Browser Keeps Re-routing. I think it is Win32/Alureon


This topic is locked
16 replies to this topic

#1 80Coug

80Coug

  • Members
  • 9 posts

Posted 30 January 2010 - 08:28 PM

Hello,

My browser keeps rerouting when I click on links. Also, my antivirus program keeps telling me I am infected with Win32/Alureon. I use the program to remove it, but it keeps coming back. I've tried multiple programs and a system restore, to no avail. I would appreciate any help!

DDS Report:


DDS (Ver_09-12-01.01) - NTFSx86
Run by at 19:42:26.43 on Sat 01/30/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.1995 [GMT -5:00]

AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

============== Running Processes ===============

C:\WINDOWS\system32\DTS.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\AtService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe
C:\Program Files\Equitrac\Professional\Client\EQSharedEngine.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
C:\Program Files\AT&T Global Network Client\NetClientSvc.exe
C:\Program Files\AT&T Global Network Client\NetLogSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\eCopy\Desktop 9.2\Bin\eDP2eD.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Program Files\Symantec\Backup Exec\DLO\DLOClientu.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\LexisNexis\Cost Recovery Manager\LNCRMD.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\edit\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: LexisNexis.CostRM.Client.CRMLoader: {24c526e6-afc1-4267-89ad-7a0e35d67625} - mscoree.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: CRMBarControl: {daa6c242-b7cb-39d4-b70b-d7d393b30720} - mscoree.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: LexisNexis Cost Recovery Manager: {f9637618-70e8-4631-b48f-c190f95d6085} - mscoree.dll
TB: CRMBarControl: {daa6c242-b7cb-39d4-b70b-d7d393b30720} - mscoree.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [RightFAX Print-to-Fax Driver] c:\program files\rightfax\\FaxCtrl.exe
mRun: [eCopy Scan Inbox Monitor] "c:\program files\ecopy\desktop 9.2\bin\InboxMonitor.exe" -run
mRun: [eDP2eD] "c:\program files\ecopy\desktop 9.2\bin\eDP2eD.exe"
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft firewall client 2004\FwcMgmt.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\symantec\backup exec\dlo\DLOClientu.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: c:\program files\microsoft firewall client 2004\FwcWsp.dll
Trusted Zone: adiclient.com
Trusted Zone: alsrc01
Trusted Zone: alsrc01dev
Trusted Zone: cch.com
Trusted Zone: lasrc01
Trusted Zone: lasrc01dev
Trusted Zone: lexis-nexis.com
Trusted Zone: lexis.com
Trusted Zone: lexisnexis.com
Trusted Zone: lexisone.com
Trusted Zone: livedgar.com
Trusted Zone: martindale.com
Trusted Zone: mealeysonline.com
Trusted Zone: nexis.com
Trusted Zone: reed-elsevier.com
Trusted Zone: teams
DPF: {3F777025-3835-4117-B9FA-5E5230669310} - hxxp://www.encorediscovery.com/FYI/dataflight_fyi.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247603830046
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1247603860531
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {9E472D58-F10C-11CF-B7A9-0020AFD6A362} - hxxps://vault.netvoyage.com/neWeb2/neWebCl.cab
DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} - hxxps://g63.hostedeet.com/WFC/plugins/j2re-1_4_2_12-windows-i586-p.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: ACNotify - ACNotify.dll
Notify: ATFUS - c:\windows\system32\FpWinLogonNp.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
AppInit_DLLs: EQDtpSp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli ACGina
mASetup: >>Workshare Protect Client - c:\program files\workshare\modules\Workshare.Protect.UserInit.exe

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 19:43:24.96 ===============

Attached Files


Edited by Buckeye_Sam, 02 February 2010 - 07:50 AM.
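The DDS report above ends with "multiple HOSTS entries found", but the Attach.txt that lists them is not on this page. A hijacked hosts file is one of the simplest ways to produce exactly the two symptoms in the first post (links landing somewhere else, and a security product that cannot stay updated), so the check below is what a practitioner would run on that file before anything else. It is an added example, not code from the thread, from DDS or from any tool named in it; the sample hosts content and the list of domains that must stay reachable are constructed.

```python
"""Triage a Windows hosts file for entries that redirect or sinkhole domains.

Added example (not from the thread, DDS or any tool it names). The sample
hosts content and the "must resolve" domain list are constructed.
"""
import ipaddress

# Addresses that make a name resolve to nothing useful ("sinkhole" entries).
SINK_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed list of domains a clean machine must be able to reach; a
# sinkhole entry for any of these is a block, not an ad filter.
MUST_RESOLVE = ("microsoft.com", "windowsupdate.com", "malwarebytes.org",
                "webroot.com")

# Constructed hosts file content for the demonstration.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- constructed entries below ---
203.0.113.9     www.google.com          # search engine sent elsewhere
203.0.113.9     search.yahoo.com
127.0.0.1       update.microsoft.com    # updates quietly broken
127.0.0.1       www.malwarebytes.org
0.0.0.0         ads.example.net         # ordinary ad-block entry, not a finding
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for each mapping, skipping comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a full triage would report it too
        for host in fields[1:]:
            yield str(ip), host.lower(), lineno


def triage_hosts(text, must_resolve=MUST_RESOLVE):
    """Return [(kind, host, ip, line)] with kind 'redirect' or 'block'.

    redirect: a hostname mapped to a routable address, so the browser lands
              on a server someone else chose no matter what the user typed.
    block:    a domain from must_resolve mapped to a sinkhole address, which
              is how updates and AV downloads get silently cut off.
    """
    findings = []
    for ip, host, lineno in parse_hosts(text):
        if host == "localhost" and ip in SINK_ADDRESSES:
            continue  # the one mapping Windows ships with
        if ip not in SINK_ADDRESSES:
            findings.append(("redirect", host, ip, lineno))
        elif any(host == d or host.endswith("." + d) for d in must_resolve):
            findings.append(("block", host, ip, lineno))
    return findings


if __name__ == "__main__":
    for kind, host, ip, lineno in triage_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind:8s} {host} -> {ip}")
```

Two caveats before acting on the output. Hosts-based ad blockers add hundreds of loopback entries, which is why only sinkholes for domains that must resolve are reported. And this is a domain-joined laptop (the Trusted Zone list in the DDS log names internal servers such as alsrc01), so a non-loopback entry pointing at an internal address may be a legitimate mapping pushed by the company; check where the address leads before deleting it.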



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 January 2010 - 05:12 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT



  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.

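The custom scan above is not a generic directory listing: the names between /md5start and /md5stop are the storage and logon drivers that the TDL3 generation of Alureon patched in place. The infected driver (atapi.sys was the usual victim, iaStor.sys on Intel RAID/AHCI systems) keeps its name, size and timestamp, so nothing short of hashing the bytes shows the change, and the rootkit restores itself on the next boot after a user-mode cleaner deletes what it can see, which matches the "it keeps coming back" in the first post. The script below is an added example, not code from the thread, from OTL or from DDS: it parses that directive, hashes the named files the way OTL does, and diffs them against a known-good baseline. The driver contents, baseline and "infection" are constructed so it runs anywhere; on a real machine check_drivers() would be pointed at %SystemRoot%\system32\drivers with a baseline taken from a clean install of the same service pack.

```python
"""Re-implement OTL's /md5start ... /md5stop check offline and diff it
against a known-good baseline.

Added example; not code from the thread, from OTL or from DDS. The file list
is the one in the custom scan above. The driver contents, the baseline and
the "infection" are constructed here so the script runs anywhere.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile

OTL_DIRECTIVE = """\
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
/md5stop
"""


def parse_md5_list(directive: str) -> list[str]:
    """Return the file names between /md5start and /md5stop, in order."""
    names, inside = [], False
    for line in directive.splitlines():
        token = line.strip()
        if token.lower() == "/md5start":
            inside = True
        elif token.lower() == "/md5stop":
            inside = False
        elif inside and token:
            names.append(token)
    return names


def md5_of(path: str) -> str:
    """MD5 hex digest of a file, read in chunks (MD5 because that is what OTL emits)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_drivers(root: str, names: list[str], baseline: dict[str, str]) -> dict[str, str]:
    """Map each name to 'ok', 'MISMATCH', 'missing' or 'no-baseline'.

    baseline keys are lower-case file names. A mismatch means the bytes differ
    from the known-good copy, whatever the size or timestamp say.
    """
    verdicts = {}
    for name in names:
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            verdicts[name] = "missing"
            continue
        expected = baseline.get(name.lower())
        if expected is None:
            verdicts[name] = "no-baseline"
        elif md5_of(path) == expected:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


def demo() -> dict[str, str]:
    """Constructed scenario: clean drivers, then atapi.sys patched in place."""
    root = tempfile.mkdtemp()
    try:
        clean = {  # stand-ins for real driver images (constructed bytes)
            "atapi.sys": b"MZ" + bytes(4094),
            "iaStor.sys": b"MZ" + b"\x01" * 2046,
        }
        for name, data in clean.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = {n.lower(): md5_of(os.path.join(root, n)) for n in clean}

        # Overwrite a few bytes inside atapi.sys without changing its length:
        # the directory listing looks untouched, only the hash moves.
        target = os.path.join(root, "atapi.sys")
        size_before = os.path.getsize(target)
        with open(target, "r+b") as fh:
            fh.seek(1024)
            fh.write(b"\xe9\x00\x10\x00\x00")  # constructed 5-byte patch
        assert os.path.getsize(target) == size_before

        return check_drivers(root, parse_md5_list(OTL_DIRECTIVE), baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in demo().items():
        if verdict != "missing":
            print(f"{name:14s} {verdict}")
```

One caveat a practitioner should keep in mind: a rootkit that filters disk I/O can hand clean bytes back to a user-mode hasher while the on-disk driver stays patched, so a mismatch is conclusive but a match from inside the running system is not. The same hash comparison run from offline boot media (or against a copy of the file taken while the disk is mounted elsewhere) is the version to trust.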

#3 80Coug

80Coug
  • Topic Starter

  • Members
  • 9 posts

Posted 31 January 2010 - 05:26 PM

Thank you, Sam for your quick response and offer to help. I'll get right on this.


#4 80Coug

80Coug
  • Topic Starter

  • Members
  • 9 posts

Posted 31 January 2010 - 10:11 PM

Hi Sam,

The browser is still re-routing, though not as often. I installed Webroot software, which seemed to help. Here are the logs:

OTL:

OTL logfile created on: 1/31/2010 9:34:33 PM - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\edit\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 67.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 203.27 Gb Free Space | 87.28% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name:
Current User Name:
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/31 21:33:10 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\edit\Desktop\OTL.exe
PRC - [2010/01/31 02:40:18 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
PRC - [2009/11/06 15:19:58 | 006,515,784 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
PRC - [2009/11/06 12:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
PRC - [2009/11/06 12:00:22 | 000,165,232 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SSU.exe
PRC - [2009/09/18 04:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2009/08/28 20:42:54 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/08/20 10:38:30 | 000,062,752 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
PRC - [2009/08/04 05:32:00 | 000,062,240 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
PRC - [2009/07/15 11:18:02 | 000,062,320 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
PRC - [2009/06/29 03:35:10 | 000,634,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/06/03 19:29:46 | 001,033,600 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
PRC - [2009/06/03 19:26:50 | 000,016,880 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
PRC - [2009/05/22 11:08:58 | 007,177,592 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Backup Exec\DLO\DLOClientu.exe
PRC - [2009/05/22 09:43:54 | 000,472,440 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe
PRC - [2009/05/21 21:48:38 | 000,128,368 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
PRC - [2009/05/05 12:57:16 | 000,068,888 | ---- | M] (AT&T) -- C:\Program Files\AT&T Global Network Client\NetLogSvc.exe
PRC - [2009/05/05 12:57:14 | 000,437,528 | ---- | M] (AT&T) -- C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
PRC - [2009/05/05 12:57:10 | 000,336,152 | ---- | M] (AT&T) -- C:\Program Files\AT&T Global Network Client\NetClientSvc.exe
PRC - [2009/04/17 15:23:28 | 000,163,840 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
PRC - [2009/04/17 15:22:12 | 000,217,088 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
PRC - [2009/04/17 15:22:06 | 000,098,304 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
PRC - [2009/04/17 15:20:14 | 000,425,984 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
PRC - [2009/04/17 15:17:40 | 001,349,912 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2009/04/17 15:15:02 | 000,172,032 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
PRC - [2009/04/16 14:41:28 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
PRC - [2009/03/19 20:08:44 | 000,038,176 | ---- | M] (Lenovo) -- C:\WINDOWS\system32\ibmpmsvc.exe
PRC - [2009/03/19 04:53:02 | 000,098,304 | ---- | M] () -- C:\WINDOWS\system32\DTS.exe
PRC - [2009/03/19 04:48:34 | 001,680,632 | ---- | M] (AuthenTec, Inc.) -- C:\WINDOWS\system32\AtService.exe
PRC - [2009/03/13 18:32:48 | 000,068,976 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
PRC - [2009/02/27 13:14:26 | 000,640,376 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2009/02/27 08:54:22 | 000,870,672 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2009/02/27 07:55:20 | 000,909,312 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2009/02/27 07:38:38 | 000,473,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2009/02/12 13:48:42 | 002,058,776 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
PRC - [2009/02/02 21:16:48 | 000,181,536 | ---- | M] (Lenovo.) -- C:\WINDOWS\system32\TpShocks.exe
PRC - [2009/02/02 19:04:10 | 000,067,432 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
PRC - [2009/01/29 04:10:00 | 000,185,688 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
PRC - [2009/01/29 04:10:00 | 000,124,248 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE
PRC - [2009/01/28 18:59:12 | 000,039,976 | ---- | M] (Lenovo.) -- C:\WINDOWS\system32\TPHDEXLG.exe
PRC - [2009/01/09 13:36:12 | 000,083,248 | ---- | M] (LexisNexis) -- C:\Program Files\LexisNexis\Cost Recovery Manager\LNCRMD.exe
PRC - [2008/12/12 12:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/10/30 17:38:32 | 000,150,040 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2008/10/30 17:38:28 | 000,256,536 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2008/10/30 17:38:26 | 000,150,040 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2008/10/30 17:38:18 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2008/10/08 04:38:00 | 000,256,576 | ---- | M] (Lenovo Group Ltd.) -- C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
PRC - [2008/10/06 12:14:18 | 000,118,784 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2008/10/06 12:06:48 | 001,323,008 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2008/07/25 17:22:46 | 001,712,128 | ---- | M] (Equitrac) -- C:\Program Files\Equitrac\Professional\Client\EQSharedEngine.exe
PRC - [2008/05/29 18:10:48 | 000,174,616 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2008/05/26 23:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/29 19:28:22 | 000,144,648 | ---- | M] (eCopy, Inc.) -- C:\Program Files\eCopy\Desktop 9.2\Bin\eDP2eD.exe
PRC - [2007/04/06 05:12:48 | 000,073,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
PRC - [2007/01/04 20:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/12/09 20:04:10 | 000,128,832 | ---- | M] (Microsoft ® Corporation) -- C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
PRC - [2006/12/09 20:04:10 | 000,117,568 | ---- | M] (Microsoft ® Corporation) -- C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
PRC - [2006/11/03 18:02:14 | 000,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2005/07/21 12:14:58 | 000,134,656 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
PRC - [2004/05/20 04:34:50 | 000,110,592 | ---- | M] (Captaris, Inc.) -- C:\Program Files\RightFax\FaxCtrl.exe


========== Modules (SafeList) ==========

MOD - [2010/01/31 21:33:10 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\edited\Desktop\OTL.exe
MOD - [2008/07/25 17:29:08 | 000,524,288 | ---- | M] (Equitrac) -- C:\WINDOWS\system32\EQDtpHook.dll
MOD - [2008/07/25 17:27:00 | 000,061,440 | ---- | M] (Equitrac) -- C:\WINDOWS\system32\EQDtpSp.dll
MOD - [2008/07/25 16:04:14 | 000,004,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\detoured_EQ.dll
MOD - [2008/04/14 07:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\vdmdbg.dll
MOD - [2008/03/13 19:46:24 | 000,079,224 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\HKVOLKEY.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SessionLauncher)
SRV - [2010/01/31 02:40:18 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) [Auto | Running] -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe -- (WRConsumerService)
SRV - [2009/11/06 12:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe -- (WebrootSpySweeperService)
SRV - [2009/09/21 17:36:02 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/09/18 04:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2009/09/18 04:00:00 | 000,246,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)
SRV - [2009/08/28 20:42:54 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/07/15 13:18:36 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/07/15 11:18:02 | 000,062,320 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
SRV - [2009/07/03 19:47:10 | 000,045,424 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE)
SRV - [2009/06/19 18:54:24 | 000,036,864 | ---- | M] (Workshare) [Disabled | Stopped] -- C:\Program Files\Workshare\Modules\Workshare.Protect.Svc.exe -- (Workshare Protect Service)
SRV - [2009/06/03 19:26:50 | 000,016,880 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe -- (FCSAM)
SRV - [2009/05/22 09:43:54 | 000,472,440 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe -- (DLOChangeJournalSvc)
SRV - [2009/05/05 12:57:16 | 000,068,888 | ---- | M] (AT&T) [Auto | Running] -- C:\Program Files\AT&T Global Network Client\NetLogSvc.exe -- (NetLogSvc)
SRV - [2009/05/05 12:57:14 | 000,437,528 | ---- | M] (AT&T) [Auto | Running] -- C:\Program Files\AT&T Global Network Client\netcfgsvr.exe -- (netcfgsvr)
SRV - [2009/05/05 12:57:10 | 000,336,152 | ---- | M] (AT&T) [Auto | Running] -- C:\Program Files\AT&T Global Network Client\NetClientSvc.exe -- (NetClientSvc)
SRV - [2009/04/17 15:22:12 | 000,217,088 | ---- | M] (Lenovo ) [Auto | Running] -- C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe -- (AcSvc)
SRV - [2009/04/17 15:22:06 | 000,098,304 | ---- | M] (Lenovo ) [Auto | Running] -- C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -- (AcPrfMgrSvc)
SRV - [2009/04/17 15:17:40 | 001,349,912 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2009/04/16 14:41:28 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe -- (Power Manager DBC Service)
SRV - [2009/03/19 20:08:44 | 000,038,176 | ---- | M] (Lenovo) [Auto | Running] -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2009/03/19 04:55:36 | 000,118,784 | ---- | M] (AuthenTec,Inc) [On_Demand | Stopped] -- C:\WINDOWS\system32\FpLogonServ.exe -- (FingerprintServer)
SRV - [2009/03/19 04:53:02 | 000,098,304 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\DTS.exe -- (dtsvc)
SRV - [2009/03/19 04:52:56 | 000,106,496 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\ADMonitor.exe -- (ADMonitor)
SRV - [2009/03/19 04:48:34 | 001,680,632 | ---- | M] (AuthenTec, Inc.) [Auto | Running] -- C:\WINDOWS\system32\AtService.exe -- (ATService)
SRV - [2009/02/27 08:54:22 | 000,870,672 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2009/02/27 07:55:20 | 000,909,312 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2009/02/27 07:38:38 | 000,473,360 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2009/02/12 13:48:42 | 002,058,776 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS) Intel®
SRV - [2009/01/28 18:59:12 | 000,039,976 | ---- | M] (Lenovo.) [Auto | Running] -- C:\WINDOWS\system32\TPHDEXLG.exe -- (TPHDEXLGSVC)
SRV - [2008/12/12 12:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/04 02:06:28 | 000,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/07/25 17:22:46 | 001,712,128 | ---- | M] (Equitrac) [Auto | Running] -- C:\Program Files\Equitrac\Professional\Client\EQSharedEngine.exe -- (EQSharedEngine)
SRV - [2008/06/30 16:36:35 | 003,093,872 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/05/29 18:10:48 | 000,174,616 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel®
SRV - [2008/04/25 09:15:24 | 001,120,752 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2008/03/24 08:35:22 | 000,074,384 | R--- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2007/04/06 05:12:48 | 000,073,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe -- (FcsSas)
SRV - [2007/01/04 20:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/12/09 20:04:10 | 000,128,832 | ---- | M] (Microsoft ® Corporation) [Auto | Running] -- C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe -- (FwcAgent)
SRV - [2006/10/26 15:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2005/11/14 02:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/07/21 12:14:58 | 000,134,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe -- (MOM)
SRV - [2005/04/27 15:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1078081533-515967899-725345543-71352\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://net/
IE - HKU\S-1-5-21-1078081533-515967899-725345543-71352\S-1-5-21-1078081533-515967899-725345543-71352\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1078081533-515967899-725345543-71352\S-1-5-21-1078081533-515967899-725345543-71352\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1078081533-515967899-725345543-71352\S-1-5-21-1078081533-515967899-725345543-71352\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" =

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7


[2010/01/30 17:18:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\edit\Application Data\Mozilla\Firefox\Profiles\6zdh7iwy.default\extensions

O1 HOSTS File: ([2010/01/31 02:44:16 | 000,000,925 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10.120.200.51 haucprs1.
O1 - Hosts: 10.120.200.51 haucprs1
O1 - Hosts: 10.128.200.51 alucprs1.
O1 - Hosts: 10.128.200.51 alucprs1
O1 - Hosts: 10.144.200.51 luucprs1.
O1 - Hosts: 10.144.200.51 luucprs1
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1078081533-515967899-725345543-71352\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe (Lenovo )
O4 - HKLM..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe (Lenovo )
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [eCopy Scan Inbox Monitor] c:\Program Files\eCopy\Desktop 9.2\Bin\InboxMonitor.exe (eCopy, Inc.)
O4 - HKLM..\Run: [eDP2eD] c:\Program Files\eCopy\Desktop 9.2\Bin\eDP2eD.exe (eCopy, Inc.)
O4 - HKLM..\Run: [EZEJMNAP] C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE (Lenovo Group Ltd.)
O4 - HKLM..\Run: [FingerPrintSoftware] C:\Program Files\Lenovo Fingerprint Software\fpapp.exe (Authentec,Inc)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [LPMailChecker] C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [LPManager] C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [Microsoft Forefront Client Security Antimalware Service] c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe ()
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TpShocks] C:\WINDOWS\System32\TpShocks.exe (Lenovo.)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Firewall Client Management.lnk = C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe (Microsoft ® Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Backup Exec Desktop Agent.lnk = C:\Program Files\Symantec\Backup Exec\DLO\DLOClientu.exe (Symantec Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\New Windows present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1078081533-515967899-725345543-71352\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-21-1078081533-515967899-725345543-71352\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1078081533-515967899-725345543-71352\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1078081533-515967899-725345543-71352\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1
O7 - HKU\S-1-5-21-1078081533-515967899-725345543-71352\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKU\S-1-5-21-1078081533-515967899-725345543-71352\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKU\S-1-5-21-1078081533-515967899-725345543-71352\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-1078081533-515967899-725345543-71352\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1
O7 - HKU\S-1-5-21-1078081533-515967899-725345543-71352_Classes\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-21-1078081533-515967899-725345543-71352_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Microsoft Firewall Client 2004\FwcWsp.dll (Microsoft ® Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Microsoft Firewall Client 2004\FwcWsp.dll (Microsoft ® Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Microsoft Firewall Client 2004\FwcWsp.dll (Microsoft ® Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Microsoft Firewall Client 2004\FwcWsp.dll (Microsoft ® Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Microsoft Firewall Client 2004\FwcWsp.dll (Microsoft ® Corporation)
O16 - DPF: {3F777025-3835-4117-B9FA-5E5230669310} http://www.encorediscovery.com/FYI/dataflight_fyi.cab (Dataflight FYI Reviewer Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1247603830046 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1247603860531 (MUWebControl Class)
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} http://picture.vzw.com/activex/VerizonWire...loadControl.cab (Verizon Wireless Media Upload)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_12)
O16 - DPF: {9E472D58-F10C-11CF-B7A9-0020AFD6A362} https://vault.netvoyage.com/neWeb2/neWebCl.cab (NeRemoteDoc Class)
O16 - DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} https://g63.hostedeet.com/WFC/plugins/j2re-...dows-i586-p.exe (Java Plug-in 1.4.2_12)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (EQDtpSp.dll) - C:\WINDOWS\System32\EQDtpSp.dll (Equitrac)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (XPNewLogo1.dll) - C:\WINDOWS\System32\XPNewLogo1.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ACNotify: DllName - ACNotify.dll - C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll (Lenovo )
O20 - Winlogon\Notify\ATFUS: DllName - C:\WINDOWS\system32\FpWinLogonNp.dll - C:\WINDOWS\system32\FpWinlogonNp.dll (AuthenTec,Inc)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\tpfnf2: DllName - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll ()
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/14 15:13:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/07/14 08:57:48 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (71779512085381120)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/31 21:33:02 | 000,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\edited\Desktop\OTL.exe
[2010/01/31 02:39:58 | 000,000,000 | ---D | C] -- C:\Program Files\MSSOAP
[2010/01/31 00:06:59 | 001,563,008 | ---- | C] (Webroot Software, Inc.) -- C:\WINDOWS\WRSetup.dll
[2010/01/31 00:06:58 | 000,000,000 | ---D | C] -- C:\Program Files\Webroot
[2010/01/31 00:06:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Webroot
[2010/01/31 00:06:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\edited\Application Data\Webroot
[2010/01/30 19:47:14 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\edited\Desktop\RootRepeal.exe
[2010/01/30 19:07:25 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/01/30 17:27:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/30 17:27:35 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/30 17:17:40 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/01/30 15:11:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\edit\Application Data\Malwarebytes
[2010/01/30 15:10:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/30 15:10:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/28 08:38:37 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/01/28 08:38:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/01/27 15:48:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\edit\Desktop\New Folder (2)
[2010/01/26 17:41:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/01/26 11:31:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\edit\My Documents\Downloads
[2010/01/26 08:22:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\edit\Local Settings\Application Data\Mozilla
[2010/01/26 08:22:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\edit\Application Data\Mozilla
[2010/01/26 08:22:40 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox(2)
[2010/01/25 07:38:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/01/22 12:23:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\edit\Desktop\Appeals Summaries
[2010/01/21 16:57:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\edit\Local Settings\Application Data\Cisco
[2010/01/21 16:57:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\edit\Application Data\Cisco
[2009/11/27 21:57:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2009/11/25 08:33:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/09/22 11:22:29 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/07/30 10:25:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\IsolatedStorage
[2009/07/14 16:08:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Intel
[2009/07/14 16:08:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Intel
[2009/07/14 15:16:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/07/14 15:16:41 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/07/14 15:16:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/01/31 21:33:10 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\edit\Desktop\OTL.exe
[2010/01/31 17:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/31 17:36:35 | 000,579,696 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/31 17:36:35 | 000,485,288 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/31 17:36:35 | 000,083,378 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/31 17:35:15 | 000,000,430 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Quick Scan.job
[2010/01/31 17:35:15 | 000,000,412 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Signature Update.job
[2010/01/31 17:35:15 | 000,000,406 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/31 17:35:00 | 000,000,463 | ---- | M] () -- C:\WINDOWS\smscfg.ini
[2010/01/31 17:34:49 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\DLOClientu.exe -
[2010/01/31 17:33:10 | 000,001,024 | ---- | M] () -- C:\.rnd
[2010/01/31 17:32:55 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/31 17:32:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/31 17:31:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/31 17:31:44 | 3179,307,008 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/31 17:30:44 | 004,980,736 | ---- | M] () -- C:\Documents and Settings\edit\ntuser.dat
[2010/01/31 17:30:42 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\edit\ntuser.ini
[2010/01/31 11:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/31 05:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/31 02:44:16 | 000,000,925 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2010/01/31 02:44:13 | 000,001,626 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_0F64D2981A03411CAEFBBF8D701CEC2D.job
[2010/01/31 02:40:16 | 000,001,669 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spy Sweeper.lnk
[2010/01/31 02:39:12 | 000,000,164 | ---- | M] () -- C:\WINDOWS\install.dat
[2010/01/31 00:32:47 | 000,001,292 | ---- | M] () -- C:\WINDOWS\firm.ini
[2010/01/31 00:32:41 | 000,326,405 | ---- | M] () -- C:\Documents and Settings\edit\My Documents\TrialPay.mht
[2010/01/31 00:32:16 | 000,000,765 | ---- | M] () -- C:\Documents and Settings\edit\TSCG.ini
[2010/01/31 00:31:51 | 000,141,312 | ---- | M] () -- C:\Documents and Settings\edit\Desktop\To DO.doc
[2010/01/31 00:29:07 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysD4876D04
[2010/01/31 00:18:47 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys0CD75CD5
[2010/01/31 00:08:36 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys5B8F245C
[2010/01/30 23:58:20 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys6D20BEB5
[2010/01/30 23:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/30 23:47:14 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysB0020224
[2010/01/30 23:46:38 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysC5D8CF64
[2010/01/30 23:39:17 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys5B3EE5F9
[2010/01/30 23:31:41 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysF67066AF
[2010/01/30 23:31:16 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysFBEA29A6
[2010/01/30 23:31:00 | 000,002,441 | ---- | M] () -- C:\Documents and Settings\edit\Desktop\HiJackThis.lnk
[2010/01/30 23:30:54 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysCC4D5C10
[2010/01/30 23:30:22 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys2C770FC7
[2010/01/30 23:20:10 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys9CB41C76
[2010/01/30 23:09:51 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys19DF20F1
[2010/01/30 23:09:14 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys13794353
[2010/01/30 23:07:31 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys488AB707
[2010/01/30 22:57:15 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys7B11EA3D
[2010/01/30 22:47:00 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys2E96B44E
[2010/01/30 22:36:49 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys45D4BEDE
[2010/01/30 22:26:38 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys932C75C7
[2010/01/30 22:16:17 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys9845C6CF
[2010/01/30 22:05:57 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysFCEFDA60
[2010/01/30 21:55:37 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys9A83472F
[2010/01/30 21:45:18 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysDA9431A7
[2010/01/30 21:39:30 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysEBF4F7B8
[2010/01/30 21:29:09 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysA53EE35F
[2010/01/30 21:18:58 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysE60EC6C7
[2010/01/30 21:18:31 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys8A22977D
[2010/01/30 21:17:50 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys8544F79D
[2010/01/30 21:17:23 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys3243A7D6
[2010/01/30 21:17:02 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys92BA877E
[2010/01/30 21:12:27 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys26280447
[2010/01/30 21:02:16 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysCD8D56CE
[2010/01/30 20:51:59 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys06795932
[2010/01/30 20:41:48 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysE032451A
[2010/01/30 20:31:37 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys8CF8155D
[2010/01/30 20:25:15 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysEFA47CA5
[2010/01/30 20:15:00 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysFF60D97E
[2010/01/30 20:13:58 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys8EEC32D7
[2010/01/30 20:03:47 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys40A74DC1
[2010/01/30 19:53:34 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys67BF8DAA
[2010/01/30 19:53:07 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysA6ED158E
[2010/01/30 19:48:04 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\edit\Desktop\settings.dat
[2010/01/30 19:47:17 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\edit\Desktop\RootRepeal.exe
[2010/01/30 19:42:44 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys9FD9E740
[2010/01/30 19:42:14 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sysD787746F
[2010/01/30 19:41:08 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\edit\Desktop\dds.scr
[2010/01/30 19:31:58 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys4A18EA96
[2010/01/30 19:21:41 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys0C24A54C
[2010/01/30 19:11:29 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys8E8B033E
[2010/01/30 19:01:16 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys5E80FEFE
[2010/01/30 19:00:52 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys57CC8B23
[2010/01/30 17:53:21 | 000,329,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys0950E54B
[2010/01/30 17:33:19 | 005,895,522 | -H-- | M] () -- C:\Documents and Settings\edit\Local Settings\Application Data\IconCache.db
[2010/01/30 17:27:40 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/30 17:22:23 | 000,002,329 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office Outlook 2007.lnk
[2010/01/30 15:23:26 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/01/29 17:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/28 09:03:48 | 2145,386,496 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2010/01/27 21:09:10 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/26 08:22:46 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/01/22 07:36:05 | 000,086,559 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/01/22 07:33:54 | 000,003,756 | RHS- | M] () -- C:\Documents and Settings\edit\ntuser.pol
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/31 17:34:49 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\DLOClientu.exe -
[2010/01/31 17:33:10 | 000,001,024 | ---- | C] () -- C:\.rnd
[2010/01/31 02:44:13 | 000,001,626 | ---- | C] () -- C:\WINDOWS\tasks\wrSpySweeper_0F64D2981A03411CAEFBBF8D701CEC2D.job
[2010/01/31 02:40:16 | 000,001,669 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spy Sweeper.lnk
[2010/01/31 00:32:36 | 000,326,405 | ---- | C] () -- C:\Documents and Settings\edit\My Documents\TrialPay.mht
[2010/01/31 00:29:07 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysD4876D04
[2010/01/31 00:18:47 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys0CD75CD5
[2010/01/31 00:08:36 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys5B8F245C
[2010/01/31 00:04:10 | 000,000,164 | ---- | C] () -- C:\WINDOWS\install.dat
[2010/01/30 23:58:20 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys6D20BEB5
[2010/01/30 23:47:14 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysB0020224
[2010/01/30 23:46:38 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysC5D8CF64
[2010/01/30 23:39:17 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys5B3EE5F9
[2010/01/30 23:31:41 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysF67066AF
[2010/01/30 23:31:16 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysFBEA29A6
[2010/01/30 23:30:54 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysCC4D5C10
[2010/01/30 23:30:22 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys2C770FC7
[2010/01/30 23:20:10 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys9CB41C76
[2010/01/30 23:09:51 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys19DF20F1
[2010/01/30 23:09:14 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys13794353
[2010/01/30 23:07:31 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys488AB707
[2010/01/30 22:57:15 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys7B11EA3D
[2010/01/30 22:47:00 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys2E96B44E
[2010/01/30 22:36:49 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys45D4BEDE
[2010/01/30 22:26:38 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys932C75C7
[2010/01/30 22:16:17 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys9845C6CF
[2010/01/30 22:05:57 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysFCEFDA60
[2010/01/30 21:55:37 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys9A83472F
[2010/01/30 21:45:18 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysDA9431A7
[2010/01/30 21:39:30 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysEBF4F7B8
[2010/01/30 21:29:09 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysA53EE35F
[2010/01/30 21:18:58 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysE60EC6C7
[2010/01/30 21:18:31 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys8A22977D
[2010/01/30 21:17:50 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys8544F79D
[2010/01/30 21:17:23 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys3243A7D6
[2010/01/30 21:17:02 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys92BA877E
[2010/01/30 21:12:27 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys26280447
[2010/01/30 21:02:16 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysCD8D56CE
[2010/01/30 20:51:59 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys06795932
[2010/01/30 20:41:48 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysE032451A
[2010/01/30 20:31:37 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys8CF8155D
[2010/01/30 20:25:15 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysEFA47CA5
[2010/01/30 20:15:00 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysFF60D97E
[2010/01/30 20:13:58 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys8EEC32D7
[2010/01/30 20:03:47 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys40A74DC1
[2010/01/30 19:53:34 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys67BF8DAA
[2010/01/30 19:53:07 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysA6ED158E
[2010/01/30 19:48:04 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\edit\Desktop\settings.dat
[2010/01/30 19:42:44 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys9FD9E740
[2010/01/30 19:42:14 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysD787746F
[2010/01/30 19:41:06 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\edit\Desktop\dds.scr
[2010/01/30 19:31:58 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys4A18EA96
[2010/01/30 19:21:41 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys0C24A54C
[2010/01/30 19:11:29 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys8E8B033E
[2010/01/30 19:07:26 | 000,002,441 | ---- | C] () -- C:\Documents and Settings\edit\Desktop\HiJackThis.lnk
[2010/01/30 19:01:16 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys5E80FEFE
[2010/01/30 19:00:52 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys57CC8B23
[2010/01/30 17:53:21 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys0950E54B
[2010/01/30 17:27:40 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/26 17:53:35 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/26 17:53:35 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/26 17:53:35 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/26 17:53:34 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/26 17:53:34 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/26 08:22:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/01/22 17:36:11 | 004,980,736 | ---- | C] () -- C:\Documents and Settings\edit\ntuser.dat
[2009/11/20 08:58:39 | 000,000,199 | ---- | C] () -- C:\Documents and Settings\edit\Application Data\wfcwin32.log
[2009/11/17 13:22:46 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v5002.dll
[2009/11/17 10:15:22 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/11/16 13:27:53 | 000,004,764 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
[2009/11/06 12:00:28 | 000,031,088 | ---- | C] () -- C:\WINDOWS\System32\wrLZMA.dll
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/15 13:53:25 | 000,149,504 | ---- | C] () -- C:\Program Files\UNWISE.EXE
[2009/07/15 13:22:35 | 000,962,830 | ---- | C] () -- C:\Program Files\Common Files\CiscoUnifiedVideoAdvantageInstall.log
[2009/07/15 13:21:25 | 014,581,728 | ---- | C] () -- C:\Program Files\Common Files\UnifiedClientInstall.log
[2009/07/15 12:44:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/07/14 16:46:23 | 000,000,463 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/07/14 16:27:59 | 001,892,896 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/07/14 16:27:45 | 000,004,224 | ---- | C] () -- C:\WINDOWS\System32\drivers\IBMBLDID.sys
[2009/07/14 16:22:52 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2009/07/14 16:22:02 | 000,004,608 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSMAPIP.SYS
[2009/07/14 16:20:51 | 000,009,343 | ---- | C] () -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS
[2009/07/14 16:16:51 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2009/07/14 16:16:51 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2009/07/14 16:16:51 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2009/07/14 16:16:51 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2009/07/14 16:16:50 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2009/07/14 16:16:50 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2009/07/09 16:35:10 | 000,000,017 | ---- | C] () -- C:\WINDOWS\cms.ini
[2009/06/18 14:06:36 | 000,001,292 | ---- | C] () -- C:\WINDOWS\firm.ini
[2009/05/05 12:42:40 | 000,192,490 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceManager.xml.rc4
[2008/01/04 16:13:58 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\DEVMAN.DLL
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/07/18 12:20:12 | 000,002,544 | ---- | C] () -- C:\WINDOWS\nrt.ini
[2007/03/14 15:46:56 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\Odma32.dll
[2005/07/21 12:01:04 | 000,008,527 | ---- | C] () -- C:\WINDOWS\System32\MOMCounters.ini
[2005/07/21 12:01:04 | 000,005,295 | ---- | C] () -- C:\WINDOWS\System32\MomAgntCtrs.ini
[2000/07/05 15:16:20 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\gnetstat.dll
[2000/02/18 13:29:00 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\GUTILITY.dll
[2000/02/18 13:26:58 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\GIMANAGE.dll

========== LOP Check ==========


[2009/07/14 16:26:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AGNS
[2010/01/28 08:38:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/07/28 14:32:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
[2009/07/28 12:15:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GroupPolicy
[2009/07/14 16:21:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo
[2009/07/14 16:18:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2009/08/24 13:35:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2009/10/01 08:29:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Workshare
[2009/09/22 11:16:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/08/25 14:35:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Avaya
[2009/08/24 13:45:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\ICAClient
[2009/07/15 12:37:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Lenovo
[2009/07/30 10:18:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Research In Motion
[2009/07/15 12:38:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Windows Desktop Search
[2009/09/22 12:33:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Windows Search
[2009/10/01 08:29:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Workshare
[2009/07/15 14:51:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ISAdmin\Application Data\Avaya
[2009/07/14 16:25:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ISAdmin\Application Data\Lenovo
[2009/07/14 15:46:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ISAdmin\Application Data\Windows Desktop Search
[2009/07/14 16:34:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ISAdmin\Application Data\Windows Search
[2009/08/04 10:59:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zsms2\Application Data\Avaya
[2009/11/16 13:08:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zsms2\Application Data\CachedFiles
[2009/07/15 12:37:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zsms2\Application Data\Lenovo
[2009/07/30 10:18:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zsms2\Application Data\Research In Motion
[2009/07/15 12:38:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zsms2\Application Data\Windows Desktop Search
[2009/08/04 14:15:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zsms2\Application Data\Windows Search
[2009/10/01 08:29:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zsms2\Application Data\Workshare
[2010/01/31 17:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job
[2010/01/30 23:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job
[2010/01/31 05:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job
[2010/01/31 11:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job
[2010/01/29 17:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/01/31 17:34:49 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\DLOClientu.exe -
[2010/01/31 17:35:15 | 000,000,430 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job
[2010/01/31 17:35:15 | 000,000,406 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2010/01/31 17:35:15 | 000,000,412 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Signature Update.job
[2010/01/31 02:44:13 | 000,001,626 | ---- | M] () -- C:\WINDOWS\Tasks\wrSpySweeper_0F64D2981A03411CAEFBBF8D701CEC2D.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\DriversAndTools\I386\sp3.cab:AGP440.sys
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 01:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/14 01:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\DriversAndTools\I386\sp3.cab:atapi.sys
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2009/02/11 18:11:50 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\DriversAndTools\IntelMatrixStorageDriver8.8.0.1009\IaStor.sys
[2009/02/11 12:11:50 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\WINDOWS\OemDir\iaStor.sys
[2010/01/31 00:33:33 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/06/29 11:12:14 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/06/29 11:12:14 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2009/11/06 12:00:28 | 000,031,088 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\wrLZMA.dll
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

========== Alternate Data Streams ==========

@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\zktbffzt.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\zgkgqkgm.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\yhxydmol.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\xodlsykq.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\wlfyzzcr.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\vwggelko.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\vtnohbui.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\vhdavxck.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\ujvlfhsk.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\typyumdb.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\twvfcnfs.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\tnaagonb.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\swzkdarm.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\scnpjleb.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\rtbsqzhf.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\rolhkpqa.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\rokxdcdn.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\qpynhtzy.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\qjbrzyfm.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\pwrgnlnq.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\pkvijbzq.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\pjpileru.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\ojqglcdj.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\ogtvgapc.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\nrvfennh.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\nqwuuylh.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\mqxxhfnh.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\ldtsyjur.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\kusdchxq.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\jvgtvzhh.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\jrqrvgjs.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\iwbkhyrj.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\idxhngsx.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\htcgdipc.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\hifhdngd.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\gqpjknhb.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\gnuscyur.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\gmxfmkkt.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\flmrefao.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\fjmfhcpq.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\dvwrqabu.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\dohmikis.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\cgoojivx.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\bnijtcge.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\bahvuzxk.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\atufpinm.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\ardettmx.sys:changelist
@Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\apjcgfsu.sys:changelist
@Alternate Data Stream - 588 bytes -> C:\WINDOWS\System32\drivers\nzwsftoa.sys:changelist
< End of report >


OTL Extras:

OTL Extras logfile created on: 1/31/2010 9:34:44 PM - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\edit\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 67.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 203.27 Gb Free Space | 87.28% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: edited
Current User Name:
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{030CE751-24F5-4E36-8115-AE888D9D8B47}" = Interwoven Outlook Integration Module 8.2 SP1 for DeskSite
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data
"{098122AB-C605-4853-B441-C0A4EB359B75}" = DirectXInstallService
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = ThinkPad EasyEject Utility
"{17CBC505-D1AE-459D-B445-3D2000A85842}" = ThinkPad UltraNav Utility
"{199B7F78-69B7-47C5-8D4B-A3ED1391FB6B}" = Microsoft Firewall Client
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools
"{1FCC574F-AFA2-4432-9EF1-79CA7BA73431}_is1" = Spy Sweeper
"{21D51EF6-7C90-4BFE-AAE7-295068708077}" = LawPort_Utility
"{226024DE-CC99-4D20-863E-0B5F894871E2}" = Workshare Professional
"{2609EDF1-34C4-4B03-B634-55F3B3BC4931}" = Configuration Manager Client
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3694899E-5C7F-4EAA-A26B-ED163D5DCADB}" = InterVideo WinDVD Creator
"{388C130B-0079-46B4-A0D5-DC2DD7A89A7B}" = Citrix XenApp Plugin for Hosted Apps
"{3D8994A3-02A8-45B5-B955-53E608BC69ED}" = Lenovo Fingerprint Software
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}" = Spy Sweeper Core
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage Active Protection System
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{50391F9C-82FF-458F-A77B-DEF724E6140D}" = Microsoft Forefront Client Security Antimalware Service
"{537BF16E-7412-448C-95D8-846E85A1D817}" = Roxio Creator Business Edition
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02
"{632B82E8-6173-49C3-B3B8-3AEAE6B9A59F}" = Microsoft Report Viewer Redistributable 2005
"{65706020-7B6F-41F2-8047-FC69579E386A}" = Presentation Director
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{7148F0A8-6813-11D6-A77B-00B0D0142120}" = Java 2 Runtime Environment, SE v1.4.2_12
"{71C512A2-E620-40CD-B29D-9D8F34446F13}" = Workshare PDF Converter
"{721ABC3B-5F12-4332-9C0C-C11424EF666C}" = WIMGAPI
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78E884B8-7DB5-4708-AFE5-DAECEA900EE4}" = Diskeeper 2009 Professional
"{7AF037C5-2538-488A-8F59-C54B1427D258}" = iManage DeskSite 8.2 SP2
"{7EB114D8-207F-45AE-BABD-1669715F2630}" = ThinkVantage Access Connections
"{80D4EE61-D31A-4DA5-87D5-A0FEE18366B1}" = AppLaunchOCX
"{86EF9EB6-DE10-4ABB-B221-D61972BB3C09}" = Collaboration Data Objects 1.2.1
"{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}" = Windows Support Tools
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{A5CD6ACD-C283-484D-B300-E7EEC5780F77}" =
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{901F0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Proofing Tools
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{986F64DC-FF15-449D-998F-EE3BCEC6666A}" = Help Center
"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = ThinkPad Power Manager
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AC76BA86-1033-F400-7760-000000000004}_913" = Adobe Acrobat 9.1.3 - CPSID_49522
"{AC76BA86-1033-F400-7760-000000000004}{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{B05B22B8-72AE-4DC3-8D6F-FBC2233CAF41}" = Roxio Creator Business Edition
"{B232CC8B-A796-4944-9ABF-00B06E58124D}" = Cisco VT Camera Driver
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4846B86-556B-4F2A-9F42-C0DDE06EDF2D}" = RFClient
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy
"{BBD6BA59-4593-43CC-BBC8-8E53D354AEA4}" = Atmel TPM Driver Installer 3.0.3.15
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6FA39A7-26B1-480A-BC74-6D17531AC222}" = Access Help
"{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDF792AD-650D-4F65-BB64-B74A8632B356}" = System Migration Assistant
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}" = ThinkVantage Productivity Center
"{D24683E3-5ADA-4CB1-AEBD-BB4B65B794CF}" = Cisco Unified Personal Communicator
"{D2BE4C7A-DDB0-4A2F-B3DD-534A891E6255}" = Symantec Backup Exec Desktop Agent
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D728E945-256D-4477-B377-6BBA693714AC}" = Productivity Center Supplement for ThinkPad
"{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}" = iTunes
"{DD424583-A864-4727-ACBD-0D19B8E9E6EA}" = Cisco Unified Video Advantage
"{DDD076BF-C5C3-468C-AA1B-F9A7E47446FE}" = Intel® Network Connections 13.1.33.0
"{E0AE6FFB-5B30-4332-A59F-DDB4234D4BB5}" = Equitrac Professional Client HF-160896
"{E68E7B54-1E25-4F70-8287-41BCE9F9A483}" = LexisNexis® Cost Recovery Manager
"{E8B56B38-A826-11DB-8C83-0011430C73A4}" = Microsoft Forefront Client Security State Assessment Service
"{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core
"{EE59E3BD-6B7D-4BBB-B9CD-20EA7AEF1E10}" = BlackBerry Desktop Software 5.0
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F22FD942-651D-4EE8-BD6F-7E0AF5E17625}" = Intel® PROSet/Wireless WiFi Software
"{F419A620-F627-4BEF-8507-84EDAF8E71FC}" = AT&T Global Network Client Internet Edition
"{F692770D-0E27-4D3F-8386-F04C6F434040}" = Microsoft Operations Manager 2005 Agent
"{F6933C3F-8B88-46C6-8001-81BD53A1CB47}" = eCopy Desktop 9.2
"{FC081D4D-DF1B-4CF1-B530-027E4118D846}" = ThinkPad Configuration
"{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}" = User Profile Hive Cleanup Service
"55561B78CE6B05712E16A21D48C0770299335A83" = Windows Driver Package - Logitech MEDIA (05/09/2007 10.5.1.1200)
"A4680BD43717441189C52EBF2C4FD6B182EE1101" = Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (10/02/2008 8.1.2.37)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe PDF IFilter 6.0" = Adobe PDF IFilter 6.0
"B362AA9D6C22409A5BF357D730C62E3BD125DA66" = Windows Driver Package - Logitech USB (05/09/2007 10.5.1.1200)
"BlackBerry_{EE59E3BD-6B7D-4BBB-B9CD-20EA7AEF1E10}" = BlackBerry Desktop Software 5.0
"CNXT_AUDIO_HDA" = Conexant 20561 SmartAudio HD
"CNXT_MODEM_HDA_HSF" = ThinkPad Modem Adapter
"D2C644CE680FF1FF7F541D1D5115A345F663B18E" = Windows Driver Package - Logitech (CamDrL) Image (05/09/2007 10.5.1.1200)
"eWebEditPro 3 Client" = eWebEditPro 3 Client
"HDMI" = Intel® Graphics Media Accelerator Driver
"HECI" = Intel® Management Engine Interface
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ITPM" = Intel® Trusted Platform Module
"LENOVO.SMIIF" = Lenovo System Interface Driver
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MESOL" = Intel® Active Management Technology
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Report Viewer Redistributable 2005" = Microsoft Report Viewer Redistributable 2005
"Microsoft XML Parser" = Microsoft XML Parser
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OnScreenDisplay" = On Screen Display
"PC-Doctor for Windows" = Lenovo System Toolbox
"Power Management Driver" = ThinkPad Power Management Driver
"ProInst" = Intel PROSet Wireless
"PROPLUS" = Microsoft Office Professional Plus 2007
"RDC" = RDC
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"TEMP" = TEMP
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"TSCG Client-Matter Search" = TSCG Client-Matter Search
"TSCGWizard" = TSCGWizard
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1078081533-515967899-725345543-71352\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/31/2010 3:58:54 PM | Computer Name = | Source = MPSampleSubmission | ID =
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 1.5.1972.0,
P5 mpsigdwn.dll, P6 1.5.1972.0, P7 microsoft forefront client security, P8 NIL,
P9 NIL, P10 NIL.

Error - 1/31/2010 6:30:30 PM | Computer Name = | Source = UserInit | ID =
Description = Could not execute the following script C:\Program Files\Outlook\ResetCustom11.vbs.
The system cannot find the file specified. .

Error - 1/31/2010 6:32:05 PM | Computer Name =| Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 1/31/2010 6:32:06 PM | Computer Name = | Source = AutoEnrollment | ID =
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 1/31/2010 6:32:38 PM | Computer Name = | Source = Userenv | ID =
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 1/31/2010 6:32:47 PM | Computer Name = | Source = Microsoft Operations Manager | ID =
Description = The agent could not resolve the IP of the MOM Server ALFOREFRONT1.
The error reported is 'The requested name is valid and was found in the database,
but it does not have the correct associated data being resolved for.'.

Error - 1/31/2010 6:32:56 PM | Computer Name =| Source = Exclaimer Update Client | ID = 0
Description =

Error - 1/31/2010 6:33:14 PM | Computer Name = | Source = Microsoft Operations Manager | ID =
Description = The Agent outgoing data processing has been blocked. This indicates
problems with communication or database processing.


Error - 1/31/2010 10:27:14 PM | Computer Name = edited | Source = LMS | ID = 2
Description = LMS Service lost connection to HECI driver

[ System Events ]
Error - 1/30/2010 3:39:29 PM | Computer Name = edited | Source = iaStor | ID = 262153
Description = The device, \Device\Ide\iaStor0, did not respond within the timeout
period.

Error - 1/30/2010 8:08:32 PM | Computer Name = edited | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.

Error - 1/30/2010 9:38:39 PM | Computer Name = edited | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 119 minutes. NtpClient has no source of accurate
time.

Error - 1/31/2010 1:28:07 AM | Computer Name = edited | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Windows Installer service
to connect.

Error - 1/31/2010 3:13:25 AM | Computer Name = edited | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 1/31/2010 5:45:11 AM | Computer Name = edited | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 119 minutes. NtpClient has no source of accurate
time.

Error - 1/31/2010 6:25:54 AM | Computer Name = edited | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 1/31/2010 7:45:16 AM | Computer Name = edited | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 239 minutes. NtpClient has no source of accurate
time.

Error - 1/31/2010 11:45:33 AM | Computer Name = edited | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 479 minutes. NtpClient has no source of accurate
time.

Error - 1/31/2010 5:30:02 PM | Computer Name = edited | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.


< End of report >


MalwareBytes:

Malwarebytes' Anti-Malware 1.44
Database version: 3670
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/31/2010 5:30:01 PM
mbam-log-2010-01-31 (17-30-01).txt

Scan type: Quick Scan
Objects scanned: 140270
Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job (Rogue.AntiSpyware) -> Quarantined and deleted successfully.

Edited by Buckeye_Sam, 02 February 2010 - 07:49 AM.


#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:29 AM

Posted 01 February 2010 - 07:54 AM


We need to run this special tool.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file called "TDSSKiller.txt" should be created on your desktop. Please copy and paste the contents of that file here.


================


After tdsskiller runs and you reboot please run a new scan with OTL and post the log.
Copy in the custom scan text just like you did on the first run.
There will only be one log this time.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 80Coug

80Coug
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 01 February 2010 - 09:06 AM

Thanks, Sam. I just PM'ed you.

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:29 AM

Posted 01 February 2010 - 06:51 PM

I replied to your PM. Just post the logs once you've had a chance to proceed with my last set of instructions.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 80Coug

80Coug
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 01 February 2010 - 08:56 PM

Here you go Sam. You have been incredibly gracious.

20:47:48:562 3792 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
20:47:48:562 3792 ================================================================================
20:47:48:562 3792 SystemInfo:

20:47:48:562 3792 OS Version: 5.1.2600 ServicePack: 3.0
20:47:48:562 3792 Product type: Workstation
20:47:48:562 3792 ComputerName:
20:47:48:562 3792 UserName:
20:47:48:562 3792 Windows directory: C:\WINDOWS
20:47:48:562 3792 Processor architecture: Intel x86
20:47:48:562 3792 Number of processors: 2
20:47:48:562 3792 Page size: 0x1000
20:47:48:562 3792 Boot type: Normal boot
20:47:48:562 3792 ================================================================================
20:47:48:562 3792 UnloadDriverW: NtUnloadDriver error 2
20:47:48:562 3792 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:47:48:625 3792 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
20:47:48:703 3792 UtilityInit: KLMD drop and load success
20:47:48:703 3792 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
20:47:48:703 3792 UtilityInit: KLMD open success
20:47:48:703 3792 UtilityInit: Initialize success
20:47:48:703 3792
20:47:48:703 3792 Scanning Services ...
20:47:48:703 3792 CreateRegParser: Registry parser init started
20:47:48:703 3792 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
20:47:48:703 3792 CreateRegParser: DisableWow64Redirection error
20:47:48:703 3792 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
20:47:48:703 3792 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
20:47:48:703 3792 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:47:48:703 3792 wfopen_ex: Trying to KLMD file open
20:47:48:703 3792 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
20:47:48:703 3792 wfopen_ex: File opened ok (Flags 2)
20:47:48:703 3792 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 264C08
20:47:48:703 3792 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
20:47:48:703 3792 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
20:47:48:703 3792 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:47:48:703 3792 wfopen_ex: Trying to KLMD file open
20:47:48:703 3792 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
20:47:48:703 3792 wfopen_ex: File opened ok (Flags 2)
20:47:48:703 3792 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 264CB0
20:47:48:703 3792 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
20:47:48:703 3792 CreateRegParser: EnableWow64Redirection error
20:47:48:703 3792 CreateRegParser: RegParser init completed
20:47:48:812 3792 GetAdvancedServicesInfo: Raw services enum returned 490 services
20:47:48:812 3792 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
20:47:48:812 3792 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
20:47:48:812 3792
20:47:48:812 3792 Scanning Kernel memory ...
20:47:48:812 3792 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
20:47:48:812 3792 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AEA6E18
20:47:48:812 3792 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
20:47:48:812 3792
20:47:48:812 3792 DetectCureTDL3: DEVICE_OBJECT: 8AE7A030
20:47:48:812 3792 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AE7A030
20:47:48:812 3792 KLMD_ReadMem: Trying to ReadMemory 0x8AE7A030[0x38]
20:47:48:812 3792 DetectCureTDL3: DRIVER_OBJECT: 8AEA6E18
20:47:48:812 3792 KLMD_ReadMem: Trying to ReadMemory 0x8AEA6E18[0xA8]
20:47:48:812 3792 KLMD_ReadMem: Trying to ReadMemory 0xE1030928[0x18]
20:47:48:812 3792 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:47:48:812 3792 DetectCureTDL3: IrpHandler (0) addr: BA1AEBB0
20:47:48:812 3792 DetectCureTDL3: IrpHandler (1) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (2) addr: BA1AEBB0
20:47:48:812 3792 DetectCureTDL3: IrpHandler (3) addr: BA1A8D1F
20:47:48:812 3792 DetectCureTDL3: IrpHandler (4) addr: BA1A8D1F
20:47:48:812 3792 DetectCureTDL3: IrpHandler (5) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (6) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (7) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (8) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (9) addr: BA1A92E2
20:47:48:812 3792 DetectCureTDL3: IrpHandler (10) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (11) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (12) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (13) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (14) addr: BA1A93BB
20:47:48:812 3792 DetectCureTDL3: IrpHandler (15) addr: BA1ACF28
20:47:48:812 3792 DetectCureTDL3: IrpHandler (16) addr: BA1A92E2
20:47:48:812 3792 DetectCureTDL3: IrpHandler (17) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (18) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (19) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (20) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (21) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (22) addr: BA1AAC82
20:47:48:812 3792 DetectCureTDL3: IrpHandler (23) addr: BA1AF99E
20:47:48:812 3792 DetectCureTDL3: IrpHandler (24) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (25) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (26) addr: 804F4562
20:47:48:812 3792 TDL3_FileDetect: Processing driver: Disk
20:47:48:812 3792 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
20:47:48:812 3792 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
20:47:48:828 3792 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:47:48:828 3792
20:47:48:828 3792 DetectCureTDL3: DEVICE_OBJECT: 8A4CE030
20:47:48:828 3792 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A4CE030
20:47:48:828 3792 DetectCureTDL3: DEVICE_OBJECT: 8AEDD4E8
20:47:48:828 3792 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AEDD4E8
20:47:48:828 3792 DetectCureTDL3: DEVICE_OBJECT: 8A8D2028
20:47:48:828 3792 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A8D2028
20:47:48:828 3792 KLMD_ReadMem: Trying to ReadMemory 0x8A8D2028[0x38]
20:47:48:828 3792 DetectCureTDL3: DRIVER_OBJECT: 8AE78AA0
20:47:48:828 3792 KLMD_ReadMem: Trying to ReadMemory 0x8AE78AA0[0xA8]
20:47:48:828 3792 KLMD_ReadMem: Trying to ReadMemory 0x8AE7C028[0x38]
20:47:48:828 3792 KLMD_ReadMem: Trying to ReadMemory 0x8AE5FF38[0xA8]
20:47:48:828 3792 KLMD_ReadMem: Trying to ReadMemory 0xE1916138[0x1C]
20:47:48:828 3792 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
20:47:48:828 3792 DetectCureTDL3: IrpHandler (0) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (1) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (2) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (3) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (4) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (5) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (6) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (7) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (8) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (9) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (10) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (11) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (12) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (13) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (14) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (15) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (16) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (17) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (18) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (19) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (20) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (21) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (22) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (23) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (24) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (25) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (26) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: All IRP handlers pointed to one addr: 8ADFA856
20:47:48:828 3792 KLMD_ReadMem: Trying to ReadMemory 0x8ADFA856[0x400]
20:47:48:828 3792 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
20:47:48:828 3792 Driver "iaStor" Irp handler infected by TDSS rootkit ... 20:47:48:828 3792 KLMD_WriteMem: Trying to WriteMemory 0x8ADFA8CF[0xD]
20:47:48:828 3792 cured
20:47:48:828 3792 KLMD_ReadMem: Trying to ReadMemory 0x8ADFA701[0x400]
20:47:48:828 3792 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
20:47:48:828 3792 Driver "iaStor" StartIo handler infected by TDSS rootkit ... 20:47:48:828 3792 TDL3_StartIoHookCure: Number of patches 1
20:47:48:828 3792 KLMD_WriteMem: Trying to WriteMemory 0x8ADFA80A[0x6]
20:47:48:828 3792 cured
20:47:48:828 3792 TDL3_FileDetect: Processing driver: iaStor
20:47:48:828 3792 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\iaStor.sys
20:47:48:828 3792 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\iaStor.sys
20:47:48:859 3792 TDL3_FileDetect: C:\WINDOWS\system32\Drivers\iaStor.sys - Verdict: Infected
20:47:48:859 3792 File C:\WINDOWS\system32\Drivers\iaStor.sys infected by TDSS rootkit ... 20:47:48:859 3792 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\Drivers\iaStor.sys
20:47:48:859 3792 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
20:47:48:859 3792 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
20:47:48:921 3792 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
20:47:48:937 3792 FileCallback: Backup candidate found: C:\WINDOWS\OemDir\iaStor.sys:329752, checking..
20:47:49:000 3792 ValidateDriverFile: Stage 1 passed
20:47:49:000 3792 ValidateDriverFile: Stage 2 passed
20:47:49:140 3792 DigitalSignVerifyByHandle: Embedded DS result: 00000000
20:47:49:140 3792 ValidateDriverFile: Stage 3 passed
20:47:49:140 3792 FileCallback: File validated successfully, restore information prepared
20:47:49:140 3792 FindDriverFileBackup: Backup copy found in OemDir
20:47:49:140 3792 TDL3_FileCure: Backup copy found, using it..
20:47:49:140 3792 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk12.tmp
20:47:49:187 3792 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk12.tmp, system32\drivers\iaStor.sys)
20:47:49:312 3792 TDL3_FileCure: KLMD jobs schedule success
20:47:49:312 3792 will be cured on next reboot
20:47:49:312 3792 UtilityBootReinit: Reboot required for cure complete..
20:47:49:312 3792 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
20:47:49:453 3792 UtilityBootReinit: KLMD drop success
20:47:49:453 3792 KLMD_ApplyPendList: Pending buffer(3E12_102D, 608) dropped successfully
20:47:49:453 3792 UtilityBootReinit: Cure on reboot scheduled successfully
20:47:49:453 3792
20:47:49:453 3792 Completed
20:47:49:453 3792
20:47:49:453 3792 Results:
20:47:49:453 3792 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
20:47:49:453 3792 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:47:49:468 3792 File objects infected / cured / cured on reboot: 1 / 0 / 1
20:47:49:468 3792
20:47:49:468 3792 UnloadDriverW: NtUnloadDriver error 1
20:47:49:468 3792 KLMD_Unload: UnloadDriverW(klmd21) error 1
20:47:49:468 3792 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
20:47:49:468 3792 UtilityDeinit: KLMD(ARK) unloaded successfully
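
As an added example (not TDSSKiller's code and not anything from this thread), the following Python parser reads the log format shown above and flags the two TDL3 indicators the tool reports: a driver whose entire IRP dispatch table points at one address, and a driver file with an Infected verdict. The sample input is a constructed subset of the lines from the log posted above.

```python
"""Parse a TDSSKiller 2.x log and surface the TDL3 indicators it reports.

Added example; not TDSSKiller's own code. The log format (timestamp, PID,
message) and the message wording are taken from the log posted in the thread.
"""
import re
from collections import OrderedDict

# Constructed sample: a subset of the lines from the posted log. The Disk
# driver shows a normal dispatch table; iaStor shows the collapsed one.
SAMPLE_LOG = r"""
20:47:48:812 3792 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:47:48:812 3792 DetectCureTDL3: IrpHandler (0) addr: BA1AEBB0
20:47:48:812 3792 DetectCureTDL3: IrpHandler (1) addr: 804F4562
20:47:48:812 3792 DetectCureTDL3: IrpHandler (2) addr: BA1AEBB0
20:47:48:812 3792 TDL3_FileDetect: Processing driver: Disk
20:47:48:828 3792 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:47:48:828 3792 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
20:47:48:828 3792 DetectCureTDL3: IrpHandler (0) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (1) addr: 8ADFA856
20:47:48:828 3792 DetectCureTDL3: IrpHandler (2) addr: 8ADFA856
20:47:48:859 3792 TDL3_FileDetect: C:\WINDOWS\system32\Drivers\iaStor.sys - Verdict: Infected
20:47:49:453 3792 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
20:47:49:453 3792 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:47:49:468 3792 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every line starts with HH:MM:SS:mmm and the tool's PID; strip that prefix.
PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (.+?) - Verdict: (\w+)")
RESULTS_RE = re.compile(
    r"(Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(\d+) / (\d+) / (\d+)")


def parse_tdsskiller_log(text):
    """Return ({driver: {"irp": {major: addr}, "file": path, "verdict": v}},
    {"Memory"|"Registry"|"File": (infected, cured, cured_on_reboot)})."""
    drivers = OrderedDict()
    results = {}
    current = None  # driver whose dispatch table is being listed
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        msg = m.group(1) if m else raw
        m = DRIVER_RE.search(msg)
        if m:
            current = m.group(2)
            drivers[current] = {"irp": {}, "file": None, "verdict": None}
            continue
        m = IRP_RE.search(msg)
        if m and current is not None:
            drivers[current]["irp"][int(m.group(1))] = m.group(2).upper()
            continue
        m = VERDICT_RE.search(msg)
        if m and current is not None:
            # The file verdict follows the dispatch-table listing of the same driver.
            drivers[current]["file"] = m.group(1)
            drivers[current]["verdict"] = m.group(2)
            continue
        m = RESULTS_RE.search(msg)
        if m:
            results[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return drivers, results


def collapsed_irp_table(irp):
    """TDL3 indicator: every major-function handler resolves to one address.

    This is a heuristic: a very small driver may legitimately use a single
    dispatch routine, so it is an indicator to investigate, not proof alone.
    """
    return len(irp) > 1 and len(set(irp.values())) == 1


def suspicious_drivers(drivers):
    """List (driver, [reasons]) for drivers showing at least one indicator."""
    flagged = []
    for name, info in drivers.items():
        reasons = []
        if collapsed_irp_table(info["irp"]):
            reasons.append("all IRP handlers -> " + next(iter(info["irp"].values())))
        if info["verdict"] == "Infected":
            reasons.append("file verdict Infected: %s" % info["file"])
        if reasons:
            flagged.append((name, reasons))
    return flagged


def reboot_pending(results):
    """True when any object class is still 'cured on reboot', i.e. the on-disk
    fix is scheduled but not yet applied; the host is not clean until then."""
    return any(counts[2] > 0 for counts in results.values())


if __name__ == "__main__":
    drv, res = parse_tdsskiller_log(SAMPLE_LOG)
    for name, reasons in suspicious_drivers(drv):
        print(name + ": " + "; ".join(reasons))
    print("reboot required to complete cure:", reboot_pending(res))
```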


#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:29 AM

Posted 02 February 2010 - 07:54 AM

It looks like that took care of the rootkit infection, but we still have some remnants to clean up. Please run OTL and post a new log for me. Make sure you read the PM I sent you before posting the logs.

Edited by Buckeye_Sam, 02 February 2010 - 07:54 AM.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 80Coug

80Coug
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 02 February 2010 - 08:46 PM

Hi Sam,

Yes, my computer is running MUCH better. You are a certifiable genius. My anti-spyware picked up an aleureon virus twice, but no re-routing. I've attached the OTL log. I thought there were supposed to be two but the search only produced one. Thanks a million.

Edited by 80Coug, 03 February 2010 - 08:14 PM.


#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:29 AM

Posted 03 February 2010 - 08:44 AM

The extra log is only created on the first run. So you'll only get one log going forward each time you run OTL.

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    [2010/02/01 12:04:58 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysE870DA97
    [2010/02/01 08:29:30 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysB74E24B0
    [2010/02/01 07:19:29 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysC7EEB864
    [2010/01/31 00:29:07 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysD4876D04
    [2010/01/31 00:18:47 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys0CD75CD5
    [2010/01/31 00:08:36 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys5B8F245C
    [2010/01/30 23:58:20 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys6D20BEB5
    [2010/01/30 23:47:14 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysB0020224
    [2010/01/30 23:46:38 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysC5D8CF64
    [2010/01/30 23:39:17 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys5B3EE5F9
    [2010/01/30 23:31:41 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysF67066AF
    [2010/01/30 23:31:16 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysFBEA29A6
    [2010/01/30 23:30:54 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysCC4D5C10
    [2010/01/30 23:30:22 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys2C770FC7
    [2010/01/30 23:20:10 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys9CB41C76
    [2010/01/30 23:09:51 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys19DF20F1
    [2010/01/30 23:09:14 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys13794353
    [2010/01/30 23:07:31 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys488AB707
    [2010/01/30 22:57:15 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys7B11EA3D
    [2010/01/30 22:47:00 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys2E96B44E
    [2010/01/30 22:36:49 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys45D4BEDE
    [2010/01/30 22:26:38 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys932C75C7
    [2010/01/30 22:16:17 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys9845C6CF
    [2010/01/30 22:05:57 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysFCEFDA60
    [2010/01/30 21:55:37 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys9A83472F
    [2010/01/30 21:45:18 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysDA9431A7
    [2010/01/30 21:39:30 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysEBF4F7B8
    [2010/01/30 21:29:09 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysA53EE35F
    [2010/01/30 21:18:58 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysE60EC6C7
    [2010/01/30 21:18:31 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys8A22977D
    [2010/01/30 21:17:50 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys8544F79D
    [2010/01/30 21:17:23 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys3243A7D6
    [2010/01/30 21:17:02 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys92BA877E
    [2010/01/30 21:12:27 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys26280447
    [2010/01/30 21:02:16 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysCD8D56CE
    [2010/01/30 20:51:59 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys06795932
    [2010/01/30 20:41:48 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysE032451A
    [2010/01/30 20:31:37 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys8CF8155D
    [2010/01/30 20:25:15 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysEFA47CA5
    [2010/01/30 20:15:00 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysFF60D97E
    [2010/01/30 20:13:58 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys8EEC32D7
    [2010/01/30 20:03:47 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys40A74DC1
    [2010/01/30 19:53:34 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys67BF8DAA
    [2010/01/30 19:53:07 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysA6ED158E
    [2010/01/30 19:42:44 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys9FD9E740
    [2010/01/30 19:42:14 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sysD787746F
    [2010/01/30 19:31:58 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys4A18EA96
    [2010/01/30 19:21:41 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys0C24A54C
    [2010/01/30 19:11:29 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys8E8B033E
    [2010/01/30 19:01:16 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys5E80FEFE
    [2010/01/30 19:00:52 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys57CC8B23
    [2010/01/30 17:53:21 | 000,329,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys0950E54B
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\zktbffzt.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\zgkgqkgm.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\yhxydmol.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\xodlsykq.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\wlfyzzcr.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\vwggelko.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\vtnohbui.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\vhdavxck.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\ujvlfhsk.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\typyumdb.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\twvfcnfs.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\tnaagonb.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\swzkdarm.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\scnpjleb.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\rtbsqzhf.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\rolhkpqa.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\rokxdcdn.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\qpynhtzy.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\qjbrzyfm.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\pwrgnlnq.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\pkvijbzq.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\pjpileru.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\ojqglcdj.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\ogtvgapc.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\nrvfennh.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\nqwuuylh.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\mqxxhfnh.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\ldtsyjur.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\kusdchxq.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\jvgtvzhh.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\jrqrvgjs.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\iwbkhyrj.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\idxhngsx.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\htcgdipc.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\hifhdngd.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\gqpjknhb.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\gnuscyur.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\gmxfmkkt.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\flmrefao.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\fjmfhcpq.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\dvwrqabu.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\dohmikis.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\cgoojivx.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\bnijtcge.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\bahvuzxk.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\atufpinm.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\ardettmx.sys:changelist
    @Alternate Data Stream - 658 bytes -> C:\WINDOWS\System32\drivers\apjcgfsu.sys:changelist
    @Alternate Data Stream - 588 bytes -> C:\WINDOWS\System32\drivers\nzwsftoa.sys:changelist

    :Commands
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
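As an added example, not part of this thread or of OTL itself, here is a small Python triage script that parses the two OTL line formats used in the fix above and flags the pattern being cleaned up: a legitimate driver name with eight hex characters appended (the iaStor.sys copies) and eight-letter random driver names carrying a "changelist" alternate data stream. The sample log lines are constructed to mirror the script's format.

```python
import re
# Constructed sample lines modelled on the OTL fix script above (the last line of each format is a benign control).
SAMPLE_OTL = """\
[2010/01/30 22:26:38 | 000,329,752 | ---- | C] () -- C:\\WINDOWS\\System32\\drivers\\iaStor.sys932C75C7
[2010/01/30 22:16:17 | 000,329,752 | ---- | C] () -- C:\\WINDOWS\\System32\\drivers\\iaStor.sys9845C6CF
[2010/01/30 12:00:00 | 000,329,752 | ---- | C] () -- C:\\WINDOWS\\System32\\drivers\\iaStor.sys
@Alternate Data Stream - 658 bytes -> C:\\WINDOWS\\System32\\drivers\\zktbffzt.sys:changelist
@Alternate Data Stream - 588 bytes -> C:\\WINDOWS\\System32\\drivers\\nzwsftoa.sys:changelist
@Alternate Data Stream - 26 bytes -> C:\\Users\\me\\setup.exe:Zone.Identifier
"""

# OTL "file created" line: [date time | size | attrs | C] () -- path
CREATED_RE = re.compile(r"^\[[^|]+ \| (?P<size>[\d,]+) \|[^\]]*\] \(\) -- (?P<path>.+)$")
# OTL ADS line: @Alternate Data Stream - N bytes -> path:stream
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+?):(?P<stream>[^:\\]+)$")
# Rule 1: a real driver name with eight hex characters glued on (iaStor.sys932C75C7)
SUFFIXED_RE = re.compile(r"\\drivers\\(?P<base>[A-Za-z0-9_]+\.sys)(?P<hex>[0-9A-Fa-f]{8})$")
# Rule 2: an eight-letter random driver name (zktbffzt.sys) carrying a changelist stream
RANDOM_RE = re.compile(r"\\drivers\\[a-z]{8}\.sys$")

def triage_otl(text):
    """Return (kind, path, note) tuples for lines matching rule 1 or rule 2."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        m = CREATED_RE.match(line)
        if m:
            s = SUFFIXED_RE.search(m["path"])
            if s:
                findings.append(("suffixed_driver", m["path"],
                                 f"copy of {s['base']} with suffix {s['hex']}, {m['size']} bytes"))
            continue
        m = ADS_RE.match(line)
        if m and m["stream"] == "changelist" and RANDOM_RE.search(m["path"]):
            findings.append(("ads_changelist", f"{m['path']}:{m['stream']}",
                             f"{m['size']}-byte changelist stream on random-named driver"))
    return findings

def suffixed_copy_counts(findings):
    """Count hex-suffixed copies per base driver; dozens within a few hours is the tell."""
    counts = {}
    for kind, path, _ in findings:
        if kind == "suffixed_driver":
            base = SUFFIXED_RE.search(path)["base"].lower()
            counts[base] = counts.get(base, 0) + 1
    return counts

if __name__ == "__main__":
    hits = triage_otl(SAMPLE_OTL)
    print(*hits, suffixed_copy_counts(hits), sep="\n")
```

Run it against a full OTL log rather than the sample and the count of suffixed copies, with their creation times roughly ten minutes apart, is what separates an infection like this one from a single oddly named file.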


========================================================

#12 80Coug (Topic Starter, Members, 9 posts)

Posted 03 February 2010 - 08:31 PM

Hey Sam,

They are attached. I assumed you wanted the OTL quick scan run with the original custom terms pasted in the box.

Thanks, as always.


#13 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Male, Pickerington, Ohio)

Posted 04 February 2010 - 08:26 AM

Looks good to me. How are things on your end? Any remaining issues?


========================================================

#14 80Coug (Topic Starter, Members, 9 posts)

Posted 05 February 2010 - 12:04 AM

Hey Sam,

Yes, my computer is running great. No more re-routing, etc. Before the infection, I was able to access Outlook and other things remotely via VPN. I can't do that now--would that be related in any way?

Thanks!

#15 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Male, Pickerington, Ohio)

Posted 05 February 2010 - 08:40 AM

I'm not really familiar with VPN, but I don't see anything that we did that should have affected anything other than the malware infection. It's probably unrelated. Here are some final steps and then some recommendations.


Follow these steps to remove OTL and some of the other tools we've used.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine, choose Yes.



================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above.

  2. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  3. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  4. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  6. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  7. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.



========================================================
