
Google redirect problem


  • This topic is locked
13 replies to this topic

#1 martin3286

  • Members
  • 6 posts

Posted 25 February 2010 - 09:43 AM

Hello

I'm having a problem on one of my machines. Occasionally Google will redirect to other search engines. I have already run Malwarebytes, SUPERAntiSpyware and VIPRE Rescue to try and remove it but have had no luck.

Some of the sites I am being redirected to are savecompare.com, scour.com, searchhoye.com, softwarebuydirect.com, stopzilla.com, ask.com, blinkx.com and others.

Help would be appreciated

DDS Log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by vikki.latto at 15:55:29.32 on 25/02/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.333 [GMT 0:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Emerson VPN Client\cvpnd.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateService.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\WINDOWS\LMI11.tmp\LMI_Rescue_srv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\PIPC\BIN\pilogsrv.exe
C:\Program Files\PIPC\BIN\pinetmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\PIPC\BIN\pimsgss.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\LMI11.tmp\LMI_Rescue.exe
C:\WINDOWS\LMI11.tmp\LMI_Rescue_srv.exe
C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateApp.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\vikki.latto\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by METCO Services Ltd.
uStart Page = https://portal.metco-uk.com
uDefault_Page_URL = https://portal.metco-uk.com
mDefault_Page_URL = https://portal.metco-uk.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\emerso~1.lnk - c:\windows\installer\{4c271126-c295-4828-a901-5910ae0c258b}\Icon3E5562ED7.ico
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: metco-uk.com\portal
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 172.26.58.225 Europisrv1

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-2-25 93872]
R2 CBA8;LANDesk® Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2009-3-23 155648]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-3-16 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-3-16 108392]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\landesk\ldclient\policy.client.invoker.exe [2009-12-2 139264]
R2 LMIRescue_933145aa-bb4f-4dcb-bdcc-f3daefe262f9;LogMeIn Rescue (933145aa-bb4f-4dcb-bdcc-f3daefe262f9);c:\windows\lmi11.tmp\LMI_Rescue_srv.exe [2010-2-25 1881976]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\landesk\ldclient\SoftMon.exe [2009-12-2 335872]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-3-16 2440120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-1 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2009-11-30 88192]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2009-12-2 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2009-12-2 3328]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-2-25 38224]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2009-12-2 3712]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100224.035\NAVENG.SYS [2010-2-25 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100224.035\NAVEX15.SYS [2010-2-25 1324720]
S0 cerc6;cerc6; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-3-16 23888]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-02-25 14:34:00 0 d-----w- c:\program files\TrendMicro
2010-02-25 12:24:26 0 d-----w- c:\windows\LMI11.tmp
2010-02-25 11:31:17 93872 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-25 10:29:38 0 d-----w- c:\docume~1\vikki~1.lat\applic~1\Malwarebytes
2010-02-25 10:29:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-25 10:29:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-25 10:29:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-25 10:29:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-25 10:28:21 0 d-----w- c:\docume~1\vikki~1.lat\applic~1\Sunbelt
2010-02-25 10:27:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt
2010-02-25 09:57:23 0 d-----w- c:\program files\Sunbelt Software
2010-02-24 08:28:00 3250 ----a-w- c:\windows\system32\wbem\Outlook_01cab52b4635642a.mof
2010-02-22 13:54:27 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-02-22 13:44:58 14051 ----a-w- c:\windows\KB977165.cat
2010-02-22 13:43:51 0 d--h--w- C:\ErdUndoCache
2010-02-22 09:52:33 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-22 09:13:30 0 d-----w- C:\VIPRERESCUE
2010-02-22 09:09:19 0 d-----w- c:\windows\pss
2010-02-17 16:46:06 0 d-----w- c:\windows\system32\GroupPolicy
2010-02-17 16:45:59 0 dc----w- c:\windows\$968930Uinstall_KB968930$
2010-02-11 11:18:51 54600 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-05 12:56:28 0 d-----w- c:\program files\MSECache
2010-02-05 12:50:51 0 d-----w- c:\documents and settings\vikki.latto\Tracing
2010-02-05 12:47:20 0 d-----w- c:\program files\Microsoft Office Communicator

==================== Find3M ====================

2010-02-18 08:27:09 162048 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-02-06 23:42:39 33061 ----a-w- c:\windows\king-uninstall.exe
2010-01-08 14:26:08 7391 ----a-w- c:\windows\_000004_.tmp.dll
2010-01-05 11:08:01 31991 ----a-w- c:\windows\_000055_.tmp.dll
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet(2).dll
2010-01-05 10:00:28 1168384 ----a-w- c:\windows\system32\urlmon(2).dll
2010-01-05 10:00:28 105984 ----a-w- c:\windows\system32\url(2).dll
2010-01-05 10:00:24 268288 ----a-w- c:\windows\system32\iertutil(2).dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-19 20:11:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv(2).dll
2009-12-09 11:05:16 14051 ----a-w- c:\windows\_000008_.tmp.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ----a-w- c:\windows\system32\shlwapi(2).dll
2009-11-30 17:13:59 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-11-30 11:35:21 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-27 17:13:06 15031 ----a-w- c:\windows\_000009_.tmp.dll
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 15:56:29.82 ===============

Edited by martin3286, 25 February 2010 - 12:02 PM.
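The helpers on this board read DDS and HijackThis logs like the one above by hand. As an added example, not part of this thread and not code from DDS or HijackThis, here is a small Python triage script that mechanically flags the entry types an analyst reads first: hosts-file overrides, services or drivers whose file is not on disk (DDS prints `[x]` for those), and anything loading out of a `*.tmp` or `\temp\` directory or carrying an odd name directly under %windir%. The sample input is constructed: most lines are copied from the DDS log above, while the `127.0.0.1 www.google.com` hosts line is made up so the high-severity rule has something to fire on. A flag is a prompt to look, not a verdict; legitimate remote-support tools such as the LogMeIn Rescue service in the log above also run from temp directories, and a disabled driver with a missing file is common on OEM builds.

```python
"""Hypothetical triage helper for DDS / HijackThis-style logs.

Added example for this thread; it is not part of DDS, HijackThis or the
thread's instructions. It flags the entries an analyst reads first and
leaves the judgement to the human.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# DDS "SERVICES / DRIVERS" line:  R2 name;display;path [date size]   or   S0 name;name; [x]
SERVICE_RE = re.compile(r"^[RS][0-4]\s+([^;]+);[^;]*;(.*?)\s*\[([^\]]*)\]\s*$")
# "Hosts: <ip> <name>" in DDS, "O1 - Hosts: <ip> <name>" in HijackThis
HOSTS_RE = re.compile(r"^(?:O1 - )?Hosts:\s+(\S+)\s+(\S+)", re.I)
# DDS "Created Last 30" / "Find3M" line:  date time size attrs path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")
TEMP_DIR_RE = re.compile(r"\\[^\\]+\.tmp\\|\\temp\\", re.I)
TMP_DLL_RE = re.compile(r"^c:\\windows\\_\d+_\.tmp\.dll$", re.I)

# Constructed sample: lines copied from the DDS log posted above, plus one
# made-up hosts line (127.0.0.1 www.google.com) to exercise the high-severity rule.
SAMPLE_LOG = r"""
C:\WINDOWS\LMI11.tmp\LMI_Rescue.exe
uStart Page = https://portal.metco-uk.com
Hosts: 172.26.58.225 Europisrv1
Hosts: 127.0.0.1 www.google.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-2-25 93872]
R2 LMIRescue_933145aa-bb4f-4dcb-bdcc-f3daefe262f9;LogMeIn Rescue (933145aa-bb4f-4dcb-bdcc-f3daefe262f9);c:\windows\lmi11.tmp\LMI_Rescue_srv.exe [2010-2-25 1881976]
S0 cerc6;cerc6; [x]
2010-01-08 14:26:08 7391 ----a-w- c:\windows\_000004_.tmp.dll
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious log line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = HOSTS_RE.match(line)
        if m:
            ip, name = m.group(1), m.group(2)
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                addr = None
            if "." in name or addr is None or addr.is_loopback:
                # A public-looking name pinned in the hosts file is the classic way
                # to block or redirect a search engine: always review it.
                findings.append(Finding("high", "hosts override of a public hostname", line))
            else:
                # Single-label name on a private address: usually a corporate entry.
                findings.append(Finding("info", "hosts entry for an internal name", line))
            continue

        m = SERVICE_RE.match(line)
        if m:
            path, tail = m.group(2), m.group(3)
            if tail.strip().lower() == "x" or not path:
                # DDS prints "[x]" when the registered file is not on disk.
                findings.append(Finding("medium", "service/driver registered but file missing", line))
            elif TEMP_DIR_RE.search(path):
                findings.append(Finding("medium", "service/driver running from a temp directory", line))
            continue

        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            if TMP_DLL_RE.match(path):
                findings.append(Finding("medium", "oddly named DLL directly under %windir%", line))
            elif TEMP_DIR_RE.search(path):
                findings.append(Finding("info", "new file in a temp directory", line))
            continue

        if TEMP_DIR_RE.search(line):
            # Process list, Run keys, BHOs: anything loading out of *.tmp\ or \temp\.
            findings.append(Finding("medium", "code loaded from a temp directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
```

Run it against a pasted log by replacing SAMPLE_LOG with the file contents; the rules are deliberately narrow so that the output is a short list to check by hand rather than a second log.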



#2 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai

Posted 27 February 2010 - 03:55 AM

Hello, martin3286.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for.
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 martin3286

  • Topic Starter
  • Members
  • 6 posts

Posted 01 March 2010 - 09:21 AM

Hi aommaster, thanks for your response.

As requested, logs to follow:

Logfile of random's system information tool 1.06 (written by random/random)
Run by vikki.latto at 2010-03-01 11:43:26
Microsoft Windows XP Professional Service Pack 3
System drive C: has 34 GB (45%) free of 76 GB
Total RAM: 1023 MB (32% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:38, on 01/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Emerson VPN Client\cvpnd.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateService.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\PIPC\BIN\pilogsrv.exe
C:\Program Files\PIPC\BIN\pinetmgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\PIPC\BIN\pimsgss.exe
C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateApp.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\vikki.latto\Desktop\RSIT.exe
C:\Program Files\trend micro\vikki.latto.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://portal.metco-uk.com/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 172.26.58.225 Europisrv1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Emerson VPN Client.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://portal.metco-uk.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emrsn.org
O17 - HKLM\Software\..\Telephony: DomainName = emrsn.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emrsn.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emrsn.org
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PI-Buffer Server (bufserv) - OSI Software Inc. - C:\Program Files\PIPC\BIN\bufserv.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Emerson VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Emerson VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect ERAS\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: PIPC Log Server (pilogsrv) - OSI Software - C:\Program Files\PIPC\BIN\pilogsrv.exe
O23 - Service: PI Message Subsystem (pimsgss) - OSI Software, Inc. - C:\Program Files\PIPC\BIN\pimsgss.exe
O23 - Service: PI Network Manager (pinetmgr) - OSI Software, Inc. - C:\Program Files\PIPC\BIN\pinetmgr.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11155 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-12-19 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-12-19 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-07-06 344064]
"Apoint"=C:\Program Files\Apoint\Apoint.exe [2005-10-07 176128]
"IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2007-02-21 819200]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2007-02-21 970752]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2007-05-14 1191936]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2009-03-16 115560]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-12-19 149280]
"Communicator"=C:\Program Files\Microsoft Office Communicator\communicator.exe [2008-12-16 5160288]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-11-10 417792]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-11-12 141600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2009-11-10 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-11-23 2001648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Emerson VPN Client.lnk - C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-07-06 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ccEvtMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ccSetMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SmcService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Symantec Antivirus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Symantec Antvirus]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"disablecad"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDesktopCleanupWizard"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office Communicator\communicator.exe"="C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Office Communicator"
"C:\Program Files\LANDesk\Shared Files\residentagent.exe"="C:\Program Files\LANDesk\Shared Files\residentagent.exe:*:Enabled:LANDesk® Management Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe"="C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service"
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE"="C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service"
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\system32\cba\pds.exe"="C:\WINDOWS\system32\cba\pds.exe:*:Enabled:LANDesk Ping Discovery Service"
"C:\WINDOWS\system32\msgsys.exe"="C:\WINDOWS\system32\msgsys.exe:*:Enabled:LANDesk Message Service"
"C:\Program Files\LANDesk\LDClient\issuser.exe"="C:\Program Files\LANDesk\LDClient\issuser.exe:*:Enabled:LANDesk Remote Control Agent"
"C:\Program Files\LANDesk\LDClient\tmcsvc.exe"="C:\Program Files\LANDesk\LDClient\tmcsvc.exe:*:Enabled:LANDesk Targeted Multicast"
"C:\Program Files\Microsoft Office Communicator\communicator.exe"="C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Office Communicator"
"C:\Program Files\LANDesk\Shared Files\residentagent.exe"="C:\Program Files\LANDesk\Shared Files\residentagent.exe:*:Enabled:LANDesk® Management Agent"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##gbabz-fs1#Central]
shell\AutoRun\command - F:\RECYCLER\recycld.exe
shell\open\command - F:\RECYCLER\recycld.exe


======List of files/folders created in the last 1 months======

2010-03-01 11:43:26 ----D---- C:\rsit
2010-03-01 11:43:26 ----D---- C:\Program Files\trend micro
2010-02-26 15:33:09 ----D---- C:\Program Files\Common Files\Adobe
2010-02-26 15:32:35 ----SHD---- C:\Config.Msi
2010-02-26 11:53:11 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-02-26 11:53:11 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-25 14:34:00 ----D---- C:\Program Files\TrendMicro
2010-02-25 12:24:26 ----D---- C:\WINDOWS\LMI11.tmp
2010-02-25 10:29:38 ----D---- C:\Documents and Settings\vikki.latto\Application Data\Malwarebytes
2010-02-25 10:29:08 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-02-25 10:29:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-02-25 10:28:21 ----D---- C:\Documents and Settings\vikki.latto\Application Data\Sunbelt
2010-02-25 10:27:56 ----D---- C:\Documents and Settings\All Users\Application Data\Sunbelt
2010-02-25 10:22:31 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2010-02-22 13:54:27 ----A---- C:\WINDOWS\system32\wmpns.dll
2010-02-22 13:45:36 ----A---- C:\WINDOWS\system32\_000006_.tmp.dll
2010-02-22 13:45:27 ----A---- C:\WINDOWS\system32\_000012_.tmp.dll
2010-02-22 13:45:27 ----A---- C:\WINDOWS\_000013_.tmp.dll
2010-02-22 13:45:27 ----A---- C:\WINDOWS\_000004_.tmp.dll
2010-02-22 13:45:22 ----A---- C:\WINDOWS\system32\_000005_.tmp.dll
2010-02-22 13:45:22 ----A---- C:\WINDOWS\_000006_.tmp.dll
2010-02-22 13:45:21 ----A---- C:\WINDOWS\_000011_.tmp.dll
2010-02-22 13:45:20 ----A---- C:\WINDOWS\system32\_000019_.tmp.dll
2010-02-22 13:45:20 ----A---- C:\WINDOWS\system32\_000008_.tmp.dll
2010-02-22 13:45:20 ----A---- C:\WINDOWS\_000020_.tmp.dll
2010-02-22 13:45:20 ----A---- C:\WINDOWS\_000009_.tmp.dll
2010-02-22 13:45:18 ----A---- C:\WINDOWS\_000067_.tmp.dll
2010-02-22 13:45:15 ----A---- C:\WINDOWS\system32\_000010_.tmp.dll
2010-02-22 13:45:15 ----A---- C:\WINDOWS\system32\_000009_.tmp.dll
2010-02-22 13:45:15 ----A---- C:\WINDOWS\system32\_000007_.tmp.dll
2010-02-22 13:45:15 ----A---- C:\WINDOWS\_000008_.tmp.dll
2010-02-22 13:45:15 ----A---- C:\WINDOWS\_000002_.tmp.dll
2010-02-22 13:45:11 ----A---- C:\WINDOWS\system32\_000054_.tmp.dll
2010-02-22 13:45:11 ----A---- C:\WINDOWS\_000055_.tmp.dll
2010-02-22 13:45:10 ----A---- C:\WINDOWS\system32\_000004_.tmp.dll
2010-02-22 13:45:10 ----A---- C:\WINDOWS\_000005_.tmp.dll
2010-02-22 13:44:49 ----A---- C:\WINDOWS\system32\gpprefcl.dll
2010-02-22 13:44:45 ----A---- C:\WINDOWS\system32\WsmWmiPl.dll
2010-02-22 13:44:45 ----A---- C:\WINDOWS\system32\WsmSvc.dll
2010-02-22 13:44:45 ----A---- C:\WINDOWS\system32\WsmRes.dll
2010-02-22 13:44:45 ----A---- C:\WINDOWS\system32\WsmAuto.dll
2010-02-22 13:44:45 ----A---- C:\WINDOWS\system32\wsmanhttpconfig.exe
2010-02-22 13:44:45 ----A---- C:\WINDOWS\system32\winrssrv.dll
2010-02-22 13:44:45 ----A---- C:\WINDOWS\system32\winrsmgr.dll
2010-02-22 13:44:45 ----A---- C:\WINDOWS\system32\winrshost.exe
2010-02-22 13:44:45 ----A---- C:\WINDOWS\system32\winrscmd.dll
2010-02-22 13:44:45 ----A---- C:\WINDOWS\system32\winrs.exe
2010-02-22 13:44:45 ----A---- C:\WINDOWS\system32\winrm.vbs
2010-02-22 13:44:45 ----A---- C:\WINDOWS\system32\winrm.cmd
2010-02-22 13:44:44 ----A---- C:\WINDOWS\system32\wsmprovhost.exe
2010-02-22 13:44:44 ----A---- C:\WINDOWS\system32\wsmplpxy.dll
2010-02-22 13:44:44 ----A---- C:\WINDOWS\system32\winrmprov.dll
2010-02-22 13:44:44 ----A---- C:\WINDOWS\system32\wevtfwd.dll
2010-02-22 13:44:44 ----A---- C:\WINDOWS\system32\pwrshplugin.dll
2010-02-22 13:44:30 ----A---- C:\WINDOWS\system32\wksprtPS.dll
2010-02-22 13:44:30 ----A---- C:\WINDOWS\system32\wksprt.exe
2010-02-22 13:44:30 ----A---- C:\WINDOWS\system32\TSWbPrxy.exe
2010-02-22 13:44:30 ----A---- C:\WINDOWS\system32\MsRdpWebAccess.dll
2010-02-22 13:43:51 ----HD---- C:\ErdUndoCache
2010-02-22 09:13:30 ----D---- C:\VIPRERESCUE
2010-02-22 09:09:19 ----D---- C:\WINDOWS\pss
2010-02-17 16:54:06 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-02-17 16:53:37 ----DC---- C:\WINDOWS\$NtUninstallKB971468$
2010-02-17 16:53:30 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2010-02-17 16:53:07 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2010-02-17 16:51:07 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2010-02-17 16:51:00 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2010-02-17 16:49:20 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-02-17 16:49:04 ----HDC---- C:\WINDOWS\$NtUninstallKB969084$
2010-02-17 16:48:59 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-02-17 16:48:53 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-02-17 16:48:21 ----DC---- C:\WINDOWS\$NtUninstallKB978251$
2010-02-17 16:48:14 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-02-17 16:48:03 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2010-02-17 16:47:19 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2010-02-17 16:47:10 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2010-02-17 16:47:03 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2010-02-17 16:46:51 ----HDC---- C:\WINDOWS\$NtUninstallKB971513$
2010-02-17 16:46:43 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-02-17 16:46:06 ----D---- C:\WINDOWS\system32\GroupPolicy
2010-02-17 16:45:59 ----DC---- C:\WINDOWS\$968930Uinstall_KB968930$
2010-02-17 16:45:57 ----D---- C:\WINDOWS\$NtUninstallKB968930$
2010-02-17 16:45:22 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-02-17 16:45:13 ----DC---- C:\WINDOWS\$NtUninstallKB977165$
2010-02-17 16:45:04 ----DC---- C:\WINDOWS\$NtUninstallKB943729$
2010-02-17 16:44:18 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2010-02-05 12:56:28 ----D---- C:\Program Files\MSECache
2010-02-05 12:47:20 ----D---- C:\Program Files\Microsoft Office Communicator

======List of files/folders modified in the last 1 months======

2010-03-01 11:43:38 ----D---- C:\WINDOWS\Temp
2010-03-01 11:43:26 ----RD---- C:\Program Files
2010-03-01 10:44:38 ----A---- C:\WINDOWS\PIPC.INI
2010-03-01 10:09:40 ----D---- C:\WINDOWS\security
2010-03-01 09:15:00 ----D---- C:\Documents and Settings\All Users\Application Data\vulScan
2010-03-01 09:06:08 ----D---- C:\WINDOWS\system32\CatRoot2
2010-02-28 22:10:48 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-26 15:34:23 ----SHD---- C:\WINDOWS\Installer
2010-02-26 15:33:22 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-02-26 15:33:09 ----D---- C:\Program Files\Common Files
2010-02-26 15:31:56 ----D---- C:\WINDOWS\system32
2010-02-26 15:28:57 ----D---- C:\Program Files\Common Files\Adobe AIR
2010-02-26 08:33:09 ----D---- C:\Program Files\SUPERAntiSpyware
2010-02-25 15:30:21 ----D---- C:\WINDOWS
2010-02-25 14:40:35 ----D---- C:\WINDOWS\system32\appmgmt
2010-02-25 11:31:17 ----D---- C:\WINDOWS\system32\drivers
2010-02-25 11:17:52 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2010-02-25 11:16:26 ----SD---- C:\WINDOWS\Tasks
2010-02-25 10:32:53 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-02-25 10:27:22 ----D---- C:\Program Files\Google
2010-02-25 10:24:41 ----A---- C:\WINDOWS\win.ini
2010-02-25 10:24:41 ----A---- C:\WINDOWS\system.ini
2010-02-25 10:24:41 ----A---- C:\boot.ini
2010-02-25 09:42:17 ----D---- C:\WINDOWS\Prefetch
2010-02-24 08:28:00 ----D---- C:\WINDOWS\system32\wbem
2010-02-24 08:24:55 ----D---- C:\Program Files\Microsoft Silverlight
2010-02-24 08:24:54 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-02-24 08:24:54 ----D---- C:\WINDOWS\AppPatch
2010-02-23 16:52:47 ----HD---- C:\WINDOWS\inf
2010-02-23 16:52:46 ----D---- C:\WINDOWS\system32\CatRoot
2010-02-23 16:52:16 ----A---- C:\WINDOWS\imsins.BAK
2010-02-23 16:44:46 ----D---- C:\WINDOWS\system32\en-US
2010-02-23 16:44:46 ----D---- C:\Program Files\Internet Explorer
2010-02-22 13:54:25 ----A---- C:\WINDOWS\OEWABLog.txt
2010-02-22 13:52:37 ----SHD---- C:\System Volume Information
2010-02-22 13:47:14 ----D---- C:\WINDOWS\system32\config
2010-02-22 13:47:09 ----D---- C:\Documents and Settings\vikki.latto\Application Data\ICAClient
2010-02-22 13:47:07 ----D---- C:\Program Files\Emerson VPN Client
2010-02-22 09:52:33 ----D---- C:\WINDOWS\Registration
2010-02-22 09:49:15 ----D---- C:\WINDOWS\system32\Restore
2010-02-20 18:50:27 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-02-17 16:54:06 ----HD---- C:\WINDOWS\$hf_mig$
2010-02-17 16:49:08 ----D---- C:\WINDOWS\Microsoft.NET
2010-02-17 16:49:07 ----RSD---- C:\WINDOWS\assembly
2010-02-17 16:46:16 ----D---- C:\WINDOWS\Help
2010-02-17 16:44:30 ----D---- C:\WINDOWS\WinSxS
2010-02-06 23:42:39 ----A---- C:\WINDOWS\king-uninstall.exe
2010-02-05 12:56:51 ----RSD---- C:\WINDOWS\Fonts
2010-02-05 12:56:46 ----D---- C:\Program Files\Microsoft Office
2010-02-05 12:56:45 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-02-05 12:50:54 ----SD---- C:\Documents and Settings\vikki.latto\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2005-08-12 16128]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SBRE;SBRE; \??\C:\WINDOWS\system32\drivers\SBREdrv.sys []
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SRTSP;SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [2009-03-16 280112]
R1 SRTSPX;SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [2009-03-16 43824]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2009-03-16 191536]
R1 WPS;WPS; \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys []
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.6.0.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-11-30 21425]
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver; \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys []
R2 iPassP;iPass Protocol (IEEE 802.1x) v3.7.4.0; C:\WINDOWS\system32\DRIVERS\iPassP.sys [2009-11-30 21393]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2007-02-21 12416]
R2 WGX;Extend WG Protocol Driver; C:\WINDOWS\System32\Drivers\WGX.SYS [2009-03-16 38056]
R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2005-09-28 113847]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-07-06 1132544]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-08-23 121472]
R3 BthEnum;Bluetooth Request Block Driver; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-14 17024]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-14 101120]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-14 18944]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2008-03-29 125328]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 GTIPCI21;GTIPCI21; C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-04-06 88192]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS [2005-05-03 1033728]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2005-05-03 208384]
R3 ldblank;Screen Blanking driver for Remote Control; C:\WINDOWS\system32\DRIVERS\ldblank.sys [2007-05-30 11904]
R3 ldmirror;ldmirror; C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2007-05-30 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall; C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2007-05-30 3712]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100228.035\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100228.035\NAVEX15.SYS []
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-14 59136]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 STAC97;SigmaTel C-Major Audio; C:\WINDOWS\system32\drivers\STAC97.sys [2005-03-10 273168]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2009-03-16 27696]
R3 Teefer2;Teefer2 Miniport; C:\WINDOWS\system32\DRIVERS\teefer2.sys [2009-03-16 49536]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 w29n51;Intel® PRO/Wireless 2915ABG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2007-02-08 2209408]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-05-03 705408]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 COH_Mon;COH_Mon; \??\C:\WINDOWS\system32\Drivers\COH_Mon.sys []
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2007-01-18 5275]
S3 SRTSPL;SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [2009-03-16 319792]
S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\drivers\UIUSys.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []
S3 WpsHelper;WpsHelper; \??\C:\WINDOWS\system32\drivers\WpsHelper.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 SysPlant;SysPlant for NT; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [2009-03-16 91976]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-07-06 364544]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 CBA8;LANDesk® Management Agent; C:\Program Files\LANDesk\Shared Files\residentagent.exe [2009-03-23 155648]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2009-03-16 108392]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2009-03-16 108392]
R2 CVPND;Emerson VPN Service; C:\Program Files\Emerson VPN Client\cvpnd.exe [2008-04-17 1528608]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2007-02-21 643072]
R2 Intel Local Scheduler Service;Intel Local Scheduler Service; C:\Program Files\LANDesk\LDClient\LocalSch.EXE [2009-03-10 196608]
R2 Intel PDS;Intel PDS; C:\WINDOWS\system32\CBA\pds.exe [2008-01-29 32825]
R2 Intel Targeted Multicast;LANDesk Targeted Multicast; C:\Program Files\LANDesk\LDClient\tmcsvc.exe [2007-11-30 192512]
R2 iPassPeriodicUpdateService;iPassPeriodicUpdateService; C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateService.exe [2008-02-07 98304]
R2 ISSUSER;LANDesk Remote Control Service; C:\PROGRA~1\LANDesk\LDClient\issuser.exe [2009-04-15 406528]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-12-19 153376]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker; C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe [2009-03-24 139264]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2006-03-10 322120]
R2 NICCONFIGSVC;NICCONFIGSVC; C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [2007-05-14 475136]
R2 pilogsrv;PIPC Log Server; C:\Program Files\PIPC\BIN\pilogsrv.exe [2005-11-17 151552]
R2 pimsgss;PI Message Subsystem; C:\Program Files\PIPC\BIN\pimsgss.exe [2004-11-11 724992]
R2 pinetmgr;PI Network Manager; C:\Program Files\PIPC\BIN\pinetmgr.exe [2005-05-05 798720]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2007-02-21 327680]
R2 S24EventMonitor;Intel® PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2007-02-21 983040]
R2 SmcService;Symantec Management Client; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [2009-03-16 1799496]
R2 SNAC;Symantec Network Access Control; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [2009-03-16 320840]
R2 Softmon;LANDesk® Software Monitoring Service; C:\Program Files\LANDesk\LDClient\softmon.exe [2009-04-08 335872]
R2 Symantec AntiVirus;Symantec Endpoint Protection; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2009-03-16 2440120]
R2 WLANKEEPER;Intel® PROSet/Wireless SSO Service; C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [2007-02-21 294912]
R3 iPassPeriodicUpdateApp;iPassPeriodicUpdateApp; C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateApp.exe [2008-02-07 155648]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 bufserv;PI-Buffer Server; C:\Program Files\PIPC\BIN\bufserv.exe [2005-11-17 393216]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPassConnectEngine;iPassConnectEngine; C:\Program Files\iPass\iPassConnect ERAS\iPassConnectEngine.exe [2008-02-07 1687552]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-11-12 545568]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2008-12-10 3093880]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-03-10 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
info.txt logfile of random's system information tool 1.06 2010-03-01 11:43:40

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->msiexec /qb /x {628C2C7D-8AD1-E614-E8E2-6EEAD8D5F2D0}
Acrobat.com-->MsiExec.exe /I{628C2C7D-8AD1-E614-E8E2-6EEAD8D5F2D0}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
ALPS Touch Pad Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Broadcom Gigabit Integrated Controller-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033
Citrix XenApp Web Plugin-->MsiExec.exe /X{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}
C-Major Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Conexant D110 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Emerson VPN Client-->MsiExec.exe /X{4C271126-C295-4828-A901-5910AE0C258B}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB969084)-->"C:\WINDOWS\$NtUninstallKB969084$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Intel® PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe
iPassConnect 3.60 EN-->Wscript.exe C:\WINDOWS\INS\AddRemoveMsg.vbs
iPassConnect ERAS-->"C:\Program Files\InstallShield Installation Information\{AB6FFA58-F491-11D3-8951-000000015799}\Setup.exe" -runfromtemp -l0x0009 -removeonly
iTunes-->MsiExec.exe /I{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}
Java™ 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
LANDesk Advance Agent-->MsiExec.exe /I{7E8833A1-AF24-4CAE-82DF-CFE14C14B94D}
LiveUpdate 3.3 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Mathcad 14.0 M011 Help-->MsiExec.exe /I{205ACCD7-5342-4694-91F3-3A99E4FD5AA6}
Mathcad 14.0 M011 Resource Center-->MsiExec.exe /I{EBD38AE9-D52D-448D-9DB4-4D5F66E1DAFC}
Mathcad 14.0 M011-->MsiExec.exe /I{CB220938-2571-4030-AB7B-A1C38A4866FF}
mCore-->MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver-->MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi-->MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell-->MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Communicator 2007 R2-->MsiExec.exe /X{0D1CBBB9-F4A8-45B6-95E7-202BA61D7AF4}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
mIWA-->MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView-->MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz-->MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSCfg-->MsiExec.exe /I{829CD169-E692-48E8-9BDE-A3E8D8B65538}
MsOfficeCommunicator2007R2-EN-->Wscript.exe C:\WINDOWS\INS\AddRemoveMsg.vbs
mSSO-->MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI-->MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mZConfig-->MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
PDFCreator-->C:\Program Files\PDFCreator\unins000.exe
PI DataLink 3.1.5-->MsiExec.exe /I{61298418-C1F5-400D-843A-903598CCC60A}
PI ProcessBook 3.0.15.2-->MsiExec.exe /I{855A0CC6-B710-49F5-98AE-C7BF6E7C8DF5}
PI ProcessBook SVG Add-In 3.0.0.21-->MsiExec.exe /I{7204A268-C827-4D89-B34A-1046A9580C58}
PI Software Development Kit (PI-SDK)-->MsiExec.exe /I{33B43291-29C7-4C0A-8678-D96E56F7C630}
QuickSet-->C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe -runfromtemp -l0x0009 APPDRVNT4 -removeonly
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB974455)-->"C:\WINDOWS\ie7updates\KB974455-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB978207)-->"C:\WINDOWS\ie7updates\KB978207-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec Endpoint Protection-->MsiExec.exe /I{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}
Texas Instruments PCIxx21/x515/xx12 drivers.-->C:\Program Files\InstallShield Installation Information\{0E0479F8-180F-4054-B4F7-17EE657F90BF}\setup.exe -runfromtemp -l0x0409
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Windows (KB971513)-->"C:\WINDOWS\$NtUninstallKB971513$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows PowerShell™ 1.0 MUI pack-->"C:\WINDOWS\$NtUninstallKB926141$\spuninst\spuninst.exe"
Windows PowerShell™ 1.0-->"C:\WINDOWS\$NtUninstallKB926139-v2$\spuninst\spuninst.exe"

======Hosts File======

172.26.58.225 Europisrv1

======Security center information======

AV: Symantec Endpoint Protection
FW: Symantec Endpoint Protection

======System event log======

Computer Name: GBABZ-LT24
Event Code: 18
Message: Windows cannot store Bluetooth link keys on the local transceiver because it cannot determine whether proper security is enabled for the device.

Record Number: 98
Source Name: BTHUSB
Time Written: 20091130150356.000000+000
Event Type: warning
User:

Computer Name: GBABZ-LT24
Event Code: 18
Message: Windows cannot store Bluetooth link keys on the local transceiver because it cannot determine whether proper security is enabled for the device.

Record Number: 81
Source Name: BTHUSB
Time Written: 20091130150235.000000+000
Event Type: warning
User:

Computer Name: GBABZ-LT24
Event Code: 18
Message: Windows cannot store Bluetooth link keys on the local transceiver because it cannot determine whether proper security is enabled for the device.

Record Number: 60
Source Name: BTHUSB
Time Written: 20091130150039.000000+000
Event Type: warning
User:

Computer Name: GBABZ-LT24
Event Code: 18
Message: Windows cannot store Bluetooth link keys on the local transceiver because it cannot determine whether proper security is enabled for the device.

Record Number: 11
Source Name: BTHUSB
Time Written: 20091130114652.000000+000
Event Type: warning
User:

Computer Name: MACHINENAME
Event Code: 18
Message: Windows cannot store Bluetooth link keys on the local transceiver because it cannot determine whether proper security is enabled for the device.

Record Number: 4
Source Name: BTHUSB
Time Written: 20091130112428.000000+000
Event Type: warning
User:

=====Application event log=====

Computer Name: GBABZ-LT24
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 15
Source Name: WinMgmt
Time Written: 20091130113537.000000+000
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: GBABZ-LT24
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 14
Source Name: WinMgmt
Time Written: 20091130113537.000000+000
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: GBABZ-LT24
Event Code: 63
Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 13
Source Name: WinMgmt
Time Written: 20091130113536.000000+000
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: GBABZ-LT24
Event Code: 63
Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 12
Source Name: WinMgmt
Time Written: 20091130113536.000000+000
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: GBABZ-LT24
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 11
Source Name: WinMgmt
Time Written: 20091130113535.000000+000
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\;C:\WINDOWS\system32\WindowsPowerShell\v1.0
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"_NT_SYMBOL_PATH"=%SystemRoot%\symbols;%SystemRoot%\symbols\dll
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
"LDMS_LOCAL_DIR"=C:\Program Files\LANDesk\LDClient\Data

-----------------EOF-----------------






GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-01 13:58:20
Windows 5.1.2600 Service Pack 3
Running: u220804d.exe; Driver: C:\DOCUME~1\VIKKI~1.LAT\LOCALS~1\Temp\pgtorpoc.sys


---- System - GMER 1.0.15 ----

SSDT 86588FD0 ZwAlertResumeThread
SSDT 8659A0B0 ZwAlertThread
SSDT 86431B50 ZwAllocateVirtualMemory
SSDT 865D55B8 ZwConnectPort
SSDT 866843F8 ZwCreateMutant
SSDT 8654B108 ZwCreateThread
SSDT 863A0A88 ZwFreeVirtualMemory
SSDT 865887E0 ZwImpersonateAnonymousToken
SSDT 86588EF8 ZwImpersonateThread
SSDT 86708ED8 ZwMapViewOfSection
SSDT 86588708 ZwOpenEvent
SSDT 86679598 ZwOpenProcessToken
SSDT 863A8A90 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF76B0840]
SSDT 865CEE70 ZwResumeThread
SSDT 865AEEA8 ZwSetContextThread
SSDT 86266A88 ZwSetInformationProcess
SSDT 862F6A90 ZwSetInformationThread
SSDT 86597160 ZwSuspendProcess
SSDT 865A17B8 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xED9710B0]
SSDT 865ACE30 ZwTerminateThread
SSDT 865A03E8 ZwUnmapViewOfSection
SSDT 86686658 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\BTHUSB \Device\000000b0 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000b0 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F744FB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F744FB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F744FB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F744FB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000ae bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000ae bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device BA367D20

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00164119e45a
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00164119e45a (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\vikki.latto\Cookies\vikki.latto@bleepingcomputer[2].txt 0 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



Hope you can help

Regards
Martin

#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai

Posted 01 March 2010 - 09:56 AM

Hello, martin3286.
Glad to help :)

We need to disable TeaTimer
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click Mode and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press yes
  5. Click on Tools
  6. Click on Resident
  7. Uncheck the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  8. Close/Exit Spybot Search and Destroy


NEXT:

We need to run TDSSKiller
  1. Download TDSSKiller and save it to your Desktop.
  2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  3. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks and do not include the word "Code") Then press OK.
    CODE
    "%userprofile%\Desktop\TDSSKiller.exe" -l "%userprofile%\Desktop\TDSSKiller.txt" -v

    **Note: If it says "Hidden service detected" DO NOT type anything in. Just press Enter.
  4. When it is done, a log file should be created on your desktop called "TDSSKiller.txt" please copy and paste the contents of that file here

NEXT:

Please answer the following questions

I see that you have custom entries in your hosts file. Is this intentional?
Are you familiar with the URL "https://portal.metco-uk.com"?
Are you familiar with the domain "emrsn.org"?

If you are not aware of any of those listed above, don't worry, we'll remove them on the next fix :)

In your next reply, please include the following:
  • TDSSKiller.txt
  • Answers to my questions above

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 martin3286

martin3286
  • Topic Starter

  • Members
  • 6 posts

Posted 01 March 2010 - 10:40 AM

I have removed Spybot completely so it shouldn't be an issue now...

Yes I am familiar with those listings in the hosts file, they shouldn't be causing any problems but they can be removed if need be.

TDSS Log to follow:

15:29:23:626 1464 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
15:29:23:626 1464 ================================================================================
15:29:23:626 1464 SystemInfo:

15:29:23:626 1464 OS Version: 5.1.2600 ServicePack: 3.0
15:29:23:626 1464 Product type: Workstation
15:29:23:626 1464 ComputerName: GBABZ-LT24
15:29:23:626 1464 UserName: vikki.latto
15:29:23:626 1464 Windows directory: C:\WINDOWS
15:29:23:626 1464 Processor architecture: Intel x86
15:29:23:626 1464 Number of processors: 1
15:29:23:626 1464 Page size: 0x1000
15:29:23:641 1464 Boot type: Normal boot
15:29:23:641 1464 ================================================================================
15:29:23:641 1464 UnloadDriverW: NtUnloadDriver error 1
15:29:23:641 1464 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
15:29:23:673 1464 LoadDriverW: Driver already loaded
15:29:23:673 1464 KLMD_DropNLoadW: LoadDriverW(klmd21) error 1056
15:29:23:673 1464 Initialize success
15:29:23:673 1464
15:29:23:673 1464 Scanning Services ...
15:29:23:673 1464 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:29:23:673 1464 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:29:23:673 1464 wfopen_ex: Trying to KLMD file open
15:29:23:673 1464 wfopen_ex: File opened ok (Flags 2)
15:29:23:673 1464 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:29:23:673 1464 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:29:23:673 1464 wfopen_ex: Trying to KLMD file open
15:29:23:673 1464 wfopen_ex: File opened ok (Flags 2)
15:29:24:188 1464 GetAdvancedServicesInfo: Raw services enum returned 389 services
15:29:24:188 1464 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:29:24:188 1464 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:29:24:188 1464
15:29:24:188 1464 Scanning Kernel memory ...
15:29:24:188 1464 Devices to scan: 3
15:29:24:188 1464
15:29:24:188 1464 Driver Name: Disk
15:29:24:188 1464 IRP_MJ_CREATE : F7621BB0
15:29:24:188 1464 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
15:29:24:188 1464 IRP_MJ_CLOSE : F7621BB0
15:29:24:188 1464 IRP_MJ_READ : F761BD1F
15:29:24:188 1464 IRP_MJ_WRITE : F761BD1F
15:29:24:188 1464 IRP_MJ_QUERY_INFORMATION : 804F355A
15:29:24:188 1464 IRP_MJ_SET_INFORMATION : 804F355A
15:29:24:188 1464 IRP_MJ_QUERY_EA : 804F355A
15:29:24:188 1464 IRP_MJ_SET_EA : 804F355A
15:29:24:188 1464 IRP_MJ_FLUSH_BUFFERS : F761C2E2
15:29:24:188 1464 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
15:29:24:188 1464 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
15:29:24:188 1464 IRP_MJ_DIRECTORY_CONTROL : 804F355A
15:29:24:188 1464 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
15:29:24:188 1464 IRP_MJ_DEVICE_CONTROL : F761C3BB
15:29:24:188 1464 IRP_MJ_INTERNAL_DEVICE_CONTROL : F761FF28
15:29:24:188 1464 IRP_MJ_SHUTDOWN : F761C2E2
15:29:24:188 1464 IRP_MJ_LOCK_CONTROL : 804F355A
15:29:24:188 1464 IRP_MJ_CLEANUP : 804F355A
15:29:24:188 1464 IRP_MJ_CREATE_MAILSLOT : 804F355A
15:29:24:188 1464 IRP_MJ_QUERY_SECURITY : 804F355A
15:29:24:188 1464 IRP_MJ_SET_SECURITY : 804F355A
15:29:24:188 1464 IRP_MJ_POWER : F761DC82
15:29:24:188 1464 IRP_MJ_SYSTEM_CONTROL : F762299E
15:29:24:188 1464 IRP_MJ_DEVICE_CHANGE : 804F355A
15:29:24:188 1464 IRP_MJ_QUERY_QUOTA : 804F355A
15:29:24:188 1464 IRP_MJ_SET_QUOTA : 804F355A
15:29:24:204 1464 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:29:24:204 1464 sion
15:29:24:204 1464 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:29:24:204 1464
15:29:24:204 1464 Driver Name: Disk
15:29:24:204 1464 IRP_MJ_CREATE : F7621BB0
15:29:24:204 1464 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
15:29:24:204 1464 IRP_MJ_CLOSE : F7621BB0
15:29:24:204 1464 IRP_MJ_READ : F761BD1F
15:29:24:204 1464 IRP_MJ_WRITE : F761BD1F
15:29:24:204 1464 IRP_MJ_QUERY_INFORMATION : 804F355A
15:29:24:204 1464 IRP_MJ_SET_INFORMATION : 804F355A
15:29:24:204 1464 IRP_MJ_QUERY_EA : 804F355A
15:29:24:204 1464 IRP_MJ_SET_EA : 804F355A
15:29:24:204 1464 IRP_MJ_FLUSH_BUFFERS : F761C2E2
15:29:24:204 1464 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
15:29:24:204 1464 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
15:29:24:204 1464 IRP_MJ_DIRECTORY_CONTROL : 804F355A
15:29:24:204 1464 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
15:29:24:204 1464 IRP_MJ_DEVICE_CONTROL : F761C3BB
15:29:24:204 1464 IRP_MJ_INTERNAL_DEVICE_CONTROL : F761FF28
15:29:24:204 1464 IRP_MJ_SHUTDOWN : F761C2E2
15:29:24:204 1464 IRP_MJ_LOCK_CONTROL : 804F355A
15:29:24:204 1464 IRP_MJ_CLEANUP : 804F355A
15:29:24:204 1464 IRP_MJ_CREATE_MAILSLOT : 804F355A
15:29:24:204 1464 IRP_MJ_QUERY_SECURITY : 804F355A
15:29:24:204 1464 IRP_MJ_SET_SECURITY : 804F355A
15:29:24:204 1464 IRP_MJ_POWER : F761DC82
15:29:24:204 1464 IRP_MJ_SYSTEM_CONTROL : F762299E
15:29:24:204 1464 IRP_MJ_DEVICE_CHANGE : 804F355A
15:29:24:204 1464 IRP_MJ_QUERY_QUOTA : 804F355A
15:29:24:204 1464 IRP_MJ_SET_QUOTA : 804F355A
15:29:24:204 1464 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:29:24:204 1464 sion
15:29:24:204 1464 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:29:24:204 1464
15:29:24:204 1464 Driver Name: atapi
15:29:24:204 1464 IRP_MJ_CREATE : F744FB3A
15:29:24:204 1464 IRP_MJ_CREATE_NAMED_PIPE : F744FB3A
15:29:24:204 1464 IRP_MJ_CLOSE : F744FB3A
15:29:24:204 1464 IRP_MJ_READ : F744FB3A
15:29:24:204 1464 IRP_MJ_WRITE : F744FB3A
15:29:24:204 1464 IRP_MJ_QUERY_INFORMATION : F744FB3A
15:29:24:204 1464 IRP_MJ_SET_INFORMATION : F744FB3A
15:29:24:204 1464 IRP_MJ_QUERY_EA : F744FB3A
15:29:24:204 1464 IRP_MJ_SET_EA : F744FB3A
15:29:24:204 1464 IRP_MJ_FLUSH_BUFFERS : F744FB3A
15:29:24:204 1464 IRP_MJ_QUERY_VOLUME_INFORMATION : F744FB3A
15:29:24:204 1464 IRP_MJ_SET_VOLUME_INFORMATION : F744FB3A
15:29:24:204 1464 IRP_MJ_DIRECTORY_CONTROL : F744FB3A
15:29:24:204 1464 IRP_MJ_FILE_SYSTEM_CONTROL : F744FB3A
15:29:24:204 1464 IRP_MJ_DEVICE_CONTROL : F744FB3A
15:29:24:204 1464 IRP_MJ_INTERNAL_DEVICE_CONTROL : F744FB3A
15:29:24:204 1464 IRP_MJ_SHUTDOWN : F744FB3A
15:29:24:204 1464 IRP_MJ_LOCK_CONTROL : F744FB3A
15:29:24:204 1464 IRP_MJ_CLEANUP : F744FB3A
15:29:24:204 1464 IRP_MJ_CREATE_MAILSLOT : F744FB3A
15:29:24:204 1464 IRP_MJ_QUERY_SECURITY : F744FB3A
15:29:24:204 1464 IRP_MJ_SET_SECURITY : F744FB3A
15:29:24:204 1464 IRP_MJ_POWER : F744FB3A
15:29:24:204 1464 IRP_MJ_SYSTEM_CONTROL : F744FB3A
15:29:24:204 1464 IRP_MJ_DEVICE_CHANGE : F744FB3A
15:29:24:204 1464 IRP_MJ_QUERY_QUOTA : F744FB3A
15:29:24:204 1464 IRP_MJ_SET_QUOTA : F744FB3A
15:29:24:220 1464 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
15:29:24:220 1464 TDL3_IrpHookDetect: New IrpHandler addr: 867618C8
15:29:24:220 1464 ihd1
15:29:24:220 1464 siohd: 0
15:29:24:235 1464 C:\WINDOWS\system32\drivers\tsk88.tmp - Verdict: Clean
15:29:24:235 1464
15:29:24:235 1464 Completed
15:29:24:235 1464
15:29:24:235 1464 Results:
15:29:24:235 1464 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
15:29:24:235 1464 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:29:24:235 1464 File objects infected / cured / cured on reboot: 0 / 0 / 0
15:29:24:235 1464
15:29:24:235 1464 UnloadDriverW: NtUnloadDriver error 1
15:29:24:235 1464 KLMD_Unload: UnloadDriverW(klmd21) error 1
15:29:24:235 1464 KLMD(ARK) unloaded successfully



Regards
Martin
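
The TDSSKiller log above carries three signals that the closing "Results: 0 / 0 / 0" summary does not reflect: every IRP_MJ entry of the atapi driver points to one address (F744FB3A), the scanner prints "TDL3 Stub signature found" with a new handler address, and the verdict for that driver is issued for tsk88.tmp rather than atapi.sys. The Python below is an added example, not part of this thread and not TDSSKiller's own code; it parses the "Scanning Kernel memory" section into per-driver records and flags those three conditions, using a constructed, shortened copy of the log format as sample input.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the TDSSKiller 2.2.7.1 format seen in the thread,
# shortened to a handful of IRP_MJ entries per driver. The Disk block is the
# normal shape (unimplemented majors share the kernel's default handler);
# the atapi block is the hooked shape.
SAMPLE_LOG = r"""
15:29:24:188 1464 Scanning Kernel memory ...
15:29:24:188 1464 Devices to scan: 2
15:29:24:188 1464
15:29:24:188 1464 Driver Name: Disk
15:29:24:188 1464 IRP_MJ_CREATE : F7621BB0
15:29:24:188 1464 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
15:29:24:188 1464 IRP_MJ_CLOSE : F7621BB0
15:29:24:188 1464 IRP_MJ_READ : F761BD1F
15:29:24:188 1464 IRP_MJ_WRITE : F761BD1F
15:29:24:188 1464 IRP_MJ_DEVICE_CONTROL : F761C3BB
15:29:24:204 1464 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:29:24:204 1464 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:29:24:204 1464
15:29:24:204 1464 Driver Name: atapi
15:29:24:204 1464 IRP_MJ_CREATE : F744FB3A
15:29:24:204 1464 IRP_MJ_CREATE_NAMED_PIPE : F744FB3A
15:29:24:204 1464 IRP_MJ_CLOSE : F744FB3A
15:29:24:204 1464 IRP_MJ_READ : F744FB3A
15:29:24:204 1464 IRP_MJ_WRITE : F744FB3A
15:29:24:204 1464 IRP_MJ_DEVICE_CONTROL : F744FB3A
15:29:24:220 1464 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
15:29:24:220 1464 TDL3_IrpHookDetect: New IrpHandler addr: 867618C8
15:29:24:235 1464 C:\WINDOWS\system32\drivers\tsk88.tmp - Verdict: Clean
"""

# "HH:MM:SS:mmm <pid> <body>"; the body may be empty on separator lines.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s?(.*)$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]+)$")
VERDICT_RE = re.compile(r"^(.+?) - Verdict: (\w+)$")


@dataclass
class DriverScan:
    name: str
    handlers: dict = field(default_factory=dict)   # IRP_MJ_* -> hex address
    scanner_notes: list = field(default_factory=list)  # TDL3_* lines
    verdict_path: str = ""
    verdict: str = ""


def parse_kernel_scan(text):
    """Split the kernel-memory section into one DriverScan per 'Driver Name:' block."""
    drivers, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        if body.startswith("Driver Name:"):
            current = DriverScan(name=body.split(":", 1)[1].strip())
            drivers.append(current)
            continue
        if current is None:
            continue
        irp = IRP_RE.match(body)
        if irp:
            current.handlers[irp.group(1)] = irp.group(2).upper()
            continue
        if body.startswith("TDL3_"):
            current.scanner_notes.append(body)
            continue
        v = VERDICT_RE.match(body)
        if v:
            current.verdict_path, current.verdict = v.group(1), v.group(2)
            current = None  # the verdict line closes the block
    return drivers


def assess(scan):
    """Return the list of reasons a block deserves a second look (empty if none)."""
    findings = []
    addrs = set(scan.handlers.values())
    # Heuristic: a whole dispatch table routed through a single address is the
    # shape of the hooked atapi block above, not of the untouched Disk block.
    if len(scan.handlers) >= 4 and len(addrs) == 1:
        findings.append(f"all {len(scan.handlers)} IRP_MJ handlers point to {addrs.pop()}")
    for note in scan.scanner_notes:
        if "Stub signature found" in note or "New IrpHandler" in note:
            findings.append("scanner reported an inline hook: " + note)
    # The verdict should name the driver's own image; a different file means the
    # scanner followed the dispatch pointer somewhere else.
    base = scan.verdict_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base and base != scan.name.lower() + ".sys":
        findings.append(f"verdict issued for {base!r}, not {scan.name.lower()}.sys")
    return findings


def suspicious_drivers(text):
    """Map driver name -> findings, for every block with at least one finding."""
    report = {}
    for scan in parse_kernel_scan(text):
        findings = assess(scan)
        if findings:
            report[scan.name] = findings
    return report


if __name__ == "__main__":
    for name, reasons in suspicious_drivers(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run against a full log, the Disk block stays quiet (its "Unable to dump StartIo handler code" line is not a hook report) and only atapi is listed with all three reasons, which is the picture the helper acts on in the next reply.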

#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai

Posted 01 March 2010 - 01:24 PM

Hello, martin3286.
QUOTE
Yes I am familiar with those listings in the hosts file, they shouldn't be causing any problems but they can be removed if need be.

Well, since you're familiar with them, we don't need to remove them. Only reason I asked is because at times, infections like to add entries to the hosts file, etc.

We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  6. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  7. Click on Yes, to continue scanning for malware.
  8. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 martin3286

martin3286
  • Topic Starter

  • Members
  • 6 posts

Posted 02 March 2010 - 04:50 AM

Here's the ComboFix log and the fresh HijackThis log:

ComboFix 10-03-01.03 - vikki.latto 02/03/2010 9:31.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.472 [GMT 0:00]
Running from: c:\documents and settings\vikki.latto\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\_000002_.tmp.dll
c:\windows\_000006_.tmp.dll
c:\windows\_000008_.tmp.dll
c:\windows\_000009_.tmp.dll
c:\windows\_000011_.tmp.dll
c:\windows\_000013_.tmp.dll
c:\windows\system32\_000004_.tmp.dll
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\_000019_.tmp.dll
c:\windows\system32\_000054_.tmp.dll

----- BITS: Possible infected sites -----

hxxp://gbabz-fs1:8530
.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 09:21 . 2010-03-02 09:21 -------- d-----w- c:\documents and settings\martin.clifton\Tracing
2010-03-02 09:21 . 2010-03-02 09:21 -------- d-----w- c:\documents and settings\martin.clifton\Application Data\Dell
2010-03-02 09:21 . 2010-03-02 09:21 -------- d-----w- c:\documents and settings\martin.clifton\Local Settings\Application Data\Symantec
2010-03-01 11:43 . 2010-03-01 11:43 -------- d-----w- C:\rsit
2010-03-01 11:43 . 2010-03-01 11:43 -------- d-----w- c:\program files\trend micro
2010-02-26 15:33 . 2010-02-26 15:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-26 11:53 . 2010-02-26 12:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-26 11:53 . 2010-02-26 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-25 14:34 . 2010-02-25 14:34 -------- d-----w- c:\program files\TrendMicro
2010-02-25 12:24 . 2010-02-25 12:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2010-02-25 12:24 . 2010-02-26 08:26 -------- d-----w- c:\windows\LMI11.tmp
2010-02-25 11:31 . 2009-08-05 14:58 93872 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-25 10:29 . 2010-02-25 10:29 -------- d-----w- c:\documents and settings\vikki.latto\Application Data\Malwarebytes
2010-02-25 10:29 . 2010-02-25 10:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-25 10:28 . 2010-02-25 10:28 -------- d-----w- c:\documents and settings\vikki.latto\Application Data\Sunbelt
2010-02-25 10:27 . 2010-02-25 10:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-02-24 13:03 . 2010-02-24 13:03 52224 ----a-w- c:\documents and settings\vikki.latto\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-22 13:55 . 2010-02-22 13:55 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-02-22 13:55 . 2010-02-22 13:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-02-22 13:54 . 2010-02-22 13:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-02-22 13:54 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-02-22 13:54 . 2010-02-22 13:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2010-02-22 13:45 . 2008-12-11 10:57 333952 ----a-w- c:\windows\system32\drivers\_000005_.tmp.dll
2010-02-22 13:45 . 2008-04-14 12:00 264832 ----a-w- c:\windows\system32\drivers\_000007_.tmp.dll
2010-02-22 13:45 . 2010-01-08 14:26 7391 ----a-w- c:\windows\_000004_.tmp.dll
2010-02-22 13:45 . 2008-10-24 11:21 455296 ----a-w- c:\windows\system32\drivers\_000006_.tmp.dll
2010-02-22 13:45 . 2009-10-08 14:57 8559 ----a-w- c:\windows\_000020_.tmp.dll
2010-02-22 13:45 . 2009-10-09 16:26 59602 ----a-w- c:\windows\_000067_.tmp.dll
2010-02-22 13:45 . 2010-01-05 11:08 31991 ----a-w- c:\windows\_000055_.tmp.dll
2010-02-22 13:45 . 2009-10-29 02:21 7407 ----a-w- c:\windows\_000005_.tmp.dll
2010-02-22 13:43 . 2010-02-22 13:47 -------- d-----w- C:\ErdUndoCache
2010-02-22 09:52 . 2010-02-22 09:52 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-22 09:13 . 2010-02-26 10:31 -------- d-----w- C:\VIPRERESCUE
2010-02-17 16:46 . 2010-02-17 16:46 -------- d-----w- c:\windows\system32\GroupPolicy
2010-02-17 16:45 . 2010-02-22 13:44 -------- dc----w- c:\windows\$968930Uinstall_KB968930$
2010-02-11 11:18 . 2010-02-11 11:18 54600 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-05 12:56 . 2010-02-05 12:56 -------- d-----w- c:\program files\MSECache
2010-02-05 12:50 . 2010-03-02 09:24 -------- d-----w- c:\documents and settings\vikki.latto\Tracing
2010-02-05 12:47 . 2010-02-05 12:47 -------- d-----w- c:\program files\Microsoft Office Communicator
2010-01-31 19:22 . 2010-01-31 19:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-31 19:17 . 2010-01-31 19:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 09:22 . 2009-12-02 11:56 -------- d-----w- c:\documents and settings\All Users\Application Data\vulScan
2010-03-01 15:32 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-01 15:27 . 2009-12-01 12:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-01 09:43 . 2009-12-01 12:11 117760 ----a-w- c:\documents and settings\vikki.latto\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-26 15:28 . 2009-12-01 09:56 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-26 15:28 . 2010-03-02 09:20 38784 ----a-w- c:\documents and settings\martin.clifton\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-26 15:28 . 2009-12-01 09:57 38784 ----a-w- c:\documents and settings\vikki.latto\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-26 15:28 . 2009-12-01 09:57 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-25 10:27 . 2009-12-01 11:28 -------- d-----w- c:\program files\Google
2010-02-24 08:24 . 2009-11-30 16:35 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-23 11:26 . 2009-12-01 11:08 63592 ----a-w- c:\documents and settings\vikki.latto\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-22 13:47 . 2009-12-01 12:10 -------- d-----w- c:\documents and settings\vikki.latto\Application Data\ICAClient
2010-02-22 13:47 . 2009-11-30 17:17 -------- d-----w- c:\program files\Emerson VPN Client
2010-02-18 08:27 . 2009-03-16 11:25 162048 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-02-06 23:42 . 2010-01-09 16:58 33061 ----a-w- c:\windows\king-uninstall.exe
2010-01-05 20:08 . 2010-01-05 20:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-05 10:00 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet(2).dll
2010-01-05 10:00 . 2008-04-14 12:00 1168384 ----a-w- c:\windows\system32\urlmon(2).dll
2010-01-05 10:00 . 2008-04-14 12:00 105984 ----a-w- c:\windows\system32\url(2).dll
2010-01-05 10:00 . 2007-08-13 18:34 268288 ----a-w- c:\windows\system32\iertutil(2).dll
2010-01-05 10:00 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 12:10 . 2009-12-01 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-19 20:11 . 2009-12-19 20:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-19 20:10 . 2009-12-19 20:10 152576 ----a-w- c:\documents and settings\vikki.latto\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-19 20:08 . 2009-12-19 20:08 79488 ----a-w- c:\documents and settings\vikki.latto\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-16 18:43 . 2009-11-30 11:34 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv(2).dll
2009-12-08 19:27 . 2008-04-14 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2008-04-14 00:01 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 09:23 . 2008-04-14 12:00 474112 ----a-w- c:\windows\system32\shlwapi(2).dll
2009-12-05 19:50 . 2009-12-05 19:50 134 ----a-w- c:\documents and settings\vikki.latto\Local Settings\Application Data\fusioncache.dat
2009-12-04 18:22 . 2008-04-14 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-02 12:39 . 2009-12-02 12:39 10134 ----a-r- c:\documents and settings\vikki.latto\Application Data\Microsoft\Installer\{EBD38AE9-D52D-448D-9DB4-4D5F66E1DAFC}\ARPPRODUCTICON.exe
2009-12-02 12:38 . 2009-12-02 12:38 10134 ----a-r- c:\documents and settings\vikki.latto\Application Data\Microsoft\Installer\{205ACCD7-5342-4694-91F3-3A99E4FD5AA6}\ARPPRODUCTICON.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-06 344064]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-03-16 115560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-19 149280]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-12-16 5160288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Emerson VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-11-30 6144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 16:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [25/02/2010 11:31 93872]
R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [23/03/2009 10:03 155648]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [02/12/2009 11:55 139264]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [02/12/2009 11:55 335872]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [01/12/2009 09:52 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [30/11/2009 15:44 88192]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [02/12/2009 11:55 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [02/12/2009 11:55 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [02/12/2009 11:55 3712]
S0 cerc6;cerc6; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [16/03/2009 11:25 23888]
.
.
------- Supplementary Scan -------
.
uStart Page = https://portal.metco-uk.com/default.aspx
uInternet Settings,ProxyOverride = *.local
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
SafeBoot-Symantec Antvirus
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 09:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1776)
c:\windows\system32\Ati2evxx.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'lsass.exe'(1832)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-03-02 09:37:19
ComboFix-quarantined-files.txt 2010-03-02 09:37

Pre-Run: 35,405,783,040 bytes free
Post-Run: 35,422,871,552 bytes free

- - End Of File - - 81F0FD8AB5A9E6EA5554B3F3FA8CB1E5




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:44:30, on 02/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Emerson VPN Client\cvpnd.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateService.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\PIPC\BIN\pilogsrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\PIPC\BIN\pinetmgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\PIPC\BIN\pimsgss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateApp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\vikki.latto\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://portal.metco-uk.com/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 172.26.58.225 Europisrv1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Emerson VPN Client.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://portal.metco-uk.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emrsn.org
O17 - HKLM\Software\..\Telephony: DomainName = emrsn.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emrsn.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emrsn.org
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PI-Buffer Server (bufserv) - OSI Software Inc. - C:\Program Files\PIPC\BIN\bufserv.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Emerson VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Emerson VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect ERAS\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: PIPC Log Server (pilogsrv) - OSI Software - C:\Program Files\PIPC\BIN\pilogsrv.exe
O23 - Service: PI Message Subsystem (pimsgss) - OSI Software, Inc. - C:\Program Files\PIPC\BIN\pimsgss.exe
O23 - Service: PI Network Manager (pinetmgr) - OSI Software, Inc. - C:\Program Files\PIPC\BIN\pinetmgr.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10606 bytes


Regards
Martin


#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:07:53 AM

Posted 02 March 2010 - 09:50 AM

Hello, martin3286.
Looks like you have some temporary Windows Update files. We'll remove them in this fix.

We need to run a ComboFix script
  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    http://www.bleepingcomputer.com/forums/t/298444/google-redirect-problem/

    Collect::
    c:\windows\system32\drivers\_000005_.tmp.dll
    c:\windows\system32\drivers\_000007_.tmp.dll
    c:\windows\_000004_.tmp.dll
    c:\windows\system32\drivers\_000006_.tmp.dll
    c:\windows\_000020_.tmp.dll
    c:\windows\_000067_.tmp.dll
    c:\windows\_000055_.tmp.dll
    c:\windows\_000005_.tmp.dll
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
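To show how a Collect:: list like the one above can be derived from the ComboFix log instead of typed by hand, here is an added Python example (not ComboFix's own code and not from this thread) that parses "Files Created" lines and flags the _NNNNNN_.tmp.dll naming pattern the helper picked out. The sample lines are copied from the log posted earlier in the thread; the thread URL passed in is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of ComboFix's "Files Created" / "Find3M" sections looks like
#   <created> . <modified> <size or --------> <attrs> <path>
# where each timestamp may or may not carry seconds.
_STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?"
LINE_RE = re.compile(rf"^({_STAMP}) \. ({_STAMP}) (\S+) (\S{{8}}) (.+?)\s*$")

# Naming pattern of the files the helper asked to collect: _NNNNNN_.tmp.dll
# dropped into c:\windows or one of its subfolders.
TMP_DLL_RE = re.compile(r"_\d{6}_\.tmp\.dll$", re.IGNORECASE)

# Sample input, copied from the ComboFix log posted above (a few lines only).
SAMPLE_LOG = r"""
2010-02-22 13:45 . 2008-12-11 10:57 333952 ----a-w- c:\windows\system32\drivers\_000005_.tmp.dll
2010-02-22 13:45 . 2010-01-08 14:26 7391 ----a-w- c:\windows\_000004_.tmp.dll
2010-02-22 13:43 . 2010-02-22 13:47 -------- d-----w- C:\ErdUndoCache
2010-02-25 11:31 . 2009-08-05 14:58 93872 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-22 13:45 . 2009-10-08 14:57 8559 ----a-w- c:\windows\_000020_.tmp.dll
2010-03-02 16:07:42 . 2010-03-02 16:07:52 -------- d-----w- C:\WINDOWS\LMI4.tmp
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (size column is "--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # ComboFix marks directories with a leading "d" in the attribute column.
        return self.attrs.startswith("d")


def parse_entries(log_text: str) -> List[Entry]:
    """Parse every file/directory line; section headers and lone dots are skipped."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(created, modified,
                             None if size.startswith("-") else int(size),
                             attrs, path))
    return entries


def find_tmp_dlls(entries: List[Entry]) -> List[Entry]:
    """Files (never directories) whose name matches the _NNNNNN_.tmp.dll pattern."""
    return [e for e in entries if not e.is_dir and TMP_DLL_RE.search(e.path)]


def build_cfscript(thread_url: str, paths: List[str]) -> str:
    """Lay the script out as the helper posted it: thread URL, blank line,
    a Collect:: directive, then one path per line."""
    return "\n".join([thread_url, "", "Collect::", *paths]) + "\n"


def triage(log_text: str, thread_url: str) -> str:
    """Full pass: log text in, CFScript text out."""
    hits = find_tmp_dlls(parse_entries(log_text))
    return build_cfscript(thread_url, [e.path for e in hits])


if __name__ == "__main__":
    # Placeholder URL; the real script carries the URL of the thread being worked.
    print(triage(SAMPLE_LOG, "http://example.invalid/thread-url-placeholder"))
```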


#9 martin3286

martin3286
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:53 AM

Posted 02 March 2010 - 11:30 AM

Hi aommaster

Here are the two new logs as requested:

ComboFix 10-03-01.04 - vikki.latto 02/03/2010 16:18:37.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.448 [GMT 0:00]
Running from: C:\Documents and Settings\vikki.latto\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\vikki.latto\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

file zipped: c:\windows\_000004_.tmp.dll
file zipped: c:\windows\_000005_.tmp.dll
file zipped: c:\windows\_000020_.tmp.dll
file zipped: c:\windows\_000055_.tmp.dll
file zipped: c:\windows\_000067_.tmp.dll
file zipped: c:\windows\system32\drivers\_000005_.tmp.dll
file zipped: c:\windows\system32\drivers\_000006_.tmp.dll
file zipped: c:\windows\system32\drivers\_000007_.tmp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\_000004_.tmp.dll
c:\windows\_000005_.tmp.dll
C:\WINDOWS\_000020_.tmp.dll
c:\windows\_000055_.tmp.dll
c:\windows\_000067_.tmp.dll
c:\windows\system32\drivers\_000005_.tmp.dll
c:\windows\system32\drivers\_000006_.tmp.dll
c:\windows\system32\drivers\_000007_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 16:07:42 . 2010-03-02 16:07:52 -------- d-----w- C:\WINDOWS\LMI4.tmp
2010-03-02 16:07:33 . 2010-03-02 16:08:21 -------- d-----w- C:\WINDOWS\LMI3.tmp
2010-03-02 10:10:43 . 2008-04-14 00:15:40 26368 -c--a-w- C:\WINDOWS\system32\dllcache\usbstor.sys
2010-03-02 10:10:20 . 2010-03-02 10:10:20 -------- d-----w- C:\Documents and Settings\vikki.latto\Application Data\dvdcss
2010-03-02 10:10:03 . 2010-03-02 10:38:25 -------- d-----w- C:\Documents and Settings\vikki.latto\Application Data\vlc
2010-03-02 10:08:40 . 2010-03-02 10:08:40 -------- d-----w- C:\Program Files\VideoLAN
2010-03-02 09:21:55 . 2010-03-02 09:21:56 -------- d-----w- C:\Documents and Settings\martin.clifton\Tracing
2010-03-02 09:21:46 . 2010-03-02 09:21:46 -------- d-----w- C:\Documents and Settings\martin.clifton\Application Data\Dell
2010-03-02 09:21:26 . 2010-03-02 09:21:26 -------- d-----w- C:\Documents and Settings\martin.clifton\Local Settings\Application Data\Symantec
2010-03-01 11:43:26 . 2010-03-01 11:43:40 -------- d-----w- C:\rsit
2010-03-01 11:43:26 . 2010-03-01 11:43:38 -------- d-----w- C:\Program Files\trend micro
2010-02-26 15:33:09 . 2010-02-26 15:33:23 -------- d-----w- C:\Program Files\Common Files\Adobe
2010-02-26 11:53:11 . 2010-02-26 12:14:03 -------- d-----w- C:\Program Files\Spybot - Search & Destroy
2010-02-26 11:53:11 . 2010-02-26 12:14:03 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-25 14:34:00 . 2010-02-25 14:34:00 -------- d-----w- C:\Program Files\TrendMicro
2010-02-25 12:24:51 . 2010-02-25 12:24:51 -------- d-----w- C:\Documents and Settings\LocalService\Local Settings\Application Data\ICS
2010-02-25 12:24:26 . 2010-02-26 08:26:40 -------- d-----w- C:\WINDOWS\LMI11.tmp
2010-02-25 11:31:17 . 2009-08-05 14:58:40 93872 ----a-w- C:\WINDOWS\system32\drivers\SBREDrv.sys
2010-02-25 10:29:38 . 2010-02-25 10:29:38 -------- d-----w- C:\Documents and Settings\vikki.latto\Application Data\Malwarebytes
2010-02-25 10:29:08 . 2010-02-25 10:29:08 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-02-25 10:28:21 . 2010-02-25 10:28:21 -------- d-----w- C:\Documents and Settings\vikki.latto\Application Data\Sunbelt
2010-02-25 10:27:56 . 2010-02-25 10:27:56 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Sunbelt
2010-02-24 13:03:42 . 2010-02-24 13:03:42 52224 ----a-w- C:\Documents and Settings\vikki.latto\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-22 13:55:10 . 2010-02-22 13:55:12 -------- d-----w- C:\Documents and Settings\Administrator\Tracing
2010-02-22 13:55:00 . 2010-02-22 13:55:00 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer
2010-02-22 13:54:47 . 2010-02-22 13:54:47 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
2010-02-22 13:54:27 . 2008-04-14 12:00:00 221184 ----a-w- C:\WINDOWS\system32\wmpns.dll
2010-02-22 13:54:21 . 2010-02-22 13:54:21 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Symantec
2010-02-22 13:43:51 . 2010-02-22 13:47:15 -------- d-----w- C:\ErdUndoCache
2010-02-22 09:52:33 . 2010-02-22 09:52:33 -------- d-----w- C:\WINDOWS\system32\wbem\Repository
2010-02-22 09:13:30 . 2010-02-26 10:31:40 -------- d-----w- C:\VIPRERESCUE
2010-02-17 16:46:06 . 2010-02-17 16:46:06 -------- d-----w- C:\WINDOWS\system32\GroupPolicy
2010-02-17 16:45:59 . 2010-02-22 13:44:46 -------- dc----w- C:\WINDOWS\$968930Uinstall_KB968930$
2010-02-11 11:18:51 . 2010-02-11 11:18:51 54600 ---ha-w- C:\WINDOWS\system32\mlfcache.dat
2010-02-05 12:56:28 . 2010-02-05 12:56:28 -------- d-----w- C:\Program Files\MSECache
2010-02-05 12:50:51 . 2010-03-02 16:05:45 -------- d-----w- C:\Documents and Settings\vikki.latto\Tracing
2010-02-05 12:47:20 . 2010-02-05 12:47:23 -------- d-----w- C:\Program Files\Microsoft Office Communicator
2010-01-31 19:22:01 . 2010-01-31 19:22:01 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
2010-01-31 19:17:50 . 2010-01-31 19:17:50 -------- d-----w- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 16:12:17 . 2009-12-02 11:56:28 -------- d-----w- C:\Documents and Settings\All Users\Application Data\vulScan
2010-03-01 15:32:28 . 2008-04-14 12:00:00 96512 ------w- C:\WINDOWS\system32\drivers\atapi.sys
2010-03-01 15:27:40 . 2009-12-01 12:09:03 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-03-01 09:43:42 . 2009-12-01 12:11:02 117760 ----a-w- C:\Documents and Settings\vikki.latto\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-26 15:28:57 . 2009-12-01 09:56:46 -------- d-----w- C:\Program Files\Common Files\Adobe AIR
2010-02-26 15:28:45 . 2010-03-02 09:20:52 38784 ----a-w- C:\Documents and Settings\martin.clifton\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-26 15:28:45 . 2009-12-01 09:57:37 38784 ----a-w- C:\Documents and Settings\vikki.latto\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-26 15:28:45 . 2009-12-01 09:57:21 38784 ----a-w- C:\Documents and Settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-25 10:27:22 . 2009-12-01 11:28:28 -------- d-----w- C:\Program Files\Google
2010-02-24 08:24:55 . 2009-11-30 16:35:34 -------- d-----w- C:\Program Files\Microsoft Silverlight
2010-02-23 11:26:41 . 2009-12-01 11:08:37 63592 ----a-w- C:\Documents and Settings\vikki.latto\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-22 13:47:09 . 2009-12-01 12:10:06 -------- d-----w- C:\Documents and Settings\vikki.latto\Application Data\ICAClient
2010-02-22 13:47:07 . 2009-11-30 17:17:56 -------- d-----w- C:\Program Files\Emerson VPN Client
2010-02-18 08:27:09 . 2009-03-16 11:25:16 162048 ----a-w- C:\WINDOWS\system32\drivers\wpshelper.sys
2010-02-06 23:42:39 . 2010-01-09 16:58:45 33061 ----a-w- C:\WINDOWS\king-uninstall.exe
2010-01-05 20:08:07 . 2010-01-05 20:08:07 664 ----a-w- C:\WINDOWS\system32\d3d9caps.dat
2010-01-05 10:00:29 . 2008-04-14 12:00:00 832512 ----a-w- C:\WINDOWS\system32\wininet(2).dll
2010-01-05 10:00:29 . 2008-04-14 12:00:00 832512 ------w- C:\WINDOWS\system32\wininet.dll
2010-01-05 10:00:28 . 2008-04-14 12:00:00 1168384 ----a-w- C:\WINDOWS\system32\urlmon(2).dll
2010-01-05 10:00:28 . 2008-04-14 12:00:00 105984 ----a-w- C:\WINDOWS\system32\url(2).dll
2010-01-05 10:00:24 . 2007-08-13 18:34:04 268288 ----a-w- C:\WINDOWS\system32\iertutil(2).dll
2010-01-05 10:00:21 . 2008-04-14 12:00:00 78336 ----a-w- C:\WINDOWS\system32\ieencode.dll
2010-01-05 10:00:20 . 2008-04-14 12:00:00 17408 ----a-w- C:\WINDOWS\system32\corpol.dll
2010-01-04 12:10:08 . 2009-12-01 09:54:42 -------- d-----w- C:\Documents and Settings\All Users\Application Data\NOS
2009-12-31 16:50:03 . 2008-04-14 12:00:00 353792 ----a-w- C:\WINDOWS\system32\drivers\srv.sys
2009-12-19 20:11:37 . 2009-12-19 20:12:00 411368 ----a-w- C:\WINDOWS\system32\deploytk.dll
2009-12-19 20:10:56 . 2009-12-19 20:10:56 152576 ----a-w- C:\Documents and Settings\vikki.latto\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-19 20:08:15 . 2009-12-19 20:08:15 79488 ----a-w- C:\Documents and Settings\vikki.latto\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-16 18:43:27 . 2009-11-30 11:34:08 343040 ----a-w- C:\WINDOWS\system32\mspaint.exe
2009-12-14 07:08:23 . 2008-04-14 12:00:00 33280 ----a-w- C:\WINDOWS\system32\csrsrv.dll
2009-12-14 07:08:23 . 2008-04-14 12:00:00 33280 ----a-w- C:\WINDOWS\system32\csrsrv(2).dll
2009-12-08 19:27:51 . 2008-04-14 12:00:00 2189184 ------w- C:\WINDOWS\system32\ntoskrnl.exe
2009-12-08 18:43:50 . 2008-04-14 00:01:22 2066048 ------w- C:\WINDOWS\system32\ntkrnlpa.exe
2009-12-08 09:23:28 . 2008-04-14 12:00:00 474112 ----a-w- C:\WINDOWS\system32\shlwapi(2).dll
2009-12-05 19:50:30 . 2009-12-05 19:50:30 134 ----a-w- C:\Documents and Settings\vikki.latto\Local Settings\Application Data\fusioncache.dat
2009-12-04 18:22:22 . 2008-04-14 12:00:00 455424 ----a-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-03-02_09.35.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-02 16:05:16 . 2010-03-02 16:05:16 16384 C:\WINDOWS\Temp\Perflib_Perfdata_68c.dat
+ 2010-03-02 10:10:43 . 2008-04-14 00:15:40 26368 C:\WINDOWS\system32\drivers\USBSTOR.SYS
+ 2010-03-02 16:08:04 . 2010-03-02 16:08:04 73640 C:\WINDOWS\LMI3.tmp\unlock64.dll
+ 2010-03-02 16:08:04 . 2010-03-02 16:08:04 75176 C:\WINDOWS\LMI3.tmp\unlock.dll
+ 2010-03-02 12:37:17 . 2010-03-02 12:37:17 37888 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\87a11190cb0c9ecfd20b607bff6690fb\System.Windows.Presentation.ni.dll
+ 2010-03-02 12:37:03 . 2010-03-02 12:37:03 36864 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\6a6a72d2ee8849a5ad7a80af36563ed5\System.Web.DynamicData.Design.ni.dll
+ 2010-03-02 12:35:10 . 2010-03-02 12:35:10 94208 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\1c25e1eb925bf9c0b526ead78e3e1abc\System.ComponentModel.DataAnnotations.ni.dll
+ 2010-03-02 12:35:10 . 2010-03-02 12:35:10 82944 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\96443722953c690747a82d31bd1c549f\System.AddIn.Contract.ni.dll
+ 2010-03-02 12:36:36 . 2010-03-02 12:36:36 55296 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\6c4bf544cfa75f913df49142acab1b7c\Microsoft.Vsa.ni.dll
+ 2010-03-02 11:36:41 . 2010-03-02 11:36:41 15872 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f557a86223e3622629cce620e5d5615c\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-03-02 11:36:40 . 2010-03-02 11:36:40 17920 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\e8004f4d8ec8a1bd131d10826939c3d4\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-03-02 11:36:31 . 2010-03-02 11:36:31 36352 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\e7c09f2f6031744dbf8c87c9e482fac7\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-03-02 11:36:31 . 2010-03-02 11:36:31 35328 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\d91557a8d7da1b1377ff12bf695d2977\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-03-02 11:36:32 . 2010-03-02 11:36:32 36352 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\d7e3f822df90750bbbd5397ea0829cf6\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-03-02 11:36:39 . 2010-03-02 11:36:39 16384 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\d531e1ad1f8278ede189614618978ee3\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-03-02 11:36:23 . 2010-03-02 11:36:23 18432 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\bcebf038559d2b61a953caa6efb335ac\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-03-02 11:36:19 . 2010-03-02 11:36:19 19456 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\ba5cb8e68159a50a1aee54dd0a632c70\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-03-02 11:36:27 . 2010-03-02 11:36:27 30208 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\b3842fe4b155ccb8ad47b7caa05c4efb\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-03-02 11:36:26 . 2010-03-02 11:36:26 30720 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\b19d9c792c910a6839c6822d9a5c9a5b\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-03-02 11:36:40 . 2010-03-02 11:36:40 16384 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\b1132beff74f67ef0f971de2c93ccc13\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-03-02 11:36:33 . 2010-03-02 11:36:33 36864 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\ab724083569ad4df4366e22a63b3cac0\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-03-02 11:36:27 . 2010-03-02 11:36:27 32768 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a7ac84e0437ddc69da3a3c7217443bb1\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-03-02 11:36:38 . 2010-03-02 11:36:38 16896 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a59e1585973c1bd445f50faf1f1da607\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-03-02 11:36:41 . 2010-03-02 11:36:41 15872 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a347a3aeed43e8c79ff0d1c6f1274c77\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-03-02 11:36:36 . 2010-03-02 11:36:36 33280 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\98654704b6ee75d176a2b7c615daa842\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-03-02 11:36:39 . 2010-03-02 11:36:39 16896 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\925dda0ce843a83384437e362ea376c9\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-03-02 11:36:37 . 2010-03-02 11:36:37 16896 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\91d1bc8f07a1249c54e2a8be8fd0bd00\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-03-02 11:36:37 . 2010-03-02 11:36:37 17408 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\8c02349f1eddb48ec8c45f4d1e3fa457\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-03-02 11:36:32 . 2010-03-02 11:36:32 37888 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\80eca55dd9d1ae96594685b7f98616b4\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-03-02 11:36:30 . 2010-03-02 11:36:30 28672 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\7e257052484fc73e496c94d6faad8ef8\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-03-02 11:36:18 . 2010-03-02 11:36:18 18944 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\71e8e8835fd50399055c7b5716a96081\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-03-02 11:36:33 . 2010-03-02 11:36:33 39936 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\6e89046881efddc52c4bea4ced1e8b16\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-03-02 11:36:28 . 2010-03-02 11:36:28 31232 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\65a30ad9fcd0f5ab2632e792aa553ad8\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-03-02 11:36:22 . 2010-03-02 11:36:22 20992 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\5e8c72ed9c23ad6a556bd5b1ceda7eac\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-03-02 11:36:22 . 2010-03-02 11:36:22 17920 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\5d99fbbefe8c7cb89d220c92a3f3c97e\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-03-02 11:36:35 . 2010-03-02 11:36:35 33792 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\563aeda031c8c73dfdeeee258d4e53bd\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-03-02 11:36:20 . 2010-03-02 11:36:20 18944 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\51c11a1c28aea32c39d24c10e2c4ae73\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-03-02 11:36:34 . 2010-03-02 11:36:34 35840 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\4ea3d0dd77c25ae3d6f5d7531fec135b\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-03-02 11:36:21 . 2010-03-02 11:36:21 19456 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\4ac467ec4aacc9f357bf9dbf0461389f\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-03-02 11:36:21 . 2010-03-02 11:36:21 18944 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\45330074194c2ce3f788e26d85d3a580\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-03-02 11:36:22 . 2010-03-02 11:36:22 18944 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\39a00c2b298cdb91e233d03769fba0f7\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-03-02 11:36:25 . 2010-03-02 11:36:25 30208 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\347c32079ed04f5cd475bc1854ec50b7\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-03-02 11:36:35 . 2010-03-02 11:36:35 45568 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\33cef4305c2ab1762004af88efff77f8\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-03-02 11:36:29 . 2010-03-02 11:36:29 28672 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\2f402df8b47ae125c06a4c81f5f2c0ac\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-03-02 11:36:34 . 2010-03-02 11:36:34 37376 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\2d3b9f2b161b0ad1157ac115412d7ca7\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2010-03-02 11:36:26 . 2010-03-02 11:36:27 31232 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\287f4976b4ea35f373f696121d24027a\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-03-02 11:36:19 . 2010-03-02 11:36:19 18944 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\185284868454771aec8c5c4874d4dacb\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-03-02 11:36:20 . 2010-03-02 11:36:20 19456 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\173d2d4d9ea9b8b6a2e8dd9cd632ac30\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2010-03-02 11:36:28 . 2010-03-02 11:36:28 30720 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\158a2580ced9f9a3fee754396e54f020\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-03-02 11:36:38 . 2010-03-02 11:36:38 16384 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\13d02cb87a472ae281e095ec9c715120\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-03-02 11:36:39 . 2010-03-02 11:36:39 16384 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\07aef82c3d4b06be126d58af4a9a8125\Microsoft.PowerShell.Security.resources.ni.dll
+ 2010-03-02 11:36:25 . 2010-03-02 11:36:25 31232 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0663de6addbe6cd7497f2f4c34b0cd29\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-03-02 11:36:29 . 2010-03-02 11:36:29 35840 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0372e727bfa18a36be641facccc3ce5e\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2010-03-02 11:35:59 . 2010-03-02 11:35:59 74752 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\5754fc85021b2f65836ba422521631eb\Microsoft.Build.Framework.ni.dll
+ 2010-03-02 11:36:11 . 2010-03-02 11:36:11 65024 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\0cb37ad30660eed74e9f8e28640c019f\Microsoft.Build.Framework.ni.dll
+ 2010-03-02 11:35:57 . 2010-03-02 11:35:57 14336 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\36bb2dd711974ad0bce057d2bc9c4592\dfsvc.ni.exe
+ 2010-03-02 11:35:53 . 2010-03-02 11:35:53 25600 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\16548a271b624211b7d1bd2956faed85\Accessibility.ni.dll
+ 2010-03-02 16:03:25 . 2010-03-02 16:07:28 2210 C:\WINDOWS\SoftwareDistribution\EventCache\{66E1846E-F0D1-4702-9C50-E605441CFEDA}.bin
+ 2010-03-02 16:07:46 . 2010-03-02 16:07:46 180784 C:\WINDOWS\LMI4.tmp\rahook.dll
+ 2010-03-02 16:07:47 . 2010-03-02 16:07:47 210816 C:\WINDOWS\LMI4.tmp\ra64app.exe
+ 2010-03-02 16:07:36 . 2010-03-02 16:07:37 180784 C:\WINDOWS\LMI3.tmp\rahook.dll
+ 2010-03-02 16:07:37 . 2010-03-02 16:07:39 210816 C:\WINDOWS\LMI3.tmp\ra64app.exe
+ 2010-03-02 16:08:21 . 2010-03-02 16:07:37 180784 C:\WINDOWS\LMI3.tmp\LMIRhook.000.dll
+ 2010-03-02 11:35:52 . 2010-03-02 11:35:52 321536 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WsatConfig\76212f0eaf908ddc457b7c09fdc00013\WsatConfig.ni.exe
+ 2010-03-02 14:26:12 . 2010-03-02 14:26:12 400896 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\43dff2d60cc1e2d83207d115d6ebd5da\System.Xml.Linq.ni.dll
+ 2010-03-02 12:36:59 . 2010-03-02 12:36:59 129536 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\bbbbee6aee8efc2a3fe36297df61558c\System.Web.Routing.ni.dll
+ 2010-03-02 12:37:11 . 2010-03-02 12:37:11 202240 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\4918daec30cc88a92e9089d6e6ddf65b\System.Web.RegularExpressions.ni.dll
+ 2010-03-02 12:37:08 . 2010-03-02 12:37:08 859648 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\1abbdbd4a1de53b702bae22e4714b95d\System.Web.Extensions.Design.ni.dll
+ 2010-03-02 12:37:04 . 2010-03-02 12:37:04 328704 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\adaa9f715be2debd2b11674077f3afda\System.Web.Entity.ni.dll
+ 2010-03-02 12:37:06 . 2010-03-02 12:37:06 301056 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\23a843aedd80a0f43e0baa1986bcd83f\System.Web.Entity.Design.ni.dll
+ 2010-03-02 12:37:02 . 2010-03-02 12:37:03 547328 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\a68617197d12be5a9a8bb91b4e7873ec\System.Web.DynamicData.ni.dll
+ 2010-03-02 12:36:58 . 2010-03-02 12:36:58 141312 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\8ff474534be27f40db5c17fee04a9fe7\System.Web.Abstractions.ni.dll
+ 2010-03-02 12:36:44 . 2010-03-02 12:36:44 627200 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\9aa6ef5e5d40a8b8fb2850ee4a3e7bb3\System.Transactions.ni.dll
+ 2010-03-02 12:36:43 . 2010-03-02 12:36:43 212992 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\b74d61184e254ac814bb3ceae5cc1095\System.ServiceProcess.ni.dll
+ 2010-03-02 11:36:07 . 2010-03-02 11:36:07 676352 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\3ef9383bddd7283406d0ba7303f38e46\System.Security.ni.dll
+ 2010-03-02 12:36:32 . 2010-03-02 12:36:32 311296 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\aab1f5149537a106a50b1508d9b18eb5\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2010-03-02 12:36:37 . 2010-03-02 12:36:37 621056 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Net\90e7b21b6f94a25cb4470ac854999479\System.Net.ni.dll
+ 2010-03-02 12:36:34 . 2010-03-02 12:36:34 998400 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\d7ad7924159136fb7e13cfdf3d01cf21\System.Management.ni.dll
+ 2010-03-02 12:36:31 . 2010-03-02 12:36:31 330752 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management.I#\7081191709ba39f5b18f2f52f61c6aab\System.Management.Instrumentation.ni.dll
+ 2010-03-02 12:36:26 . 2010-03-02 12:36:26 181248 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management.A#\fafc03597676e65dfb8f4697ac647c62\System.Management.Automation.resources.ni.dll
+ 2010-03-02 12:36:27 . 2010-03-02 12:36:27 188928 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management.A#\f32313a8dec56494438c80f5d54305f6\System.Management.Automation.resources.ni.dll
+ 2010-03-02 12:36:26 . 2010-03-02 12:36:26 169984 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management.A#\ea77ee92b00cbefb83da28fce1b67019\System.Management.Automation.resources.ni.dll
+ 2010-03-02 12:36:28 . 2010-03-02 12:36:28 169472 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management.A#\ddc0417f8addef49288190f918af1dac\System.Management.Automation.resources.ni.dll
+ 2010-03-02 12:36:29 . 2010-03-02 12:36:29 154624 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management.A#\c6e875d1a64aea766fbdd75037851222\System.Management.Automation.resources.ni.dll
+ 2010-03-02 12:36:30 . 2010-03-02 12:36:30 154112 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management.A#\c5de04699aa38a2dabea09019dea086d\System.Management.Automation.resources.ni.dll
+ 2010-03-02 12:36:27 . 2010-03-02 12:36:27 177664 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management.A#\892b5420690274f0e84073f1e52428bf\System.Management.Automation.resources.ni.dll
+ 2010-03-02 12:36:28 . 2010-03-02 12:36:28 221184 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management.A#\84b0a0d2a43a3e3d7a530b46bb49bdee\System.Management.Automation.resources.ni.dll
+ 2010-03-02 12:36:25 . 2010-03-02 12:36:25 160256 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management.A#\646fab05d237a943021a9ceaa6c32c7b\System.Management.Automation.resources.ni.dll
+ 2010-03-02 12:36:25 . 2010-03-02 12:36:25 172544 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management.A#\0d8ad65fa89646d47bfc0fd29a015f6e\System.Management.Automation.resources.ni.dll
+ 2010-03-02 12:36:24 . 2010-03-02 12:36:24 175104 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management.A#\09c54e2aad75149a41492bd38567ae26\System.Management.Automation.resources.ni.dll
+ 2010-03-02 11:35:04 . 2010-03-02 11:35:04 381440 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.IO.Log\c88bdc0770617f2bec70e82b2877712e\System.IO.Log.ni.dll
+ 2010-03-02 11:35:57 . 2010-03-02 11:35:57 212992 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\9830b36108b5acc8bfecd4b523ae6422\System.IdentityModel.Selectors.ni.dll
+ 2010-03-02 12:36:17 . 2010-03-02 12:36:17 280064 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\34bd8d1c5589efe26dfd69cfef05888c\System.EnterpriseServices.Wrapper.dll
+ 2010-03-02 12:36:17 . 2010-03-02 12:36:17 627712 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\34bd8d1c5589efe26dfd69cfef05888c\System.EnterpriseServices.ni.dll
+ 2010-03-02 12:36:15 . 2010-03-02 12:36:15 881152 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\2e171d3863d31c9760be4a76d7a41842\System.DirectoryServices.AccountManagement.ni.dll
+ 2010-03-02 12:36:16 . 2010-03-02 12:36:16 455680 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\26c2dd48768ead8ab6981c502c33a16b\System.DirectoryServices.Protocols.ni.dll
+ 2010-03-02 12:36:09 . 2010-03-02 12:36:09 939008 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\a157c98a0bd61c92cc324ccb085c0c2f\System.Data.Services.Client.ni.dll
+ 2010-03-02 12:36:10 . 2010-03-02 12:36:10 354816 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\43ebb69f9f13b4d50877a718fe7e2fec\System.Data.Services.Design.ni.dll
+ 2010-03-02 12:36:03 . 2010-03-02 12:36:03 756736 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\6f40c0b03a35585ad314a0459ebd3721\System.Data.Entity.Design.ni.dll
+ 2010-03-02 12:35:12 . 2010-03-02 12:35:12 135680 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\67b8b52a93087400d9c8efa36d28ba0f\System.Data.DataSetExtensions.ni.dll
+ 2010-03-02 11:36:02 . 2010-03-02 11:36:02 971264 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\33f46842f1687b027c3471ca1ba6e929\System.Configuration.ni.dll
+ 2010-03-02 12:36:32 . 2010-03-02 12:36:32 141312 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\d5f4012b6c896418365813c53c5e46ce\System.Configuration.Install.ni.dll
+ 2010-03-02 12:35:09 . 2010-03-02 12:35:09 633856 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.AddIn\338d4c7d84af692ae64bdee6e66bd04a\System.AddIn.ni.dll
+ 2010-03-02 11:35:51 . 2010-03-02 11:35:51 366080 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SMSvcHost\57b773ae9a151b61e0d669e8bbc64275\SMSvcHost.ni.exe
+ 2010-03-02 11:35:49 . 2010-03-02 11:35:49 256000 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\c047fb6624ebfd95bdbc916e0068e6e9\SMDiagnostics.ni.dll
+ 2010-03-02 11:35:49 . 2010-03-02 11:35:49 320512 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\ce9e424d230401a889211771dec6b896\ServiceModelReg.ni.exe
+ 2010-03-02 11:35:58 . 2010-03-02 11:35:58 133632 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\MSBuild\9f2d92e6bde466705c09e3ecf53878a5\MSBuild.ni.exe
+ 2010-03-02 11:35:47 . 2010-03-02 11:35:47 386560 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\49805534376724ae137ff41cda393d19\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2010-03-02 11:36:18 . 2010-03-02 11:36:18 433664 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\9e64552e502e83ea9f36a635da673f2a\Microsoft.PowerShell.Commands.Management.ni.dll
+ 2010-03-02 11:36:24 . 2010-03-02 11:36:25 968192 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\7a87e180c6853689a6962cfabf5a4a22\Microsoft.PowerShell.Commands.Utility.ni.dll
+ 2010-03-02 11:36:31 . 2010-03-02 11:36:31 492032 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\263801f28bdfc6390257bfd325c791d4\Microsoft.PowerShell.ConsoleHost.ni.dll
+ 2010-03-02 11:36:36 . 2010-03-02 11:36:36 148480 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0b22303173840a037788ee88b4f664cc\Microsoft.PowerShell.Security.ni.dll
+ 2010-03-02 11:36:16 . 2010-03-02 11:36:16 144384 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\caf2207b404aa5bcb77833e3302fc5b6\Microsoft.Build.Utilities.ni.dll
+ 2010-03-02 11:36:17 . 2010-03-02 11:36:17 175104 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\74290c786353b8f4341550847169adb1\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2010-03-02 11:36:10 . 2010-03-02 11:36:10 839680 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\ecad09aa540d7011ff615077bba756c9\Microsoft.Build.Engine.ni.dll
+ 2010-03-02 11:36:09 . 2010-03-02 11:36:09 222720 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\d326c3841b68b469dc70eab552dc0764\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2010-03-02 11:36:08 . 2010-03-02 11:36:08 220672 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\7966bb0eeae06d6e0a0999f7e57945c3\CustomMarshalers.ni.dll
+ 2010-03-02 11:35:43 . 2010-03-02 11:35:43 410112 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\aa863a2ee18166e2c56f9b310352b160\ComSvcConfig.ni.exe
+ 2010-03-02 11:35:56 . 2010-03-02 11:35:56 842240 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\ab21507db0a8b7a8b8bd86f468bed2d4\AspNetMMCExt.ni.dll
+ 2010-03-02 16:07:47 . 2010-03-02 16:07:46 1881976 C:\WINDOWS\LMI4.tmp\LMI_Rescue_srv.exe
+ 2010-03-02 16:07:43 . 2010-03-02 16:07:46 1881976 C:\WINDOWS\LMI4.tmp\lmi_rescue.exe
+ 2010-03-02 16:08:04 . 2010-03-02 16:08:04 1672592 C:\WINDOWS\LMI3.tmp\unattended.exe
+ 2010-03-02 16:08:10 . 2010-03-02 16:08:10 1668992 C:\WINDOWS\LMI3.tmp\rarcc.dll
+ 2010-03-02 16:07:39 . 2010-03-02 16:07:36 1881976 C:\WINDOWS\LMI3.tmp\LMI_Rescue_srv.exe
+ 2010-03-02 16:07:33 . 2010-03-02 16:07:36 1881976 C:\WINDOWS\LMI3.tmp\lmi_rescue.exe
+ 2010-03-02 16:08:07 . 2010-03-02 16:08:07 1235280 C:\WINDOWS\LMI3.tmp\ICSAgent32.dll
+ 2010-03-02 14:26:11 . 2010-03-02 14:26:11 1356288 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\ad2b413a977164493c9498e6eea9836a\System.WorkflowServices.ni.dll
+ 2010-03-02 14:26:05 . 2010-03-02 14:26:05 1908224 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\56f5b5b7fbb513b20a8c42d6ede20716\System.Workflow.Runtime.ni.dll
+ 2010-03-02 14:26:00 . 2010-03-02 14:26:01 4514304 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\4428b243d69bdd25c325fcf5a4d9f1eb\System.Workflow.ComponentModel.ni.dll
+ 2010-03-02 14:25:52 . 2010-03-02 14:25:52 2992640 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\1133d8b77e7e94edc069d95e93eb0531\System.Workflow.Activities.ni.dll
+ 2010-03-02 12:37:14 . 2010-03-02 12:37:14 1840640 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\affca324d68452f7827a9be5e355e445\System.Web.Services.ni.dll
+ 2010-03-02 12:37:11 . 2010-03-02 12:37:11 2209280 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\dec2660e1581be57dacf9c6104e8d252\System.Web.Mobile.ni.dll
+ 2010-03-02 12:37:01 . 2010-03-02 12:37:01 2403328 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\9c987fc21a6763c2bd5b1f7ec5b5b153\System.Web.Extensions.ni.dll
+ 2010-03-02 12:36:42 . 2010-03-02 12:36:43 1706496 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\9195677eb52d4545a918a70636cacaac\System.ServiceModel.Web.ni.dll
+ 2010-03-02 11:35:08 . 2010-03-02 11:35:08 2344960 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\0f1d3fc0f9bd72295c053a66090472e1\System.Runtime.Serialization.ni.dll
+ 2010-03-02 12:36:23 . 2010-03-02 12:36:24 4949504 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management.A#\a61c36c0207c5c67294c2e53fb3f55c7\System.Management.Automation.ni.dll
+ 2010-03-02 11:35:02 . 2010-03-02 11:35:03 1056768 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\3b589e5c7262c5564668e893ed5fa347\System.IdentityModel.ni.dll
+ 2010-03-02 12:36:14 . 2010-03-02 12:36:14 1116672 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\3102dd31a0e81701ab4c3e3627210885\System.DirectoryServices.ni.dll
+ 2010-03-02 12:36:12 . 2010-03-02 12:36:12 1801216 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\299b46ce8a9cd708aad0b34a6817c3c9\System.Deployment.ni.dll
+ 2010-03-02 11:36:06 . 2010-03-02 11:36:06 2510336 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\0f4ca76e1a55a8b10a169e26fb5ae852\System.Data.SqlXml.ni.dll
+ 2010-03-02 12:36:07 . 2010-03-02 12:36:07 1328128 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data.Services\6d3af39f54f52966f62c89d88ea2d106\System.Data.Services.ni.dll
+ 2010-03-02 12:35:59 . 2010-03-02 12:36:00 9924096 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\f0ffa7c1091f11d9b3442926e44f2756\System.Data.Entity.ni.dll
+ 2010-03-02 12:35:07 . 2010-03-02 12:35:07 1712128 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\16fc2faef3984a77e7ee02cafd94c5f4\Microsoft.VisualBasic.ni.dll
+ 2010-03-02 11:35:46 . 2010-03-02 11:35:46 1093120 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\01bf250452829c199bdc583e3e007685\Microsoft.Transactions.Bridge.ni.dll
+ 2010-03-02 12:36:36 . 2010-03-02 12:36:36 2332160 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\1d4ab5c6748b01243403b915fb76e068\Microsoft.JScript.ni.dll
+ 2010-03-02 11:36:15 . 2010-03-02 11:36:15 1966080 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\e5581e288bb26364dc6d4987251dfdf5\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2010-03-02 11:36:13 . 2010-03-02 11:36:13 1620992 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\19627bc5e3955d69e007b4c4f49489db\Microsoft.Build.Tasks.ni.dll
+ 2010-03-02 11:36:01 . 2010-03-02 11:36:01 1888768 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\e25766aa55cbe4b36e3c6b1a498beb0d\Microsoft.Build.Engine.ni.dll
+ 2010-03-02 12:36:55 . 2010-03-02 12:36:56 11796992 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\3d959bc1e5bef926783107fd981701b6\System.Web.ni.dll
+ 2010-03-02 11:35:38 . 2010-03-02 11:35:39 17317888 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\737db428238916034602919cb948166c\System.ServiceModel.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 12:00:00 110592]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-06 21:00:00 344064]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13:38 176128]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 11:19:58 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 11:17:42 970752]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 14:23:32 1191936]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2009-03-16 11:25:12 115560]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-12-19 20:11:39 149280]
"Communicator"="C:\Program Files\Microsoft Office Communicator\communicator.exe" [2008-12-16 23:05:00 5160288]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2009-11-10 23:08:18 417792]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 01:57:28 35760]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 15:57:56 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 12:00:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Emerson VPN Client.lnk - C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-11-30 6144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57:28 35760 ----a-w- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 16:33:10 141600 ----a-w- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08:18 417792 ----a-w- C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

R1 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREDrv.sys [25/02/2010 11:31:17 93872]
R2 CBA8;LANDesk® Management Agent;C:\Program Files\LANDesk\Shared Files\residentAgent.exe [23/03/2009 10:03:08 155648]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe [02/12/2009 11:55:46 139264]
R2 LMIRescue_1fefd280-ef7b-47e6-9fda-8c82b06676a3;LogMeIn Rescue (1fefd280-ef7b-47e6-9fda-8c82b06676a3);C:\WINDOWS\LMI3.tmp\LMI_Rescue_srv.exe [02/03/2010 16:07:39 1881976]
R2 Softmon;LANDesk® Software Monitoring Service;C:\Program Files\LANDesk\LDClient\SoftMon.exe [02/12/2009 11:55:43 335872]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [01/12/2009 09:52:22 102448]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\drivers\gtipci21.sys [30/11/2009 15:44:24 88192]
R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\drivers\ldblank.sys [02/12/2009 11:55:21 11904]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\drivers\ldmirror.sys [02/12/2009 11:55:21 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\drivers\mirrorflt.sys [02/12/2009 11:55:21 3712]
S0 cerc6;cerc6; [x]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\drivers\COH_Mon.sys [16/03/2009 11:25:08 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - LMIRESCUE_1FEFD280-EF7B-47E6-9FDA-8C82B06676A3
.
.
------- Supplementary Scan -------
.
uStart Page = https://portal.metco-uk.com/default.aspx
uInternet Settings,ProxyOverride = *.local
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - C:\Documents and Settings\vikki.latto\Local Settings\Temporary Internet Files\Content.IE5\EHESSBIE\HijackThis.exe




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:27:34, on 02/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Emerson VPN Client\cvpnd.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\PIPC\BIN\pilogsrv.exe
C:\Program Files\PIPC\BIN\pinetmgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PIPC\BIN\pimsgss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateApp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\LMI3.tmp\lmi_rescue.exe
C:\WINDOWS\LMI3.tmp\LMI_Rescue_srv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\LMI3.tmp\LMI_Rescue_srv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\vikki.latto\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://portal.metco-uk.com/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 172.26.58.225 Europisrv1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Emerson VPN Client.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://portal.metco-uk.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emrsn.org
O17 - HKLM\Software\..\Telephony: DomainName = emrsn.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emrsn.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emrsn.org
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PI-Buffer Server (bufserv) - OSI Software Inc. - C:\Program Files\PIPC\BIN\bufserv.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Emerson VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Emerson VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect ERAS\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect ERAS\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Rescue (1fefd280-ef7b-47e6-9fda-8c82b06676a3) (LMIRescue_1fefd280-ef7b-47e6-9fda-8c82b06676a3) - LogMeIn, Inc. - C:\WINDOWS\LMI3.tmp\LMI_Rescue_srv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: PIPC Log Server (pilogsrv) - OSI Software - C:\Program Files\PIPC\BIN\pilogsrv.exe
O23 - Service: PI Message Subsystem (pimsgss) - OSI Software, Inc. - C:\Program Files\PIPC\BIN\pimsgss.exe
O23 - Service: PI Network Manager (pinetmgr) - OSI Software, Inc. - C:\Program Files\PIPC\BIN\pinetmgr.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10263 bytes


Regards
Martin

#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:07:53 AM

Posted 02 March 2010 - 01:41 PM

Hello, martin3286.
Hmm.. doesn't look like Combofix wants to fix your rootkit. Let's use another program.

We need to run TDSSKiller
  1. Download TDSSKiller and save it to your Desktop.
  2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  3. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks and do not include the word "Code") Then press OK.
    CODE
    "%userprofile%\Desktop\TDSSKiller.exe" -l "%userprofile%\Desktop\TDSSKiller.txt" -v

    **Note:If it says "Hidden service detected" DO NOT type anything in. Just press Enter.
  4. When it is done, a log file should be created on your desktop called "TDSSKiller.txt". Please copy and paste the contents of that file here.

In your next reply, please include the following:
  • TDSSKiller.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#11 martin3286

martin3286
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:53 AM

Posted 03 March 2010 - 04:39 AM

Hi aommaster

The symptoms seem to be gone, but as it wasn't redirecting every time I did a search I can't be sure....

Here's the log you requested

09:36:53:842 3512 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
09:36:53:842 3512 ================================================================================
09:36:53:842 3512 SystemInfo:

09:36:53:842 3512 OS Version: 5.1.2600 ServicePack: 3.0
09:36:53:842 3512 Product type: Workstation
09:36:53:842 3512 ComputerName: GBABZ-LT24
09:36:53:842 3512 UserName: vikki.latto
09:36:53:842 3512 Windows directory: C:\WINDOWS
09:36:53:842 3512 Processor architecture: Intel x86
09:36:53:842 3512 Number of processors: 1
09:36:53:842 3512 Page size: 0x1000
09:36:53:842 3512 Boot type: Normal boot
09:36:53:842 3512 ================================================================================
09:36:53:842 3512 UnloadDriverW: NtUnloadDriver error 2
09:36:53:842 3512 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
09:36:53:905 3512 Initialize success
09:36:53:905 3512
09:36:53:905 3512 Scanning Services ...
09:36:53:905 3512 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
09:36:53:905 3512 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:36:53:905 3512 wfopen_ex: Trying to KLMD file open
09:36:53:905 3512 wfopen_ex: File opened ok (Flags 2)
09:36:53:905 3512 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
09:36:53:905 3512 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:36:53:905 3512 wfopen_ex: Trying to KLMD file open
09:36:53:920 3512 wfopen_ex: File opened ok (Flags 2)
09:36:54:483 3512 GetAdvancedServicesInfo: Raw services enum returned 389 services
09:36:54:499 3512 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
09:36:54:499 3512 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
09:36:54:499 3512
09:36:54:499 3512 Scanning Kernel memory ...
09:36:54:499 3512 Devices to scan: 3
09:36:54:499 3512
09:36:54:499 3512 Driver Name: Disk
09:36:54:499 3512 IRP_MJ_CREATE : F7621BB0
09:36:54:499 3512 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
09:36:54:499 3512 IRP_MJ_CLOSE : F7621BB0
09:36:54:499 3512 IRP_MJ_READ : F761BD1F
09:36:54:499 3512 IRP_MJ_WRITE : F761BD1F
09:36:54:499 3512 IRP_MJ_QUERY_INFORMATION : 804F355A
09:36:54:499 3512 IRP_MJ_SET_INFORMATION : 804F355A
09:36:54:499 3512 IRP_MJ_QUERY_EA : 804F355A
09:36:54:499 3512 IRP_MJ_SET_EA : 804F355A
09:36:54:499 3512 IRP_MJ_FLUSH_BUFFERS : F761C2E2
09:36:54:499 3512 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
09:36:54:499 3512 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
09:36:54:499 3512 IRP_MJ_DIRECTORY_CONTROL : 804F355A
09:36:54:499 3512 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
09:36:54:499 3512 IRP_MJ_DEVICE_CONTROL : F761C3BB
09:36:54:499 3512 IRP_MJ_INTERNAL_DEVICE_CONTROL : F761FF28
09:36:54:499 3512 IRP_MJ_SHUTDOWN : F761C2E2
09:36:54:499 3512 IRP_MJ_LOCK_CONTROL : 804F355A
09:36:54:499 3512 IRP_MJ_CLEANUP : 804F355A
09:36:54:499 3512 IRP_MJ_CREATE_MAILSLOT : 804F355A
09:36:54:499 3512 IRP_MJ_QUERY_SECURITY : 804F355A
09:36:54:499 3512 IRP_MJ_SET_SECURITY : 804F355A
09:36:54:499 3512 IRP_MJ_POWER : F761DC82
09:36:54:499 3512 IRP_MJ_SYSTEM_CONTROL : F762299E
09:36:54:499 3512 IRP_MJ_DEVICE_CHANGE : 804F355A
09:36:54:499 3512 IRP_MJ_QUERY_QUOTA : 804F355A
09:36:54:499 3512 IRP_MJ_SET_QUOTA : 804F355A
09:36:54:514 3512 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
09:36:54:514 3512 sion
09:36:54:514 3512 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
09:36:54:514 3512
09:36:54:514 3512 Driver Name: Disk
09:36:54:514 3512 IRP_MJ_CREATE : F7621BB0
09:36:54:514 3512 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
09:36:54:514 3512 IRP_MJ_CLOSE : F7621BB0
09:36:54:514 3512 IRP_MJ_READ : F761BD1F
09:36:54:514 3512 IRP_MJ_WRITE : F761BD1F
09:36:54:514 3512 IRP_MJ_QUERY_INFORMATION : 804F355A
09:36:54:514 3512 IRP_MJ_SET_INFORMATION : 804F355A
09:36:54:514 3512 IRP_MJ_QUERY_EA : 804F355A
09:36:54:514 3512 IRP_MJ_SET_EA : 804F355A
09:36:54:514 3512 IRP_MJ_FLUSH_BUFFERS : F761C2E2
09:36:54:514 3512 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
09:36:54:514 3512 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
09:36:54:514 3512 IRP_MJ_DIRECTORY_CONTROL : 804F355A
09:36:54:514 3512 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
09:36:54:514 3512 IRP_MJ_DEVICE_CONTROL : F761C3BB
09:36:54:514 3512 IRP_MJ_INTERNAL_DEVICE_CONTROL : F761FF28
09:36:54:514 3512 IRP_MJ_SHUTDOWN : F761C2E2
09:36:54:514 3512 IRP_MJ_LOCK_CONTROL : 804F355A
09:36:54:514 3512 IRP_MJ_CLEANUP : 804F355A
09:36:54:514 3512 IRP_MJ_CREATE_MAILSLOT : 804F355A
09:36:54:514 3512 IRP_MJ_QUERY_SECURITY : 804F355A
09:36:54:514 3512 IRP_MJ_SET_SECURITY : 804F355A
09:36:54:514 3512 IRP_MJ_POWER : F761DC82
09:36:54:514 3512 IRP_MJ_SYSTEM_CONTROL : F762299E
09:36:54:514 3512 IRP_MJ_DEVICE_CHANGE : 804F355A
09:36:54:514 3512 IRP_MJ_QUERY_QUOTA : 804F355A
09:36:54:514 3512 IRP_MJ_SET_QUOTA : 804F355A
09:36:54:514 3512 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
09:36:54:514 3512 sion
09:36:54:514 3512 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
09:36:54:514 3512
09:36:54:514 3512 Driver Name: atapi
09:36:54:514 3512 IRP_MJ_CREATE : F74506F2
09:36:54:514 3512 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
09:36:54:514 3512 IRP_MJ_CLOSE : F74506F2
09:36:54:514 3512 IRP_MJ_READ : 804F355A
09:36:54:514 3512 IRP_MJ_WRITE : 804F355A
09:36:54:514 3512 IRP_MJ_QUERY_INFORMATION : 804F355A
09:36:54:514 3512 IRP_MJ_SET_INFORMATION : 804F355A
09:36:54:514 3512 IRP_MJ_QUERY_EA : 804F355A
09:36:54:514 3512 IRP_MJ_SET_EA : 804F355A
09:36:54:514 3512 IRP_MJ_FLUSH_BUFFERS : 804F355A
09:36:54:514 3512 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
09:36:54:514 3512 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
09:36:54:514 3512 IRP_MJ_DIRECTORY_CONTROL : 804F355A
09:36:54:514 3512 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
09:36:54:514 3512 IRP_MJ_DEVICE_CONTROL : F7450712
09:36:54:514 3512 IRP_MJ_INTERNAL_DEVICE_CONTROL : F744C852
09:36:54:514 3512 IRP_MJ_SHUTDOWN : 804F355A
09:36:54:514 3512 IRP_MJ_LOCK_CONTROL : 804F355A
09:36:54:514 3512 IRP_MJ_CLEANUP : 804F355A
09:36:54:514 3512 IRP_MJ_CREATE_MAILSLOT : 804F355A
09:36:54:514 3512 IRP_MJ_QUERY_SECURITY : 804F355A
09:36:54:514 3512 IRP_MJ_SET_SECURITY : 804F355A
09:36:54:514 3512 IRP_MJ_POWER : F745073C
09:36:54:514 3512 IRP_MJ_SYSTEM_CONTROL : F7457336
09:36:54:514 3512 IRP_MJ_DEVICE_CHANGE : 804F355A
09:36:54:514 3512 IRP_MJ_QUERY_QUOTA : 804F355A
09:36:54:514 3512 IRP_MJ_SET_QUOTA : 804F355A
09:36:54:530 3512 siohd: 0
09:36:54:577 3512 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: Clean
09:36:54:577 3512
09:36:54:577 3512 Completed
09:36:54:577 3512
09:36:54:577 3512 Results:
09:36:54:577 3512 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
09:36:54:577 3512 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:36:54:577 3512 File objects infected / cured / cured on reboot: 0 / 0 / 0
09:36:54:577 3512
09:36:54:592 3512 KLMD(ARK) unloaded successfully



Regards
Martin
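
Martin's log above lists every scanned driver with a "Verdict: Clean" line and all three result counters at zero. As an added example (not part of this thread and not Kaspersky's tool), the Python below parses a TDSSKiller 2.2.x log of that shape and summarizes it, treating a missing "Completed" line, a non-Clean verdict, a nonzero counter or a "Hidden service detected" line as a reason not to call the machine clean; both sample logs are constructed, and the "Infected" verdict string in the second one is a placeholder, not a verdict the tool is known to print.

```python
import re
from dataclasses import dataclass, field

# TDSSKiller 2.2.x log lines look like "HH:MM:SS:mmm <pid> <message>".
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(?P<msg>.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(?P<name>\S+)")
VERDICT_RE = re.compile(r"^(?P<path>.+?)\s+-\s+Verdict:\s*(?P<verdict>.+)$")
RESULT_RE = re.compile(
    r"^(?P<kind>Memory|Registry|File) objects infected / cured / cured on reboot:"
    r"\s*(?P<inf>\d+)\s*/\s*(?P<cur>\d+)\s*/\s*(?P<reb>\d+)"
)


@dataclass
class Summary:
    drivers: list = field(default_factory=list)   # (driver name, file path, verdict)
    counts: dict = field(default_factory=dict)    # kind -> (infected, cured, cured on reboot)
    findings: list = field(default_factory=list)  # reasons the log cannot be called clean
    completed: bool = False                       # "Completed" line seen (scan not cut short)

    def is_clean(self) -> bool:
        return self.completed and not self.findings


def parse_tdsskiller_log(text: str) -> Summary:
    """Walk the log once; each scanned driver gets the verdict printed after its IRP table."""
    s = Summary()
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or non-log line
        msg = m.group("msg").strip()
        d = DRIVER_RE.match(msg)
        if d:
            current = d.group("name")
            continue
        v = VERDICT_RE.match(msg)
        if v:
            verdict = v.group("verdict").strip()
            s.drivers.append((current, v.group("path"), verdict))
            if verdict.lower() != "clean":
                s.findings.append(f"{v.group('path')} verdict {verdict}")
            continue
        r = RESULT_RE.match(msg)
        if r:
            inf, cur, reb = (int(r.group(k)) for k in ("inf", "cur", "reb"))
            s.counts[r.group("kind")] = (inf, cur, reb)
            if inf or cur or reb:  # anything found or cured means there was an infection
                s.findings.append(f"{r.group('kind')} objects: {inf}/{cur}/{reb}")
            continue
        if "Hidden service detected" in msg:
            s.findings.append(msg)
        elif msg == "Completed":
            s.completed = True
    return s


# Constructed, abridged log in the shape of the one posted in this thread (clean result).
SAMPLE_CLEAN = r"""09:36:53:842 3512 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
09:36:54:499 3512 Scanning Kernel memory ...
09:36:54:499 3512 Driver Name: Disk
09:36:54:499 3512 IRP_MJ_CREATE : F7621BB0
09:36:54:514 3512 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
09:36:54:514 3512 Driver Name: atapi
09:36:54:577 3512 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: Clean
09:36:54:577 3512 Completed
09:36:54:577 3512 Results:
09:36:54:577 3512 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
09:36:54:577 3512 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:36:54:577 3512 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

# Constructed counter-example: hidden service, placeholder non-clean verdict, nonzero counter.
SAMPLE_SUSPECT = r"""09:40:00:000 2000 Scanning Services ...
09:40:00:100 2000 Hidden service detected: (constructed placeholder)
09:40:00:200 2000 Driver Name: atapi
09:40:00:300 2000 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: Infected
09:40:00:400 2000 Completed
09:40:00:400 2000 File objects infected / cured / cured on reboot: 1 / 1 / 0
"""

if __name__ == "__main__":
    for name, log in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        summary = parse_tdsskiller_log(log)
        print(name, "clean" if summary.is_clean() else "NOT clean", summary.findings)
```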


#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:07:53 AM

Posted 03 March 2010 - 08:40 AM

Hi!

Please post up a fresh GMER log. I'd like to make sure that this is really gone.



#13 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:07:53 AM

Posted 06 March 2010 - 01:53 AM

Hello martin3286
Are you still with us?



#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:07:53 AM

Posted 08 March 2010 - 12:29 AM

Due to lack of feedback, this topic has been closed. If you need this topic reopened, please send me a PM with the address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.





