Trojan:Win32/Alureon.CO; search engine results hijacked in browser



#1 batou

batou

  • Members
  • 8 posts

Posted 28 December 2009 - 01:29 PM

Hello and thanks in advance.

I seem to have contracted a search engine hijack virus that takes me to random ad sites whenever I click on my Yahoo, Bing, or Google search results.

I've scanned/cleaned with Windows Defender, McAfee VirusScan, SpyBot Search & Destroy, Spyware Doctor, Malwarebytes' Anti-Malware, ESET online scanner....and no luck. The issue is still there.

Every time I open a web browser Windows Defender pops up a warning that "Trojan:Win32/Alureon.CO" has been detected (which is why I put this in the subject of this post). I tell Defender to remove it, but the search results hijacking behavior and Defender warnings always return.

Without further ado, here is my DDS.TXT log. I've also generated the attachment files as instructed in your Prep Guide.

DDS (Ver_09-12-01.01) - NTFSx86
Run by d01135352 at 12:18:18.11 on Mon 12/28/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.916 [GMT -6:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ImageNow6\bin\inausvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\CiscoSystems\CTIOS\SilentMonitor\Bin\SilentMonitorService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\CISCOS~1\CTIOS\SILENT~1\Bin\CTIOST~1.EXE
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\d01135352\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.thedevrycommons.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall33.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234881195328
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258738386403
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://connect.devry.net/dana-cached/setup/JuniperSetupSP1.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\d01135~1\applic~1\mozilla\firefox\profiles\zoispxv0.default\
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-11 343664]
R2 ImageNow Automatic Update 6.2;ImageNow Automatic Update 6.2;c:\program files\imagenow6\bin\inausvc.exe [2009-1-2 3878912]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-8-31 21256]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-25 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-8-31 146448]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-8-31 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-9-11 70728]
R2 SilentMonitorService;CTI OS Silent Monitor Service;c:\ciscosystems\ctios\silentmonitor\bin\silentmonitorservice --> c:\ciscosystems\ctios\silentmonitor\bin\SilentMonitorService [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-2-12 193840]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-23 44800]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-11 91672]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-11 43288]
R3 WPRO_40_1040;WinPcap Packet Driver (WPRO_40_1040);c:\windows\system32\drivers\wpro_40_1040.sys --> c:\windows\system32\drivers\WPRO_40_1040.sys [?]
R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-9-11 65448]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-8 1112560]

=============== Created Last 30 ================

2009-12-28 17:00:10 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-28 16:58:36 0 d-----w- c:\program files\Spyware Doctor
2009-12-28 16:58:36 0 d-----w- c:\program files\common files\PC Tools
2009-12-28 16:46:02 100880 ----a-w- c:\windows\system32\WPRO_40_1040woem.tmp
2009-12-23 01:07:02 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-23 01:07:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-22 00:32:15 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-22 00:31:32 13180816 ----a-w- c:\temp\WindowsDefender_mpas-fe.exe
2009-12-21 23:03:49 0 d-----w- c:\docume~1\d01135~1\applic~1\Malwarebytes
2009-12-21 23:03:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-21 17:35:42 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-12-21 17:35:42 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-12-17 17:03:54 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-16 21:30:46 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-16 21:30:46 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-16 18:35:54 1374154 ----a-w- c:\temp\wrar390.exe
2009-12-10 18:34:13 0 d-----w- c:\windows\ie8updates
2009-12-09 17:22:43 0 d-sh--w- c:\documents and settings\d01135352\IECompatCache
2009-12-08 20:13:51 0 d-----w- c:\docume~1\d01135~1\applic~1\ICAClient
2009-12-07 18:47:58 0 d-sh--w- c:\documents and settings\d01135352\PrivacIE
2009-12-07 18:09:32 0 d-sh--w- c:\documents and settings\d01135352\IETldCache
2009-12-07 17:08:53 0 dc-h--w- c:\windows\ie8
2009-12-07 17:03:48 16883056 ----a-w- c:\temp\IE8-WindowsXP-x86-ENU.exe
2009-11-29 23:23:59 18305378 ----a-w- c:\temp\wireshark-win32-1.2.4.exe

==================== Find3M ====================

2009-11-19 15:48:54 44544 ----a-w- c:\windows\system32\agremove.exe
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 20:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 20:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 20:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll

============= FINISH: 12:18:46.87 ===============


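A triage pass over a DDS log of the kind posted above, as an added example that is neither DDS's own code nor anything from this thread: it splits the log into its "=====" sections, parses SERVICES / DRIVERS and Created Last 30, and pairs every driver DDS printed with "[?]" (a file it could not stat) with recently created files sharing that driver's name stem. The excerpt is constructed from lines of the log above; the parser, its function names and the "unverified" label are assumptions of this example. In this log the three "[?]" entries line up with tools the poster has installed (WinPcap from the Wireshark package, PC Tools' Spyware Doctor, RootRepeal), so a hit is a prompt for a human to check the file, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of a DDS log: the lines are copied from the log posted in
# this thread, a real log carries many more entries per section.
DDS_EXCERPT = r"""
============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-11 343664]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 WPRO_40_1040;WinPcap Packet Driver (WPRO_40_1040);c:\windows\system32\drivers\wpro_40_1040.sys --> c:\windows\system32\drivers\WPRO_40_1040.sys [?]
R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2009-12-28 17:00:10 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-28 16:46:02 100880 ----a-w- c:\windows\system32\WPRO_40_1040woem.tmp
2009-12-22 00:32:15 195456 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Service/driver lines: "<state> <name>;<display>;<path> [<date> <size>]" when DDS
# could stat the file, "<state> <name>;<display>;<path> --> <path> [?]" when not.
DRIVER_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: --> (?P<resolved>.+?) \[\?\]| \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\])$"
)
# "Created Last 30" lines: "<timestamp> <size> <attrs> <path>".
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


@dataclass
class Driver:
    state: str
    name: str
    display: str
    path: str
    resolved: Optional[str]  # only set for the "--> <path> [?]" form
    file_date: Optional[str]
    size: Optional[int]

    @property
    def unverified(self) -> bool:
        # DDS printed "[?]" instead of a date and size: it could not stat the file.
        return self.resolved is not None


def file_stem(path: str) -> str:
    # Lower-cased file name without extension, from a Windows-style path.
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def split_sections(text: str) -> Dict[str, List[str]]:
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_drivers(lines: List[str]) -> List[Driver]:
    drivers = []
    for line in lines:
        m = DRIVER_RE.match(line)
        if not m:
            continue  # shapes this parser does not model are skipped, not guessed
        drivers.append(Driver(m["state"], m["name"], m["display"], m["path"],
                              m["resolved"], m["date"],
                              int(m["size"]) if m["size"] else None))
    return drivers


def parse_created(lines: List[str]) -> List[Tuple[str, int, str, str]]:
    # Returns (timestamp, size, attrs, path) per recognised line.
    out = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            out.append((m["ts"], int(m["size"]), m["attrs"], m["path"]))
    return out


def triage(log_text: str) -> Dict[str, object]:
    # Pair every driver DDS could not verify with recently created files whose
    # name stem starts with the driver file's stem (e.g. WPRO_40_1040woem.tmp).
    sections = split_sections(log_text)
    drivers = parse_drivers(sections.get("SERVICES / DRIVERS", []))
    created = parse_created(sections.get("Created Last 30", []))
    unverified = [d for d in drivers if d.unverified]
    related: Dict[str, List[str]] = {}
    for d in unverified:
        stem = file_stem(d.resolved or d.path)
        hits = [path for _, _, _, path in created if file_stem(path).startswith(stem)]
        if hits:
            related[d.name] = hits
    return {"unverified_drivers": [d.name for d in unverified],
            "related_recent_files": related}
```

Run `triage(DDS_EXCERPT)` on the excerpt and it reports the three "[?]" drivers and ties WPRO_40_1040 to the WPRO_40_1040woem.tmp file created the same day.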

#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 07 January 2010 - 03:50 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-





#3 batou

batou
  • Topic Starter

  • Members
  • 8 posts

Posted 08 January 2010 - 05:54 PM

Thanks for the reply, fireman4it.

As requested I've regenerated the DDS.txt and other attachments.

DDS (Ver_09-12-01.01) - NTFSx86
Run by batou at 16:18:18.11 on Fri 1/8/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.916 [GMT -6:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ImageNow6\bin\inausvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\CiscoSystems\CTIOS\SilentMonitor\Bin\SilentMonitorService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\CISCOS~1\CTIOS\SILENT~1\Bin\CTIOST~1.EXE
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\d01135352\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.thedevrycommons.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall33.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234881195328
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258738386403
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://connect.devry.net/dana-cached/setup/JuniperSetupSP1.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\d01135~1\applic~1\mozilla\firefox\profiles\zoispxv0.default\
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-11 343664]
R2 ImageNow Automatic Update 6.2;ImageNow Automatic Update 6.2;c:\program files\imagenow6\bin\inausvc.exe [2009-1-2 3878912]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-8-31 21256]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-25 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-8-31 146448]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-8-31 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-9-11 70728]
R2 SilentMonitorService;CTI OS Silent Monitor Service;c:\ciscosystems\ctios\silentmonitor\bin\silentmonitorservice --> c:\ciscosystems\ctios\silentmonitor\bin\SilentMonitorService [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-2-12 193840]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-23 44800]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-11 91672]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-11 43288]
R3 WPRO_40_1040;WinPcap Packet Driver (WPRO_40_1040);c:\windows\system32\drivers\wpro_40_1040.sys --> c:\windows\system32\drivers\WPRO_40_1040.sys [?]
R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-9-11 65448]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-8 1112560]

=============== Created Last 30 ================

2009-12-28 17:00:10 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-28 16:58:36 0 d-----w- c:\program files\Spyware Doctor
2009-12-28 16:58:36 0 d-----w- c:\program files\common files\PC Tools
2009-12-28 16:46:02 100880 ----a-w- c:\windows\system32\WPRO_40_1040woem.tmp
2009-12-23 01:07:02 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-23 01:07:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-22 00:32:15 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-22 00:31:32 13180816 ----a-w- c:\temp\WindowsDefender_mpas-fe.exe
2009-12-21 23:03:49 0 d-----w- c:\docume~1\d01135~1\applic~1\Malwarebytes
2009-12-21 23:03:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-21 17:35:42 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-12-21 17:35:42 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-12-17 17:03:54 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-16 21:30:46 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-16 21:30:46 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-16 18:35:54 1374154 ----a-w- c:\temp\wrar390.exe
2009-12-10 18:34:13 0 d-----w- c:\windows\ie8updates
2009-12-09 17:22:43 0 d-sh--w- c:\documents and settings\d01135352\IECompatCache
2009-12-08 20:13:51 0 d-----w- c:\docume~1\d01135~1\applic~1\ICAClient
2009-12-07 18:47:58 0 d-sh--w- c:\documents and settings\d01135352\PrivacIE
2009-12-07 18:09:32 0 d-sh--w- c:\documents and settings\d01135352\IETldCache
2009-12-07 17:08:53 0 dc-h--w- c:\windows\ie8
2009-12-07 17:03:48 16883056 ----a-w- c:\temp\IE8-WindowsXP-x86-ENU.exe
2009-11-29 23:23:59 18305378 ----a-w- c:\temp\wireshark-win32-1.2.4.exe

==================== Find3M ====================

2009-11-19 15:48:54 44544 ----a-w- c:\windows\system32\agremove.exe
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 20:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 20:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 20:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll

============= FINISH: 16:18:46.87 ===============


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 10 January 2010 - 07:04 PM

Hi,

We need to check a couple more things; please run the following scans:

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
I'd also like to see a gmer scan:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 batou

batou
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:14 PM

Posted 11 January 2010 - 12:45 PM

Thanks for the reply, myrti! Here are the OTL reports... working on the GMER steps next!

OTL logfile created on: 1/11/2010 10:48:56 AM - Run 1
OTL by OldTimer - Version 3.1.23.0 Folder = C:\Documents and Settings\d01135352\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 43.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 95.53 Gb Free Space | 85.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OBTLTCNU7402PQF
Current User Name: d01135352
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/11 10:47:56 | 00,543,744 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\d01135352\Desktop\OTL.exe
PRC - [2009/10/17 17:08:08 | 00,045,603 | ---- | M] (The Pidgin developer community) -- C:\Program Files\Pidgin\pidgin.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/09 13:11:12 | 25,623,336 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe
PRC - [2009/09/25 04:50:00 | 00,185,664 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/09/25 04:50:00 | 00,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/09/25 04:50:00 | 00,120,128 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/09/25 04:50:00 | 00,075,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2009/08/31 20:07:00 | 00,146,448 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2009/08/31 20:07:00 | 00,070,728 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2009/08/31 20:07:00 | 00,066,896 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2009/08/31 20:07:00 | 00,027,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2009/08/31 20:07:00 | 00,021,256 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
PRC - [2009/08/17 22:54:54 | 12,957,536 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
PRC - [2009/03/14 15:12:22 | 05,731,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office Communicator\communicator.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/01/23 01:46:56 | 00,431,472 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
PRC - [2009/01/02 01:34:22 | 03,878,912 | ---- | M] (Perceptive Software, Inc.) -- C:\Program Files\ImageNow6\bin\inausvc.exe
PRC - [2008/11/28 06:43:58 | 01,523,712 | ---- | M] () -- C:\CiscoSystems\CTIOS\SilentMonitor\Bin\SilentMonitorService.exe
PRC - [2008/11/28 05:52:14 | 00,045,056 | ---- | M] (Cisco Systems, Inc.) -- C:\CiscoSystems\CTIOS\SilentMonitor\Bin\CTIOSTraceText.exe
PRC - [2008/06/03 16:40:08 | 00,177,456 | ---- | M] ( Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
PRC - [2008/05/26 22:19:14 | 00,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/05/20 04:00:00 | 00,757,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2008/05/01 16:25:56 | 00,165,192 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
PRC - [2008/04/14 04:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/03 11:33:26 | 00,193,840 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
PRC - [2008/03/28 01:28:00 | 01,040,384 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2008/03/18 12:27:12 | 00,013,312 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe
PRC - [2007/12/20 12:54:42 | 00,141,848 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2007/12/20 12:54:38 | 00,252,440 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2007/12/20 12:54:36 | 00,137,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2007/12/20 12:54:24 | 00,166,424 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2007/02/06 15:02:26 | 00,266,295 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PRC - [2007/01/05 16:36:48 | 00,872,448 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 19:20:06 | 00,293,144 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpCmdRun.exe
PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe


========== Modules (SafeList) ==========

MOD - [2010/01/11 10:47:56 | 00,543,744 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\d01135352\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/09/25 04:50:00 | 00,120,128 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2009/08/31 20:07:00 | 00,146,448 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2009/08/31 20:07:00 | 00,070,728 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2009/08/31 20:07:00 | 00,066,896 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2009/08/31 20:07:00 | 00,021,256 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe -- (McAfeeEngineService)
SRV - [2009/01/23 01:46:56 | 00,431,472 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2009/01/02 01:34:22 | 03,878,912 | ---- | M] (Perceptive Software, Inc.) [Auto | Running] -- C:\Program Files\ImageNow6\bin\inausvc.exe -- (ImageNow Automatic Update 6.2)
SRV - [2008/11/28 06:43:58 | 01,523,712 | ---- | M] () [Auto | Running] -- C:\CiscoSystems\CTIOS\SilentMonitor\Bin\SilentMonitorService.exe -- (SilentMonitorService)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/15 11:02:34 | 00,111,872 | ---- | M] (PCTEL) [On_Demand | Stopped] -- C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe -- (SprintRcAppSvc)
SRV - [2008/05/20 04:00:00 | 00,757,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2008/05/20 04:00:00 | 00,249,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)
SRV - [2008/05/01 16:25:56 | 00,165,192 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Running] -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex)
SRV - [2008/04/08 06:12:50 | 01,112,560 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2008/04/03 11:33:26 | 00,193,840 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Running] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe -- (Com4QLBEx)
SRV - [2008/03/24 07:35:22 | 00,074,384 | R--- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2008/03/18 12:27:12 | 00,013,312 | ---- | M] (Agere Systems) [Auto | Running] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2007/05/15 17:08:40 | 00,053,248 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZIPM12.DLL -- (Pml Driver HPZ12)
SRV - [2007/03/05 05:40:00 | 00,065,585 | ---- | M] (IBM Corporation) [On_Demand | Stopped] -- C:\WINDOWS\cwbrxd.exe -- (Cwbrxd)
SRV - [2007/02/06 15:02:26 | 00,266,295 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (WPRO_40_1040) WinPcap Packet Driver (WPRO_40_1040)
DRV - [2009/08/31 20:07:00 | 00,343,664 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/08/31 20:07:00 | 00,091,672 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/08/31 20:07:00 | 00,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/08/31 20:07:00 | 00,065,448 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2009/08/31 20:07:00 | 00,063,728 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/08/31 20:07:00 | 00,043,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/01/23 01:27:22 | 00,023,552 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2008/11/21 20:53:40 | 01,204,128 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2008/11/17 15:23:16 | 03,636,864 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2008/10/15 10:58:34 | 00,171,144 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SWNC5E00.sys -- (SWNC5E00) Sierra Wireless MUX NDIS Driver (#00)
DRV - [2008/10/15 10:58:34 | 00,149,512 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swmx00.sys -- (swmx00) Sierra Wireless USB MUX Driver (#00)
DRV - [2008/10/15 10:58:34 | 00,024,840 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\swmsflt.sys -- (swmsflt)
DRV - [2008/10/15 10:58:26 | 00,222,720 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2008/10/15 10:58:18 | 00,038,680 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pctnullport.sys -- (Nmea)
DRV - [2008/10/15 10:56:10 | 00,032,408 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2008/07/23 11:31:38 | 00,044,800 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2008/05/20 04:00:00 | 00,023,584 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2008/04/28 15:22:10 | 00,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2008/04/13 23:23:10 | 00,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 21:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 21:06:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/08 17:27:04 | 00,012,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smsmdm.sys -- (smsmdd)
DRV - [2008/04/07 21:00:00 | 00,044,944 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/03/28 01:14:00 | 00,224,672 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/02/05 13:38:22 | 00,281,600 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2007/10/12 16:04:40 | 00,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2007/09/18 11:08:56 | 05,779,296 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/08/28 15:47:36 | 00,146,560 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atswpdrv.sys -- (ATSWPDRV) AuthenTec TruePrint USB Driver (SwipeSensor)
DRV - [2007/07/13 09:26:12 | 00,094,976 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (AEAudio)
DRV - [2007/07/12 16:35:02 | 00,305,176 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2007/06/18 17:12:04 | 00,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/02/27 09:21:00 | 00,160,256 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k) Broadcom NetLink ™
DRV - [2007/02/14 14:21:00 | 00,067,960 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2007/02/14 14:20:58 | 00,868,298 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2007/01/18 09:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RimSerial.sys -- (RimVSerPort)
DRV - [2006/10/17 10:59:06 | 00,022,016 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Accelerometer.sys -- (Accelerometer)
DRV - [2006/10/17 10:57:58 | 00,017,920 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\hpdskflt.sys -- (hpdskflt)
DRV - [2006/02/28 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2006/02/28 06:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1288954953-1049438514-3278356109-88507\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thedevrycommons.com
IE - HKU\S-1-5-21-1288954953-1049438514-3278356109-88507\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1288954953-1049438514-3278356109-88507\S-1-5-21-1288954953-1049438514-3278356109-88507\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/24 11:10:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/29 19:10:04 | 00,000,000 | ---D | M]

[2009/11/24 11:11:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\d01135352\Application Data\Mozilla\Extensions
[2009/11/24 11:11:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\d01135352\Application Data\Mozilla\Firefox\Profiles\zoispxv0.default\extensions
[2009/11/24 11:11:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\d01135352\Application Data\Mozilla\Firefox\Profiles\zoispxv0.default\extensions\staged-xpis
[2009/11/20 15:19:36 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/08/31 20:07:00 | 00,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2008/08/16 16:42:02 | 00,070,456 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CgpCore.dll
[2008/08/16 16:42:12 | 00,091,448 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\confmgr.dll
[2008/08/16 16:42:08 | 00,020,800 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ctxlogging.dll
[2008/05/21 07:41:08 | 00,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcm80.dll
[2008/05/21 07:41:08 | 00,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcp80.dll
[2008/05/21 07:41:08 | 00,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcr80.dll
[2008/08/16 16:44:46 | 00,427,312 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npicaN.dll
[2008/08/16 16:42:04 | 00,023,864 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\TcpPServ.dll

O1 HOSTS File: (1220 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-1288954953-1049438514-3278356109-88507\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Client Access Service] C:\Program Files\IBM\Client Access\cwbsvstr.exe (IBM Corporation)
O4 - HKLM..\Run: [Communicator] C:\Program Files\Microsoft Office Communicator\communicator.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe ( Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [Sprint SmartView] C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe (Sprint)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1288954953-1049438514-3278356109-88507..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\New Windows present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1288954953-1049438514-3278356109-88507\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1288954953-1049438514-3278356109-88507\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: devry.edu ([delta] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: devry.edu ([delta] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1288954953-1049438514-3278356109-88507\..Trusted Domains: devry.edu ([delta] http in Local intranet)
O15 - HKU\S-1-5-21-1288954953-1049438514-3278356109-88507\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall33.cab (HPVirtualRooms33 Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1234881195328 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1258738386403 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} Reg Error: Value error. (Oracle JInitiator 1.1.8.16)
O16 - DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://connect.devry.net/dana-cached/setup...perSetupSP1.cab (JuniperSetupControlXP Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.2.239.34 10.2.239.36
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dvuadmin.net
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/11 16:29:33 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/11 10:47:48 | 00,543,744 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\d01135352\Desktop\OTL.exe
[2010/01/11 10:46:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\d01135352\Desktop\detox
[2010/01/11 10:03:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\d01135352\My Documents\DC1 Move
[2010/01/11 10:02:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\d01135352\My Documents\Cascade
[2010/01/11 10:01:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\d01135352\My Documents\Websense
[2010/01/11 10:00:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\d01135352\My Documents\DELTA
[2010/01/08 18:03:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\d01135352\Application Data\Xerox
[2010/01/05 12:25:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\d01135352\Desktop\Blakroc
[2009/12/28 15:25:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\d01135352\My Documents\DeVry Templates
[2009/12/28 11:41:48 | 00,000,000 | ---D | C] -- C:\Program Files\Hijackthis
[2009/12/28 11:02:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\d01135352\Local Settings\Application Data\Threat Expert
[2009/12/28 10:58:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/12/23 14:51:16 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2009/12/22 19:07:02 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/12/22 19:07:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/12/21 18:32:15 | 00,195,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2009/12/21 17:03:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\d01135352\Application Data\Malwarebytes
[2009/12/21 17:03:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/21 11:40:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/12/21 11:35:42 | 00,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidserv.dll
[2009/12/17 13:11:06 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/12/17 12:50:49 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2009/12/16 13:13:05 | 00,241,721 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPBMINI.DLL
[2009/12/16 13:13:05 | 00,163,840 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPJCMN2U.DLL
[2009/12/16 13:13:05 | 00,094,208 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPJIPX1U.DLL
[2009/12/16 13:13:05 | 00,053,248 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZIPM12.DLL
[2009/12/16 13:13:05 | 00,049,152 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZIDR12.DLL
[2009/12/16 13:13:05 | 00,049,152 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPBNRAC2.DLL
[2009/12/16 13:13:05 | 00,043,520 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZINW12.DLL
[2009/12/16 13:13:05 | 00,039,424 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\HPBPRO.DLL
[2009/12/16 13:13:05 | 00,033,280 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZIPR12.DLL
[2009/12/16 13:13:05 | 00,029,696 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZIPT12.DLL
[2009/12/16 13:13:05 | 00,025,600 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\HPBOID.DLL
[2009/12/16 13:13:05 | 00,024,576 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\HPBMIAPI.DLL
[2009/12/16 13:13:05 | 00,020,480 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZISN12.DLL
[2009/12/16 13:13:05 | 00,007,680 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\HPBPROPS.DLL
[2009/12/16 13:13:05 | 00,007,680 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\HPBOIDPS.DLL
[2009/12/14 13:56:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\d01135352\Application Data\WinRAR
[2009/12/14 13:55:38 | 00,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2009/12/14 13:48:58 | 00,000,000 | R--D | C] -- C:\Documents and Settings\d01135352\My Documents\My Videos
[2009/12/14 13:48:53 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/12/14 13:31:23 | 00,000,000 | --SD | C] -- C:\Documents and Settings\d01135352\My Documents\My Shapes
[2009/06/12 11:33:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2009/02/11 16:38:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/02/11 16:34:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/11 10:49:32 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\d01135352\Desktop\38v5g57d.exe
[2010/01/11 10:47:56 | 00,543,744 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\d01135352\Desktop\OTL.exe
[2010/01/11 10:07:04 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/11 09:58:15 | 00,000,227 | ---- | M] () -- C:\Documents and Settings\d01135352\Desktop\Advanced Client Authentication.url
[2010/01/11 09:57:00 | 00,000,261 | ---- | M] () -- C:\Documents and Settings\d01135352\Desktop\Writing iRules.url
[2010/01/11 09:54:40 | 00,000,218 | ---- | M] () -- C:\Documents and Settings\d01135352\Desktop\Disabling nodes or pool members for maintenance.url
[2010/01/11 09:53:44 | 00,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/01/11 09:50:37 | 00,002,447 | ---- | M] () -- C:\Documents and Settings\d01135352\Desktop\Office Communicator.lnk
[2010/01/11 09:50:29 | 00,000,475 | ---- | M] () -- C:\WINDOWS\SMSCFG.ini
[2010/01/11 09:50:05 | 00,002,521 | ---- | M] () -- C:\Documents and Settings\d01135352\Desktop\Outlook.lnk
[2010/01/11 09:48:58 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/11 09:46:32 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/11 09:46:30 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/08 18:54:52 | 05,242,880 | -H-- | M] () -- C:\Documents and Settings\d01135352\NTUSER.DAT
[2010/01/08 18:54:48 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\d01135352\ntuser.ini
[2010/01/07 19:15:54 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\d01135352\Local Settings\Application Data\PUTTY.RND
[2010/01/07 19:09:13 | 02,382,045 | ---- | M] () -- C:\Documents and Settings\d01135352\My Documents\Configuration_Guide_for_BIG-IP_Local_Traffic_Management.pdf
[2010/01/07 13:30:49 | 00,036,747 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/01/07 11:09:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/04 16:39:46 | 00,036,352 | ---- | M] () -- C:\Documents and Settings\d01135352\My Documents\Unix nodes behind DC1 F5.xls
[2010/01/04 16:20:59 | 00,030,208 | ---- | M] () -- C:\Documents and Settings\d01135352\My Documents\DC1 F5 keepalive health monitors.xls
[2009/12/30 18:52:47 | 00,968,160 | ---- | M] () -- C:\Documents and Settings\d01135352\My Documents\F5 LTM Operator Access.docx
[2009/12/30 18:02:34 | 00,000,219 | ---- | M] () -- C:\Documents and Settings\d01135352\Desktop\Partitions to Control User Access.url
[2009/12/22 17:56:36 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\d01135352\Local Settings\Application Data\housecall.guid.cache
[2009/12/21 18:36:04 | 07,428,632 | -H-- | M] () -- C:\Documents and Settings\d01135352\Local Settings\Application Data\IconCache.db
[2009/12/21 17:05:42 | 00,000,203 | ---- | M] () -- C:\Documents and Settings\d01135352\Desktop\Access Policy Manager.url
[2009/12/21 13:47:02 | 00,029,184 | ---- | M] () -- C:\Documents and Settings\d01135352\My Documents\Luminis Portal DC2 Dev SSL TPS trend graph.xls
[2009/12/17 11:04:53 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/17 10:48:28 | 00,557,030 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/17 10:48:28 | 00,466,922 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/17 10:48:28 | 00,079,878 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/15 18:33:12 | 00,000,174 | ---- | M] () -- C:\Documents and Settings\d01135352\Desktop\Offloading Remote Authentication for Servers.url
[2009/12/14 17:56:23 | 00,301,568 | ---- | M] () -- C:\Documents and Settings\d01135352\Desktop\login.devry.edu.vsd
[2009/12/14 17:44:34 | 00,172,032 | ---- | M] () -- C:\Documents and Settings\d01135352\Desktop\gtwy.devry.edu.vsd
[2009/12/14 17:43:51 | 01,524,736 | ---- | M] () -- C:\Documents and Settings\d01135352\Desktop\my.devry.edu.vsd
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/11 10:49:28 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\d01135352\Desktop\38v5g57d.exe
[2010/01/07 19:09:05 | 02,382,045 | ---- | C] () -- C:\Documents and Settings\d01135352\My Documents\Configuration_Guide_for_BIG-IP_Local_Traffic_Management.pdf
[2010/01/07 18:40:04 | 00,000,261 | ---- | C] () -- C:\Documents and Settings\d01135352\Desktop\Writing iRules.url
[2010/01/04 14:52:57 | 00,030,208 | ---- | C] () -- C:\Documents and Settings\d01135352\My Documents\DC1 F5 keepalive health monitors.xls
[2010/01/04 13:44:11 | 00,036,352 | ---- | C] () -- C:\Documents and Settings\d01135352\My Documents\Unix nodes behind DC1 F5.xls
[2009/12/30 18:02:27 | 00,000,218 | ---- | C] () -- C:\Documents and Settings\d01135352\Desktop\Disabling nodes or pool members for maintenance.url
[2009/12/28 19:57:23 | 00,968,160 | ---- | C] () -- C:\Documents and Settings\d01135352\My Documents\F5 LTM Operator Access.docx
[2009/12/22 17:56:36 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\d01135352\Local Settings\Application Data\housecall.guid.cache
[2009/12/21 17:05:42 | 00,000,203 | ---- | C] () -- C:\Documents and Settings\d01135352\Desktop\Access Policy Manager.url
[2009/12/21 17:05:37 | 00,000,219 | ---- | C] () -- C:\Documents and Settings\d01135352\Desktop\Partitions to Control User Access.url
[2009/12/21 13:06:52 | 00,029,184 | ---- | C] () -- C:\Documents and Settings\d01135352\My Documents\Luminis Portal DC2 Dev SSL TPS trend graph.xls
[2009/12/17 12:53:54 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/12/16 13:16:45 | 00,048,586 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\xpif-v02030a.dtd
[2009/12/16 13:13:05 | 00,018,747 | ---- | C] () -- C:\WINDOWS\System32\HPCEAC06.HPI
[2009/12/15 18:33:12 | 00,000,174 | ---- | C] () -- C:\Documents and Settings\d01135352\Desktop\Offloading Remote Authentication for Servers.url
[2009/12/15 18:33:07 | 00,000,227 | ---- | C] () -- C:\Documents and Settings\d01135352\Desktop\Advanced Client Authentication.url
[2009/12/14 17:56:22 | 00,301,568 | ---- | C] () -- C:\Documents and Settings\d01135352\Desktop\login.devry.edu.vsd
[2009/12/14 17:44:34 | 00,172,032 | ---- | C] () -- C:\Documents and Settings\d01135352\Desktop\gtwy.devry.edu.vsd
[2009/12/14 17:43:48 | 01,524,736 | ---- | C] () -- C:\Documents and Settings\d01135352\Desktop\my.devry.edu.vsd
[2009/11/28 15:02:00 | 00,000,600 | ---- | C] () -- C:\Documents and Settings\d01135352\Local Settings\Application Data\PUTTY.RND
[2009/11/23 12:26:46 | 00,000,600 | ---- | C] () -- C:\Documents and Settings\d01135352\Application Data\winscp.rnd
[2009/11/19 13:08:15 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\d01135352\Local Settings\Application Data\QSwitch.txt
[2009/11/19 13:08:15 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\d01135352\Local Settings\Application Data\DSwitch.txt
[2009/11/19 13:08:15 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\d01135352\Local Settings\Application Data\AtStart.txt
[2009/11/19 11:22:29 | 00,004,764 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/02/17 14:39:39 | 00,000,475 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2009/02/17 14:07:04 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\cwbad.dll
[2009/02/17 14:07:03 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\cwbrw.dll
[2009/02/17 14:07:03 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\cwbsv.dll
[2009/02/17 14:07:03 | 00,020,529 | ---- | C] () -- C:\WINDOWS\System32\cwbwiz.dll
[2009/02/17 14:07:03 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbsy.dll
[2009/02/17 14:07:03 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbnl.dll
[2009/02/17 14:07:03 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbco.dll
[2009/02/17 14:07:03 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\cwbnldlg.dll
[2009/02/16 16:35:32 | 00,000,000 | ---- | C] () -- C:\WINDOWS\stnote32.INI
[2009/02/16 16:33:44 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2009/02/16 16:31:46 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2009/02/16 16:31:42 | 00,051,712 | ---- | C] () -- C:\WINDOWS\System32\JinPanel.dll
[2009/02/12 12:47:41 | 00,000,162 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/12 12:20:47 | 00,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2009/02/12 11:45:08 | 01,174,000 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2009/02/12 11:45:08 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4873.dll
[2009/02/12 11:45:08 | 00,104,636 | ---- | C] () -- C:\WINDOWS\System32\igmedcompkrn.dll
[2008/10/15 10:58:34 | 00,024,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\swmsflt.sys
[2008/10/10 08:57:26 | 00,003,584 | ---- | C] () -- C:\WINDOWS\System32\wceprv.dll
[2007/09/27 10:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/02/06 15:20:00 | 02,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007/02/06 14:55:52 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/02/17 11:41:32 | 00,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 11:41:30 | 00,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 12:56:00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


OTL Extras logfile created on: 1/11/2010 10:48:56 AM - Run 1
OTL by OldTimer - Version 3.1.23.0 Folder = C:\Documents and Settings\d01135352\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 43.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 95.53 Gb Free Space | 85.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OBTLTCNU7402PQF
Current User Name: d01135352
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\Program Files\Microsoft Office Communicator\communicator.exe" = C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Microsoft Office Communicator 2007 -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe" = C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007 -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Cisco Systems\CTIOS Client\CTIOS Desktop Phones\CTIOSSoftphone.exe" = C:\Program Files\Cisco Systems\CTIOS Client\CTIOS Desktop Phones\CTIOSSoftphone.exe:*:Enabled:CTIOS Agent Desktop -- (Cisco, Inc.)
"C:\Program Files\Cisco Systems\CTIOS Client\CTIOS Desktop Phones\SupervisorSoftphone.exe" = C:\Program Files\Cisco Systems\CTIOS Client\CTIOS Desktop Phones\SupervisorSoftphone.exe:*:Enabled:CTIOS Supervisor Desktop -- (Cisco, Inc.)
"C:\CiscoSystems\CTIOS\SilentMonitor\Bin\SilentMonitorService.exe" = C:\CiscoSystems\CTIOS\SilentMonitor\Bin\SilentMonitorService.exe:*:Enabled:CTIOS Silent Monitor -- ()
"C:\Program Files\Microsoft Office Communicator\communicator.exe" = C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Microsoft Office Communicator 2007 -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe" = C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007 -- (Microsoft Corporation)
"C:\Program Files\Sprint\Sprint SmartView\SwiApiMux.exe" = C:\Program Files\Sprint\Sprint SmartView\SwiApiMux.exe:*:Enabled:SwiApiMux -- (Sierra Wireless, Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{0FFD55FA-40CE-4B7F-9001-A06930C63FA2}" = Sprint SmartView
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{1B3C42AD-F3E5-4511-9ED7-AC7910106AF1}" = Cisco CTIOS Silent Monitor
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{24BBF857-FDB0-42A9-9E9E-2BEF3DD62C81}" = Cisco CTIOS Security 7.0 Uninstall
"{2515BF88-E42E-4AFA-A8E7-DF272762589B}" = Microsoft Office Live Meeting 2007
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 17
"{28F51520-8583-4840-9549-7BB9E6853A33}" = ProSAM Solution Suite
"{30A2A953-DEB1-466A-B660-F4399C7C6B9D}" = Roxio MyDVD
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 H2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{388C130B-0079-46B4-A0D5-DC2DD7A89A7B}" = Citrix XenApp Plugin for Hosted Apps
"{429E92A4-159F-4AEC-85A1-D693E1E4274D}" = HP 3D DriveGuard
"{537BF16E-7412-448C-95D8-846E85A1D817}" = Roxio Creator Business
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7148F0A8-6813-11D6-A77B-00B0D0142120}" = Java 2 Runtime Environment, SE v1.4.2_12
"{721ABC3B-5F12-4332-9C0C-C11424EF666C}" = WIMGAPI
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7F362F06-A9A3-440F-8B19-6A01A72723C4}" = AuthenTec Fingerprint Sensor Minimum Install
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = HP Integrated Module with Bluetooth wireless technology
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{898B8B49-C90A-42F4-A4A4-B7495BE63D54}" =
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PRJSTD_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_VISPRO_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PRJSTD_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_VISPRO_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PRJSTD_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_VISPRO_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-003A-0000-0000-0000000FF1CE}" = Microsoft Office Project Standard 2007
"{90120000-003A-0000-0000-0000000FF1CE}_PRJSTD_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-003A-0000-0000-0000000FF1CE}_PRJSTD_{9E73617F-2F38-4864-BD61-BB2DDFE43323}" = Microsoft Office Project 2007 Service Pack 2 (SP2)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007
"{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{0FD405D3-CAF8-4CA6-8BFD-911D2F8A6585}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2007
"{90120000-0054-0409-0000-0000000FF1CE}_VISPRO_{519D9F45-CBF4-4E57-B419-11F196CCA8AE}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PRJSTD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_VISPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-00B4-0409-0000-0000000FF1CE}" = Microsoft Office Project MUI (English) 2007
"{90120000-00B4-0409-0000-0000000FF1CE}_PRJSTD_{27A9D316-D332-433B-8EB1-1D93EE49F26D}" = Microsoft Office Project 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PRJSTD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_VISPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{93A2E63B-3B57-4B81-8362-BF07C0BFD00E}" = ImageNow Desktop Client
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A6F0720-739C-408B-966F-93091631A918}" =
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AEBD6B38-A1C4-4D1B-9116-0A68F3F7C4E0}" = ProSAM Solution Suite
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B639A4DE-A375-47D3-89C3-DDCF98D992F7}" = McAfee Agent
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C320135A-98C5-485A-AB29-9EC92537537F}" = ProSAM Solution Suite
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE6A85D8-D6B9-479A-9FE9-A06E56881E61}" = Configuration Manager Client
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}" = Broadcom NetXtreme Ethernet Controller
"{D675A0CF-0371-40A5-955B-0D60147512C1}" = Cisco CTI Toolkit Desktop Client 7.0.0 Uninstall
"{DBBE5C26-72B7-4E01-950D-86BDE35918ED}" = Embedded Security for HP ProtectTools Driver
"{E5BA0430-919F-46DD-B656-0796F8A5ADFF}" = Microsoft Office Communicator 2007
"{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator Business v10
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"ClientAccessExpress" = IBM iSeries Access for Windows
"ClientAccessExpressSP" = IBM iSeries Access for Windows SI26879
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CTIOS_7_2_7_0_0_0_17_product" = Cisco CTIOS Maintenance Release CTIOS7.2(7)
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"Hijackthis_is1" = Hijackthis 1.99.1
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ImageNow 5.42 Client" = ImageNow 5.42 Client
"Juniper Network Connect 6.3.0" = Juniper Networks Network Connect 6.3.0
"McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.6)" = Mozilla Firefox (3.0.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Oracle JInitiator 1.1.8.16" = Oracle JInitiator 1.1.8.16
"Pidgin" = Pidgin
"PRJSTD" = Microsoft Office Project Standard 2007
"PROPLUS" = Microsoft Office Professional Plus 2007
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VISPRO" = Microsoft Office Visio Professional 2007
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"winscp3_is1" = WinSCP 4.1.9
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1288954953-1049438514-3278356109-88507\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/7/2010 11:55:59 AM | Computer Name = OBTLTCNU7402PQF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/7/2010 4:04:25 PM | Computer Name = OBTLTCNU7402PQF | Source = Communicator | ID = 15728647
Description = Communicator failed to connect to server ocs._tcp.devry.com (10.154.210.79)
on port 5061 due to error 10060. The server is not listening on the port in question,
the service is not running on this machine, the service is not responsive, or network
connectivity doesn't exist. Resolution: Please make sure that your workstation has
network connectivity. If you are using manual configuration, please double-check
the configuration. The network administrator should make sure that the service
is running on port 5061 on server ocs._tcp.devry.com (10.154.210.79).

Error - 1/7/2010 4:04:27 PM | Computer Name = OBTLTCNU7402PQF | Source = Communicator | ID = 15728647
Description = Communicator failed to connect to server ocs._tcp.devry.com (10.154.210.79)
on port 5061 due to error 10060. The server is not listening on the port in question,
the service is not running on this machine, the service is not responsive, or network
connectivity doesn't exist. Resolution: Please make sure that your workstation has
network connectivity. If you are using manual configuration, please double-check
the configuration. The network administrator should make sure that the service
is running on port 5061 on server ocs._tcp.devry.com (10.154.210.79).

Error - 1/7/2010 4:05:18 PM | Computer Name = OBTLTCNU7402PQF | Source = Communicator | ID = 15728647
Description = Communicator failed to connect to server ocs._tcp.devry.com (10.154.210.79)
on port 5061 due to error 10060. The server is not listening on the port in question,
the service is not running on this machine, the service is not responsive, or network
connectivity doesn't exist. Resolution: Please make sure that your workstation has
network connectivity. If you are using manual configuration, please double-check
the configuration. The network administrator should make sure that the service
is running on port 5061 on server ocs._tcp.devry.com (10.154.210.79).

Error - 1/7/2010 4:06:00 PM | Computer Name = OBTLTCNU7402PQF | Source = Communicator | ID = 15728647
Description = Communicator failed to connect to server sip.devry.com (206.209.110.181)
on port 443 due to error 10060. The server is not listening on the port in question,
the service is not running on this machine, the service is not responsive, or network
connectivity doesn't exist. Resolution: Please make sure that your workstation has
network connectivity. If you are using manual configuration, please double-check
the configuration. The network administrator should make sure that the service
is running on port 443 on server sip.devry.com (206.209.110.181).

Error - 1/7/2010 4:07:02 PM | Computer Name = OBTLTCNU7402PQF | Source = Communicator | ID = 15728643
Description = Communicator was unable to resolve the DNS hostname of the login server
sipinternal.devry.com. Resolution: If you are using manual configuration for Communicator,
please check that the server name is typed correctly and in full. If you are using
automatic configuration, the network administrator will need to double-check the
DNS A record configuration for sipinternal.devry.com because it could not be resolved.

Error - 1/7/2010 4:07:02 PM | Computer Name = OBTLTCNU7402PQF | Source = Communicator | ID = 15728643
Description = Communicator was unable to resolve the DNS hostname of the login server
sipinternal.devry.com. Resolution: If you are using manual configuration for Communicator,
please check that the server name is typed correctly and in full. If you are using
automatic configuration, the network administrator will need to double-check the
DNS A record configuration for sipinternal.devry.com because it could not be resolved.

Error - 1/7/2010 9:16:33 PM | Computer Name = OBTLTCNU7402PQF | Source = McLogEvent | ID = 5059
Description = Exception in ShStat.Exe Exception details follow : Crash address 0x7c801804
Code
0xc0000005 Flags 0x00000000 2 Parameters : 0x00000001 0x00000238 Thread = MainWindow


Error - 1/8/2010 12:37:04 PM | Computer Name = OBTLTCNU7402PQF | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 1/8/2010 8:54:29 PM | Computer Name = OBTLTCNU7402PQF | Source = McLogEvent | ID = 5059
Description = Exception in ShStat.Exe Exception details follow : Crash address 0x7c801804
Code
0xc0000005 Flags 0x00000000 2 Parameters : 0x00000001 0x00000238 Thread = MainWindow


[ System Events ]
Error - 1/7/2010 2:46:50 PM | Computer Name = OBTLTCNU7402PQF | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 1/7/2010 4:07:08 PM | Computer Name = OBTLTCNU7402PQF | Source = Dhcp | ID = 1002
Description = The IP address lease 10.254.6.140 for the Network Card with network
address 001A4B7037D0 has been denied by the DHCP server 10.254.6.8 (The DHCP Server
sent a DHCPNACK message).

Error - 1/8/2010 12:37:04 PM | Computer Name = OBTLTCNU7402PQF | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain DVUADMIN due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 1/8/2010 12:37:10 PM | Computer Name = OBTLTCNU7402PQF | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 1/8/2010 12:41:14 PM | Computer Name = OBTLTCNU7402PQF | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 1/8/2010 12:50:05 PM | Computer Name = OBTLTCNU7402PQF | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 1/8/2010 7:49:11 PM | Computer Name = OBTLTCNU7402PQF | Source = Print | ID = 22
Description = Failed to ugrade printer settings for printer \\obt-w-prtsvr1p\OBT-PRT-10.2.3.127,LocalOnly
driver C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\UNIDRVUI.DLL error 5.

Error - 1/8/2010 7:49:11 PM | Computer Name = OBTLTCNU7402PQF | Source = Print | ID = 22
Description = Failed to ugrade printer settings for printer \\obt-w-prtsvr1p\OBT-PRT-10.2.3.122,LocalOnly
driver C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\UNIDRVUI.DLL error 5.

Error - 1/11/2010 11:49:07 AM | Computer Name = OBTLTCNU7402PQF | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 1/11/2010 11:50:51 AM | Computer Name = OBTLTCNU7402PQF | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.


< End of report >

#6 batou

batou
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:14 PM

Posted 11 January 2010 - 01:50 PM

Sorry myrti....I tried to run GMER twice....once with network connection disabled and all programs closed, as well as a 2nd time in safe mode...and both times it blue-screened my computer....

Hopefully the rootrepeal, hijackthis, DDS, and OTL are enough to make some progress on this...

Edited by batou, 11 January 2010 - 01:50 PM.


#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:14 PM

Posted 11 January 2010 - 04:26 PM

Hi,

please try to run mbr instead of gmer, it's a real quick application and should run without trouble:

Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 batou

batou
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:14 PM

Posted 11 January 2010 - 05:25 PM

Here's the mbr log....


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:14 PM

Posted 11 January 2010 - 05:32 PM

Hi,

that did not work as expected. Have you run the mbr.exe after entering the command? Could you please try again?

regards myrti



#10 batou

batou
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:14 PM

Posted 11 January 2010 - 05:39 PM

is this better?

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys iaStor.sys >>UNKNOWN [0x89D5F8C6]<<
kernel: MBR read successfully
user & kernel MBR OK
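
A small triage script for the two mbr.exe logs posted above, added here as an example; it is not GMER's code and it only assumes the log shape visible in this thread. The first run carries no "called modules:" line, so it only proves the on-disk MBR reads the same from user mode and kernel mode. The second run also prints the driver chain GMER walked to reach the disk, and the ">>UNKNOWN [0x...]<<" entry at the end of it is code in the disk I/O path that GMER could not map to any loaded driver, which is what the helper reads as the rootkit. The script goes slightly beyond the thread by also flagging a log that lacks the "user & kernel MBR OK" line; both sample logs are constructed from batou's output.

```python
"""Triage helper for mbr.exe (GMER Stealth MBR rootkit detector) logs.

Added example for this thread, not GMER's code. It assumes only the log
layout visible in the posts above; the sample logs are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the first run, which has no driver-chain line.
FIRST_RUN_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

# Constructed sample: the second run, with the "called modules:" chain.
SECOND_RUN_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys iaStor.sys >>UNKNOWN [0x89D5F8C6]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

# Matches an entry GMER could not attribute to a loaded module, capturing its address.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
OK_LINE = "user & kernel MBR OK"


@dataclass
class MbrVerdict:
    mbr_ok: bool                  # the "user & kernel MBR OK" line was present
    called_modules: List[str]     # named drivers in the disk I/O chain
    unknown_addresses: List[str]  # chain entries with no owning module
    reasons: List[str]            # human-readable findings, empty when clean

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_mbr_log(text: str) -> MbrVerdict:
    """Classify one mbr.exe log as clean or worth escalating."""
    lines = text.splitlines()
    mbr_ok = any(line.strip() == OK_LINE for line in lines)
    called: List[str] = []
    unknown: List[str] = []
    for line in lines:
        if line.startswith("called modules:"):
            chain = line[len("called modules:"):]
            unknown.extend(UNKNOWN_RE.findall(chain))
            # Drop the UNKNOWN markers so only real module names remain.
            called.extend(UNKNOWN_RE.sub(" ", chain).split())

    reasons: List[str] = []
    if not mbr_ok:
        reasons.append(f"missing '{OK_LINE}' line: the MBR itself may be modified")
    for addr in unknown:
        reasons.append(
            f"disk I/O chain contains code at {addr} that belongs to no loaded driver"
        )
    return MbrVerdict(mbr_ok, called, unknown, reasons)


if __name__ == "__main__":
    for name, log in (("first run", FIRST_RUN_LOG), ("second run", SECOND_RUN_LOG)):
        verdict = parse_mbr_log(log)
        print(f"{name}: {'SUSPICIOUS' if verdict.suspicious else 'clean'}")
        for reason in verdict.reasons:
            print("  -", reason)
```

Note that a clean "user & kernel MBR OK" line on its own is not enough to clear a machine: the second log here still says the MBR is fine, and the finding lives entirely in the chain of drivers between the filesystem and the disk.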

#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:14 PM

Posted 11 January 2010 - 06:12 PM

Hi,

that was the log I was looking for, yes. :(

Sadly it shows the rootkit I feared to be present. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to clean your PC please run ComboFix and post the log in your next reply:
Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#12 batou

batou
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:14 PM

Posted 11 January 2010 - 06:36 PM

Thanks for the reply myrti. I would like to proceed with cleaning the computer, please.

The good news is that I haven't done anything relating to financial information, personal information, highly secure information, etc. since the original search engine hijacking was identified. The laptop was pretty much new only days before I contracted this issue, and shortly thereafter the machine has been locked down and all real time protection has been enabled. The main usage for the laptop has been research and development...which means lots of web surfing and ms office usage, but not much else.

I am about to go offline for the day, but will post the information you are requesting from ComboFix tomorrow morning. Thanks again, in advance, for all your help!

#13 batou

batou
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:14 PM

Posted 13 January 2010 - 05:21 PM

sorry for the delay. will have an updated response tonight. was having some issues disabling my real-time scanning because it is locked down by a group policy.



