Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Remains of a Security Tool Trojan Infection


  • This topic is locked This topic is locked
16 replies to this topic

#1 jareif

jareif

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:04 AM

Posted 26 February 2010 - 09:14 AM

Last week I inadvertently allowed the highly annoying Security Tool trojan to install itself on my laptop (Dell Latitude E6400). I quickly found a few forum posts describing ways to delete this infection. I installed Malwarebyte's Anti-Malware and it was able to locate and delete the files responsible for blocking my antivirus software and for launching those annoying fake virus alert popups. (Just for information, I am using Windows XP Pro SP 3, and IE7 for a browser.)

However, there are still some malicious files clearly hiding somewhere, because I'm still having problems. I repeatedly clear my browser cache, and every day I can see a huge number of new temporary internet files from an address containing the string <www.google-analytics.com>. Also, many times that I try to load Google's homepage, I am redirected to <sorry.google.com>, where I receive a warning stating that my computer is sending automated querries to Google. Also, strangely, my Google homepage now contains a link that provides me with the option to redirect myself to <www.google.de> (not a big deal, but rather strange, as I'm not in Germany). Performance of web searches has also now been compromised, as it is far, far slower. Finally, the biggest and most frustrating problem is a very unwanted web popup that has forced itself onto my screen every day this week.

Following is my DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by reifj at 13:47:11.79 on Thu 02/25/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2036.1214 [GMT 2:00]

AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
AV: Security Antivirus *On-access scanning enabled* (Updated) {65936377-F1F4-4D6C-9E47-BD60011D2C88}
FW: Security Antivirus *enabled* {00A09283-6E14-4D54-BECB-6459C87E4851}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r190031\stacsv.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\reifj\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1081215
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Microsoft Internet Explorer provided by AECOM
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\PDFXCviewIEPlugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BGInfo] "c:\program files\bginfo\bginfo.vbs"
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
mPolicies-system: MaxGPOScriptWait = 3600 (0xe10)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: aeairweb.com
Trusted Zone: aecom.com
Trusted Zone: asap.com
Trusted Zone: brainshark.com
Trusted Zone: cisco.com
Trusted Zone: dell.com
Trusted Zone: edaw.com
Trusted Zone: getthere.net
Trusted Zone: microsoft.com
Trusted Zone: midicorp.com
Trusted Zone: skillport.com
Trusted Zone: softscape.com
DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} - hxxps://webvpn.na.aecom.com/+CSCOL+/relayp.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1253462252853
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth
IFEO: image file execution options - svchost.exe
Hosts: 172.21.150.19 LYTPL1AP002
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\reifj\applic~1\mozilla\firefox\profiles\1js0v724.default\
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\sony online entertainment\npsoe.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-14 64288]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2007-2-7 18832]
R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2008-9-9 69632]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-12-15 108160]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2008-12-15 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-12-15 244368]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-9-20 67784]
S2 FcsSas;Microsoft Forefront Client Security State Assessment Service; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-21 135664]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-15 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-23 280344]
S4 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-6-3 386328]
S4 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-8-1 808296]
S4 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-8-1 21352]
S4 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2008-8-18 455960]

=============== Created Last 30 ================

2010-02-24 21:21:53 0 d-----w- c:\program files\KingsIsle Entertainment
2010-02-18 22:58:21 0 d-----w- c:\docume~1\reifj\applic~1\Malwarebytes
2010-02-18 22:58:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 22:58:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 22:58:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 22:58:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-15 10:59:55 0 d-----w- c:\program files\common files\PC Tools
2010-02-14 02:23:43 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-14 02:23:16 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-14 01:45:00 0 d-----w- c:\windows\system32\NtmsData
2010-02-14 01:09:58 0 d-sh--w- c:\docume~1\alluse~1\applic~1\SAYQDDBV

==================== Find3M ====================

2010-02-24 23:30:14 106991 ----a-w- c:\windows\system32\nvModes.dat
2010-02-24 07:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-22 16:40:34 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-02-22 16:40:32 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-02-20 15:02:12 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2010-02-20 14:56:31 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2010-01-29 16:39:54 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-11 22:00:13 274432 ----a-w- C:\ajvented.exe
2010-01-11 21:59:55 249856 ----a-w- C:\ajsealed.exe
2010-01-11 21:59:37 249856 ----a-w- C:\ajbandpass.exe

============= FINISH: 13:47:34.38 ===============

Any help you might be able to provide would be extremely appreciated. Thanks in advance!

jareif


Attached Files



BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 28 February 2010 - 02:43 PM

Hello,

Ok, there are definitely leftovers. Let's get started.

My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

Next, please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop as CF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on CF.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares

Edited by etavares, 28 February 2010 - 02:44 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 jareif

jareif
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:04 AM

Posted 01 March 2010 - 02:35 AM

Thank you very much for your reply, etavares! I have run ComboFix, as directed. Following is the log it produced:

ComboFix 10-02-27.04 - reifj 03/01/2010 9:12.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2036.1446 [GMT 2:00]
Running from: c:\documents and settings\reifj\Desktop\CF.exe
AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\EventSystem.log
c:\windows\system32\bin
c:\windows\system32\bin\MSVCRT.DLL

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
.
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-02-25 22:10 . 2010-02-25 22:10 -------- d--h--w- c:\windows\PIF
2010-02-25 15:07 . 2010-02-26 11:08 -------- d-----w- c:\documents and settings\reifj\Local Settings\Application Data\Temp
2010-02-25 00:10 . 2010-02-25 00:10 388096 ----a-r- c:\documents and settings\reifj\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-22 17:39 . 2010-02-22 17:39 0 ----a-w- c:\windows\nsreg.dat
2010-02-22 17:39 . 2010-02-22 17:39 -------- d-----w- c:\documents and settings\reifj\Local Settings\Application Data\Mozilla
2010-02-18 22:59 . 2010-02-18 22:59 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-18 22:58 . 2010-02-18 22:58 -------- d-----w- c:\documents and settings\reifj\Application Data\Malwarebytes
2010-02-18 22:58 . 2010-01-07 14:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 22:58 . 2010-02-18 22:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 22:58 . 2010-02-18 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-18 22:58 . 2010-01-07 14:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-15 16:56 . 2010-02-15 16:57 -------- d-----w- c:\documents and settings\reifj\Application Data\CyberLink
2010-02-15 10:59 . 2010-02-15 17:16 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-15 10:58 . 2010-02-15 11:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-14 02:23 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-14 02:23 . 2010-02-14 02:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-14 02:23 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-02-14 01:45 . 2010-02-14 01:45 -------- d-----w- c:\windows\system32\NtmsData
2010-02-14 01:09 . 2010-02-14 01:09 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SAYQDDBV

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 05:50 . 2008-12-15 01:18 121271 ----a-w- c:\windows\system32\nvModes.dat
2010-02-28 21:22 . 2009-08-25 20:21 -------- d-----w- c:\documents and settings\reifj\Application Data\Skype
2010-02-28 21:02 . 2009-09-09 18:12 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-02-28 21:02 . 2009-09-09 18:11 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-02-28 14:01 . 2009-09-08 01:05 -------- d-----w- c:\documents and settings\reifj\Application Data\skypePM
2010-02-28 08:51 . 2009-01-08 11:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-25 00:10 . 2008-12-15 01:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-24 07:16 . 2009-10-02 07:35 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 15:02 . 2009-10-25 16:13 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2010-02-20 14:56 . 2009-10-25 16:11 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2010-02-05 22:36 . 2009-11-16 04:29 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-05 16:37 . 2009-11-16 04:27 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-04 22:38 . 2009-11-16 04:35 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-04 22:37 . 2009-11-16 04:26 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-29 16:40 . 2009-11-16 04:36 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-29 16:39 . 2009-11-16 07:12 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-29 16:39 . 2009-11-16 04:36 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-29 16:39 . 2009-11-16 04:36 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-29 16:39 . 2009-11-16 04:36 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-29 16:39 . 2009-11-16 04:35 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-29 16:39 . 2009-11-16 04:35 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-29 16:39 . 2009-11-16 04:35 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-29 16:39 . 2009-11-16 04:31 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-29 16:39 . 2009-11-16 04:31 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-29 16:39 . 2009-11-16 04:30 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-29 16:39 . 2009-11-16 04:30 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-29 16:39 . 2009-11-16 04:27 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-29 16:38 . 2009-11-16 04:27 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-29 16:38 . 2009-11-16 04:27 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-15 00:51 . 2008-12-23 20:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-11 22:00 . 2010-01-11 22:00 274432 ----a-w- C:\ajvented.exe
2010-01-11 21:59 . 2010-01-11 21:59 249856 ----a-w- C:\ajsealed.exe
2010-01-11 21:59 . 2010-01-11 21:59 249856 ----a-w- C:\ajbandpass.exe
2010-01-10 18:10 . 2010-01-10 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2010-01-09 20:44 . 2010-01-09 20:44 -------- d-----w- c:\program files\Linearteam
2009-12-15 08:08 . 2009-12-14 19:43 12432728 ----a-w- c:\documents and settings\reifj\Application Data\Sony Online Entertainment\Installed Games\Free Realms\FreeRealms.exe
2009-12-15 08:03 . 2009-12-14 19:41 102400 ----a-w- c:\documents and settings\reifj\Application Data\Sony Online Entertainment\Installed Games\Free Realms\GraphicsDriver.dll
2009-12-15 08:03 . 2009-12-14 19:41 2854912 ----a-w- c:\documents and settings\reifj\Application Data\Sony Online Entertainment\Installed Games\Free Realms\GFxWrap.dll
2009-12-10 00:23 . 2009-12-14 19:41 868352 ----a-w- c:\documents and settings\reifj\Application Data\Sony Online Entertainment\Installed Games\Free Realms\T4Lib.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{022F2F51-CDDA-4873-8A29-72C66C808A3F}"
[HKEY_CLASSES_ROOT\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F}]
2008-07-25 09:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"
[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]
2008-07-25 09:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-04 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-07-01 196608]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-31 30192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-28 13537280]
"BGInfo"="c:\program files\bginfo\bginfo.vbs" [2008-04-01 322]
"NvMediaCenter"="NvMCTray.dll" [2008-08-28 86016]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-04-30 2396160]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2007-02-07 1037200]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-12-23 1528880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 3600 (0xe10)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-790525478-1284227242-1417001333-113195\Scripts\Logon\0\0]
"Script"=NA-SEC-CleanLocalUsers_v2.2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-790525478-1284227242-1417001333-113195\Scripts\Logon\1\0]
"Script"=DefaultDomain.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-790525478-1284227242-1417001333-155215\Scripts\Logon\0\0]
"Script"=DefaultDomain.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-790525478-1284227242-1417001333-17948\Scripts\Logon\0\0]
"Script"=NA-SEC-CleanLocalUsers_v2.2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-790525478-1284227242-1417001333-17948\Scripts\Logon\1\0]
"Script"=DefaultDomain.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell ControlPoint System Manager.lnk]
backup=c:\windows\pss\Dell ControlPoint System Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^reifj^Start Menu^Programs^Startup^Nikon Monitor.lnk]
backup=c:\windows\pss\Nikon Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AESTFltr]
2008-06-30 00:57 466944 ----a-w- c:\windows\system32\AESTFltr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2009-04-30 12:51 2396160 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChangeTPMAuth]
2008-05-30 15:37 180224 ----a-w- c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DCPstrApp]
2008-08-04 23:21 6656 ----a-w- c:\program files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellConnectionManager]
2008-09-09 20:18 1486848 ----a-w- c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellControlPoint]
2008-05-30 09:29 593920 ----a-w- c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmbassySecurityCheck]
2008-06-24 13:16 79160 ----a-w- c:\program files\Wave Systems Corp\EMBASSY Security Setup\EmbassySecurityCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-06-15 12:12 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPassConnect]
2008-09-26 11:53 1437696 ----a-w- c:\program files\iPass\iPassConnect\iPassConnectGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 10:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-01-06 11:06 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-12-20 05:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-08-28 00:06 13537280 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2008-08-28 00:07 90112 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-08-28 00:07 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-08-28 00:07 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-05-23 20:06 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 14:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureUpgrade]
2008-06-24 13:16 243000 ----a-w- c:\program files\Wave Systems Corp\SecureUpgrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-01-08 06:32 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2008-06-30 00:57 442467 ----a-w- c:\program files\IDT\WDM\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WavXMgr]
2008-05-14 23:42 105472 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"dcpsysmgrsvc"=2 (0x2)
"Credential Vault Host Storage"=2 (0x2)
"Credential Vault Host Control Service"=2 (0x2)
"buttonsvc32"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/14/2010 4:23 AM 64288]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 1:56 PM 133968]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [2/7/2007 8:21 PM 18832]
R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 11:14 AM 134656]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [9/9/2008 10:21 PM 69632]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [12/15/2008 5:12 AM 108160]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [12/15/2008 5:13 AM 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [12/15/2008 5:12 AM 244368]
S2 FcsSas;Microsoft Forefront Client Security State Assessment Service; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2009 9:01 PM 135664]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/15/2008 3:33 AM 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 1:17 PM 1181328]
S4 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [6/3/2008 11:28 PM 386328]
S4 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [8/1/2008 5:41 AM 808296]
S4 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [8/1/2008 5:41 AM 21352]
S4 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [8/18/2008 6:39 PM 455960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-03-01 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:37]

2010-02-28 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:37]

2010-02-28 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:37]

2010-02-28 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:37]

2010-03-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:37]

2010-03-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-03 20:16]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 19:01]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 19:01]

2010-03-01 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2007-02-07 18:21]

2010-03-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2007-02-07 18:21]

2010-03-01 c:\windows\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2007-02-07 18:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: aeairweb.com
Trusted Zone: aecom.com
Trusted Zone: asap.com
Trusted Zone: brainshark.com
Trusted Zone: cisco.com
Trusted Zone: dell.com
Trusted Zone: edaw.com
Trusted Zone: getthere.net
Trusted Zone: microsoft.com
Trusted Zone: midicorp.com
Trusted Zone: skillport.com
Trusted Zone: softscape.com
DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} - hxxps://webvpn.na.aecom.com/+CSCOL+/relayp.cab
FF - ProfilePath - c:\documents and settings\reifj\Application Data\Mozilla\Firefox\Profiles\1js0v724.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Sony Online Entertainment\npsoe.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-SearchAssist - c:\dell\SearchAssist\UninstSA.bat



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 09:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1416)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(10020)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmUserInterface.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\drivers\audio\r190031\stacsv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\windows\system32\msiexec.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\windows\system32\RunDLL32.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-03-01 09:21:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-01 07:21

Pre-Run: 51,885,047,808 bytes free
Post-Run: 51,893,743,616 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A4220FD4C38CA034CA9F68E04628C006



So far, no odd symptoms to speak of. I don't know if I'm all fixed up after running ComboFix, I'll wait for your opinion on that, but I have seen an improvement in Google. The link to <www.google.de> is no longer there, so that is at least one little sign of a return to normalcy.

I will await your next reply for any further steps you think I may need to perform. Thanks again for your help!

jareif

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 01 March 2010 - 06:47 PM

Hello, jareif.
OK, still some leftovers, including some that are likely the cause of other redirects.

Please pull anything you want to save out of your recycle bin...we need to clear temp files.

Do you know these websites?
Trusted Zone: aeairweb.com
Trusted Zone: aecom.com
Trusted Zone: asap.com
Trusted Zone: brainshark.com
Trusted Zone: cisco.com
Trusted Zone: dell.com
Trusted Zone: edaw.com
Trusted Zone: getthere.net
Trusted Zone: microsoft.com
Trusted Zone: midicorp.com
Trusted Zone: skillport.com
Trusted Zone: softscape.com



O15 Entries Warning (Sites in your Trusted Zones)

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet is not extremely high and once you put a site in your trusted zone, basically almost anymore or thing, including hackers or other malicious software have full access to that site which can lead to hijacking that site and may even have access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1
  1. Please open Notepad.
  2. Copy and paste the text in the box below into Notepad, excluding the word code.
    CODE
    @ECHO OFF
    sc delete FcsSas > C:\BClog.txt
    dir "c:\documents and settings\All Users\Application Data\SAYQDDBV" >> C:\BClog.txt
    start c:\BClog.txt
    del %0

    This fix is custom made for this user's computer.
  3. Select File-->Save As
  4. Select File as Type: All Types (*.*)
  5. Save it to your desktop as fixme.bat
  6. Double-click fixme.bat on your desktop to run the fix.
  7. A window will briefly pop up then close.
  8. A log will open, please copy and paste it into your response.



Step 2

We need run an OTL Script
  1. Please download OTL from one of the following mirrors if you do not still have it.
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    CODE
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    :Commands
    [ResetHosts]
    [EmptyTemp]
  5. Click the Run Fix button at the top.
  6. let the program run unhindered and reboot when it is done.
  7. You will get a log when it is done, please post that in your reply.
  8. Please then create a new OTL report....
  9. Click the "Scan All Users" checkbox.
  10. Push the button.
  11. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized




Step 3

In your reply, please post the answers to my questions, the log from Step 1, and both OTL logs from Step 2 (the one with the script, then the quick scan one).

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 jareif

jareif
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:04 AM

Posted 01 March 2010 - 08:22 PM

This post was made in error. It may be deleted.

Edited by jareif, 02 March 2010 - 06:06 AM.


#6 jareif

jareif
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:04 AM

Posted 01 March 2010 - 08:24 PM

This post was made in error, it may be deleted.

Edited by jareif, 02 March 2010 - 06:04 AM.


#7 jareif

jareif
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:04 AM

Posted 01 March 2010 - 08:40 PM

OK, first the sites in my Trusted Zone:

All sites removed from Trusted Zone.

Step 1:

This is the log resulting from step 1:


[SC] DeleteService SUCCESS
Volume in drive C is OS
Volume Serial Number is 2070-E0A4

Directory of c:\documents and settings\All Users\Application Data\SAYQDDBV

Step 2:

These are the logs resulting from step 2. First up is the log from the Custom Fix in OTL:


All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: reifj
->Temp folder emptied: 506190 bytes
->Temporary Internet Files folder emptied: 31110448 bytes
->Java cache emptied: 2395850 bytes
->FireFox cache emptied: 18001110 bytes
->Flash cache emptied: 87529 bytes

User: wanj
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 511 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 32000 bytes
Windows Temp folder emptied: 1764481 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 52.00 mb


OTL by OldTimer - Version 3.1.32.0 log created on 03022010_024913

Files\Folders moved on Reboot...
C:\Documents and Settings\reifj\Local Settings\Temp\~DF42A5.tmp moved successfully.
File\Folder C:\Documents and Settings\reifj\Local Settings\Temp\~DFDD27.tmp not found!
File\Folder C:\Documents and Settings\reifj\Local Settings\Temp\~DFDD35.tmp not found!
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\SN11IS9T\1CAOOXEPYCA6B8R1NCA3P0Z59CAFDQT2BCA8QF7AGCAMOZX8XCAG9SH8ICA32JS1ICAGJMH72CAOK99D9CA8XZXXHCAILUVKDCAQVRIUBCA9SYRI2CAJNMR3VCAOB307BCALWSPTLCAIN83N2CABTSIUYCAFUMFD9 moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\SN11IS9T\ads[2].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\SN11IS9T\game[4].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\SN11IS9T\google_com_ly[1].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\SN11IS9T\md[2].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\SN11IS9T\NCAY8VHQ7CAV29LQDCA76ILINCADV40DOCA4BGEQFCALXO1LFCAP2BT7DCAUYL3SACAOYJVAQCAAGOJJQCABY4039CAQY1BFLCALUOF4VCA9MC2D6CA1WYAFECAS007XECAOJQIKGCA735O99CACHJXATCAO5KFHH moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\SN11IS9T\st[10] moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\SN11IS9T\topic298708[1].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\SN11IS9T\UCABIUSF2CA0RUOYCCA29LR3JCAW08DP1CA8Z98X7CAZCUFL4CAMASEYKCA67B37SCAAXDXNPCAVDTRYGCAWF3UFPCAX9IWGVCA38IPJFCAH0F6MFCAXV1J18CARMBI2ZCAG7Q8ZZCAER73UPCATP8LMYCAFFGS04 moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\SN11IS9T\XCAVLLFXTCA06L8C8CA8V20DJCA5SPIB0CAUFSZL7CA50K5G6CACX38XCCAEZYQLDCAFYRQYTCA19WZTSCAWGBPY5CAHY086HCA0ZPB02CANJRG3XCALJA5SFCAHEGONACAIARWJZCA38AVFFCAQ9WANLCA3YJ84D moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\F4OVQJ0F\6CA5YKGVPCA7B8G1KCA7UZFTRCAUSMUQHCA7C3EVNCAYF1R05CAQ4ZFOECASXZGQPCAF5ME2YCAYN7W0NCARJ55JNCAKEQMUBCAJGE6P6CASPAQ0ICAWVN66MCAEQIM4YCA3VDLUICACCF40DCA8P5Q3MCA1OE2C5 moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\F4OVQJ0F\CCAHYZHX5CA0FTZO8CAXADQLTCA3IOQE4CAMVY7DDCA9D40TUCAT4IM61CA2MU4S4CAPDPC9TCAUWAHWECALVCXZACAPWQMA1CAOA9N2KCAP1PVJECAPRJATWCAP41H5VCAKSCUZOCAXM6HB5CAEFZAT7CA8SN31N moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\F4OVQJ0F\navbar[1].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\F4OVQJ0F\welcome[1].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\C3903WH2\ads[2].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\C3903WH2\building_main[1].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\C3903WH2\comment-iframe[1].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\C3903WH2\iepngfix[1].htc moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\C3903WH2\iframe[1].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\C3903WH2\OCA6X6X7TCABZRB1ICANPGS1GCASUAZFMCA7PT94JCAORLDI6CAJE749KCATSSROCCAHVOB3QCA2XYQ9MCAKBK728CA3F8I6ECAGS13UOCAWRKX40CALNKQ8ECABUJFONCAXHZB7ECAIZ4VZICA2GEPXRCAPBGUQ2 moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\C3903WH2\XCARG6DNJCAT1MX4QCACZ36W4CAY26SL7CAENAL7LCA53U7INCAQAHAO8CAR9UN9KCA2B6E2NCA7MGA3ACAZQUZKOCAR4U1VTCAEEGD8ECA04WQW7CAR0V7EJCAQFUOPGCAK5SSQ3CA2EEZDMCALXAEY6CAXGAKZ9 moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\7FB0FPX2\1CA90D5GZCA5KQ7ZWCA10I0NKCAMHX27FCAX4YEK5CA2XRYLMCAI6SFF5CAZEI0I0CA15LNQVCAKJT0LZCAZNM6H0CAJJBU3HCAIE7D0PCAPCUIJJCAKTZ4DZCAGJVYADCAU2JHLMCAO780MPCAWCYDDFCAC2F20I moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\7FB0FPX2\5CAWFB07GCA1O20TACAOGGJ7ECAQQG01ZCAVFCVKCCA9K04BQCAK5AF12CAM8SWX7CAEEO2KICA5WVF9KCA043QA9CA7H9CZQCAQ4RVABCAKBTE9PCAIEOSS3CAI6S77WCA881TIQCA4NNSVMCARJUJKHCA7H1RG1 moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\7FB0FPX2\8CA5BG7CTCAUNTDH1CANZGLHUCAFBMBVSCAE36R5FCAV16HGHCAAG12LQCAQMHXRUCAFHN60TCAIWC988CAQN5WQWCA93G2URCA19LF27CA0IZ57WCAAUJD03CARN329VCAQGY0RGCAK0KTRTCAR4770FCAL90SR3 moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\7FB0FPX2\ad_sky[1].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\7FB0FPX2\google-suggest-enabled-by-default[1].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\7FB0FPX2\staemme[1].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\Content.IE5\7FB0FPX2\Techtree[1].htm moved successfully.
C:\Documents and Settings\reifj\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...


This is the OTL log from the Scan All Users scan:


OTL logfile created on: 3/2/2010 2:58:15 AM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\reifj\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.49 Gb Total Space | 48.33 Gb Free Space | 64.88% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USHOU1LT201
Current User Name: reifj
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/02 02:43:19 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\reifj\Desktop\OTL.exe
PRC - [2009/12/22 01:57:28 | 000,035,760 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
PRC - [2009/10/31 19:06:33 | 000,030,192 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2009/04/30 14:51:36 | 002,396,160 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\WLTRAY.EXE
PRC - [2009/04/30 14:51:36 | 000,025,088 | ---- | M] () -- C:\WINDOWS\system32\WLTRYSVC.EXE
PRC - [2009/04/30 14:51:22 | 002,134,016 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\BCMWLTRY.EXE
PRC - [2009/01/04 22:13:32 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/12/16 21:59:50 | 000,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/11/19 00:31:04 | 021,633,320 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe
PRC - [2008/11/19 00:31:04 | 000,076,744 | R--- | M] (Skype Technologies) -- C:\Program Files\Skype\Plugin Manager\skypePM.exe
PRC - [2008/09/09 22:21:16 | 000,069,632 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
PRC - [2008/09/01 17:38:08 | 000,098,304 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
PRC - [2008/09/01 17:38:06 | 000,155,648 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
PRC - [2008/07/01 23:22:34 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2008/07/01 23:22:18 | 000,196,608 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2008/07/01 23:22:16 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2008/07/01 23:22:16 | 000,046,376 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2008/06/30 02:57:24 | 000,221,273 | ---- | M] (IDT, Inc.) -- c:\drivers\audio\R190031\stacsv.exe
PRC - [2008/06/15 14:12:20 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/06/12 16:59:58 | 000,786,432 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
PRC - [2008/04/14 14:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/19 13:56:36 | 000,133,968 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe
PRC - [2007/02/07 20:36:28 | 001,037,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
PRC - [2007/02/07 20:21:08 | 000,018,832 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
PRC - [2006/04/20 16:34:26 | 001,520,688 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2006/02/09 10:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2005/07/21 11:14:58 | 000,134,656 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe


========== Modules (SafeList) ==========

MOD - [2010/03/02 02:43:19 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\reifj\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/02/05 00:37:21 | 001,181,328 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/10/31 19:06:33 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-093009-130223)
SRV - [2009/04/30 14:51:36 | 000,025,088 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc)
SRV - [2008/12/16 21:59:50 | 000,150,040 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/09/26 13:51:38 | 001,712,128 | ---- | M] (iPass, Inc.) [On_Demand | Stopped] -- C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe -- (iPassConnectEngine)
SRV - [2008/09/09 22:21:16 | 000,069,632 | ---- | M] (Smith Micro Software, Inc.) [Auto | Running] -- C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe -- (SMManager)
SRV - [2008/09/01 17:38:08 | 000,098,304 | ---- | M] (iPass, Inc.) [Auto | Running] -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe -- (iPassPeriodicUpdateService)
SRV - [2008/09/01 17:38:06 | 000,155,648 | ---- | M] (iPass, Inc.) [On_Demand | Running] -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe -- (iPassPeriodicUpdateApp)
SRV - [2008/08/18 18:39:28 | 000,455,960 | ---- | M] (Dell Inc.) [Disabled | Stopped] -- C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe -- (dcpsysmgrsvc)
SRV - [2008/08/01 05:41:50 | 000,808,296 | ---- | M] (Broadcom Corporation) [Disabled | Stopped] -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe -- (Credential Vault Host Control Service)
SRV - [2008/08/01 05:41:50 | 000,021,352 | ---- | M] (Broadcom Corporation) [Disabled | Stopped] -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe -- (Credential Vault Host Storage)
SRV - [2008/06/30 02:57:24 | 000,221,273 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\drivers\audio\R190031\stacsv.exe -- (STacSV)
SRV - [2008/06/15 14:12:20 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/06/12 16:59:58 | 000,786,432 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe -- (TdmService)
SRV - [2008/06/03 23:28:50 | 000,386,328 | ---- | M] (Dell Inc.) [Disabled | Stopped] -- C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe -- (buttonsvc32)
SRV - [2008/04/25 23:45:40 | 000,638,976 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe -- (SecureStorageService)
SRV - [2008/03/10 23:48:48 | 001,249,280 | ---- | M] () [Auto | Stopped] -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2007/07/11 17:33:28 | 000,069,632 | R--- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2007/04/19 13:56:36 | 000,133,968 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe -- (ASFAgent)
SRV - [2007/02/07 20:21:08 | 000,018,832 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe -- (FCSAM)
SRV - [2006/04/20 16:34:26 | 001,520,688 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2006/02/09 10:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2005/07/21 11:14:58 | 000,134,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe -- (MOM)
SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2009/09/23 14:55:23 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/08/20 20:52:21 | 000,021,393 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\iPassP.sys -- (iPassP) iPass Protocol (IEEE 802.1x)
DRV - [2009/04/30 14:51:28 | 001,952,512 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/12/17 08:02:08 | 000,023,832 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2008/12/17 08:01:44 | 006,364,440 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 9000(UVC)
DRV - [2008/12/17 08:01:22 | 000,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/12/17 08:00:14 | 000,768,024 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2008/12/16 21:58:54 | 000,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2008/08/28 02:06:52 | 006,600,160 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/08/08 02:55:42 | 000,318,488 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2008/08/01 05:39:26 | 000,032,808 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cvusbdrv.sys -- (cvusbdrv)
DRV - [2008/07/01 23:22:14 | 000,170,032 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/07/01 23:12:18 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2008/07/01 00:47:30 | 000,244,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel®
DRV - [2008/06/30 02:57:26 | 001,381,914 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2008/06/30 02:57:16 | 000,108,160 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2008/06/24 15:16:52 | 000,172,344 | ---- | M] (Wave Systems Corp.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\WavxDMgr.sys -- (WavxDMgr)
DRV - [2008/06/04 22:14:00 | 000,026,608 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\PBADRV.sys -- (PBADRV)
DRV - [2008/04/17 13:12:54 | 000,015,464 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/04/14 14:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 14:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/14 14:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 14:00:00 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/14 14:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/02/21 05:19:56 | 000,030,816 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2007/07/26 11:00:00 | 000,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/07/23 23:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 23:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 23:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 23:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 23:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 23:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 23:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 23:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 22:55:44 | 000,099,808 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2007/07/23 22:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 22:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2007/07/23 22:43:42 | 000,052,000 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2007/03/08 06:20:50 | 000,021,568 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2007/03/08 06:20:49 | 000,016,496 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2007/03/08 06:20:48 | 000,049,920 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2007/01/09 17:25:04 | 000,067,784 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2006/06/14 11:53:00 | 000,029,184 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbccid.sys -- (USBCCID)
DRV - [2006/04/20 16:33:40 | 000,303,740 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2006/02/09 10:50:00 | 000,020,704 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2005/06/30 03:50:30 | 000,110,080 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2005/05/17 12:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/01/26 14:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2001/08/18 04:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/18 04:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/18 04:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/18 04:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/18 04:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/18 03:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/18 03:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/18 03:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/18 03:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/18 03:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/18 03:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/18 03:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/18 03:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/18 03:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/18 03:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1081215
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1081215


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1081215
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1081215
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\S-1-5-21-790525478-1284227242-1417001333-155215\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/22 19:39:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/22 19:37:49 | 000,000,000 | ---D | M]

[2010/02/22 19:40:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\reifj\Application Data\Mozilla\Extensions
[2010/02/22 20:43:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\reifj\Application Data\Mozilla\Firefox\Profiles\1js0v724.default\extensions
[2010/02/22 20:43:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\reifj\Application Data\Mozilla\Firefox\Profiles\1js0v724.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/22 19:37:49 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/03/02 02:49:15 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (PDF-XChange Viewer IE-Plugin) - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll (Tracker Software Products Ltd.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [BGInfo] C:\program files\bginfo\bginfo.vbs ()
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [Microsoft Forefront Client Security Antimalware Service] c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: MaxGPOScriptWait = 3600
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215_Classes\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215_Classes\Software\Policies\Microsoft\Internet Explorer\New Windows present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Domains: aeairweb.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: aecom.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: aecomeur.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: aecomnet.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: asap.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: brainshark.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: cisco.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: dell.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: earthtech.ca ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: earthtech.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: edaw.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: ensr.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: ensr.net ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: getthere.net ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: midicorp.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: skillport.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: softscape.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: aeairweb.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: aecom.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: aecomeur.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: aecomnet.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: asap.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: brainshark.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: cisco.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: dell.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: earthtech.ca ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: earthtech.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: edaw.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: ensr.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: ensr.net ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: getthere.net ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: midicorp.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: skillport.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: softscape.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Domains: aecomeur.com ([]* in Local intranet)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Domains: aecomnet.com ([]* in Local intranet)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Domains: earthtech.ca ([]* in Local intranet)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Domains: earthtech.com ([]* in Local intranet)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Domains: ensr.com ([]* in Local intranet)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Domains: ensr.net ([]* in Local intranet)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} https://webvpn.na.aecom.com/+CSCOL+/relayp.cab (Cisco Systems WebVPN Relay Loader)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www2.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.update.microsoft.com/v7/sit...b?1253462252853 (MUCatalogWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.239.64.2 209.239.73.41
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.aecomnet.com
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\dell.bmp
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 23:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/02 02:49:43 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/02 02:49:13 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/03/02 02:43:10 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\reifj\Desktop\OTL.exe
[2010/03/01 09:11:31 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/01 09:08:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/01 09:08:43 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/01 09:08:43 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/01 09:08:43 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/01 09:08:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/28 23:26:23 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/26 00:10:02 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/02/25 17:07:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\reifj\Local Settings\Application Data\Temp
[2010/02/25 13:51:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\reifj\Desktop\gmer
[2010/02/25 02:10:06 | 000,000,000 | ---D | C] -- C:\Program Files\HiJackThis
[2010/02/22 19:39:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\reifj\Local Settings\Application Data\Mozilla
[2010/02/22 19:39:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\reifj\Application Data\Mozilla
[2010/02/22 19:37:48 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/02/19 00:58:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\reifj\Application Data\Malwarebytes
[2010/02/19 00:58:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/19 00:58:16 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/19 00:58:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/19 00:58:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/15 18:56:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\reifj\Application Data\CyberLink
[2010/02/15 12:59:55 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/02/15 12:58:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/14 04:23:43 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/02/14 04:23:16 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2010/02/14 03:45:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/02/14 03:09:58 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\SAYQDDBV
[2009/12/21 21:06:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/12/21 21:01:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/10/07 17:25:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2009/09/12 03:00:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/03/11 21:14:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/12/15 03:26:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\NTRU Cryptosystems
[2008/04/25 23:32:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/04/25 23:29:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/04/25 23:29:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/03/02 02:56:08 | 000,550,474 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/02 02:56:08 | 000,464,244 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/02 02:56:08 | 000,076,324 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/02 02:54:24 | 004,096,054 | ---- | M] () -- C:\WINDOWS\BGInfo.bmp
[2010/03/02 02:54:14 | 000,121,247 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/03/02 02:54:11 | 000,189,747 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/03/02 02:54:07 | 000,000,430 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Quick Scan.job
[2010/03/02 02:54:07 | 000,000,412 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Signature Update.job
[2010/03/02 02:54:07 | 000,000,406 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/03/02 02:53:54 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/02 02:53:52 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/02 02:51:42 | 000,000,454 | ---- | M] () -- C:\WINDOWS\smscfg.ini
[2010/03/02 02:51:10 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/03/02 02:50:56 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/02 02:50:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/02 02:50:50 | 2134,794,240 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/02 02:50:21 | 005,767,168 | -H-- | M] () -- C:\Documents and Settings\reifj\NTUSER.DAT
[2010/03/02 02:49:35 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/03/02 02:49:35 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/03/02 02:49:35 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/03/02 02:49:35 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/03/02 02:49:35 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/03/02 02:49:15 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/03/02 02:43:19 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\reifj\Desktop\OTL.exe
[2010/03/02 02:20:49 | 000,440,085 | ---- | M] () -- C:\Documents and Settings\reifj\Desktop\Program Budget Curve.xlsx
[2010/03/02 02:14:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/01 17:30:20 | 000,121,247 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010/03/01 15:03:54 | 000,000,062 | ---- | M] () -- C:\WINDOWS\iltwain.ini
[2010/03/01 09:17:59 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/01 09:15:18 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\reifj\ntuser.ini
[2010/03/01 09:11:34 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/28 23:25:34 | 003,874,477 | R--- | M] () -- C:\Documents and Settings\reifj\Desktop\CF.exe
[2010/02/28 23:02:30 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2010/02/28 23:02:28 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2010/02/28 19:42:29 | 000,561,062 | ---- | M] () -- C:\Documents and Settings\reifj\Desktop\Master - JR.xlsx
[2010/02/25 13:43:51 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\reifj\Desktop\dds.scr
[2010/02/25 02:10:07 | 000,002,004 | ---- | M] () -- C:\Documents and Settings\reifj\Desktop\HiJackThis.lnk
[2010/02/24 09:16:06 | 000,181,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/02/22 19:54:46 | 000,061,743 | ---- | M] () -- C:\Documents and Settings\reifj\Desktop\Avis- Rent a Car.pdf
[2010/02/22 19:39:30 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/02/22 19:37:51 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/02/21 12:49:26 | 000,000,269 | ---- | M] () -- C:\WINDOWS\ViewNX.INI
[2010/02/20 17:02:12 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2010/02/20 16:56:31 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2010/02/15 13:27:58 | 000,000,869 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/02/07 00:02:51 | 000,031,790 | ---- | M] () -- C:\Documents and Settings\reifj\My Documents\Student Loan Revised 11-09 v2.xlsx

========== Files Created - No Company Name ==========

[2010/03/01 11:13:21 | 000,440,085 | ---- | C] () -- C:\Documents and Settings\reifj\Desktop\Program Budget Curve.xlsx
[2010/03/01 09:11:34 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/03/01 09:11:31 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/03/01 09:08:43 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/01 09:08:43 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/01 09:08:43 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/01 09:08:43 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/01 09:08:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/28 23:25:31 | 003,874,477 | R--- | C] () -- C:\Documents and Settings\reifj\Desktop\CF.exe
[2010/02/28 18:33:12 | 000,561,062 | ---- | C] () -- C:\Documents and Settings\reifj\Desktop\Master - JR.xlsx
[2010/02/25 13:43:47 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\reifj\Desktop\dds.scr
[2010/02/25 02:10:07 | 000,002,004 | ---- | C] () -- C:\Documents and Settings\reifj\Desktop\HiJackThis.lnk
[2010/02/22 19:54:40 | 000,061,743 | ---- | C] () -- C:\Documents and Settings\reifj\Desktop\Avis- Rent a Car.pdf
[2010/02/22 19:39:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/02/22 19:37:51 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/12/02 12:23:31 | 011,194,368 | R--- | C] () -- C:\WINDOWS\System32\ZHHP_RES.DLL
[2009/12/02 12:23:30 | 000,749,568 | R--- | C] () -- C:\WINDOWS\System32\AGISSI.DLL
[2009/10/25 19:27:51 | 000,000,269 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2009/10/25 18:13:54 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Ambience
[2009/10/25 18:13:54 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\reifj\Application Data\AccountTypes
[2009/10/25 18:13:54 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2009/10/25 18:11:11 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Action Clauses
[2009/10/25 18:11:10 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\reifj\Application Data\vhosts
[2009/10/25 18:11:10 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2009/10/08 00:00:12 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/09/10 11:56:21 | 000,000,062 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2009/09/09 20:12:07 | 000,081,110 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/09/08 00:06:15 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\reifj\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/20 21:07:24 | 000,000,051 | ---- | C] () -- C:\Documents and Settings\reifj\Local Settings\Application Data\setup.txt
[2009/08/20 21:07:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\reifj\Local Settings\Application Data\WavXMapDrive.bat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/17 16:45:34 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/12/23 22:09:38 | 000,029,752 | ---- | C] () -- C:\WINDOWS\System32\InstHelper.dll
[2008/12/23 22:09:14 | 000,197,680 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2008/12/23 22:09:13 | 000,193,584 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2008/12/23 22:02:07 | 000,036,962 | ---- | C] () -- C:\WINDOWS\System32\ActPanel.dll
[2008/12/23 21:35:28 | 000,019,179 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2008/12/16 21:58:54 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2008/12/16 21:50:56 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLgFT.dll
[2008/12/15 05:13:25 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/12/15 05:13:25 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/12/15 05:13:25 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/12/15 05:13:25 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/12/15 05:11:34 | 000,001,157 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/12/15 03:36:00 | 000,000,454 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/12/15 03:33:29 | 000,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/12/15 03:32:18 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2008/12/15 03:25:43 | 000,157,008 | ---- | C] () -- C:\WINDOWS\System32\brcmbsp.dll
[2008/12/15 03:25:38 | 000,080,368 | ---- | C] () -- C:\WINDOWS\System32\pbadrvdll.dll
[2008/09/10 15:15:00 | 000,618,496 | R--- | C] () -- C:\WINDOWS\System32\stlpmt45.dll
[2008/09/09 22:17:12 | 000,652,800 | ---- | C] () -- C:\WINDOWS\System32\SMgina.dll
[2008/07/29 02:03:06 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\Wavx_ESC_Logging.dll
[2008/06/13 19:18:56 | 000,512,000 | ---- | C] () -- C:\WINDOWS\System32\AmRes_sv.dll
[2008/06/13 19:18:56 | 000,507,904 | ---- | C] () -- C:\WINDOWS\System32\AmRes_no.dll
[2008/06/13 19:18:54 | 000,536,576 | ---- | C] () -- C:\WINDOWS\System32\AmRes_nl.dll
[2008/06/13 19:18:54 | 000,507,904 | ---- | C] () -- C:\WINDOWS\System32\AmRes_da.dll
[2008/06/13 19:18:52 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\AmRes_de.dll
[2008/06/13 19:18:52 | 000,536,576 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fr.dll
[2008/06/13 19:18:52 | 000,507,904 | ---- | C] () -- C:\WINDOWS\System32\AmRes_en.dll
[2008/06/13 19:18:50 | 000,532,480 | ---- | C] () -- C:\WINDOWS\System32\AmRes_it.dll
[2008/06/13 19:18:50 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ja.dll
[2008/06/13 19:18:48 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-BR.dll
[2008/06/13 19:18:48 | 000,503,808 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ko.dll
[2008/06/13 19:18:46 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ru.dll
[2008/06/13 19:18:44 | 000,475,136 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHT.dll
[2008/06/13 19:18:44 | 000,475,136 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHS.dll
[2008/06/13 19:18:42 | 000,532,480 | ---- | C] () -- C:\WINDOWS\System32\AmRes_es.dll
[2008/06/13 19:16:16 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pl.dll
[2008/05/30 17:38:24 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHS.dll
[2008/05/30 17:38:14 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_sv.dll
[2008/05/30 17:37:52 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHT.dll
[2008/05/30 17:37:24 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ru.dll
[2008/05/30 17:37:22 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt.dll
[2008/05/30 17:37:20 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pl.dll
[2008/05/30 17:37:18 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_no.dll
[2008/05/30 17:37:16 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_nl.dll
[2008/05/30 17:37:14 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ko.dll
[2008/05/30 17:37:12 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_da.dll
[2008/05/30 17:37:12 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ja.dll
[2008/05/30 17:37:10 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_de.dll
[2008/05/30 17:37:08 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_es.dll
[2008/05/30 17:37:06 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fr.dll
[2008/05/30 17:37:04 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_it.dll
[2008/05/15 01:40:30 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\wxvault.dll
[2008/04/25 23:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/03/18 21:02:52 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2008/02/25 20:04:48 | 000,835,584 | ---- | C] () -- C:\WINDOWS\System32\DemoLicense.dll
[2007/04/19 13:52:16 | 000,080,720 | ---- | C] () -- C:\WINDOWS\System32\AsfBios.dll
[2007/04/19 13:28:10 | 000,025,424 | ---- | C] () -- C:\WINDOWS\System32\drivers\netamsg.dll
[2007/02/09 03:39:34 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\KOAZJJ_L.DLL
[2006/08/14 19:02:10 | 000,072,192 | ---- | C] () -- C:\WINDOWS\System32\xltZlib.dll
[2006/07/31 15:45:20 | 000,086,528 | ---- | C] () -- C:\WINDOWS\System32\libjnbzip2.dll
[2006/06/30 20:58:44 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
[2006/06/30 20:58:44 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\bioapi100.dll
[2006/06/12 16:01:16 | 000,348,160 | ---- | C] () -- C:\WINDOWS\tsp.dll
[2005/07/21 11:01:04 | 000,008,527 | ---- | C] () -- C:\WINDOWS\System32\MOMCounters.ini
[2005/07/21 11:01:04 | 000,005,295 | ---- | C] () -- C:\WINDOWS\System32\MomAgntCtrs.ini
[2004/09/10 20:34:00 | 000,917,504 | ---- | C] () -- C:\WINDOWS\System32\lmgr10.dll
[2004/09/10 20:34:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


And finally, this is the Extras log from the OTL Scan All Users scan:


OTL Extras logfile created on: 3/2/2010 2:58:36 AM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\reifj\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.49 Gb Total Space | 48.33 Gb Free Space | 64.88% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USHOU1LT201
Current User Name: reifj
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "c:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "c:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"36031:TCP" = 36031:TCP:*:Enabled:Trend Micro OfficeScan Listener

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
"{041F04B1-F985-44E8-A070-C3EB1A39369F}" = Dell ControlPoint Connection Manager
"{066D25F6-8B8B-433C-88B4-EDF41D604E7E}" = Broadcom USH Host Components
"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software
"{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{2220CF3A-EBD6-4070-94D0-0C7337B537A7}" = All Day Battery Life Configuration
"{2223FC2F-B862-4F83-BC9E-DDF2DADF2859}" = Intel® Network Connections 13.0.42.0
"{24A494F3-5B5F-4183-9F7D-9CE82812C1FC}" = tsp patch
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{3393CDDB-27F0-4869-BED4-BE478598F0FF}" = Dell Control Point
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A6BE9F4-5FC8-44BB-BE7B-32A29607FEF6}" = Preboot Manager
"{436028CD-6476-4224-9274-8F0320F30FD1}" = Microsoft Forefront Client Security Antimalware Service
"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer
"{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2}" = Document Manager Lite
"{52D299D8-F84E-497E-B4A4-D8F02782BFAA}" = Dell ControlPoint System Manager
"{53333479-6A52-4816-8497-5C52B67ED339}" = EMBASSY Security Setup
"{53735ECE-E461-4FD0-B742-23A352436D3A}" = Logitech Updater
"{558B86E5-CFAC-447C-99EE-5BB1C068706D}" = NTRU TCG Software Stack
"{55D9E026-DCB0-46FF-B60A-68B972228CF6}" = Autodesk Design Review 2010
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}" = VPN Client
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6EA8A52B-8EA1-4A59-85AB-48132299061A}" = Intel® PRO Alerting Agent
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{765E3652-47E1-43BB-AD8A-B2BA259C4376}" = Primavera 6.2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7EA69B5E-EE96-44A1-BDD6-F9C193CDDAF9}" = Wave Infrastructure Installer
"{83AD5E71-80C0-4818-B6E4-CA2607B6A141}" = SMS Advanced Client
"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{87D6CF41-5817-4725-8AB2-90E6B20EDE02}" = Bentley View V8i 08.11.05.24
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D273DE5-ABFA-4BD0-A9D7-EE9C971438C4}_is1" = PDF-Viewer
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{937B232D-9776-471E-92BD-D424E514EF14}" = Logitech QuickCam
"{9593C6E5-205E-45C3-B785-05CF146CA76A}" = biolsp patch
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A093D83F-429A-4AB2-A0CD-1F7E9C7B764A}" = Trusted Drive Manager
"{A13D16C5-38A9-4D96-9647-59FCCAB12A85}" = Visual Basic for Applications ® Core - English
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB6FFA58-F491-11D3-8951-000000015799}" = iPassConnect
"{ABBA2EA4-740E-4052-902B-9CA70B081E3F}" = Dell Embassy Trust Suite by Wave Systems
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AF7E4468-E364-4991-BC2A-6E8293E1055B}" = BioAPI Framework
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CAFECAFE-0013-0001-0125-ABCDEFABCDEF}" = Oracle JInitiator 1.3.1.25
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}" = Secure Update
"{D21688A0-26B7-46D0-B602-93A2CE585679}" = iPassConnect
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D8C8D2CE-1F87-4A2A-8FAE-FA41B7860D19}" = BGInfo
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E38531EE-318C-4EFB-A36B-1A57BFBDAB3C}_is1" = PDF-XChange 4 Pro
"{E738A392-F690-4A9D-808E-7BAF80E0B398}" = ESC Home Page Plugin
"{E8B56B38-A826-11DB-8C83-0011430C73A4}" = Microsoft Forefront Client Security State Assessment Service
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}" = Security Wizards
"{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"{EF05BA0F-AC15-4D12-AC5C-276225F5E751}" = Gemalto
"{F007CBCE-D714-4C0B-8CE9-9B0D78116468}" = ViewNX
"{F4487649-7368-4217-AEA3-1E04DB3E2C5C}" = Dell ControlPoint Security Manager
"{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}" = iTunes
"{F692770D-0E27-4D3F-8386-F04C6F434040}" = Microsoft Operations Manager 2005 Agent
"{FB97C283-1F3C-42D4-AE01-ADC1DC12F774}" = Visual Basic for Applications ® Core
"{FF1DDCF4-3A28-4F7F-96D8-E3F4BD1C1702}" = Dell Security Device Driver Pack
"9D57DE505B6D8C710EF3B74BE638DBB936EED8A3" = Windows Driver Package - Dell Inc. PBADRV System (01/07/2008 1.0.1.5)
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Autodesk Design Review 2010" = Autodesk Design Review 2010
"Broadcom 802.11 Application" = Dell Wireless WLAN Card Utility
"CutePDF Writer Installation" = CutePDF Writer 2.8
"Diner Dash" = Diner Dash
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"Google Desktop" = Google Desktop
"Google Updater" = Google Updater
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software
"InstallShield_{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"InstallShield_{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2}" = Document Manager Lite
"InstallShield_{53333479-6A52-4816-8497-5C52B67ED339}" = EMBASSY Security Setup
"InstallShield_{765E3652-47E1-43BB-AD8A-B2BA259C4376}" = Primavera 6.2
"InstallShield_{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}" = Secure Update
"InstallShield_{E738A392-F690-4A9D-808E-7BAF80E0B398}" = ESC Home Page Plugin
"InstallShield_{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}" = Security Wizards
"InstallShield_{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"lvdrivers_11.90" = Logitech QuickCam Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PROPLUS" = Microsoft Office Professional Plus 2007
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinISD Pro [alpha]" = WinISD Pro [alpha]
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"1df0cdb088182ccc" = FOREXTraderPro
"309a46b1dc89b774" = Dell Driver Download Manager
"Free Realms Installer" = Free Realms Installer
"SOE-Free Realms" = Free Realms

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/1/2010 7:30:16 PM | Computer Name = USHOU1LT201 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80244019, P2 endsearch, P3 search, P4 1.5.1937.0,
P5 mpsigdwn.dll, P6 1.5.1937.0, P7 microsoft forefront client security, P8 NIL,
P9 NIL, P10 NIL.

Error - 3/1/2010 7:30:48 PM | Computer Name = USHOU1LT201 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for NA\reifj failed to contact the
active directory (0x8007054b). The specified domain either does not exist or could
not be contacted. Enrollment will not be performed.

Error - 3/1/2010 8:51:00 PM | Computer Name = USHOU1LT201 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 3/1/2010 8:51:00 PM | Computer Name = USHOU1LT201 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 3/1/2010 8:51:35 PM | Computer Name = USHOU1LT201 | Source = Microsoft Operations Manager | ID = 26008
Description = The agent could not resolve the IP of the MOM Server usden3av011.na.aecomnet.com.
The error reported is 'The requested name is valid and was found in the database,
but it does not have the correct associated data being resolved for.'.

Error - 3/1/2010 8:52:12 PM | Computer Name = USHOU1LT201 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 3/1/2010 8:52:31 PM | Computer Name = USHOU1LT201 | Source = Microsoft Operations Manager | ID = 21268
Description = The Agent incoming queue data submission has been blocked. This may
indicate that queue does not have sufficient space or is unavailable to accept
data. Management Group: ForefrontClientSecurity

Error - 3/1/2010 8:52:34 PM | Computer Name = USHOU1LT201 | Source = Microsoft Operations Manager | ID = 22061
Description = The Agent outgoing data processing has been blocked. This indicates
problems with communication or database processing. Management Group: ForefrontClientSecurity

Error - 3/1/2010 8:53:24 PM | Computer Name = USHOU1LT201 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for NA\reifj failed to contact the
active directory (0x8007054b). The specified domain either does not exist or could
not be contacted. Enrollment will not be performed.

Error - 3/1/2010 8:54:28 PM | Computer Name = USHOU1LT201 | Source = UserInit | ID = 1000
Description = Could not execute the following script DefaultDomain.vbs. The system
cannot find the file specified. .

[ OSession Events ]
Error - 11/11/2009 4:56:56 AM | Computer Name = USHOU1LT201 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 10599
seconds with 6960 seconds of active time. This session ended with a crash.

Error - 11/30/2009 6:54:48 PM | Computer Name = USHOU1LT201 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 95
seconds with 0 seconds of active time. This session ended with a crash.

Error - 11/30/2009 6:55:50 PM | Computer Name = USHOU1LT201 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 54
seconds with 0 seconds of active time. This session ended with a crash.

Error - 12/1/2009 1:57:32 AM | Computer Name = USHOU1LT201 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 69
seconds with 0 seconds of active time. This session ended with a crash.

Error - 12/1/2009 1:59:22 AM | Computer Name = USHOU1LT201 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 63
seconds with 0 seconds of active time. This session ended with a crash.

Error - 12/1/2009 2:06:15 AM | Computer Name = USHOU1LT201 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 112
seconds with 0 seconds of active time. This session ended with a crash.

Error - 1/20/2010 10:02:08 AM | Computer Name = USHOU1LT201 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 29151
seconds with 3000 seconds of active time. This session ended with a crash.

Error - 1/20/2010 10:08:06 AM | Computer Name = USHOU1LT201 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6341.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 6
seconds with 0 seconds of active time. This session ended with a crash.

Error - 1/20/2010 10:10:24 AM | Computer Name = USHOU1LT201 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6341.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 36
seconds with 0 seconds of active time. This session ended with a crash.

Error - 1/24/2010 8:31:44 PM | Computer Name = USHOU1LT201 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6341.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 19692
seconds with 3300 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 3/1/2010 8:49:14 PM | Computer Name = USHOU1LT201 | Source = Service Control Manager | ID = 7034
Description = The Cisco Systems, Inc. VPN Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/1/2010 8:49:14 PM | Computer Name = USHOU1LT201 | Source = Service Control Manager | ID = 7034
Description = The Intel® Matrix Storage Event Monitor service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/1/2010 8:49:14 PM | Computer Name = USHOU1LT201 | Source = Service Control Manager | ID = 7031
Description = The MOM service terminated unexpectedly. It has done this 1 time(s).
The following corrective action will be taken in 60000 milliseconds: Restart the
service.

Error - 3/1/2010 8:49:14 PM | Computer Name = USHOU1LT201 | Source = Service Control Manager | ID = 7034
Description = The Process Monitor service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/1/2010 8:49:14 PM | Computer Name = USHOU1LT201 | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/1/2010 8:49:14 PM | Computer Name = USHOU1LT201 | Source = Service Control Manager | ID = 7034
Description = The TdmService service terminated unexpectedly. It has done this
1 time(s).

Error - 3/1/2010 8:49:14 PM | Computer Name = USHOU1LT201 | Source = Service Control Manager | ID = 7034
Description = The iPassPeriodicUpdateApp service terminated unexpectedly. It has
done this 1 time(s).

Error - 3/1/2010 8:49:15 PM | Computer Name = USHOU1LT201 | Source = Service Control Manager | ID = 7031
Description = The Lavasoft Ad-Aware Service service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 5000
milliseconds: Restart the service.

Error - 3/1/2010 8:49:55 PM | Computer Name = USHOU1LT201 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {7E89FF0B-F649-4F9A-A9C3-F05DFAAA3DA1}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 3/1/2010 8:51:00 PM | Computer Name = USHOU1LT201 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain NA due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.


< End of report >


Thanks again for your help, etavares. I'm looking forward to your reply to see if you think there is any more that remains to be done.

jareif


#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 02 March 2010 - 10:25 PM

Hello, jareif.
Ok, a few more items to remove, then we can close some security holes after this. How is it running now? Any more redirects or odd Googling?



Step 1

We need run an OTL Script
  1. Please download OTL from one of the following mirrors if you do not still have it.
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    CODE
    :files
    c:\documents and settings\All Users\Application Data\SAYQDDBV
    :OTL
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
  5. Click the Run Fix button at the top.
  6. let the program run unhindered and reboot when it is done.
  7. You will get a log when it is done, please post that in your reply.
  8. Please then create a new OTL report....
  9. Click the "Scan All Users" checkbox.
  10. Push the button.
  11. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#9 jareif

jareif
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:04 AM

Posted 03 March 2010 - 11:49 AM

Etavares:

Firstly, the computer seems to be doing rather well at this point. So far, I have noticed no more strange web searches or redirects. Thank you so much!

Next, this scan didn't run quite the way I expected. I first opened OTL and copied in the code you gave me. It ran instantly, and produced a log immediately thereafter. However, I waited a few moments and it did not automatically reboot, as it did in the previous fix we ran. I don't know if that's a problem. I went ahead and rebooted it myself.

This is the log it produced:


========== FILES ==========
c:\documents and settings\All Users\Application Data\SAYQDDBV folder moved successfully.
========== OTL ==========
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.

OTL by OldTimer - Version 3.1.32.0 log created on 03032010_180322


Once the machine had been rebooted, I reopened OTL, checked Scan All Users, and clicked Run Scan. When it was done, it only produced one log, named OTL.txt, just like with the other OTL scan. Is this a problem? At any rate, I have included the contents of this scan below:

OTL logfile created on: 3/3/2010 6:10:02 PM - Run 2
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\reifj\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 75.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.49 Gb Total Space | 48.06 Gb Free Space | 64.52% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USHOU1LT201
Current User Name: reifj
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/02 02:43:19 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\reifj\Desktop\OTL.exe
PRC - [2009/12/22 01:57:28 | 000,035,760 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
PRC - [2009/10/31 19:06:33 | 000,030,192 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2009/04/30 14:51:36 | 002,396,160 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\WLTRAY.EXE
PRC - [2009/04/30 14:51:36 | 000,025,088 | ---- | M] () -- C:\WINDOWS\system32\WLTRYSVC.EXE
PRC - [2009/04/30 14:51:22 | 002,134,016 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\BCMWLTRY.EXE
PRC - [2009/01/04 22:13:32 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/12/16 21:59:50 | 000,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/09/09 22:21:16 | 000,069,632 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
PRC - [2008/09/01 17:38:08 | 000,098,304 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
PRC - [2008/09/01 17:38:06 | 000,155,648 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
PRC - [2008/07/01 23:22:34 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2008/07/01 23:22:18 | 000,196,608 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2008/07/01 23:22:16 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2008/07/01 23:22:16 | 000,046,376 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2008/06/30 02:57:24 | 000,221,273 | ---- | M] (IDT, Inc.) -- c:\drivers\audio\R190031\stacsv.exe
PRC - [2008/06/15 14:12:20 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/06/12 16:59:58 | 000,786,432 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
PRC - [2008/04/14 14:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/19 13:56:36 | 000,133,968 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe
PRC - [2007/02/07 20:36:28 | 001,037,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
PRC - [2007/02/07 20:21:08 | 000,018,832 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
PRC - [2006/04/20 16:34:26 | 001,520,688 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2006/02/09 10:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2005/07/21 11:14:58 | 000,134,656 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe


========== Modules (SafeList) ==========

MOD - [2010/03/02 02:43:19 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\reifj\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/02/05 00:37:21 | 001,181,328 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/10/31 19:06:33 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-093009-130223)
SRV - [2009/04/30 14:51:36 | 000,025,088 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc)
SRV - [2008/12/16 21:59:50 | 000,150,040 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/09/26 13:51:38 | 001,712,128 | ---- | M] (iPass, Inc.) [On_Demand | Stopped] -- C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe -- (iPassConnectEngine)
SRV - [2008/09/09 22:21:16 | 000,069,632 | ---- | M] (Smith Micro Software, Inc.) [Auto | Running] -- C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe -- (SMManager)
SRV - [2008/09/01 17:38:08 | 000,098,304 | ---- | M] (iPass, Inc.) [Auto | Running] -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe -- (iPassPeriodicUpdateService)
SRV - [2008/09/01 17:38:06 | 000,155,648 | ---- | M] (iPass, Inc.) [On_Demand | Running] -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe -- (iPassPeriodicUpdateApp)
SRV - [2008/08/18 18:39:28 | 000,455,960 | ---- | M] (Dell Inc.) [Disabled | Stopped] -- C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe -- (dcpsysmgrsvc)
SRV - [2008/08/01 05:41:50 | 000,808,296 | ---- | M] (Broadcom Corporation) [Disabled | Stopped] -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe -- (Credential Vault Host Control Service)
SRV - [2008/08/01 05:41:50 | 000,021,352 | ---- | M] (Broadcom Corporation) [Disabled | Stopped] -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe -- (Credential Vault Host Storage)
SRV - [2008/06/30 02:57:24 | 000,221,273 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\drivers\audio\R190031\stacsv.exe -- (STacSV)
SRV - [2008/06/15 14:12:20 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/06/12 16:59:58 | 000,786,432 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe -- (TdmService)
SRV - [2008/06/03 23:28:50 | 000,386,328 | ---- | M] (Dell Inc.) [Disabled | Stopped] -- C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe -- (buttonsvc32)
SRV - [2008/04/25 23:45:40 | 000,638,976 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe -- (SecureStorageService)
SRV - [2008/03/10 23:48:48 | 001,249,280 | ---- | M] () [Auto | Stopped] -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2007/07/11 17:33:28 | 000,069,632 | R--- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2007/04/19 13:56:36 | 000,133,968 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe -- (ASFAgent)
SRV - [2007/02/07 20:21:08 | 000,018,832 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe -- (FCSAM)
SRV - [2006/04/20 16:34:26 | 001,520,688 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2006/02/09 10:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2005/07/21 11:14:58 | 000,134,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe -- (MOM)
SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2009/09/23 14:55:23 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/08/20 20:52:21 | 000,021,393 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\iPassP.sys -- (iPassP) iPass Protocol (IEEE 802.1x)
DRV - [2009/04/30 14:51:28 | 001,952,512 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/12/17 08:02:08 | 000,023,832 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2008/12/17 08:01:44 | 006,364,440 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 9000(UVC)
DRV - [2008/12/17 08:01:22 | 000,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/12/17 08:00:14 | 000,768,024 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2008/12/16 21:58:54 | 000,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2008/08/28 02:06:52 | 006,600,160 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/08/08 02:55:42 | 000,318,488 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2008/08/01 05:39:26 | 000,032,808 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cvusbdrv.sys -- (cvusbdrv)
DRV - [2008/07/01 23:22:14 | 000,170,032 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/07/01 23:12:18 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2008/07/01 00:47:30 | 000,244,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel®
DRV - [2008/06/30 02:57:26 | 001,381,914 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2008/06/30 02:57:16 | 000,108,160 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2008/06/24 15:16:52 | 000,172,344 | ---- | M] (Wave Systems Corp.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\WavxDMgr.sys -- (WavxDMgr)
DRV - [2008/06/04 22:14:00 | 000,026,608 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\PBADRV.sys -- (PBADRV)
DRV - [2008/04/17 13:12:54 | 000,015,464 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/04/14 14:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 14:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/14 14:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 14:00:00 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/14 14:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/02/21 05:19:56 | 000,030,816 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2007/07/26 11:00:00 | 000,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/07/23 23:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 23:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 23:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 23:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 23:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 23:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 23:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 23:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 22:55:44 | 000,099,808 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2007/07/23 22:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 22:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2007/07/23 22:43:42 | 000,052,000 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2007/03/08 06:20:50 | 000,021,568 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2007/03/08 06:20:49 | 000,016,496 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2007/03/08 06:20:48 | 000,049,920 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2007/01/09 17:25:04 | 000,067,784 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2006/06/14 11:53:00 | 000,029,184 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbccid.sys -- (USBCCID)
DRV - [2006/04/20 16:33:40 | 000,303,740 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2006/02/09 10:50:00 | 000,020,704 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2005/06/30 03:50:30 | 000,110,080 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2005/05/17 12:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/01/26 14:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2001/08/18 04:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/18 04:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/18 04:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/18 04:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/18 04:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/18 03:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/18 03:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/18 03:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/18 03:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/18 03:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/18 03:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/18 03:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/18 03:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/18 03:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/18 03:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1081215
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1081215


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1081215
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1081215
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\S-1-5-21-790525478-1284227242-1417001333-155215\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/22 19:39:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/22 19:37:49 | 000,000,000 | ---D | M]

[2010/02/22 19:40:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\reifj\Application Data\Mozilla\Extensions
[2010/02/22 20:43:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\reifj\Application Data\Mozilla\Firefox\Profiles\1js0v724.default\extensions
[2010/02/22 20:43:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\reifj\Application Data\Mozilla\Firefox\Profiles\1js0v724.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/22 19:37:49 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/03/02 02:49:15 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (PDF-XChange Viewer IE-Plugin) - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll (Tracker Software Products Ltd.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [BGInfo] C:\program files\bginfo\bginfo.vbs ()
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [Microsoft Forefront Client Security Antimalware Service] c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: MaxGPOScriptWait = 3600
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215_Classes\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215_Classes\Software\Policies\Microsoft\Internet Explorer\New Windows present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Domains: aeairweb.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: aecom.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: aecomeur.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: aecomnet.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: asap.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: brainshark.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: cisco.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: dell.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: earthtech.ca ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: earthtech.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: edaw.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: ensr.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: ensr.net ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: getthere.net ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: midicorp.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: skillport.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: softscape.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: aeairweb.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: aecom.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: aecomeur.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: aecomnet.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: asap.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: brainshark.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: cisco.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: dell.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: earthtech.ca ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: earthtech.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: edaw.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: ensr.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: ensr.net ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: getthere.net ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: midicorp.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: skillport.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: softscape.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Domains: aecomeur.com ([]* in Local intranet)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Domains: aecomnet.com ([]* in Local intranet)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Domains: earthtech.ca ([]* in Local intranet)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Domains: earthtech.com ([]* in Local intranet)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Domains: ensr.com ([]* in Local intranet)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Domains: ensr.net ([]* in Local intranet)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-790525478-1284227242-1417001333-155215\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} https://webvpn.na.aecom.com/+CSCOL+/relayp.cab (Cisco Systems WebVPN Relay Loader)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www2.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.update.microsoft.com/v7/sit...b?1253462252853 (MUCatalogWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.239.64.2 209.239.73.41
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.aecomnet.com
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\dell.bmp
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 23:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/02 02:49:43 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/02 02:49:13 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/03/02 02:43:10 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\reifj\Desktop\OTL.exe
[2010/03/01 09:11:31 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/01 09:08:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/01 09:08:43 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/01 09:08:43 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/01 09:08:43 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/01 09:08:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/28 23:26:23 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/26 00:10:02 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/02/25 17:07:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\reifj\Local Settings\Application Data\Temp
[2010/02/25 13:51:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\reifj\Desktop\gmer
[2010/02/25 02:10:06 | 000,000,000 | ---D | C] -- C:\Program Files\HiJackThis
[2010/02/22 19:39:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\reifj\Local Settings\Application Data\Mozilla
[2010/02/22 19:39:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\reifj\Application Data\Mozilla
[2010/02/22 19:37:48 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/02/19 00:58:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\reifj\Application Data\Malwarebytes
[2010/02/19 00:58:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/19 00:58:16 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/19 00:58:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/19 00:58:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/15 18:56:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\reifj\Application Data\CyberLink
[2010/02/15 12:59:55 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/02/15 12:58:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/14 04:23:43 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/02/14 04:23:16 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2010/02/14 03:45:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/12/21 21:06:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/12/21 21:01:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/10/07 17:25:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2009/09/12 03:00:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/03/11 21:14:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/12/15 03:26:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\NTRU Cryptosystems
[2008/04/25 23:32:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/04/25 23:29:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/04/25 23:29:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/03/03 18:11:50 | 000,550,474 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/03 18:11:50 | 000,464,244 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/03 18:11:50 | 000,076,324 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/03 18:10:07 | 000,000,430 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Quick Scan.job
[2010/03/03 18:10:07 | 000,000,412 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Signature Update.job
[2010/03/03 18:10:07 | 000,000,406 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/03/03 18:08:21 | 004,096,054 | ---- | M] () -- C:\WINDOWS\BGInfo.bmp
[2010/03/03 18:08:07 | 000,121,247 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/03/03 18:08:06 | 000,189,747 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/03/03 18:07:53 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/03 18:07:46 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/03 18:07:40 | 000,000,454 | ---- | M] () -- C:\WINDOWS\smscfg.ini
[2010/03/03 18:07:10 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/03/03 18:06:57 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/03 18:06:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/03 18:06:51 | 2134,794,240 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/03 18:06:18 | 005,767,168 | -H-- | M] () -- C:\Documents and Settings\reifj\NTUSER.DAT
[2010/03/03 18:05:56 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\reifj\ntuser.ini
[2010/03/03 17:19:12 | 000,121,247 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010/03/03 16:14:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/03 15:41:34 | 000,000,062 | ---- | M] () -- C:\WINDOWS\iltwain.ini
[2010/03/03 14:58:50 | 000,426,183 | ---- | M] () -- C:\Documents and Settings\reifj\Desktop\Bell Curves3.pdf
[2010/03/03 13:23:15 | 000,477,645 | ---- | M] () -- C:\Documents and Settings\reifj\Desktop\Program Budget Curve.xlsx
[2010/03/03 12:36:46 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/03/03 10:06:47 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/03/03 10:06:47 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/03/03 10:06:47 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/03/03 10:06:47 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/03/02 03:44:10 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2010/03/02 03:44:08 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2010/03/02 02:49:15 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/03/02 02:43:19 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\reifj\Desktop\OTL.exe
[2010/03/01 09:17:59 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/01 09:11:34 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/28 23:25:34 | 003,874,477 | R--- | M] () -- C:\Documents and Settings\reifj\Desktop\CF.exe
[2010/02/28 19:42:29 | 000,561,062 | ---- | M] () -- C:\Documents and Settings\reifj\Desktop\Master - JR.xlsx
[2010/02/25 13:43:51 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\reifj\Desktop\dds.scr
[2010/02/25 02:10:07 | 000,002,004 | ---- | M] () -- C:\Documents and Settings\reifj\Desktop\HiJackThis.lnk
[2010/02/24 09:16:06 | 000,181,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/02/22 19:54:46 | 000,061,743 | ---- | M] () -- C:\Documents and Settings\reifj\Desktop\Avis- Rent a Car.pdf
[2010/02/22 19:39:30 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/02/22 19:37:51 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/02/21 12:49:26 | 000,000,269 | ---- | M] () -- C:\WINDOWS\ViewNX.INI
[2010/02/20 17:02:12 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2010/02/20 16:56:31 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2010/02/15 13:27:58 | 000,000,869 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/02/07 00:02:51 | 000,031,790 | ---- | M] () -- C:\Documents and Settings\reifj\My Documents\Student Loan Revised 11-09 v2.xlsx

========== Files Created - No Company Name ==========

[2010/03/03 14:58:47 | 000,426,183 | ---- | C] () -- C:\Documents and Settings\reifj\Desktop\Bell Curves3.pdf
[2010/03/01 11:13:21 | 000,477,645 | ---- | C] () -- C:\Documents and Settings\reifj\Desktop\Program Budget Curve.xlsx
[2010/03/01 09:11:34 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/03/01 09:11:31 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/03/01 09:08:43 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/01 09:08:43 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/01 09:08:43 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/01 09:08:43 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/01 09:08:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/28 23:25:31 | 003,874,477 | R--- | C] () -- C:\Documents and Settings\reifj\Desktop\CF.exe
[2010/02/28 18:33:12 | 000,561,062 | ---- | C] () -- C:\Documents and Settings\reifj\Desktop\Master - JR.xlsx
[2010/02/25 13:43:47 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\reifj\Desktop\dds.scr
[2010/02/25 02:10:07 | 000,002,004 | ---- | C] () -- C:\Documents and Settings\reifj\Desktop\HiJackThis.lnk
[2010/02/22 19:54:40 | 000,061,743 | ---- | C] () -- C:\Documents and Settings\reifj\Desktop\Avis- Rent a Car.pdf
[2010/02/22 19:39:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/02/22 19:37:51 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/12/02 12:23:31 | 011,194,368 | R--- | C] () -- C:\WINDOWS\System32\ZHHP_RES.DLL
[2009/12/02 12:23:30 | 000,749,568 | R--- | C] () -- C:\WINDOWS\System32\AGISSI.DLL
[2009/10/25 19:27:51 | 000,000,269 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2009/10/25 18:13:54 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Ambience
[2009/10/25 18:13:54 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\reifj\Application Data\AccountTypes
[2009/10/25 18:13:54 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2009/10/25 18:11:11 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Action Clauses
[2009/10/25 18:11:10 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\reifj\Application Data\vhosts
[2009/10/25 18:11:10 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2009/10/08 00:00:12 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/09/10 11:56:21 | 000,000,062 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2009/09/09 20:12:07 | 000,081,110 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/09/08 00:06:15 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\reifj\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/20 21:07:24 | 000,000,051 | ---- | C] () -- C:\Documents and Settings\reifj\Local Settings\Application Data\setup.txt
[2009/08/20 21:07:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\reifj\Local Settings\Application Data\WavXMapDrive.bat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/17 16:45:34 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/12/23 22:09:38 | 000,029,752 | ---- | C] () -- C:\WINDOWS\System32\InstHelper.dll
[2008/12/23 22:09:14 | 000,197,680 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2008/12/23 22:09:13 | 000,193,584 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2008/12/23 22:02:07 | 000,036,962 | ---- | C] () -- C:\WINDOWS\System32\ActPanel.dll
[2008/12/23 21:35:28 | 000,019,179 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2008/12/16 21:58:54 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2008/12/16 21:50:56 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLgFT.dll
[2008/12/15 05:13:25 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/12/15 05:13:25 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/12/15 05:13:25 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/12/15 05:13:25 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/12/15 05:11:34 | 000,001,157 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/12/15 03:36:00 | 000,000,454 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/12/15 03:33:29 | 000,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/12/15 03:32:18 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2008/12/15 03:25:43 | 000,157,008 | ---- | C] () -- C:\WINDOWS\System32\brcmbsp.dll
[2008/12/15 03:25:38 | 000,080,368 | ---- | C] () -- C:\WINDOWS\System32\pbadrvdll.dll
[2008/09/10 15:15:00 | 000,618,496 | R--- | C] () -- C:\WINDOWS\System32\stlpmt45.dll
[2008/09/09 22:17:12 | 000,652,800 | ---- | C] () -- C:\WINDOWS\System32\SMgina.dll
[2008/07/29 02:03:06 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\Wavx_ESC_Logging.dll
[2008/06/13 19:18:56 | 000,512,000 | ---- | C] () -- C:\WINDOWS\System32\AmRes_sv.dll
[2008/06/13 19:18:56 | 000,507,904 | ---- | C] () -- C:\WINDOWS\System32\AmRes_no.dll
[2008/06/13 19:18:54 | 000,536,576 | ---- | C] () -- C:\WINDOWS\System32\AmRes_nl.dll
[2008/06/13 19:18:54 | 000,507,904 | ---- | C] () -- C:\WINDOWS\System32\AmRes_da.dll
[2008/06/13 19:18:52 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\AmRes_de.dll
[2008/06/13 19:18:52 | 000,536,576 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fr.dll
[2008/06/13 19:18:52 | 000,507,904 | ---- | C] () -- C:\WINDOWS\System32\AmRes_en.dll
[2008/06/13 19:18:50 | 000,532,480 | ---- | C] () -- C:\WINDOWS\System32\AmRes_it.dll
[2008/06/13 19:18:50 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ja.dll
[2008/06/13 19:18:48 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-BR.dll
[2008/06/13 19:18:48 | 000,503,808 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ko.dll
[2008/06/13 19:18:46 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ru.dll
[2008/06/13 19:18:44 | 000,475,136 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHT.dll
[2008/06/13 19:18:44 | 000,475,136 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHS.dll
[2008/06/13 19:18:42 | 000,532,480 | ---- | C] () -- C:\WINDOWS\System32\AmRes_es.dll
[2008/06/13 19:16:16 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pl.dll
[2008/05/30 17:38:24 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHS.dll
[2008/05/30 17:38:14 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_sv.dll
[2008/05/30 17:37:52 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHT.dll
[2008/05/30 17:37:24 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ru.dll
[2008/05/30 17:37:22 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt.dll
[2008/05/30 17:37:20 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pl.dll
[2008/05/30 17:37:18 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_no.dll
[2008/05/30 17:37:16 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_nl.dll
[2008/05/30 17:37:14 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ko.dll
[2008/05/30 17:37:12 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_da.dll
[2008/05/30 17:37:12 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ja.dll
[2008/05/30 17:37:10 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_de.dll
[2008/05/30 17:37:08 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_es.dll
[2008/05/30 17:37:06 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fr.dll
[2008/05/30 17:37:04 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_it.dll
[2008/05/15 01:40:30 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\wxvault.dll
[2008/04/25 23:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/03/18 21:02:52 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2008/02/25 20:04:48 | 000,835,584 | ---- | C] () -- C:\WINDOWS\System32\DemoLicense.dll
[2007/04/19 13:52:16 | 000,080,720 | ---- | C] () -- C:\WINDOWS\System32\AsfBios.dll
[2007/04/19 13:28:10 | 000,025,424 | ---- | C] () -- C:\WINDOWS\System32\drivers\netamsg.dll
[2007/02/09 03:39:34 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\KOAZJJ_L.DLL
[2006/08/14 19:02:10 | 000,072,192 | ---- | C] () -- C:\WINDOWS\System32\xltZlib.dll
[2006/07/31 15:45:20 | 000,086,528 | ---- | C] () -- C:\WINDOWS\System32\libjnbzip2.dll
[2006/06/30 20:58:44 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
[2006/06/30 20:58:44 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\bioapi100.dll
[2006/06/12 16:01:16 | 000,348,160 | ---- | C] () -- C:\WINDOWS\tsp.dll
[2005/07/21 11:01:04 | 000,008,527 | ---- | C] () -- C:\WINDOWS\System32\MOMCounters.ini
[2005/07/21 11:01:04 | 000,005,295 | ---- | C] () -- C:\WINDOWS\System32\MomAgntCtrs.ini
[2004/09/10 20:34:00 | 000,917,504 | ---- | C] () -- C:\WINDOWS\System32\lmgr10.dll
[2004/09/10 20:34:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll
< End of report >


What do you make of this? Did I slip up somewhere?

Overall, things seem to be pretty good with the computer now, though. It's even booting up faster.

jareif


#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 03 March 2010 - 07:26 PM

Hello, jareif.

QUOTE
Next, this scan didn't run quite the way I expected. I first opened OTL and copied in the code you gave me. It ran instantly, and produced a log immediately thereafter. However, I waited a few moments and it did not automatically reboot, as it did in the previous fix we ran. I don't know if that's a problem. I went ahead and rebooted it myself.


I didn't put a reboot in the script...probably should have, but you did the right thing and followed my instructions, so thanks!

QUOTE
What do you make of this? Did I slip up somewhere?

Nope...perfect. smile.gif

QUOTE
Overall, things seem to be pretty good with the computer now, though. It's even booting up faster.

Great...at the end, I'll shar ea program that can help you optimize bootup further if you want.

Let's just close a security hole or two.

First, I see trusted sites...these. If you do NOT recognize them, please remove them following the instructions below. If you do recognize them and trust them, please read the warning, then make your decision.
O15 - HKU\.DEFAULT\..Trusted Domains: aeairweb.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: aecom.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: aecomeur.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: aecomnet.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: asap.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: brainshark.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: cisco.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: dell.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: earthtech.ca ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: earthtech.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: edaw.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: ensr.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: ensr.net ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: getthere.net ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: midicorp.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: skillport.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: softscape.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: aeairweb.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: aecom.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: aecomeur.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: aecomnet.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: asap.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: brainshark.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: cisco.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: dell.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: earthtech.ca ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: earthtech.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: edaw.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: ensr.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: ensr.net ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: getthere.net ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: midicorp.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: skillport.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: softscape.com ([]* in Trusted sites)

O15 Entries Warning (Sites in your Trusted Zones)

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet is not extremely high and once you put a site in your trusted zone, basically almost anymore or thing, including hackers or other malicious software have full access to that site which can lead to hijacking that site and may even have access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 18 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.



Step 2

Please post a fresh DDS log in your reply after the above steps.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#11 jareif

jareif
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:04 AM

Posted 04 March 2010 - 02:42 PM

Good to know everything is still good. Thanks so much for all your help!

I'm not sure why so many of those sites are still showing up in the Trusted Zone. I had already removed them due to your suggestion in an earlier post. To be safe, I went back to Tools>Internet Options>Security>Trusted Sites>Sites, and it was still empty. I also checked Tools>Internet Options>Security>Local Intranet>Sites. This one demonstrated where a few of the sites listed in the OTL log came from. All of those sites related to the local network are corporate sites automatically detected when I'm on my company network. Do you think it is still best to remove these?

Next, I downloaded the Java JRE update 18 installer, removed the two old versions from my machine (I had version 6 and version 11), rebooted, and installed the new update.

This is the latest DDS log:



DDS (Ver_09-12-01.01) - NTFSx86
Run by reifj at 21:26:54.34 on Thu 03/04/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2036.1424 [GMT 2:00]

AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r190031\stacsv.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\reifj\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\PDFXCviewIEPlugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BGInfo] "c:\program files\bginfo\bginfo.vbs"
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
mPolicies-system: MaxGPOScriptWait = 3600 (0xe10)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} - hxxps://webvpn.na.aecom.com/+CSCOL+/relayp.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1253462252853
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\reifj\applic~1\mozilla\firefox\profiles\1js0v724.default\
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\sony online entertainment\npsoe.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-14 64288]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2007-2-7 18832]
R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2008-9-9 69632]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-12-15 108160]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2008-12-15 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-12-15 244368]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-9-20 67784]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-21 135664]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-15 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-23 280344]
S4 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-6-3 386328]
S4 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-8-1 808296]
S4 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-8-1 21352]
S4 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2008-8-18 455960]

=============== Created Last 30 ================

2010-03-04 19:21:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-02 00:49:13 0 d-----w- C:\_OTL
2010-03-01 07:11:31 0 d-sha-r- C:\cmdcons
2010-03-01 07:08:43 98816 ----a-w- c:\windows\sed.exe
2010-03-01 07:08:43 77312 ----a-w- c:\windows\MBR.exe
2010-03-01 07:08:43 261632 ----a-w- c:\windows\PEV.exe
2010-03-01 07:08:43 161792 ----a-w- c:\windows\SWREG.exe
2010-02-25 22:10:02 0 d--h--w- c:\windows\PIF
2010-02-18 22:58:21 0 d-----w- c:\docume~1\reifj\applic~1\Malwarebytes
2010-02-18 22:58:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 22:58:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 22:58:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 22:58:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-15 10:59:55 0 d-----w- c:\program files\common files\PC Tools
2010-02-14 02:23:43 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-14 02:23:16 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-14 01:45:00 0 d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

2010-03-04 19:21:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-04 15:18:31 121247 ----a-w- c:\windows\system32\nvModes.dat
2010-03-03 20:30:36 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2010-03-02 01:44:10 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-02 01:44:08 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-02-24 07:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 14:56:31 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2010-01-29 16:39:54 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-11 22:00:13 274432 ----a-w- C:\ajvented.exe
2010-01-11 21:59:55 249856 ----a-w- C:\ajsealed.exe
2010-01-11 21:59:37 249856 ----a-w- C:\ajbandpass.exe

============= FINISH: 21:27:12.72 ===============


Well, how are things looking now? To be honest, I don't know how you see anything at all in the giant mess of code, but I'm glad it makes sense to you! thumbup.gif

Thanks again for your generosity, you've helped me immensely.

jareif


#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 04 March 2010 - 07:09 PM

No problem...and you're looking much better! Let's get a second opinion before we clean up our mess.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#13 jareif

jareif
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:04 AM

Posted 05 March 2010 - 07:03 AM

etavares:

The scanner stalled out with errors several times, saying something about proxy setttings, but I finally got it to run successfully. It found three files, according to the following log:


C:\Documents and Settings\reifj\Local Settings\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\FileTracker\{0F71B17D-FEDC-4125-BB0C-4E6A8177AB42} Win32/Qhost trojan cleaned by deleting - quarantined
C:\Documents and Settings\reifj\Local Settings\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\FileTracker\{47C8DAE4-8E4A-4D0A-B4E8-E59B6BC0F0F3} Win32/Qhost trojan cleaned by deleting - quarantined
C:\Documents and Settings\reifj\Local Settings\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\FileTracker\{ECC9882A-1B9F-4F80-82F2-9E35FBE4D448} Win32/Qhost trojan cleaned by deleting - quarantined


Notice that all three are actually located in my Microsoft Forefront folders. I'm not sure what you think of that, but my suspicion is that those are files already quarantined in that location by Microsoft Forefront. I presume they should be fully deleted?

As for why those might be there, despite all the work we've done, I think they just showed up two days ago. I'm working on an international job in North Africa and this laptop is used both at home and at work. The client's office I'm in is pretty high risk from an internet security standpoint. USB thumbdrives often come crawling with viruses, and Forefront snagged a couple bad files recently before the USB drive was opened. That is quite possibly the source of the three files found by this ESET scan.

jareif


#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 05 March 2010 - 07:02 PM

Hi jareif...

That's likely quarantined by Forefront. In the end, no worries as ESET took care of them.

With USB drives, you can semi-protect yourself in two ways. First, hold down Shift before and as you plug it in, and keep it pressed for about 30-60 seconds after you plug it in. This will keep it from autoplaying. Then, scan the files with your antivirus program to be safe. Many viruses jump from USB drives to your hard drive by running automatically.

Alternatively, you can install this program below that writes a folder called autorun.inf to the drive...it keeps malware from modifiying the autorun to run itself. It's handy. Of course, viruses can still be found on the thumbdrive...they just can't run automatically. I'd suggest scanning with your onboard A/V/ program (generally right-click the file then "Scan for viruses" or something to that effect) before running or copying any file from the drive.


Here's the program for the USB drives if you want to use it.


Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.




Other than that, everything looks good now. If it's running OK on your end, please do the following.



Step 1

Uninstall ComboFix and Clean Up
Click Start > Run and type combofix /Uninstall click OK (Note the space between combofix and /Uninstall) See below:

Please advise if this step is missed for any reason as it performs some important actions.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Optional Items

Please take the time to read below to secure your machine and take the necessary steps to keep it that way.


System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Protect yourself from malicious sites
Please download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  1. Double-click the Downloaded installer and install the tool to a location of your choice
  2. Via the Startmenu, navigate to HostsMan and run the program.
    1. Click "Hosts" in the menu
    2. Click "Manage Updates" in the submenu
    3. Out of the three, select atleast one of the three (I have MVPS Host as my main one)
    4. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  3. Click the X to exit the program.
  4. Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.





Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#15 jareif

jareif
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:04 AM

Posted 07 March 2010 - 11:13 AM

etavares:

I'd say this case is now closed. Everything has been resolved!

Thank you so much for all your help! Everything is all cleaned up now. And I have used the advice you gave me in your final post. You have been extremely helpful and generous. Your help is very much appreciated.


jareif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users