FE3F-A05B8E953C80}" = CCC Help Chinese Standard
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6AB9CD3A-F91F-233B-923B-6C59BA63524D}" = Catalyst Control Center HydraVision Full
"{6E04A7BF-65E9-4B74-85A0-929B100E1D04}" = FlowcastDesktopControls
"{70A3EC33-4F1B-AEFF-459C-898E78F635DD}" = ccc-utility
"{7148F0A8-6813-11D6-A77B-00B0D0142050}" = Java 2 Runtime Environment, SE v1.4.2_05
"{73F1BDB7-11E1-11D5-9DC6-00C04F2FC33B}" = OMCI
"{74323745-D6EB-74DB-D4AD-6C6471482548}" = CCC Help Korean
"{7D0F2155-D7D3-42CE-903F-684ADD77FF89}" = Adobe Shockwave Player 11.5
"{7F72902B-5166-4522-8610-76BD903F8584}" = IDXWebFrameworkControls
"{85A91C22-C369-FCFB-5F1F-D59EB21AD0E1}" = CCC Help English
"{8A62A068-3FD6-495A-9F66-26FE94F32EC9}" = Rhapsody Player Engine
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{94AB7EE4-8335-C799-BECF-9CB63AD73861}" = Catalyst Control Center Graphics Full New
"{9539EE2D-8BAF-A65C-2CC0-504B9BC1516B}" = CCC Help Thai
"{95FC661A-A0C5-4B18-92CE-90347DA79CC9}" = Smart Menus (Windows Live Toolbar)
"{9B55FC02-BC50-4C8C-92EC-B7D4240272BE}" = INFORMM Patient Record
"{9BAC62B6-1F00-44AF-B833-F048D3745D7B}" = Strata Decision Technology Transfer Hub
"{9C08DF6F-0FC2-09DC-3A82-ECF7934522C7}" = ccc-core-static
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A40D6757-B145-4FE7-B694-89180A9F3F64}" = Windows Live Outlook Toolbar (Windows Live Toolbar)
"{A6AF8D58-5773-4C0D-9B2A-3960A4426BDA}" = TeleForm Web Capture Client
"{A6D0140F-E62F-9D1E-2408-9CFF91FF6FC8}" = ccc-utility
"{A736138D-904A-66DF-A156-32049A24D40D}" = Skins
"{A83387AA-6880-4062-BB3A-818B5494E9BE}" = eFilm Workstation
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{AF6D9313-E338-48F0-9B0C-7DE20EDB99CF}" = BioEdit
"{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}" = Citrix Presentation Server Client
"{B332732A-4958-41DD-B439-DDA2D32753C5}" = McAfee Host Intrusion Prevention
"{B7B3E9B3-FB14-4927-894B-E9124509AF5A}" = Adobe Flash Player 10 ActiveX
"{BE32F4CE-E1BC-E31E-0B0E-192266F6016D}" = ccc-core-static
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime
"{C2591EB4-FE40-16FD-CF86-028A17A8B18D}" = Catalyst Control Center Graphics Previews Common
"{C44A7422-E380-44BE-79FE-1C032D8A03A7}" = Catalyst Control Center Core Implementation
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCFFF923-9B10-4568-A437-B2D6E6E46C3B}" = Catalyst Control Center Graphics Full Existing
"{CD395C58-AE9F-40C1-BF65-21C223EA3BF2}" = Hummingbird HostExplorer V8.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE940250-1DF7-87E1-10B0-DADCDECF0053}" = ccc-core-preinstall
"{CF8AF715-0C02-4730-8D19-993D2D12D441}" = Strata Decision Technology Model Client
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{D579FFC2-9345-B62A-489D-82844AE58C1E}" = Catalyst Control Center Core Implementation
"{D57C2ACB-4246-A901-8D8D-8DA9E311F086}" = ccc-core-preinstall
"{D78E21DE-3CBD-EDA9-AE71-DC03D9754B8E}" = Catalyst Control Center HydraVision Full
"{DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}" = Windows Live Toolbar
"{DA76C4B0-3B47-592D-E167-F0000BE5B2EC}" = ccc-utility
"{DCE65B11-710D-4C54-9DE5-1A6A0BD2186B}" = Windows Live Favorites for Windows Live Toolbar
"{DF821FC5-C198-452B-A0D4-82433EFEAE9B}" = OneCare Advisor (Windows Live Toolbar)
"{E0000600-0600-0600-0600-000000000600}" = ICS Viewer 6.0
"{E008BEB1-AB63-46C1-BD3D-08D3A1F8E26D}" = McAfee Agent
"{E14336FF-AE98-FA53-5E14-7E61E0AE60CC}" = Catalyst Control Center Graphics Previews Common
"{E5D24929-91A4-B0A1-DE00-AFC453921EF7}" = Catalyst Control Center Graphics Light
"{E6C09BFB-BA75-15C7-5B18-A2CE31C4F42B}" = Catalyst Control Center Graphics Previews Common
"{ECDA9BD9-A54E-462A-8191-A2B569D9AB34}" = Map Button (Windows Live Toolbar)
"{EE5A6ACC-5437-4974-03C4-8707DDB7D77C}" = Catalyst Control Center Graphics Full New
"{F5AF5CDA-76FC-4794-9F28-09B6D54E7431}" = Form Fill (Windows Live Toolbar)
"{FBED3E35-40DB-98A6-0661-0C54C124D7B5}" = CCC Help Chinese Traditional
"{FCBADAC8-6014-11D5-9CE5-00207814A0F0}" = Spellex for Word 2003
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"DNA for Windows" = DNA for Windows
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ImageJ_is1" = ImageJ 1.40g
"InstallShield_{A83387AA-6880-4062-BB3A-818B5494E9BE}" = eFilm Workstation
"InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime
"Macromedia Authorware Web Player" = Macromedia Authorware Web Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Oracle JInitiator 1.1.8.14" = Oracle JInitiator 1.1.8.14
"PopTools_is1" = PopTools
"PrintKey2000" = PrintKey2000
"ST6UNST #1" = pDRAW32
"ST6UNST #2" = pDRAW32 (C:\Program Files\pDRAW32\)
"ST6UNST #3" = pDRAW32 (C:\Program Files\pDRAW32\) #3
"ST6UNST #4" = pDRAW32 (C:\Program Files\pDRAW32\) #4
"WIC" = Windows Imaging Component
"Windows Live Toolbar" = Windows Live Toolbar
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/12/2009 12:43:58 PM | Computer Name = MK9905 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 12/14/2009 8:37:44 AM | Computer Name = MK9905 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 12/14/2009 7:36:17 PM | Computer Name = MK9905 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 12/15/2009 8:35:06 AM | Computer Name = MK9905 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 12/16/2009 8:35:00 AM | Computer Name = MK9905 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 12/16/2009 4:04:31 PM | Computer Name = MK9905 | Source = McLogEvent | ID = 259
Description = The scan found detections. Scan engine version 5400.1158 DAT version
5833.

Error - 12/17/2009 8:35:01 AM | Computer Name = MK9905 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 12/18/2009 8:35:02 AM | Computer Name = MK9905 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 12/20/2009 2:23:47 PM | Computer Name = MK9905 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 12/21/2009 9:40:41 AM | Computer Name = MK9905 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

[ System Events ]
Error - 12/17/2009 8:35:41 AM | Computer Name = MK9905 | Source = Service Control Manager | ID = 7000
Description = The eFilm Audit Service service failed to start due to the following
error: %%1053

Error - 12/18/2009 8:35:02 AM | Computer Name = MK9905 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain HEALTHCARE due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 12/18/2009 8:35:42 AM | Computer Name = MK9905 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the eFilm Audit Service service
to connect.

Error - 12/18/2009 8:35:42 AM | Computer Name = MK9905 | Source = Service Control Manager | ID = 7000
Description = The eFilm Audit Service service failed to start due to the following
error: %%1053

Error - 12/20/2009 2:23:45 PM | Computer Name = MK9905 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain HEALTHCARE due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 12/20/2009 2:24:25 PM | Computer Name = MK9905 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the eFilm Audit Service service
to connect.

Error - 12/20/2009 2:24:25 PM | Computer Name = MK9905 | Source = Service Control Manager | ID = 7000
Description = The eFilm Audit Service service failed to start due to the following
error: %%1053

Error - 12/21/2009 9:40:40 AM | Computer Name = MK9905 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain HEALTHCARE due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 12/21/2009 9:41:19 AM | Computer Name = MK9905 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the eFilm Audit Service service
to connect.

Error - 12/21/2009 9:41:19 AM | Computer Name = MK9905 | Source = Service Control Manager | ID = 7000
Description = The eFilm Audit Service service failed to start due to the following
error: %%1053


< End of report >

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 21 December 2009 - 11:59 AM

Hi Deb.,
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Untick the following boxes on the right side of the Gmer screen:
    • Sections
    • IAT/EAT
    • Show All
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



#5 Deb.

Deb.
  • Topic Starter

  • Members
  • 6 posts

Posted 22 December 2009 - 11:06 AM

It took forever to get the program to run without hanging, so I hope it worked.
Here's the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2009-12-22 09:32:40
Windows 5.1.2600 Service Pack 3
Running: gox4m4jc.exe; Driver: C:\DOCUME~1\WILLIA~1.HEA\LOCALS~1\Temp\fftdypoc.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwConnectPort [0xB9C7A470]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9C7A306]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xB9C7A2A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB9C7A2B4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9C7A31A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9C7A346]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB9C7A3B4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB9C7A39E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xB9C7A3CA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMakeTemporaryObject [0xB9C7A45C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB9C7A3F6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9C7A2F2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9C7A264]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9C7A278]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xB9C7A432]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB9C7A388]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB9C7A372]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9C7A330]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xB9C7A41E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xB9C7A40A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xB9C7A2DE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB9C7A2CA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9C7A448]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9C7A35C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9C7A28C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xB9C7A3E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtConnectPort
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8AF60618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 22 December 2009 - 04:57 PM

The scan did work but unfortunately it doesn't look good.


One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


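Reading the GMER log the way the helper did above, as an added example (this is not code from the thread, from GMER or from BleepingComputer): a small Python triage script that separates kernel hooks owned by the installed McAfee products from the two entries that make this a rootkit case, the disk-stack `Device -> \Driver\atapi` object redirected to a bare address with no owning module, and the reported modification of atapi.sys. The sample log is a constructed excerpt of the log posted above plus one invented `example.sys` line to exercise the unknown-vendor path; the known-vendor list is an assumption based on the AV/firewall products shown in the DDS header.

```python
"""Triage a GMER rootkit-scan log the way a malware-response helper reads it.

Added example, not part of the original thread. SAMPLE_LOG is a constructed
excerpt modelled on the log posted above; the 'example.sys' line and the
KNOWN_SECURITY_VENDORS set are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwConnectPort [0xB9C7A470]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9C7A264]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp FireTDI.sys (McAfee HIP Application Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp example.sys (Example Filter/Example Corp.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8AF60618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# Vendors whose kernel hooks are expected on this host (assumption: the box runs
# McAfee VirusScan Enterprise and Host Intrusion Prevention, per the DDS header).
KNOWN_SECURITY_VENDORS = {"McAfee, Inc."}

# GMER line shapes seen in the posted log. The address suffix on Code lines is optional.
CODE_RE = re.compile(r"^Code\s+(\S+)\s+\((.*?)\)\s+(\w+)(?:\s+\[(0x[0-9A-Fa-f]+)\])?\s*$")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
DEVICE_RE = re.compile(r"^Device\s+->\s+(\S+)\s+(\S+)\s+([0-9A-Fa-f]{8})\s*$")
FILE_RE = re.compile(r"^File\s+(.+?)\s+suspicious modification\s*$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    line: str
    reason: str


def vendor_of(description):
    """GMER prints '(Driver description/Vendor name)'; return the vendor part."""
    return description.rsplit("/", 1)[-1].strip()


def triage(log_text):
    """Classify each GMER result line; unrecognised lines are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = FILE_RE.match(line)
        if m:
            findings.append(Finding("high", line,
                f"GMER reports the on-disk driver {m.group(1)} as modified"))
            continue
        m = DEVICE_RE.match(line)
        if m:
            # A driver object on the disk stack pointing at a raw address with no
            # module name is code GMER cannot attribute to any loaded driver.
            findings.append(Finding("high", line,
                f"{m.group(1)} for {m.group(2)} redirected to unattributed code at {m.group(3)}"))
            continue
        m = CODE_RE.match(line)
        if m:
            module, desc, func, _addr = m.groups()
            vendor = vendor_of(desc)
            if vendor in KNOWN_SECURITY_VENDORS:
                findings.append(Finding("info", line, f"{func} hooked by {module}, expected for {vendor}"))
            else:
                findings.append(Finding("medium", line, f"{func} hooked by {module} ({vendor}), not a known security product"))
            continue
        m = ATTACHED_RE.match(line)
        if m:
            _target, device, module, desc = m.groups()
            vendor = vendor_of(desc)
            sev = "info" if vendor in KNOWN_SECURITY_VENDORS else "medium"
            findings.append(Finding(sev, line, f"{module} ({vendor}) filters {device}"))
    return findings


def by_severity(findings):
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def verdict(findings):
    """Mirror the helper's decision: any high finding means the box cannot be trusted."""
    counts = by_severity(findings)
    if counts["high"]:
        return "compromised: disconnect, change credentials from a clean machine, reimage from a pre-infection image"
    if counts["medium"]:
        return "suspicious: identify the unknown drivers before deciding"
    return "nothing beyond known security-product hooks"


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}")
    print(verdict(results))
```

The point of the vendor allow-list is that a GMER log on a machine with enterprise AV is never empty: dozens of `Code mfehidk.sys` entries are the product doing its job, and the signal is what is left once those are set aside. The script treats a modified boot-path driver or an unattributed disk-stack hook as decisive on its own, which is the same call the helper makes in the post above.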

#7 Deb.
  • Topic Starter
  • Members
  • 6 posts

Posted 22 December 2009 - 06:44 PM

None of the downloads work for me... They should... I'm not locked out of downloading other programs... I'll try and figure out what the problem is tomorrow.

#8 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 22 December 2009 - 08:24 PM

The links are working fine, what happens when you click the links?



#9 Deb.
  • Topic Starter
  • Members
  • 6 posts

Posted 23 December 2009 - 11:22 AM

Cannot download Combofix. Access is denied. Make sure the disk is not write protected and that the file is not currently in use....

I'm talking to the rather unhelpful people here at work in hopes that they can possibly help me to get this to actually download. I'm not hopeful. They haven't been much help so far.

Actually, as I save all my files offsite, we're just going to re-image the HD. It seems the easiest way to go.

Edited by Deb., 23 December 2009 - 12:16 PM.


#10 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 23 December 2009 - 01:38 PM

Yes, I think re-imaging is the best way to go; just make sure you are using an image that was taken before you started having the problems.



#11 Deb.
  • Topic Starter
  • Members
  • 6 posts

Posted 23 December 2009 - 06:23 PM

Thank you for all your help. :( The IT guy did the re-image. He was aware of the dates of the issues, etc.

#12 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 24 December 2009 - 12:59 PM

You are welcome, thanks for informing us :(

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
