Infected with Firefox and IE search redirect virus


  • This topic is locked
36 replies to this topic

#1 davidbj

  • Members
  • 18 posts

Posted 07 January 2010 - 09:34 PM

My computer is plagued with the same (or similar) redirect problem I have seen posted by many others - I get redirected to bogus web sites most times when clicking in Google (or Bing). This happens in both Firefox and IE. Did not seem to happen when running Firefox in safe mode. I have tried several different malware scanning programs, some of which have found and removed problems, but this redirect problem is never really fixed for long (if at all).

Thanks in advance for your help!!!

Here are the requested dumps:


DDS (Ver_09-12-01.01) - NTFSx86
Run by MGI0560 at 19:04:47.09 on Thu 01/07/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1206 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\CCM\Cache\00N0013B.40.System\ScanWrapper.exe
C:\WINDOWS\system32\VPCache\00N0013B\SmsWusHandler.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\program files\yahoo!\yahoo! desktop search\YDSsystray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
C:\Program Files\Symantec\LiveUpdate\luall.exe
D:\Profiles\MGI0560\Desktop\dds.scr
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?.home=yds
uWindow Title = Microsoft Internet Explorer provided by Motorola
uSearch Bar = hxxp://compass.mot.com
mDefault_Page_URL = hxxp://www.yahoo.com/?.home=yds
uInternet Connection Wizard,ShellNext = hxxp://my.mot.com/
uInternet Settings,ProxyServer = wwwgate0.mot.com:1080
uInternet Settings,ProxyOverride = *.mot.com;help-motorola.amer.csc.com;ShSh-Nxs01.amer.csc.com;access.motorola.com;<local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe" /background
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CSCAdvantage] "c:\program files\help desk\CSCAdv.exe" /s
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [CSCLogonInfo] c:\windows\UsrLogon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Igoxux] rundll32.exe "c:\windows\iricuraqilaq.dll",Startup
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
StartupFolder: d:\profiles\mgi0560\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\yahoo! desktop search\YahooDesktopSearch.exe
StartupFolder: d:\profiles\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: GreyMSIAds = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
dPolicies-explorer: NoWindowsUpdate = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9A04E3F0-3BB2-11D2-91E2-00C04FAEC46B} - hxxp://meet-amer.mot.com/ConferencingBin/xcliacc.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.motorola.com/dana-cached/sc/JuniperSetupClient.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {0EEB34F6-991D-4a1b-8EEB-772DA0EADB22} - "c:\program files\microsoft office communicator\MotIM-default.EXE" /s
mASetup: {BAFC1927-A731-4c34-829B-47EE05ADD199} - "c:\windows\regedit.exe" /s "c:\windows\mot-wmp9.reg"
mASetup: {C10BF3A1-3FEC-4a94-AAAF-9D6A4B522F63} - "c:\program files\winzip\wzusr90.exe" /NOICON /NOTRAY
mASetup: {C2DA1CDC-EF9D-4B7C-91F8-710B17AD44A7} - c:\program files\microsoft office\live meeting 8\console\LM_StandaloneConsole_2007.exe /q
mASetup: >{Z99999999-999-9999-9999-MOT-2K3} - c:\windows\2k3_USR.EXE

================= FIREFOX ===================

FF - ProfilePath - d:\profiles\mgi0560\applic~1\mozilla\firefox\profiles\mvmoqz8g.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.mot.com/portal/site/imoto/|http://my.yahoo.com/|http://calendar.yahoo.com/mezzoelise|http://us.mg1.mail.yahoo.com/dc/launch?.gx=1&.rand=689ndoduoffj3
FF - prefs.js: network.proxy.ftp - wwwgate0.mot.com
FF - prefs.js: network.proxy.ftp_port - 1080
FF - prefs.js: network.proxy.gopher - wwwgate0.mot.com
FF - prefs.js: network.proxy.gopher_port - 1080
FF - prefs.js: network.proxy.http - wwwgate0.mot.com
FF - prefs.js: network.proxy.http_port - 1080
FF - prefs.js: network.proxy.socks - wwwgate0.mot.com
FF - prefs.js: network.proxy.socks_port - 1080
FF - prefs.js: network.proxy.ssl - wwwgate0.mot.com
FF - prefs.js: network.proxy.ssl_port - 1080
FF - prefs.js: network.proxy.type - 1
FF - plugin: d:\profiles\mgi0560\application data\mozilla\firefox\profiles\mvmoqz8g.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: XULRunner: {6EA2D184-A0B2-4098-9A76-E0E6420E79FC} - d:\profiles\mgi0560\local settings\application data\{6ea2d184-a0b2-4098-9a76-e0e6420e79fc}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-12-15 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-12-15 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-12-15 2436536]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-10-28 193840]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2009-10-28 9049]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-28 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2009-6-26 44800]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091231.118\NAVENG.SYS [2010-1-7 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091231.118\NAVEX15.SYS [2010-1-7 1323568]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2009-10-28 47616]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2009-10-28 115008]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-11-22 16512]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-12-15 23888]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\motorola mvp\Extranet_serv.exe [2009-10-28 626688]

=============== Created Last 30 ================

2010-01-06 21:57:35 0 d-----w- d:\profiles\mgi0560\applic~1\Malwarebytes
2010-01-06 21:57:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-06 21:57:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 21:57:27 0 d-----w- d:\profiles\alluse~1\applic~1\Malwarebytes
2010-01-06 21:57:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 21:44:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-06 21:37:52 0 d-----w- c:\temp\javara
2010-01-06 17:01:12 0 d-----w- C:\monterrey
2010-01-05 21:08:24 0 d-----w- c:\windows\SxsCaPendDel
2010-01-04 15:08:57 262144 ----a-w- C:\ntuser.dat
2009-12-30 13:18:04 0 d-----w- C:\spoolerlogs
2009-12-29 17:55:38 120 ----a-w- c:\windows\Ubulabadeb.dat
2009-12-29 17:55:38 0 ----a-w- c:\windows\Ebugihajilesoq.bin
2009-12-28 16:11:03 0 d-----w- c:\program files\Lame for Audacity
2009-12-28 15:41:17 0 d-----w- c:\program files\Audacity
2009-12-23 21:25:01 0 d-----w- C:\Perl
2009-12-10 22:13:19 0 d-----w- c:\program files\Amazon

==================== Find3M ====================

2010-01-07 17:19:09 328728 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-23 14:46:13 5640880 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-10-28 16:24:17 87328 ----a-w- c:\windows\system32\bcmwlcoi.dll

============= FINISH: 19:10:24.10 ===============


#2 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 14 January 2010 - 02:56 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:14 PM

Posted 19 January 2010 - 01:16 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti



#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:14 PM

Posted 20 January 2010 - 04:06 PM

Hi,

topic reopened, please post your logs.

regards myrti



#5 davidbj

  • Topic Starter
  • Members
  • 18 posts

Posted 20 January 2010 - 10:23 PM

Hi myrti,
Thanks for re-opening this posting!

I am still having the problem - unwanted redirects from Google searches, taking me to various semi-related web sites, usually some low rent search engine. I have tried various malware scanning programs (Malwarebytes and SuperAntiSpyware), and they periodically find something and attempt to clear it out. But the redirect problem keeps recurring.

Thanks again, and here are the requested scans.
OTL logfile created on: 1/20/2010 10:15:59 PM - Run 1
OTL by OldTimer - Version 3.1.25.3 Folder = D:\Profiles\MGI0560\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 44.72 Gb Total Space | 29.49 Gb Free Space | 65.95% Space Free | Partition Type: NTFS
Drive D: | 104.33 Gb Total Space | 53.66 Gb Free Space | 51.44% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MGI0560-03
Current User Name: MGI0560
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/20 22:14:42 | 00,546,816 | ---- | M] (OldTimer Tools) -- D:\Profiles\MGI0560\Desktop\OTL.exe
PRC - [2010/01/06 16:44:26 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/12/22 12:41:29 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/28 20:12:32 | 00,331,264 | ---- | M] () -- C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
PRC - [2009/10/28 20:12:28 | 00,092,672 | ---- | M] () -- c:\Program Files\Yahoo!\Yahoo! Desktop Search\textExtractor.exe
PRC - [2009/03/11 12:10:44 | 00,611,624 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
PRC - [2009/02/03 08:15:18 | 00,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/12/15 21:21:54 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2008/12/15 21:21:52 | 01,787,200 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2008/12/15 21:21:52 | 01,439,040 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2008/12/15 21:21:52 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2008/12/15 21:21:50 | 02,436,536 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2008/07/28 16:38:01 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/07/17 14:11:28 | 00,150,040 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2008/07/17 14:11:26 | 00,256,536 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2008/07/17 14:11:22 | 00,141,848 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2008/07/17 14:11:08 | 00,170,520 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2008/06/03 16:40:08 | 00,177,456 | ---- | M] ( Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
PRC - [2008/05/01 16:25:56 | 00,165,192 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
PRC - [2008/04/03 11:33:26 | 00,193,840 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
PRC - [2007/10/02 13:15:22 | 10,687,032 | ---- | M] () -- C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe
PRC - [2007/05/30 22:38:14 | 00,241,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
PRC - [2007/04/13 01:50:00 | 00,590,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2007/02/06 15:14:00 | 00,561,213 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2007/02/06 15:11:50 | 01,409,108 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2007/02/06 15:02:26 | 00,266,295 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PRC - [2007/02/01 17:31:44 | 03,900,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office Communicator\communicator.exe
PRC - [2007/01/24 14:28:58 | 00,124,928 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\accelerometerST.exe
PRC - [2007/01/12 14:36:40 | 00,827,392 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2007/01/09 15:52:32 | 00,145,184 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
PRC - [2007/01/05 17:36:48 | 00,872,448 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2007/01/04 19:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/10/30 09:00:00 | 01,116,920 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe


========== Modules (SafeList) ==========

MOD - [2010/01/20 22:14:42 | 00,546,816 | ---- | M] (OldTimer Tools) -- D:\Profiles\MGI0560\Desktop\OTL.exe
MOD - [2007/02/06 15:19:44 | 00,077,824 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll
MOD - [2007/02/06 15:16:06 | 00,053,248 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/06 16:44:26 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/12/17 16:37:52 | 00,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/10/20 13:19:48 | 00,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009/03/11 12:10:44 | 00,611,624 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2008/12/15 21:21:54 | 00,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2008/12/15 21:21:54 | 00,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2008/12/15 21:21:52 | 01,787,200 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2008/12/15 21:21:52 | 00,312,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2008/12/15 21:21:50 | 02,436,536 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2008/11/09 15:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/07/28 16:38:01 | 00,033,280 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\snmp.exe -- (SNMP)
SRV - [2008/06/30 15:36:35 | 03,093,872 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/05/01 16:25:56 | 00,165,192 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Running] -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex)
SRV - [2008/04/14 04:41:56 | 00,028,160 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\irmon.dll -- (Irmon)
SRV - [2008/04/03 11:33:26 | 00,193,840 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Running] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe -- (Com4QLBEx)
SRV - [2007/05/30 22:38:14 | 00,241,664 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe -- (Wuser32)
SRV - [2007/04/13 01:50:00 | 00,590,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2007/02/06 15:02:26 | 00,266,295 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2007/01/04 19:48:52 | 00,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/11/06 13:31:14 | 00,887,544 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9)
SRV - [2006/11/01 11:17:32 | 00,073,728 | R--- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2002/10/11 15:39:18 | 00,626,688 | ---- | M] (Nortel Networks NA, Inc.) [On_Demand | Stopped] -- C:\Program Files\Motorola MVP\Extranet_serv.exe -- (ExtranetAccess)


========== Driver Services (SafeList) ==========

DRV - [2010/01/17 22:34:18 | 00,328,728 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iastor)
DRV - [2010/01/05 07:56:06 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/01/05 07:56:04 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/05 07:56:02 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/10/30 20:34:11 | 00,034,528 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Pcouffin.sys -- (Pcouffin)
DRV - [2009/10/28 11:24:17 | 01,265,536 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2009/10/20 13:19:44 | 00,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/10/19 07:15:04 | 01,323,568 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100119.008\NAVEX15.SYS -- (NAVEX15)
DRV - [2009/10/19 07:15:04 | 00,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/10/19 07:15:04 | 00,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/10/19 07:15:04 | 00,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100119.008\NAVENG.SYS -- (NAVENG)
DRV - [2009/06/26 10:07:10 | 00,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/04/20 22:12:14 | 00,149,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WpsHelper.sys -- (WpsHelper)
DRV - [2009/03/11 11:57:22 | 00,023,552 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2009/02/09 13:28:51 | 00,242,320 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2008/12/15 21:21:54 | 00,317,872 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2008/12/15 21:21:54 | 00,279,600 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2008/12/15 21:21:54 | 00,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2008/12/15 21:21:54 | 00,041,792 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\WPSDRVnt.sys -- (WPS)
DRV - [2008/12/15 21:21:52 | 00,091,968 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys -- (SysPlant)
DRV - [2008/12/15 21:21:52 | 00,049,536 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Teefer2.sys -- (Teefer2)
DRV - [2008/12/15 21:21:48 | 00,420,400 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2008/12/15 21:21:48 | 00,191,536 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2008/12/15 21:21:48 | 00,027,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2008/07/30 16:42:12 | 00,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COH_Mon.sys -- (COH_Mon)
DRV - [2008/07/28 16:38:01 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/07/28 16:38:01 | 00,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/07/28 16:38:01 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/07/28 16:38:01 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2008/07/23 10:31:38 | 00,044,800 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2008/06/27 08:46:48 | 06,023,072 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/04/28 15:22:10 | 00,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2008/04/13 23:06:40 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 23:06:40 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2007/08/28 15:47:36 | 00,146,560 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atswpdrv.sys -- (ATSWPDRV) AuthenTec TruePrint USB Driver (SwipeSensor)
DRV - [2007/06/18 17:12:04 | 00,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/05/30 22:38:08 | 00,011,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\kbstuff5.sys -- (kbstuff)
DRV - [2007/05/30 22:38:08 | 00,008,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\idisw2km.sys -- (idisw2km)
DRV - [2007/04/26 17:23:44 | 00,988,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2007/04/26 17:23:06 | 00,210,816 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2007/04/26 17:23:04 | 00,731,136 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2007/04/13 01:50:00 | 00,023,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2007/02/24 14:42:22 | 00,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/02/14 14:21:00 | 00,067,960 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2007/02/14 14:20:58 | 00,868,298 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2007/02/09 12:34:16 | 00,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2007/02/08 20:05:30 | 00,028,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/02/08 20:05:30 | 00,012,856 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2007/01/12 14:04:44 | 00,201,856 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/01/09 16:50:24 | 00,288,768 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2006/12/20 01:08:00 | 00,047,616 | ---- | M] (RICOH Company, Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rismc32.sys -- (rismc32)
DRV - [2006/10/26 16:22:02 | 00,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/10/26 16:21:34 | 00,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/10/26 16:21:34 | 00,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/10/26 16:21:32 | 00,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/10/26 16:21:30 | 00,026,296 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/10/26 16:21:28 | 00,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/10/26 16:21:26 | 00,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/10/26 16:21:24 | 00,104,536 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/07 07:57:30 | 00,093,952 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (AEAudio)
DRV - [2006/07/24 03:00:00 | 00,036,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2006/07/24 00:00:04 | 00,022,016 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Accelerometer.sys -- (Accelerometer)
DRV - [2006/07/24 00:00:04 | 00,017,920 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\hpdskflt.sys -- (hpdskflt)
DRV - [2006/07/21 11:21:26 | 00,099,176 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2006/06/19 14:26:58 | 00,012,672 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2004/06/16 12:19:58 | 00,046,080 | ---- | M] (SMSC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
DRV - [2003/10/28 14:17:52 | 00,005,273 | ---- | M] (Arrowkey) [Kernel | Auto | Running] -- C:\Program Files\321Studios\Shared\CDRPDACC.SYS -- (CDRPDACC)
DRV - [2002/10/11 15:49:36 | 00,009,049 | ---- | M] (Nortel Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\eacfilt.sys -- (Eacfilt)
DRV - [2002/10/11 15:49:06 | 00,115,008 | ---- | M] (Nortel Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipsecw2k.sys -- (IPSECSHM)
DRV - [2002/10/11 15:49:06 | 00,115,008 | ---- | M] (Nortel Networks) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\ipsecw2k.sys -- (IPSECEXT)
DRV - [2002/07/17 09:05:10 | 00,016,512 | ---- | M] (Adaptec) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (ASPI)
DRV - [2001/08/17 13:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 13:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 13:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 13:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 13:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 12:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 12:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 12:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 12:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 12:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 12:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 12:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 12:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 12:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 12:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 07:11:22 | 00,035,328 | ---- | M] (AMD Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pcntpci5.sys -- (PCnet)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=yds
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2052111302-287218729-725345543-141979\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=yds
IE - HKU\S-1-5-21-2052111302-287218729-725345543-141979\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-2052111302-287218729-725345543-141979\S-1-5-21-2052111302-287218729-725345543-141979\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-2052111302-287218729-725345543-141979\S-1-5-21-2052111302-287218729-725345543-141979\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.mot.com;help-motorola.amer.csc.com;ShSh-Nxs01.amer.csc.com;access.motorola.com;<local>
IE - HKU\S-1-5-21-2052111302-287218729-725345543-141979\S-1-5-21-2052111302-287218729-725345543-141979\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = wwwgate0.mot.com:1080

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=867034"
FF - prefs.js..browser.startup.homepage: "http://my.mot.com/portal/site/imoto/|http://my.yahoo.com/|http://calendar.yahoo.com/mezzoelise|http://us.mg1.mail.yahoo.com/dc/launch?.gx=1&.rand=689ndoduoffj3"
FF - prefs.js..extensions.enabledItems: {d5ea4520-61a1-11da-8cd6-0800200c9a66}:2009.07.19
FF - prefs.js..network.proxy.backup.ftp: "wwwgate0.mot.com"
FF - prefs.js..network.proxy.backup.ftp_port: 1080
FF - prefs.js..network.proxy.backup.gopher: "wwwgate0.mot.com"
FF - prefs.js..network.proxy.backup.gopher_port: 1080
FF - prefs.js..network.proxy.backup.socks: "wwwgate0.mot.com"
FF - prefs.js..network.proxy.backup.socks_port: 1080
FF - prefs.js..network.proxy.backup.ssl: "wwwgate0.mot.com"
FF - prefs.js..network.proxy.backup.ssl_port: 1080
FF - prefs.js..network.proxy.ftp: "wwwgate0.mot.com"
FF - prefs.js..network.proxy.ftp_port: 1080
FF - prefs.js..network.proxy.gopher: "wwwgate0.mot.com"
FF - prefs.js..network.proxy.gopher_port: 1080
FF - prefs.js..network.proxy.http: "wwwgate0.mot.com"
FF - prefs.js..network.proxy.http_port: 1080
FF - prefs.js..network.proxy.no_proxies_on: "*.mot.com,help-motorola.amer.csc.com,ShSh-Nxs01.amer.csc.com,localhost,127.0.0.1"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "wwwgate0.mot.com"
FF - prefs.js..network.proxy.socks_port: 1080
FF - prefs.js..network.proxy.ssl: "wwwgate0.mot.com"
FF - prefs.js..network.proxy.ssl_port: 1080

FF - HKLM\software\mozilla\Firefox\Extensions\\{6EA2D184-A0B2-4098-9A76-E0E6420E79FC}: D:\Profiles\MGI0560\Local Settings\Application Data\{6EA2D184-A0B2-4098-9A76-E0E6420E79FC}\ [2010/01/02 15:34:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/06 07:57:36 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/14 12:45:23 | 00,000,000 | ---D | M]

[2010/01/06 08:32:49 | 00,000,000 | ---D | M] -- D:\Profiles\MGI0560\Application Data\Mozilla\Extensions
[2010/01/20 09:20:09 | 00,000,000 | ---D | M] -- D:\Profiles\MGI0560\Application Data\Mozilla\Firefox\Profiles\mvmoqz8g.default\extensions
[2010/01/07 09:08:28 | 00,000,000 | ---D | M] (QuickProxy) -- D:\Profiles\MGI0560\Application Data\Mozilla\Firefox\Profiles\mvmoqz8g.default\extensions\{d5ea4520-61a1-11da-8cd6-0800200c9a66}
[2010/01/07 15:35:00 | 00,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- D:\Profiles\MGI0560\Application Data\Mozilla\Firefox\Profiles\mvmoqz8g.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/01/20 09:20:09 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/01/20 21:35:45 | 00,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-2052111302-287218729-725345543-141979\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\accelerometerST.exe (Hewlett-Packard Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [CSCAdvantage] C:\Program Files\Help Desk\CSCAdv.exe ()
O4 - HKLM..\Run: [CSCLogonInfo] C:\WINDOWS\UsrLogon.exe ()
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Igoxux] C:\WINDOWS\iricuraqilaq.DLL File not found
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe ( Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKU\.DEFAULT..\Run: [Communicator] C:\Program Files\Microsoft Office Communicator\Communicator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [Communicator] C:\Program Files\Microsoft Office Communicator\Communicator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [Communicator] C:\Program Files\Microsoft Office Communicator\Communicator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Communicator] C:\Program Files\Microsoft Office Communicator\Communicator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2052111302-287218729-725345543-141979..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe File not found
O4 - HKU\S-1-5-21-2052111302-287218729-725345543-141979..\Run: [Communicator] C:\Program Files\Microsoft Office Communicator\Communicator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2052111302-287218729-725345543-141979..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-2052111302-287218729-725345543-141979..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - Startup: D:\Profiles\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: D:\Profiles\MGI0560\Start Menu\Programs\Startup\Yahoo! Desktop Search.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonType = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2052111302-287218729-725345543-141979\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2052111302-287218729-725345543-141979\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-2052111302-287218729-725345543-141979\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: GreyMSIAds = 1
O7 - HKU\S-1-5-21-2052111302-287218729-725345543-141979\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKU\S-1-5-21-2052111302-287218729-725345543-141979\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKU\S-1-5-21-2052111302-287218729-725345543-141979\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoTrayNotify = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office 2003\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office 2003\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1263176799750 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1263176783906 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {9A04E3F0-3BB2-11D2-91E2-00C04FAEC46B} http://meet-amer.mot.com/ConferencingBin/xcliacc.cab (NMClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://active.macromedia.com/flash2/cabs/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://access.motorola.com/dana-cached/sc/...SetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.64.150 68.87.75.198
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ds.mot.com
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (rundll32.exe) - File not found
O20 - HKLM Winlogon: Shell - (dwtt.mro) - File not found
O20 - HKLM Winlogon: Shell - (bpqvc) - File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/26 05:26:46 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{31d08aa8-d920-11de-bbcb-00210019856c}\Shell\AutoRun\command - "" = F:\.\Vado\Vado.exe -- File not found
O33 - MountPoints2\{97b0631c-c416-11de-bba4-00210019856c}\Shell\AutoRun\command - "" = F:\setup.exe -- File not found
O33 - MountPoints2\{afdb56c1-c3fd-11de-bba2-001eec6823c0}\Shell\AutoRun\command - "" = F:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/20 22:14:42 | 00,546,816 | ---- | C] (OldTimer Tools) -- D:\Profiles\MGI0560\Desktop\OTL.exe
[2010/01/20 14:39:54 | 00,000,000 | ---D | C] -- D:\Profiles\MGI0560\Application Data\Wireshark
[2010/01/20 09:16:19 | 00,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2010/01/20 09:15:58 | 00,000,000 | ---D | C] -- C:\Program Files\Wireshark
[2010/01/11 09:15:41 | 00,000,000 | ---D | C] -- D:\Profiles\All Users\Application Data\SUPERAntiSpyware.com
[2010/01/11 09:15:24 | 00,000,000 | ---D | C] -- D:\Profiles\MGI0560\Application Data\SUPERAntiSpyware.com
[2010/01/11 09:15:24 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/01/11 09:14:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/01/10 21:27:06 | 00,015,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2010/01/07 19:17:04 | 00,472,064 | ---- | C] ( ) -- D:\Profiles\MGI0560\Desktop\RootRepeal.exe
[2010/01/07 15:35:11 | 00,000,000 | ---D | C] -- C:\Program Files\NOS
[2010/01/06 16:57:35 | 00,000,000 | ---D | C] -- D:\Profiles\MGI0560\Application Data\Malwarebytes
[2010/01/06 16:57:29 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/06 16:57:27 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/06 16:57:27 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/06 16:57:27 | 00,000,000 | ---D | C] -- D:\Profiles\All Users\Application Data\Malwarebytes
[2010/01/06 16:44:48 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/01/06 16:44:48 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/01/06 16:44:48 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/01/06 16:44:48 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/01/06 12:01:12 | 00,000,000 | ---D | C] -- C:\monterrey
[2010/01/05 16:08:24 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2010/01/05 10:03:29 | 00,000,000 | ---D | C] -- D:\Profiles\All Users\Application Data\NOS
[2010/01/04 10:09:09 | 00,000,000 | ---D | C] -- D:\Profiles\MGI0560\Local Settings\Application Data\Yahoo
[2010/01/04 10:08:44 | 00,000,000 | ---D | C] -- D:\Profiles\All Users\Application Data\Yahoo!
[2010/01/04 10:08:40 | 00,000,000 | ---D | C] -- D:\Profiles\MGI0560\Application Data\Yahoo!
[2010/01/02 15:34:03 | 00,000,000 | ---D | C] -- D:\Profiles\MGI0560\Local Settings\Application Data\{6EA2D184-A0B2-4098-9A76-E0E6420E79FC}
[2009/12/30 08:18:04 | 00,000,000 | ---D | C] -- C:\spoolerlogs
[2009/12/28 11:11:03 | 00,000,000 | ---D | C] -- C:\Program Files\Lame for Audacity
[2009/12/28 10:41:17 | 00,000,000 | ---D | C] -- C:\Program Files\Audacity
[2009/12/23 16:32:57 | 00,000,000 | ---D | C] -- D:\Profiles\MGI0560\Local Settings\Application Data\ActiveState
[2009/12/23 16:25:01 | 00,000,000 | ---D | C] -- C:\Perl
[2009/11/20 13:58:01 | 00,000,000 | ---D | M] -- D:\Profiles\NetworkService\Local Settings\Application Data\Apple
[2009/10/28 15:37:26 | 00,000,000 | ---D | M] -- D:\Profiles\LocalService\Local Settings\Application Data\Microsoft
[2009/06/26 05:38:12 | 00,000,000 | --SD | M] -- D:\Profiles\LocalService\Application Data\Microsoft
[2009/06/26 05:38:07 | 00,000,000 | --SD | M] -- D:\Profiles\NetworkService\Application Data\Microsoft
[2009/06/26 05:38:07 | 00,000,000 | ---D | M] -- D:\Profiles\NetworkService\Local Settings\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/20 22:14:42 | 00,546,816 | ---- | M] (OldTimer Tools) -- D:\Profiles\MGI0560\Desktop\OTL.exe
[2010/01/20 22:00:08 | 00,000,356 | ---- | M] () -- C:\WINDOWS\tasks\CheckNetwork.job
[2010/01/20 22:00:01 | 00,000,467 | ---- | M] () -- C:\WINDOWS\smscfg.ini
[2010/01/20 21:59:27 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/20 21:59:19 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/20 21:59:15 | 21,383,61856 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/20 21:58:33 | 04,718,592 | -H-- | M] () -- D:\Profiles\MGI0560\NTUSER.DAT
[2010/01/20 21:58:33 | 00,000,278 | -HS- | M] () -- D:\Profiles\MGI0560\ntuser.ini
[2010/01/20 20:23:23 | 00,000,531 | ---- | M] () -- D:\Profiles\MGI0560\Desktop\Shortcut to Weekly Status.lnk
[2010/01/20 09:16:22 | 00,000,073 | ---- | M] () -- C:\WINDOWS\System32\-1
[2010/01/20 09:16:09 | 00,001,357 | ---- | M] () -- D:\Profiles\All Users\Desktop\Wireshark.lnk
[2010/01/19 08:51:18 | 00,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/17 22:34:18 | 00,328,728 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\iaStor.sys
[2010/01/14 12:45:23 | 00,001,615 | ---- | M] () -- D:\Profiles\All Users\Desktop\Adobe Reader 9.lnk
[2010/01/14 07:35:36 | 00,003,157 | ---- | M] () -- D:\Profiles\MGI0560\Desktop\kaspersky scan report.html
[2010/01/11 11:16:54 | 00,627,200 | ---- | M] () -- D:\Profiles\MGI0560\Desktop\enb-08826_x1.doc
[2010/01/11 09:15:32 | 00,000,664 | ---- | M] () -- D:\Profiles\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/01/11 08:32:13 | 00,606,208 | ---- | M] () -- D:\Profiles\MGI0560\Desktop\OM_Baseline_Performance_ENB-08826_v1 dmb comments.doc
[2010/01/08 21:25:21 | 00,455,852 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/08 21:25:21 | 00,391,204 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/08 21:25:21 | 00,058,186 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/08 15:48:48 | 00,000,624 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/08 14:30:43 | 00,626,176 | ---- | M] () -- D:\Profiles\MGI0560\Desktop\OM_Baseline_Performance_ENB-xxxx_DRAFT (2) dmb comments.doc
[2010/01/08 09:58:38 | 06,572,544 | ---- | M] () -- D:\Profiles\MGI0560\Desktop\NE PFS 365-095-08971_x6-1.doc
[2010/01/07 20:15:13 | 00,000,000 | ---- | M] () -- D:\Profiles\MGI0560\Desktop\settings.dat
[2010/01/07 19:17:04 | 00,472,064 | ---- | M] ( ) -- D:\Profiles\MGI0560\Desktop\RootRepeal.exe
[2010/01/07 19:03:03 | 00,524,288 | ---- | M] () -- D:\Profiles\MGI0560\Desktop\dds.scr
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/06 16:57:32 | 00,000,584 | ---- | M] () -- D:\Profiles\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/06 16:44:26 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/01/06 16:44:26 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/01/06 16:44:25 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/01/06 16:44:25 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/01/06 16:44:25 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/01/06 10:09:32 | 00,000,610 | ---- | M] () -- D:\Profiles\MGI0560\Desktop\Shortcut to monterey problem - invalid tiers.lnk
[2010/01/06 07:57:41 | 00,001,506 | ---- | M] () -- D:\Profiles\All Users\Desktop\Mozilla Firefox.lnk
[2010/01/06 07:43:14 | 00,565,970 | ---- | M] () -- D:\Profiles\MGI0560\Desktop\firefox bookmarks 010610.html
[2010/01/04 10:08:57 | 00,262,144 | ---- | M] () -- C:\ntuser.dat
[2010/01/02 15:34:04 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Ebugihajilesoq.bin
[2010/01/02 15:34:03 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Ubulabadeb.dat
[2009/12/28 10:41:18 | 00,000,546 | ---- | M] () -- D:\Profiles\MGI0560\Desktop\Audacity.lnk
[2009/12/23 07:12:10 | 00,017,408 | ---- | M] () -- D:\Profiles\MGI0560\Desktop\xmas cards 2009.xls
[2009/12/22 10:39:14 | 00,019,968 | ---- | M] () -- D:\Profiles\MGI0560\Desktop\xmas card list 2009.doc
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/20 09:16:20 | 00,000,073 | ---- | C] () -- C:\WINDOWS\System32\-1
[2010/01/20 09:16:09 | 00,001,357 | ---- | C] () -- D:\Profiles\All Users\Desktop\Wireshark.lnk
[2010/01/14 12:45:23 | 00,001,615 | ---- | C] () -- D:\Profiles\All Users\Desktop\Adobe Reader 9.lnk
[2010/01/14 07:35:36 | 00,003,157 | ---- | C] () -- D:\Profiles\MGI0560\Desktop\kaspersky scan report.html
[2010/01/11 11:16:53 | 00,627,200 | ---- | C] () -- D:\Profiles\MGI0560\Desktop\enb-08826_x1.doc
[2010/01/11 09:15:32 | 00,000,664 | ---- | C] () -- D:\Profiles\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/01/11 08:32:12 | 00,606,208 | ---- | C] () -- D:\Profiles\MGI0560\Desktop\OM_Baseline_Performance_ENB-08826_v1 dmb comments.doc
[2010/01/08 14:30:42 | 00,626,176 | ---- | C] () -- D:\Profiles\MGI0560\Desktop\OM_Baseline_Performance_ENB-xxxx_DRAFT (2) dmb comments.doc
[2010/01/08 09:58:32 | 06,572,544 | ---- | C] () -- D:\Profiles\MGI0560\Desktop\NE PFS 365-095-08971_x6-1.doc
[2010/01/07 20:15:13 | 00,000,000 | ---- | C] () -- D:\Profiles\MGI0560\Desktop\settings.dat
[2010/01/07 19:03:02 | 00,524,288 | ---- | C] () -- D:\Profiles\MGI0560\Desktop\dds.scr
[2010/01/06 16:57:32 | 00,000,584 | ---- | C] () -- D:\Profiles\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/06 10:09:32 | 00,000,610 | ---- | C] () -- D:\Profiles\MGI0560\Desktop\Shortcut to monterey problem - invalid tiers.lnk
[2010/01/06 07:43:08 | 00,565,970 | ---- | C] () -- D:\Profiles\MGI0560\Desktop\firefox bookmarks 010610.html
[2010/01/04 11:32:54 | 00,001,506 | ---- | C] () -- D:\Profiles\All Users\Desktop\Mozilla Firefox.lnk
[2010/01/04 10:08:57 | 00,262,144 | ---- | C] () -- C:\ntuser.dat
[2009/12/29 12:55:38 | 00,000,120 | ---- | C] () -- C:\WINDOWS\Ubulabadeb.dat
[2009/12/29 12:55:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Ebugihajilesoq.bin
[2009/12/22 14:08:41 | 00,017,408 | ---- | C] () -- D:\Profiles\MGI0560\Desktop\xmas cards 2009.xls
[2009/12/22 08:58:48 | 00,019,968 | ---- | C] () -- D:\Profiles\MGI0560\Desktop\xmas card list 2009.doc
[2009/11/20 18:39:51 | 00,000,000 | ---- | C] () -- D:\Profiles\MGI0560\Local Settings\Application Data\FnF4.txt
[2009/10/28 14:23:42 | 00,000,000 | ---- | C] () -- D:\Profiles\MGI0560\Local Settings\Application Data\QSwitch.txt
[2009/10/28 14:23:42 | 00,000,000 | ---- | C] () -- D:\Profiles\MGI0560\Local Settings\Application Data\DSwitch.txt
[2009/10/28 14:23:42 | 00,000,000 | ---- | C] () -- D:\Profiles\MGI0560\Local Settings\Application Data\AtStart.txt
[2009/10/28 12:29:16 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2009/10/28 12:29:16 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2009/10/28 12:29:16 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2009/10/28 12:29:16 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2009/10/28 12:29:15 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2009/10/28 12:29:15 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2009/10/28 12:28:22 | 00,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2009/10/28 12:28:22 | 00,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/10/28 11:20:52 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4964.dll
[2009/10/20 13:19:30 | 00,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009/07/06 10:57:38 | 00,000,467 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/06/26 09:17:18 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/06/26 08:57:31 | 00,002,844 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2007/07/03 13:22:28 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2007/02/06 15:20:00 | 02,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007/02/06 14:55:52 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2006/09/24 23:02:34 | 00,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/24 23:02:34 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2005/02/17 11:41:32 | 00,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 11:41:30 | 00,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/11/14 12:56:00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[1998/05/07 03:10:00 | 00,069,632 | R--- | C] () -- C:\WINDOWS\System32\ODMA32.dll
< End of report >

OTL Extras logfile created on: 1/20/2010 10:15:59 PM - Run 1
OTL by OldTimer - Version 3.1.25.3 Folder = D:\Profiles\MGI0560\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 44.72 Gb Total Space | 29.49 Gb Free Space | 65.95% Space Free | Partition Type: NTFS
Drive D: | 104.33 Gb Total Space | 53.66 Gb Free Space | 51.44% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MGI0560-03
Current User Name: MGI0560
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2052111302-287218729-725345543-141979\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office 2003\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office 2003\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [DosHere] -- Reg Error: Value error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DoNotAllowExceptions" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"113:TCP" = 113:TCP:10.176.1.190/199:enabled:bDNA
"497:TCP" = 497:TCP:10.0.38.5/10:enabled:bDNA2
"6000:TCP" = 6000:TCP:*:enabled:exceed
"135:TCP" = 135:TCP:10.160.5.8:enabled:foundscan
"137:TCP" = 137:TCP:10.197.24.2:enabled:foundscan2
"138:TCP" = 138:TCP:10.0.125.17:enabled:foundscan3
"139:TCP" = 139:TCP:10.0.125.20:enabled:foundscan4
"1503:TCP" = 1503:TCP:10.0.125.21:enabled:foundscan5
"1720:TCP" = 1720:TCP:10.1.250.11:enabled:foundscan6
"1761:TCP" = 1761:TCP:10.64.2.96:enabled:foundscan7
"2701:TCP" = 2701:TCP:10.128.132.49:enabled:iss1
"2702:TCP" = 2702:TCP:10.128.132.49:enabled:iss2
"43189:TCP" = 43189:TCP:10.160.9.87:enabled:iss3
"4445:TCP" = 4445:TCP:10.0.125.19:enabled:iss4
"6401:TCP" = 6401:TCP:192.168.30.7:enabled:iss5
"1023:UDP" = 1023:UDP:144.190.1.100:enabled:iss6
"445:TCP" = 445:TCP:10.0.125.15:enabled:nmap
"123:UDP" = 123:UDP:129.188.57.239:enabled:scanner1
"137:UDP" = 137:UDP:129.188.147.55:enabled:scanner2
"138:UDP" = 138:UDP:192.168.3.1:enabled:scanner3
"2233:UDP" = 2233:UDP:129.188.33.18:enabled:scanner4
"371:UDP" = 371:UDP:10.0.125.13:enabled:scanner5
"407:UDP" = 407:UDP:10.0.125.28:enabled:scanner6
"497:UDP" = 497:UDP:10.193.21.54:enabled:scanner7
"500:UDP" = 500:UDP:10.0.125.11:enabled:scanner8
"600:UDP" = 600:UDP:10.79.40.64:enabled:scanner9
"601:UDP" = 601:UDP:10.79.40.64:enabled:scanner10
"602:UDP" = 602:UDP:10.79.40.64:enabled:scanner11
"603:UDP" = 603:UDP:10.79.40.64:enabled:scanner12
"604:UDP" = 604:UDP:10.79.40.64:enabled:scanner13
"605:UDP" = 605:UDP:10.79.40.64:enabled:scanner14
"606:UDP" = 606:UDP:10.79.40.64:enabled:scanner15
"607:UDP" = 607:UDP:10.79.40.64:enabled:scanner16
"608:UDP" = 608:UDP:10.79.40.64:enabled:scanner17
"609:UDP" = 609:UDP:10.79.40.64:enabled:scanner18
"610:UDP" = 610:UDP:10.79.40.64:enabled:scanner19
"62514:UDP" = 62514:UDP:10.79.40.72,10.82.51.100,10.228.96.22/24,10.228.96.26,10.16.225.208,10.17.193.181,10.17.193.182:enabled:scanner20

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"113:TCP" = 113:TCP:10.176.1.190/199:enabled:bDNA
"497:TCP" = 497:TCP:10.0.38.5/10:enabled:bDNA2
"6000:TCP" = 6000:TCP:*:enabled:exceed
"135:TCP" = 135:TCP:10.160.5.8:enabled:foundscan
"137:TCP" = 137:TCP:10.197.24.2:enabled:foundscan2
"138:TCP" = 138:TCP:10.0.125.17:enabled:foundscan3
"139:TCP" = 139:TCP:10.0.125.20:enabled:foundscan4
"1503:TCP" = 1503:TCP:10.0.125.21:enabled:foundscan5
"1720:TCP" = 1720:TCP:10.1.250.11:enabled:foundscan6
"1761:TCP" = 1761:TCP:10.64.2.96:enabled:foundscan7
"2701:TCP" = 2701:TCP:10.128.132.49:enabled:iss1
"2702:TCP" = 2702:TCP:10.128.132.49:enabled:iss2
"43189:TCP" = 43189:TCP:10.160.9.87:enabled:iss3
"4445:TCP" = 4445:TCP:10.0.125.19:enabled:iss4
"6401:TCP" = 6401:TCP:192.168.30.7:enabled:iss5
"1023:UDP" = 1023:UDP:144.190.1.100:enabled:iss6
"445:TCP" = 445:TCP:10.0.125.15:enabled:nmap
"123:UDP" = 123:UDP:129.188.57.239:enabled:scanner1
"137:UDP" = 137:UDP:129.188.147.55:enabled:scanner2
"138:UDP" = 138:UDP:192.168.3.1:enabled:scanner3
"2233:UDP" = 2233:UDP:129.188.33.18:enabled:scanner4
"371:UDP" = 371:UDP:10.0.125.13:enabled:scanner5
"407:UDP" = 407:UDP:10.0.125.28:enabled:scanner6
"497:UDP" = 497:UDP:10.193.21.54:enabled:scanner7
"500:UDP" = 500:UDP:10.0.125.11:enabled:scanner8
"600:UDP" = 600:UDP:10.79.40.64:enabled:scanner9
"601:UDP" = 601:UDP:10.79.40.64:enabled:scanner10
"602:UDP" = 602:UDP:10.79.40.64:enabled:scanner11
"603:UDP" = 603:UDP:10.79.40.64:enabled:scanner12
"604:UDP" = 604:UDP:10.79.40.64:enabled:scanner13
"605:UDP" = 605:UDP:10.79.40.64:enabled:scanner14
"606:UDP" = 606:UDP:10.79.40.64:enabled:scanner15
"607:UDP" = 607:UDP:10.79.40.64:enabled:scanner16
"608:UDP" = 608:UDP:10.79.40.64:enabled:scanner17
"609:UDP" = 609:UDP:10.79.40.64:enabled:scanner18
"610:UDP" = 610:UDP:10.79.40.64:enabled:scanner19
"62514:UDP" = 62514:UDP:10.79.40.72,10.82.51.100,10.228.96.22/24,10.228.96.26,10.16.225.208,10.17.193.181,10.17.193.182:enabled:scanner20

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"c:\Program Files\Netmeeting\conf.exe" = C:\Program Files\Netmeeting\conf.exe:*:enabled:NetMeeting -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\Program Files\Netmeeting\conf.exe" = C:\Program Files\Netmeeting\conf.exe:*:enabled:NetMeeting -- (Microsoft Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0044F4A6-3211-4BAB-A103-F3D7B97A9EFB}" = MaX Compression Client
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{2DB165DC-DDB4-403F-B985-19F3EC7D0357}" = HP ProtectTools Security Manager
"{2F221920-DB3B-4A74-A010-26ABDBA07AC2}" = SMS Advanced Client
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{2FE4F7D0-49ED-4A85-88C1-1EA443789C4F}" = Microsoft Office Communicator 2005 MUI Pack
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 H2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3912A629-0020-0005-3131-2FBA74D4DF0A}" = InterVideo WinDVD
"{429E92A4-159F-4AEC-85A1-D693E1E4274D}" = HP 3D DriveGuard
"{450EEA86-30DD-48D9-BD32-91E097837B20}_is1" = Automatic Wireless Control 1.0
"{49C27FB0-CEEF-4A11-8114-0BFE336D3884}" = Symantec Endpoint Protection
"{4C3FFAF4-133E-46BF-8498-E67FF90E2823}" = RSA SecurID Software Token
"{536ED989-16B7-4C27-8A92-1C7303443B4F}" = MOT-ENG-SetImageBranding-1.0-GBL-R1
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C853 Driver WXP Ver.1.01.05
"{5E076CF2-EFED-43A2-A623-13E0D62EC7E0}" = Windows Server 2003 Administration Tools Pack
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = HP Integrated Module with Bluetooth wireless technology
"{84A8E8C9-5EFC-4863-9AA2-23F62AAB613B}" = LOGON via Fiberlink
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{903B0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Professional 2003
"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{90520409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Viewer 2003 (English)
"{90AE0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Organization Chart 2.0
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{938B1CD7-7C60-491E-AA90-1F1888168240}" = Roxio MyDVD Basic v9
"{95120000-0038-0409-0000-0000000FF1CE}" = Time Zone Data Update Tool for Microsoft Office Outlook
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AC76BA86-7AD7-2447-0000-810000000003}" = Chinese Simplified Fonts Support For Adobe Reader 8
"{AC76BA86-7AD7-2448-0000-810000000003}" = Chinese Traditional Fonts Support For Adobe Reader 8
"{AC76BA86-7AD7-5670-0000-810000000003}" = Korean Fonts Support For Adobe Reader 8
"{AC76BA86-7AD7-5676-5A64-810000000003}" = Adobe Reader Extended Language Support Font Pack
"{AC76BA86-7AD7-5760-0000-810000000003}" = Japanese Fonts Support For Adobe Reader 8
"{BE5AD430-9E0C-4243-AB3F-593835869855}" = Microsoft Office Communicator 2005
"{C2DA1CDC-EF9D-4B7C-91F8-710B17AD44A7}" = Microsoft Office Live Meeting 2007
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E7DF4F40-A0CE-430E-8B3B-DB7C8DF1C1A2}" = ActivePerl 5.10.1 Build 1006
"{EB4DF30B-102B-4F0C-927A-D50E037A325D}" = AuthenTec Fingerprint Sensor Minimum Install
"{EC759F47-D73E-4987-A857-3E6070737453}" = ClarifyCRM 13.1SR1.08 Client for Oracle
"{EF964A78-078C-11D1-B7A7-0000C0134CE6}" = Motorola MVP Client 4.7
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F126C231-07B2-4246-883F-CE876DB5369D}" = MOT-ENG-SymantecDelTemp-1.0-GBL-R1
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.5
"Audacity_is1" = Audacity 1.2.6
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CDex" = CDex extraction audio
"CNXT_MODEM_PCI_VEN_14F1&DEV_2C06_hpqZ3795" = Soft Data Fax Modem with SmartCP
"DVD X Rescue" = DVD X Rescue
"DVDXCopyPlatinum" = DVD X Copy Platinum 4.0.3
"HDMI" = Intel® Graphics Media Accelerator Driver
"Juniper Network Connect 6.4.0" = Juniper Networks Network Connect 6.4.0
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VLC media player" = VLC media player 1.0.3
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinPcapInst" = WinPcap 4.1.1
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"Wireshark" = Wireshark 1.2.5
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Desktop Search" = Yahoo! Desktop Search

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2052111302-287218729-725345543-141979\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Juniper_Setup_Client" = Juniper Networks Setup Client

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/20/2010 9:19:47 PM | Computer Name = MGI0560-03 | Source = UserInit | ID = 1000
Description = Could not execute the following script patch-2008-10.cmd. The system
cannot find the file specified. .

Error - 1/20/2010 9:19:47 PM | Computer Name = MGI0560-03 | Source = UserInit | ID = 1000
Description = Could not execute the following script w2kenroll.cmd. The system cannot
find the file specified. .

Error - 1/20/2010 9:20:41 PM | Computer Name = MGI0560-03 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for DS\MGI0560 failed to contact
the active directory (0x8007054b). The specified domain either does not exist or
could not be contacted. Enrollment will not be performed.

Error - 1/20/2010 10:59:45 PM | Computer Name = MGI0560-03 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 1/20/2010 10:59:46 PM | Computer Name = MGI0560-03 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 1/20/2010 10:59:53 PM | Computer Name = MGI0560-03 | Source = UserInit | ID = 1000
Description = Could not execute the following script wsinventory.vbs. The system
cannot find the file specified. .

Error - 1/20/2010 10:59:53 PM | Computer Name = MGI0560-03 | Source = UserInit | ID = 1000
Description = Could not execute the following script inventory.vbs. The system cannot
find the file specified. .

Error - 1/20/2010 11:02:20 PM | Computer Name = MGI0560-03 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 1/20/2010 11:02:38 PM | Computer Name = MGI0560-03 | Source = UserInit | ID = 1000
Description = Could not execute the following script patch-2008-10.cmd. The system
cannot find the file specified. .

Error - 1/20/2010 11:02:38 PM | Computer Name = MGI0560-03 | Source = UserInit | ID = 1000
Description = Could not execute the following script w2kenroll.cmd. The system cannot
find the file specified. .

[ System Events ]
Error - 1/20/2010 10:59:46 PM | Computer Name = MGI0560-03 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'citizen.sps.mot.com'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 1/20/2010 10:59:46 PM | Computer Name = MGI0560-03 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'citizen.sps.mot.com'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 1/20/2010 10:59:46 PM | Computer Name = MGI0560-03 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'datehost.cig.mot.com'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 1/20/2010 10:59:46 PM | Computer Name = MGI0560-03 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'timex.sps.mot.com'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 1/20/2010 10:59:46 PM | Computer Name = MGI0560-03 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 1/20/2010 11:00:00 PM | Computer Name = MGI0560-03 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Yahoo! Updater service
to connect.

Error - 1/20/2010 11:00:00 PM | Computer Name = MGI0560-03 | Source = Service Control Manager | ID = 7000
Description = The Yahoo! Updater service failed to start due to the following error:
%%1053

Error - 1/20/2010 11:14:49 PM | Computer Name = MGI0560-03 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'citizen.sps.mot.com'. NtpClient will try the DNS lookup
again in 30 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 1/20/2010 11:14:49 PM | Computer Name = MGI0560-03 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'datehost.cig.mot.com'. NtpClient will try the DNS lookup
again in 30 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 1/20/2010 11:14:49 PM | Computer Name = MGI0560-03 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'timex.sps.mot.com'. NtpClient will try the DNS lookup
again in 30 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)


< End of report >
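An added example for this thread, not part of OTL or of the original post: the FirewallPolicy block in the Extras log above can be triaged mechanically. The script parses the registry-style keys OTL prints for each profile and its GloballyOpenPorts list, reports any profile with EnableFirewall = 0, and lists exceptions whose scope is "*", that is, reachable from any remote address rather than from the management subnets named on the other entries. The sample input is constructed from a handful of the lines in the log above. On a machine running a third-party firewall suite (Symantec Endpoint Protection appears in the uninstall list above) a disabled built-in firewall is expected; the script only surfaces it so the reader can weigh it.

```python
"""Triage the FirewallPolicy block of an OTL Extras log.

Added example for this thread; it is not part of OTL. It reads the
registry-style lines OTL prints under "Security Center Settings" and reports
two things: profiles whose built-in firewall is switched off, and
GloballyOpenPorts exceptions whose scope is "*" (any remote address).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input constructed from a few lines of the OTL log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DoNotAllowExceptions" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"113:TCP" = 113:TCP:10.176.1.190/199:enabled:bDNA
"6000:TCP" = 6000:TCP:*:enabled:exceed
"445:TCP" = 445:TCP:10.0.125.15:enabled:nmap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"6000:TCP" = 6000:TCP:*:enabled:exceed
"62514:UDP" = 62514:UDP:10.79.40.72,10.82.51.100:enabled:scanner20

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\Program Files\Netmeeting\conf.exe" = C:\Program Files\Netmeeting\conf.exe:*:enabled:NetMeeting -- (Microsoft Corporation)
"""

# A profile key, optionally followed by its GloballyOpenPorts\List subkey.
KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\.*\\FirewallPolicy\\(\w+Profile)'
    r'(\\GloballyOpenPorts\\List)?\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


@dataclass
class OpenPort:
    port: int
    proto: str
    scope: str       # "*" or a comma-separated list of addresses / subnets
    enabled: bool
    name: str


@dataclass
class Profile:
    name: str
    enable_firewall: Optional[int] = None
    open_ports: List[OpenPort] = field(default_factory=list)


def parse_open_port(value: str) -> OpenPort:
    # Value format is port:proto:scope:state:name; the name may contain colons.
    port, proto, scope, state, name = value.split(":", 4)
    return OpenPort(int(port), proto.upper(), scope, state.lower() == "enabled", name)


def parse_firewall_policy(text: str) -> Dict[str, Profile]:
    profiles: Dict[str, Profile] = {}
    current: Optional[Profile] = None
    in_ports = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = profiles.setdefault(m.group(1), Profile(m.group(1)))
            in_ports = m.group(2) is not None
            continue
        if line.startswith("["):
            # Any other key (AuthorizedApplications, Security Center, ...) is skipped.
            current, in_ports = None, False
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if in_ports:
            current.open_ports.append(parse_open_port(value))
        elif name == "EnableFirewall":
            current.enable_firewall = int(value)
    return profiles


def triage(profiles: Dict[str, Profile]) -> List[str]:
    """Return one line per thing a helper would want to look at."""
    findings = []
    for prof in profiles.values():
        if prof.enable_firewall == 0:
            findings.append(f"{prof.name}: EnableFirewall=0, built-in firewall is off")
        for p in prof.open_ports:
            if p.enabled and p.scope == "*":
                findings.append(
                    f"{prof.name}: {p.port}/{p.proto} ({p.name}) is open to any remote address")
    return findings


if __name__ == "__main__":
    for line in triage(parse_firewall_policy(SAMPLE_LOG)):
        print(line)
```

Run against the sample it reports both profiles with the firewall off and the 6000/TCP "exceed" exception in each; the entries scoped to specific addresses are parsed but not reported, and the AuthorizedApplications key is skipped entirely.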


#6 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,766 posts

Posted 21 January 2010 - 06:29 AM

Hi,

please provide a log from gmer as well:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#7 davidbj (Topic Starter)
  • Members
  • 18 posts

Posted 21 January 2010 - 08:55 AM

Hi myrti,
Thanks!
Below is the log from gmer. Also it may help to mention that I get two 'RUN DLL' error windows that pop up after boot-up, one indicates 'Error Loading c:\windows\iricuraqilaq.dll' and the other 'Error Loading dwtt.mro'.

Here is the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-21 08:05:35
Windows 5.1.2600 Service Pack 3
Running: w5w2xhb1.exe; Driver: D:\Profiles\MGI0560\LOCALS~1\Temp\pfliykog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwAllocateVirtualMemory [0xF2349570]
SSDT 896CF290 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF23496A0]
SSDT 8959FB38 ZwResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwWriteVirtualMemory [0xF23497D0]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\iaStor.sys entry point in ".rsrc" section [0xF72C8024]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
Device -> \Driver\iastor \Device\Harddisk0\DR0 8A26A841

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
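An added example, written for this page rather than taken from the thread or from GMER: the script below picks out of a GMER report the lines a helper reads first. SSDT hooks that GMER attributes to a named driver file with a vendor string (here wpsdrvnt.sys, the Symantec firewall driver, which is normal for a security product) are separated from hooks that resolve only to a bare kernel address, and the lines GMER itself marks as unusual (an entry point inside the .rsrc section, a device object resolved only to an address, a file carrying a "suspicious modification" note) are collected as findings. The sample input is constructed from the log above.

```python
"""Pull the indicators a helper reads first out of a GMER log.

Added example for this thread; it is not GMER's own code. It separates SSDT
hooks GMER could attribute to a driver file from hooks that resolve only to a
bare kernel address, and collects the kernel-section, device and file lines
that GMER flags.
"""
import re
from dataclasses import dataclass
from typing import List

# Sample constructed from the GMER log posted above (abbreviated).
SAMPLE_GMER = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-21 08:05:35
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwAllocateVirtualMemory [0xF2349570]
SSDT 896CF290 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF23496A0]
SSDT 8959FB38 ZwResumeThread

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\iaStor.sys entry point in ".rsrc" section [0xF72C8024]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
Device -> \Driver\iastor \Device\Harddisk0\DR0 8A26A841

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# "SSDT <target> [(vendor)] <ZwFunction> [[0xADDR]]"
SSDT_RE = re.compile(
    r'^SSDT\s+(\S+)(?:\s+\(([^)]*)\))?\s+(Zw\w+)(?:\s+\[0x([0-9A-Fa-f]+)\])?$')
# ".rsrc <file> entry point in ".rsrc" section [0xADDR]"
SECTION_RE = re.compile(r'^\.(\w+)\s+(\S+)\s+entry point in "\.(\w+)" section')
# "File <path> <note>"
FILE_RE = re.compile(r'^File\s+(\S+)\s+(.+)$')
# "Device -> <driver> <device object> <ADDR>" (no driver file given)
DEVICE_RE = re.compile(r'^Device\s+->\s+(\S+)\s+(\S+)\s+([0-9A-Fa-f]+)$')
HEX_RE = re.compile(r'^[0-9A-Fa-f]{8}$')


@dataclass
class Finding:
    kind: str
    detail: str


def triage_gmer(text: str) -> List[Finding]:
    """Classify every line GMER printed that a reviewer would look at."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            target, vendor, func, _addr = m.groups()
            if HEX_RE.match(target):
                # GMER found the hook but no loaded driver file owns the address.
                findings.append(Finding("ssdt-unattributed",
                                        f"{func} hooked at {target}, no owning driver file"))
            else:
                findings.append(Finding("ssdt-module",
                                        f"{func} hooked by {target} ({vendor or 'no vendor info'})"))
            continue
        m = SECTION_RE.match(line)
        if m and m.group(3) == "rsrc":
            findings.append(Finding("entry-point-in-rsrc", m.group(2)))
            continue
        m = FILE_RE.match(line)
        if m and "suspicious" in m.group(2).lower():
            findings.append(Finding("suspicious-file", f"{m.group(1)}: {m.group(2)}"))
            continue
        m = DEVICE_RE.match(line)
        if m:
            findings.append(Finding("device-unresolved",
                                    f"{m.group(2)} under {m.group(1)} resolves only to address {m.group(3)}"))
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Everything except hooks GMER attributed to a named driver file."""
    return [f for f in findings if f.kind != "ssdt-module"]


if __name__ == "__main__":
    for f in suspicious(triage_gmer(SAMPLE_GMER)):
        print(f"{f.kind:22} {f.detail}")
```

On the sample this leaves five entries after the Symantec hooks are set aside: the two hooks with no owning driver (ZwConnectPort, ZwResumeThread) and the three lines about iaStor.sys, which are what the next reply in the thread is reacting to. A hook placed by an identifiable security product is not by itself an indicator, which is why the script reports it under a separate kind rather than dropping it.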


#8 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,766 posts

Posted 22 January 2010 - 10:55 AM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 davidbj

davidbj
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:14 AM

Posted 22 January 2010 - 11:57 AM

Hi myrti,
Thanks for your help! (though the news is not good).

I would like to try to clean my computer, and have already tried to follow your instructions for ComboFix. However, I get the Blue Screen of Death (BSOD) when I try to run it. I have tried several times - same result. It dies just after the initial startup bar fills in. Tried renaming the EXE file - no difference. Tried to boot the machine into 'Safe Mode' - it did not even complete booting before going BSOD.

Anything else I can try (in order to get ComboFix to run)?
If it helps, this is what BSOD says:

STOP: 0x0000007F (0xC0000006, 0x8A274087, 0xF79027B8, 0xF79024B4).

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:14 PM

Posted 23 January 2010 - 09:16 AM

Hi,

please try an alternative tool:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#11 davidbj

davidbj
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:14 AM

Posted 23 January 2010 - 10:03 AM

Hi myrti,
Thanks! I followed your instructions and ran TDSSKiller. One thing I may have done wrong: the first time it ran, there was an indication that a problem was found and it asked me to enter 'Y' to reboot or 'N' to continue. I either entered N or just Enter, and the reboot did not happen. Then I could not find the TXT file (at first I thought it would be on the Desktop, but later realized my mistake). So I ran TDSSKiller again, and this time it seemed to indicate no problems. I guess the log of the first execution of the tool has been overwritten, so all I have is the second log, posted below:

09:51:16:734 3252 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
09:51:16:734 3252 ================================================================================
09:51:16:734 3252 SystemInfo:

09:51:16:734 3252 OS Version: 5.1.2600 ServicePack: 3.0
09:51:16:734 3252 Product type: Workstation
09:51:16:734 3252 ComputerName: MGI0560-03
09:51:16:734 3252 UserName: MGI0560
09:51:16:734 3252 Windows directory: C:\WINDOWS
09:51:16:734 3252 Processor architecture: Intel x86
09:51:16:734 3252 Number of processors: 2
09:51:16:734 3252 Page size: 0x1000
09:51:16:734 3252 Boot type: Normal boot
09:51:16:734 3252 ================================================================================
09:51:16:734 3252 UnloadDriverW: NtUnloadDriver error 1
09:51:16:734 3252 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
09:51:16:734 3252 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
09:51:16:750 3252 LoadDriverW: Driver already loaded
09:51:16:750 3252 KLMD_DropNLoadW: LoadDriverW(klmd21) error 1056
09:51:16:750 3252 UtilityInit: KLMD drop and load failed, trying to open device
09:51:16:750 3252 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
09:51:16:750 3252 UtilityInit: KLMD open success
09:51:16:750 3252 UtilityInit: Initialize success
09:51:16:750 3252
09:51:16:750 3252 Scanning Services ...
09:51:16:750 3252 CreateRegParser: Registry parser init started
09:51:16:750 3252 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
09:51:16:750 3252 CreateRegParser: DisableWow64Redirection error
09:51:16:750 3252 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
09:51:16:750 3252 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
09:51:16:750 3252 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:51:16:750 3252 wfopen_ex: Trying to KLMD file open
09:51:16:750 3252 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
09:51:16:750 3252 wfopen_ex: File opened ok (Flags 2)
09:51:16:750 3252 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 264BD8
09:51:16:750 3252 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
09:51:16:750 3252 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
09:51:16:750 3252 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:51:16:750 3252 wfopen_ex: Trying to KLMD file open
09:51:16:750 3252 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
09:51:16:750 3252 wfopen_ex: File opened ok (Flags 2)
09:51:16:750 3252 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 264AE8
09:51:16:750 3252 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
09:51:16:750 3252 CreateRegParser: EnableWow64Redirection error
09:51:16:750 3252 CreateRegParser: RegParser init completed
09:51:16:796 3252 GetAdvancedServicesInfo: Raw services enum returned 398 services
09:51:16:812 3252 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
09:51:16:812 3252 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
09:51:16:812 3252
09:51:16:812 3252 Scanning Kernel memory ...
09:51:16:812 3252 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
09:51:16:812 3252 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A32E0C0
09:51:16:812 3252 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
09:51:16:812 3252
09:51:16:812 3252 DetectCureTDL3: DEVICE_OBJECT: 8A2CBC68
09:51:16:812 3252 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A2CBC68
09:51:16:812 3252 KLMD_ReadMem: Trying to ReadMemory 0x8A2CBC68[0x38]
09:51:16:812 3252 DetectCureTDL3: DRIVER_OBJECT: 8A32E0C0
09:51:16:812 3252 KLMD_ReadMem: Trying to ReadMemory 0x8A32E0C0[0xA8]
09:51:16:812 3252 KLMD_ReadMem: Trying to ReadMemory 0xE10038C0[0x18]
09:51:16:812 3252 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
09:51:16:812 3252 DetectCureTDL3: IrpHandler (0) addr: F754DBB0
09:51:16:812 3252 DetectCureTDL3: IrpHandler (1) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (2) addr: F754DBB0
09:51:16:812 3252 DetectCureTDL3: IrpHandler (3) addr: F7547D1F
09:51:16:812 3252 DetectCureTDL3: IrpHandler (4) addr: F7547D1F
09:51:16:812 3252 DetectCureTDL3: IrpHandler (5) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (6) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (7) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (8) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (9) addr: F75482E2
09:51:16:812 3252 DetectCureTDL3: IrpHandler (10) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (11) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (12) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (13) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (14) addr: F75483BB
09:51:16:812 3252 DetectCureTDL3: IrpHandler (15) addr: F754BF28
09:51:16:812 3252 DetectCureTDL3: IrpHandler (16) addr: F75482E2
09:51:16:812 3252 DetectCureTDL3: IrpHandler (17) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (18) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (19) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (20) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (21) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (22) addr: F7549C82
09:51:16:812 3252 DetectCureTDL3: IrpHandler (23) addr: F754E99E
09:51:16:812 3252 DetectCureTDL3: IrpHandler (24) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (25) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (26) addr: 804F4562
09:51:16:812 3252 TDL3_FileDetect: Processing driver: Disk
09:51:16:812 3252 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
09:51:16:812 3252 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
09:51:16:828 3252 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
09:51:16:828 3252
09:51:16:828 3252 DetectCureTDL3: DEVICE_OBJECT: 8A2CB030
09:51:16:828 3252 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A2CB030
09:51:16:828 3252 KLMD_ReadMem: Trying to ReadMemory 0x8A2CB030[0x38]
09:51:16:828 3252 DetectCureTDL3: DRIVER_OBJECT: 8A32E0C0
09:51:16:828 3252 KLMD_ReadMem: Trying to ReadMemory 0x8A32E0C0[0xA8]
09:51:16:828 3252 KLMD_ReadMem: Trying to ReadMemory 0xE10038C0[0x18]
09:51:16:828 3252 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
09:51:16:828 3252 DetectCureTDL3: IrpHandler (0) addr: F754DBB0
09:51:16:828 3252 DetectCureTDL3: IrpHandler (1) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (2) addr: F754DBB0
09:51:16:828 3252 DetectCureTDL3: IrpHandler (3) addr: F7547D1F
09:51:16:828 3252 DetectCureTDL3: IrpHandler (4) addr: F7547D1F
09:51:16:828 3252 DetectCureTDL3: IrpHandler (5) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (6) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (7) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (8) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (9) addr: F75482E2
09:51:16:828 3252 DetectCureTDL3: IrpHandler (10) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (11) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (12) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (13) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (14) addr: F75483BB
09:51:16:828 3252 DetectCureTDL3: IrpHandler (15) addr: F754BF28
09:51:16:828 3252 DetectCureTDL3: IrpHandler (16) addr: F75482E2
09:51:16:828 3252 DetectCureTDL3: IrpHandler (17) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (18) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (19) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (20) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (21) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (22) addr: F7549C82
09:51:16:828 3252 DetectCureTDL3: IrpHandler (23) addr: F754E99E
09:51:16:828 3252 DetectCureTDL3: IrpHandler (24) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (25) addr: 804F4562
09:51:16:828 3252 DetectCureTDL3: IrpHandler (26) addr: 804F4562
09:51:16:828 3252 TDL3_FileDetect: Processing driver: Disk
09:51:16:828 3252 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
09:51:16:828 3252 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
09:51:16:828 3252 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
09:51:16:828 3252
09:51:16:828 3252 DetectCureTDL3: DEVICE_OBJECT: 8A304690
09:51:16:828 3252 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A304690
09:51:16:828 3252 DetectCureTDL3: DEVICE_OBJECT: 8A304BF8
09:51:16:828 3252 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A304BF8
09:51:16:828 3252 DetectCureTDL3: DEVICE_OBJECT: 8A307210
09:51:16:828 3252 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A307210
09:51:16:828 3252 DetectCureTDL3: DEVICE_OBJECT: 8A394028
09:51:16:828 3252 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A394028
09:51:16:828 3252 KLMD_ReadMem: Trying to ReadMemory 0x8A394028[0x38]
09:51:16:828 3252 DetectCureTDL3: DRIVER_OBJECT: 898E5A40
09:51:16:828 3252 KLMD_ReadMem: Trying to ReadMemory 0x898E5A40[0xA8]
09:51:16:828 3252 KLMD_ReadMem: Trying to ReadMemory 0x8A396030[0x38]
09:51:16:828 3252 KLMD_ReadMem: Trying to ReadMemory 0x8A307998[0xA8]
09:51:16:828 3252 KLMD_ReadMem: Trying to ReadMemory 0xE1015290[0x1C]
09:51:16:828 3252 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iastor, Driver Name: iastor
09:51:16:828 3252 DetectCureTDL3: IrpHandler (0) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (1) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (2) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (3) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (4) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (5) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (6) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (7) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (8) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (9) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (10) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (11) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (12) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (13) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (14) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (15) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (16) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (17) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (18) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (19) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (20) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (21) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (22) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (23) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (24) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (25) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (26) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: All IRP handlers pointed to one addr: 8A213841
09:51:16:828 3252 KLMD_ReadMem: Trying to ReadMemory 0x8A213841[0x400]
09:51:16:828 3252 TDL3_IrpHookDetect: TDL3 is already cured
09:51:16:828 3252 KLMD_ReadMem: Trying to ReadMemory 0x8A2136EC[0x400]
09:51:16:828 3252 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 0
09:51:16:828 3252 TDL3_FileDetect: Processing driver: iastor
09:51:16:828 3252 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk16.tmp
09:51:16:828 3252 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk16.tmp
09:51:16:843 3252 TDL3_FileDetect: C:\WINDOWS\system32\drivers\tsk16.tmp - Verdict: Clean
09:51:16:843 3252
09:51:16:843 3252 Completed
09:51:16:843 3252
09:51:16:843 3252 Results:
09:51:16:843 3252 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
09:51:16:843 3252 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:51:16:843 3252 File objects infected / cured / cured on reboot: 0 / 0 / 0
09:51:16:843 3252
09:51:16:843 3252 UnloadDriverW: NtUnloadDriver error 1
09:51:16:843 3252 KLMD_Unload: UnloadDriverW(klmd21) error 1
09:51:16:843 3252 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
09:51:16:843 3252 UtilityDeinit: KLMD(ARK) unloaded successfully
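The log above shows the two facts a responder reads off a TDSSKiller kernel scan: whether every IRP handler of a driver object resolves to a single address (the tool's own TDL3 IRP-hook indicator) and which file backs the driver object (here \Driver\iastor backed by drivers\tsk16.tmp). As an added example, not part of this thread and not TDSSKiller's code, the following Python parser pulls those facts out of a log in this format and flags the records worth a closer look; the sample log is constructed from the format and values seen above.

```python
import re
from typing import Dict, List

# Constructed sample in the TDSSKiller 2.2.2 log format seen in the thread
# (three IRP handlers per driver instead of the real 27, to keep it short).
SAMPLE_LOG = r"""
09:51:16:812 3252 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
09:51:16:812 3252 DetectCureTDL3: IrpHandler (0) addr: F754DBB0
09:51:16:812 3252 DetectCureTDL3: IrpHandler (1) addr: 804F4562
09:51:16:812 3252 DetectCureTDL3: IrpHandler (2) addr: F754DBB0
09:51:16:812 3252 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
09:51:16:812 3252 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
09:51:16:828 3252 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iastor, Driver Name: iastor
09:51:16:828 3252 DetectCureTDL3: IrpHandler (0) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (1) addr: 8A213841
09:51:16:828 3252 DetectCureTDL3: IrpHandler (2) addr: 8A213841
09:51:16:828 3252 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk16.tmp
09:51:16:828 3252 TDL3_FileDetect: C:\WINDOWS\system32\drivers\tsk16.tmp - Verdict: Clean
"""

# Every line starts with "hh:mm:ss:ms pid"; the rest is the message.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(?P<msg>.*)$")
DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: \S+, Driver Name: (?P<name>\S+)")
IRP_RE = re.compile(r"DetectCureTDL3: IrpHandler \((?P<idx>\d+)\) addr: (?P<addr>[0-9A-Fa-f]+)")
FILE_RE = re.compile(r"TDL3_FileDetect: Processing driver file: (?P<path>.+)$")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (?P<path>.+) - Verdict: (?P<verdict>\S+)$")


def parse_tdsskiller_log(text: str) -> Dict[str, dict]:
    """Group the per-driver facts printed during the 'Scanning Kernel memory' phase."""
    drivers: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (d := DRIVER_RE.search(msg)):
            # The same driver may be listed once per device object; keep the latest record.
            current = drivers[d.group("name")] = {"handlers": [], "file": None, "verdict": None}
        elif current is None:
            continue
        elif (h := IRP_RE.search(msg)):
            current["handlers"].append(int(h.group("addr"), 16))
        elif (f := FILE_RE.search(msg)):
            current["file"] = f.group("path")
        elif (v := VERDICT_RE.search(msg)):
            current["verdict"] = v.group("verdict")
    return drivers


def review_driver(rec: dict) -> List[str]:
    """Triage heuristics: each finding is a reason to look closer, not a verdict on its own."""
    findings: List[str] = []
    handlers = rec["handlers"]
    if len(handlers) >= 2 and len(set(handlers)) == 1:
        findings.append(f"all {len(handlers)} IRP handlers point to one address "
                        f"{handlers[0]:08X} (TDSSKiller's TDL3 IRP-hook indicator)")
    path = rec["file"] or ""
    if path and not path.lower().endswith(".sys"):
        findings.append(f"driver object backed by a non-.sys image: {path}")
    if rec["verdict"] and rec["verdict"] != "Clean":
        findings.append(f"file verdict: {rec['verdict']}")
    return findings


def review_log(text: str) -> Dict[str, List[str]]:
    """Map each driver name to its list of findings (empty list means nothing stood out)."""
    return {name: review_driver(rec) for name, rec in parse_tdsskiller_log(text).items()}
```

Run against the thread's full log the same code reports iastor twice over (hooked dispatch table, .tmp image) while Disk comes back empty, which is the state TDSSKiller summarised as "TDL3 is already cured" with a Clean file verdict.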


#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:14 PM

Posted 23 January 2010 - 01:57 PM

Hi,

please reboot once or twice and check if you are still getting redirected afterwards.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#13 davidbj

davidbj
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:14 AM

Posted 23 January 2010 - 03:15 PM

Hi myrti,
AWESOME!! So far so good (no more redirects)!!

I know you said we can't be 100% sure of a clean system, but is there anything specific you think I should look for as signs of more trouble (besides more redirects of course)?

Thanks so much for your help!!

#14 davidbj

davidbj
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:14 AM

Posted 23 January 2010 - 05:51 PM

Hi myrti,
One other thing, I am still getting the two 'RUN DLL' error windows that pop up after boot-up, one indicates 'Error Loading c:\windows\iricuraqilaq.dll' and the other 'Error Loading dwtt.mro'. I have been getting these errors for the past few weeks, during my infection. Is that something to still be concerned about? As for re-directs - so far so good - still no problems there! I rebooted again, and the re-directs have yet to recur.
Thanks!

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:14 PM

Posted 23 January 2010 - 07:25 PM

Hi,

please provide a new OTL log; these messages should not appear and are a leftover of the previous infection.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 
