
rootkit problem?


  • This topic is locked
19 replies to this topic

#1 kingarthur2


Posted 08 June 2010 - 11:24 PM

Referred from here: http://www.bleepingcomputer.com/forums/t/322388/how-to-delete-a-couple-sys-files-that-have-corrupted-my-laptop/ ~ OB

My computer has recently gone corrupt, to say the least. I have run AVG, Avast and Symantec, which found a couple of trojans on there. Also, I have run CrapCleaner to delete the temp internet files etc. Also, I've run Malwarebytes, which got rid of some infections. The last thing that I ran was GMER and it found 2 suspicious items in the system32\drivers\iastor.sys and atapi.sys. After running (http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller), I can now update via Windows Update but I still have problems.
This evening, I followed the steps under http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/, I am attaching the files requested to see if someone can help resolve this issue with my computer. I had a previous post going but it said to create a new post??
1. Windows still has a different appearance than before (icons, color, etc.). Looks like an older version.
2. It's really slow now.
3. It stalls




DDS (Ver_10-03-17.01) - NTFSx86
Run by 9UXG at 21:52:05.67 on Tue 06/08/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1503 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\hkeyman.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe
C:\Program Files\AClient\Bin\XcListener.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\WINDOWS\Dll32Agent.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AClient\Bin\XCGSTask.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\IdleProc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\1000\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://login.yahoo.com/config/login?.src=m...mp;.partner=sbc
uInternet Connection Wizard,ShellNext = hxxp://www.aflac.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_14\bin\ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [WSPPurge] c:\program files\aflac\common\WSPPurge.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [Hotkey] c:\windows\system32\hkeyman.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Afaria Client File Differencing] c:\program files\aclient\bin\XCDiffCache.exe
mRun: [Aflac_Do_Not_Remove] c:\aflac2000\WSPInfo.exe
mRun: [!SysInit] c:\windows\system32\mschksys.exe
mRun: [Afaria Client Listener] c:\program files\aclient\bin\XcListener.exe
mRun: [Afaria Client Generic Scheduler] c:\program files\aclient\bin\XCGSTask.exe /startup
mRun: [CmgShieldUI] c:\windows\system32\CMGShieldUI.exe
mRun: [VerifyAfariaDownload] c:\program files\aflac\sng\VerifyAfariadownload.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\afaria~1.lnk - c:\program files\aclient\bin\XCGSTask.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_14\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173465087258
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {C73881A0-E7F5-4CE4-B199-307EB127FE15} - hxxp://download.humanconcepts.com/downloads/op5/ov5/hcinstall5.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2007-11-1 9344]
R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [2008-4-29 195128]
R0 CMGShieldReg;CMGShieldReg;c:\windows\system32\drivers\CmgShREG.sys [2008-4-29 89656]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-7-8 34176]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2005-9-23 28544]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R1 SafDskNT;SafDskNT;c:\windows\system32\drivers\SafDskNT.sys [2006-10-31 77824]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-10-4 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [2008-4-29 1103152]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [2008-4-29 644400]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-11-15 1756912]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-31 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-8-29 35968]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100606.003\naveng.sys [2010-6-7 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100606.003\navex15.sys [2010-6-7 1347504]
S0 wogp;wogp;c:\windows\system32\drivers\sqodbnhs.sys --> c:\windows\system32\drivers\sqodbnhs.sys [?]
S2 awhost32dsNcService;pcAnywhere Host Service awhost32dsNcService;c:\windows\system32\accwizd.exe srv --> c:\windows\system32\accwizd.exe srv [?]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2006-11-7 10368]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [2008-4-29 156976]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-10-31 176896]
S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 16984]
S4 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [2007-11-1 389888]

=============== Created Last 30 ================

2010-06-09 01:49:08 0 ----a-w- c:\documents and settings\1000\defogger_reenable
2010-05-30 12:38:58 0 d-----w- c:\program files\AVG
2010-05-28 18:24:24 145 --s-a-w- c:\windows\system32\3415658313.dat
2010-05-22 01:15:05 0 d-----w- c:\program files\Shared

==================== Find3M ====================

2010-06-08 13:58:02 247808 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2006-10-31 12:17:45 143360 --sha-r- c:\windows\IdleProc.exe
2006-10-31 12:17:45 200704 --sha-r- c:\windows\MsCae32.dll
2006-10-31 12:17:45 172032 --sha-r- c:\windows\system32\MsChkSys.dll
2006-10-31 12:17:44 339968 --sha-r- c:\windows\system32\MsChkSys.exe
2006-10-31 12:17:45 22528 --sha-r- c:\windows\system32\Optic32.dll
2006-10-31 12:17:45 176128 --sha-r- c:\windows\system32\SafPwd32.dll
2006-10-31 12:17:45 77824 --sha-r- c:\windows\system32\SdwChang.exe
2006-10-31 12:17:45 90112 --sha-r- c:\windows\system32\SdwCreat.exe
2006-10-31 12:17:45 77824 --sha-r- c:\windows\system32\SdwExpan.exe
2006-10-31 12:17:45 282624 --sha-r- c:\windows\system32\SdwLib.dll
2006-10-31 12:17:45 110592 --sha-r- c:\windows\system32\SdwMap32.exe
2009-05-14 14:11:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051420090515\index.dat
2006-10-31 12:17:45 77824 --sha-w- c:\windows\system32\drivers\SafDskNT.sys

============= FINISH: 21:52:55.25 ===============



Edited by Orange Blossom, 09 June 2010 - 05:51 PM.
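An added example, not part of this thread or of the DDS, GMER or OTL tools: a small Python triage script over the two DDS sections that helpers read most closely. It flags the services whose binary DDS could not read on disk (the `[?]` entries, here `wogp` and `awhost32dsNcService`), the boot-start drivers (the class GMER flagged in `iaStor.sys` and `atapi.sys`), and files carrying both the hidden and system attributes. The sample lines are copied from the log above, the regexes assume the line shapes shown there, and every list it returns is a review list, not a verdict on any file.

```python
"""Triage helper for the DDS "SERVICES / DRIVERS" and "Find3M" sections.

Added example for this thread, not part of DDS, GMER, OTL or BleepingComputer.
It reads log text only; it never touches the registry or the disk.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2007-11-1 9344]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
S0 wogp;wogp;c:\windows\system32\drivers\sqodbnhs.sys --> c:\windows\system32\drivers\sqodbnhs.sys [?]
S2 awhost32dsNcService;pcAnywhere Host Service awhost32dsNcService;c:\windows\system32\accwizd.exe srv --> c:\windows\system32\accwizd.exe srv [?]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]

==================== Find3M ====================

2010-06-08 13:58:02 247808 ----a-w- c:\windows\system32\drivers\iaStor.sys
2006-10-31 12:17:45 143360 --sha-r- c:\windows\IdleProc.exe
2006-10-31 12:17:44 339968 --sha-r- c:\windows\system32\MsChkSys.exe
"""

# DDS prefixes each service with R (running) or S (stopped) followed by the
# Windows service Start value: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# <state><start> <name>;<display>;<path> [<date> <size>]   or   [?] when DDS
# could not read the file the service points at.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<info>[^\]]*)\]\s*$"
)

# <date> <time> <size> <flags> <path>; flags use d/s/h/a/r/w letters for
# directory/system/hidden/archive/read-only/writable, '-' for unset positions.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)


@dataclass
class ServiceEntry:
    name: str
    running: bool
    start_type: str
    image: str          # path before any " --> " redirection DDS printed
    file_missing: bool  # True when the bracket held "?" instead of date/size


@dataclass
class FileEntry:
    path: str
    size: int
    attrs: str

    @property
    def hidden_system(self) -> bool:
        # Hidden+System keeps a file out of a default Explorer view. Legitimate
        # software (encryption agents included) sets it too: review list, not verdict.
        return "s" in self.attrs and "h" in self.attrs


def parse_services(text: str) -> list[ServiceEntry]:
    entries = []
    for m in filter(None, map(SERVICE_RE.match, text.splitlines())):
        entries.append(ServiceEntry(
            name=m["name"].strip(),
            running=m["state"] == "R",
            start_type=START_TYPES[m["start"]],
            image=m["path"].split(" --> ")[0].strip(),
            file_missing=m["info"].strip() == "?",
        ))
    return entries


def parse_files(text: str) -> list[FileEntry]:
    return [FileEntry(m["path"], int(m["size"]), m["attrs"])
            for m in filter(None, map(FILE_RE.match, text.splitlines()))]


def triage(text: str) -> dict[str, list[str]]:
    """The three lists a helper reads first from these two sections."""
    services, files = parse_services(text), parse_files(text)
    return {
        "missing_binaries": [s.name for s in services if s.file_missing],
        "boot_start_drivers": [s.name for s in services if s.start_type == "boot"],
        "hidden_system_files": [f.path for f in files if f.hidden_system],
    }


if __name__ == "__main__":
    for label, items in triage(SAMPLE_LOG).items():
        print(f"{label}: {items}")
```

Paste a full DDS log into `SAMPLE_LOG` (or read it from a file) and the same three lists come out; the `[?]` check is the mechanical version of what a helper does by eye when a service name and its image path do not line up with anything installed.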



#2 Shannon2012

Security Colleague

Posted 13 June 2010 - 07:03 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 kingarthur2

Topic Starter

Posted 13 June 2010 - 11:02 AM

Do I run everything in Safe Mode? When I go to run GMER NOT in Safe Mode, I can't get Symantec RTVirus Scan to stop. I've tried going to task manager and stopping the process. In safe mode it isn't running. Just want to check with you. thanks,


#4 kingarthur2

Topic Starter

Posted 13 June 2010 - 02:03 PM

About three weeks ago, when clicking on a pop-up to "x" it out (I knew better), a couple of viruses were downloaded. I have Symantec and Malwarebytes (free version), both up to date, and they still did not get rid of my infection. I ran them and was able to get rid of a few fake alerts, Vundo virus, etc.; however, my computer was still infected.
1. This infection changed the appearance to Windows Classic style vs. Windows XP style
2. When searching for anything via Google, it would redirect me to random sites, some of which would begin to install malware.
3. When trying to do a Windows Update, it said "page can not be displayed"
4. My wireless connection would say "trying to acquire address" but would never allow me to connect. However, my computer would begin to install malware even though it said it was connecting
5. The computer would run really slow and get a blue screen

After using the advice of one of your moderators (Budapest), I ran a GMER and it found a
File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

Then, I was advised to go to this site: http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller

After running this, it did find one file and asked me to reboot. I've since run it again and have found nothing. This seemed to eliminate the Windows Update problem and wireless issue AND the redirecting to random sites. Since then, I've connected to Windows Update, downloaded several updates and restarted. I also ran a scandisk. I also re-ran Malwarebytes quick scan, Symantec full scan, GMER and DDS, all IN SAFE MODE. If you need me to run in normal mode, let me know. Computer seems to be working fine, but if you have a few minutes to look at the log file and see something suspicious, please let me know. If you see Aflac in a lot of the files, those are my company's files on the computer. I will not add/delete anything until I hear from you on this computer. Thanks, I look forward to hearing from you.


#5 etavares

Malware Response Team

Posted 15 June 2010 - 05:25 PM

Hello, kingarthur2.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.











Step 1

Let's get an OTL log in normal mode.

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#6 kingarthur2

Topic Starter

Posted 15 June 2010 - 07:39 PM

Thank you. I do have one question. What file in the log told you it had this? Just curious. I do use my computer for my company to send in insurance policies via a VPN connection. Credant is installed on there and is supposed to encrypt any data. This being said, would it be best for me to send it in to my IT department and have it reimaged, or should I try this first to see if it removes it? Thanks,


#7 kingarthur2

Topic Starter

Posted 15 June 2010 - 08:39 PM

I had 2 more questions. I took all of my documents (Word, PDF, QuickBooks backup, Excel and PPT) off of this computer, scanned them with Symantec and Malwarebytes and put them on my other computer's desktop. Could this now be a potential problem for my other computer? Do I need to do a GMER scan of it?
My second question. You mentioned that I need to subscribe to this topic. What does this mean? I check every day under "forums" then "my topics". Is this what you are referring to? Thanks

#8 etavares

Malware Response Team

Posted 16 June 2010 - 05:10 PM

TDSSKiller detected the TDSS rootkit and removed it. The TDSS infection is a backdoor rootkit. That's one of a few ways I know that you had a backdoor rootkit installed. It's up to you about reimaging. It may be the best plan given the amount of personal information I'm guessing you have on your computer.

Backing up your files is fine, and scanning them with Symantec and MBAM is a great step. Just make sure you updated the definitions before you did that. Copying program files (.exe, .com, .bat, .pif, .scr, etc.) results in a much higher risk of reinfection. You should be OK. It's unlikely we need to do a GMER scan on that, unless you have issues on it, such as redirects, pop-ups, etc.

Subscribing to this topic means that you get an email notification when someone replies to this thread. As long as you check every other day at a minimum, you'll be fine.

Please let me know how you want to proceed...OTL and clean; or reimage.




 


#9 kingarthur2

Topic Starter

Posted 16 June 2010 - 06:08 PM

Thanks for replying back. I went ahead and ran the scan for you to look at. Here it is:

OTL Extras logfile created on: 6/16/2010 6:27:19 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\1000\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 50.62 Gb Free Space | 67.92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AFLAC9UXG
Current User Name: 9UXG
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec\pcAnywhere\Winaw32.exe" = C:\Program Files\Symantec\pcAnywhere\Winaw32.exe:*:Enabled:pcAnywhere Main Executable -- (Symantec Corporation)
"C:\Program Files\Symantec\pcAnywhere\awhost32.exe" = C:\Program Files\Symantec\pcAnywhere\awhost32.exe:*:Enabled:pcAnywhere Host Service -- (Symantec Corporation)
"C:\Program Files\Symantec\pcAnywhere\awrem32.exe" = C:\Program Files\Symantec\pcAnywhere\awrem32.exe:*:Enabled:pcAnywhere Remote Service -- (Symantec Corporation)
"C:\Program Files\AClient\Bin\XcListener.exe" = C:\Program Files\AClient\Bin\XcListener.exe:*:Enabled:Afaria Client Listener -- (iAnywhere Solutions, Inc.)
"C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager -- (Intuit, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{19C64880-BBCA-11D4-9EEE-0004ACDDDB3B}" = B's CLiP
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20749F76-4228-43AD-8AB5-E7B20D8040C4}" = hph_readme
"{2C6F48C2-0A1D-478B-8AED-B5DB2ABD14FB}" = WorksitePro
"{3248F0A8-6813-11D6-A77B-00B0D0150140}" = J2SE Runtime Environment 5.0 Update 14
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{391651FA-D9B3-476E-AE37-6E0A22A27735}" = SmartPremium
"{3AE87269-BD57-4A58-B13D-FC67664BCFB8}" = BlackBerry Desktop Software 4.3
"{46B63F23-2B4A-4525-A827-688026BE5E40}" = Symantec AntiVirus
"{4A9D3562-9842-4061-A59A-BFE8C9943A8A}" = WorkSiteProUpdate
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}" = VPN Client
"{56364334-9530-11D2-BFFC-00C04FA329AA}" = Microsoft Works 2000
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{71D74FCD-8DB9-4BEB-9C9D-1D19F2E02AE3}" = Microsoft Report Viewer Redistributable 2005
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{87CFE0AD-EAF0-40D1-B5CF-EDC527DAB7D2}" = BHA B's Recorder GOLD 5.27
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91490409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Primary Interop Assemblies
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD
"{9A2F0810-3622-4E86-9072-973FBE1679C5}" = QuickBooks Pro 2009
"{9A2F0810-369F-4E86-9072-973FBE1679C5}" = QuickBooks
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{B19F9155-9337-4807-B5EF-ED471DDB2CCE}" = hph_software_req
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BE365801-FB4B-49D7-87D2-9477EE371F1C}" = D1300_Help
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5AEDF10-D314-41FF-BC2E-DF704505DFD0}" = BlackBoxInstall
"{C5BED10B-42A9-4142-B4C2-008C0FDE27D5}" = O2Micro Smartcard Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB462BC7-4D16-44E9-AA8F-F8BB3A39DF60}" = SmartApp Next Generation
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DE37B13A-972B-46C3-8555-AC2F15D1604D}" = SmartAppRemoval
"{E05E8183-866A-11D3-97DF-0000F8D8F2E9}" = Symantec pcAnywhere
"{E1E58954-D885-44E7-B8C2-F0E9A6DA1652}" = O2Micro Flash Memory Card Windows Driver
"{E7FA5A9F-BAE0-499B-8CEA-48A502D2896D}" = CMG Windows Shield
"{EE267D8A-CC91-4DB4-A389-89776359046D}" = EncryptionByCredant
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F5AD8A16-56B5-4D92-AD8A-6DD7058D081B}" = SNG Prerequisites
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Afaria Client" = Afaria Client
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"ATT-RC" = ATT-RC Self Support Tool
"BlackBerry_{3AE87269-BD57-4A58-B13D-FC67664BCFB8}" = BlackBerry Desktop Software 4.3
"CANONBJ_Deinstall_CNMCP27.DLL" = BJC-85
"CANONBJ_Deinstall_CNMCP71.DLL" = Canon iP90
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10F70000" = HDAUDIO V.92 Soft Data Fax Modem with SmartCP
"HumanConcepts OrgViewer 5" = HumanConcepts OrgViewer 5
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{391651FA-D9B3-476E-AE37-6E0A22A27735}" = SmartPremium
"InstallShield_{4A9D3562-9842-4061-A59A-BFE8C9943A8A}" = WorkSiteProUpdate
"InstallShield_{C5AEDF10-D314-41FF-BC2E-DF704505DFD0}" = BlackBoxInstall
"InstallShield_{C5BED10B-42A9-4142-B4C2-008C0FDE27D5}" = O2Micro Smartcard Driver
"InstallShield_{DE37B13A-972B-46C3-8555-AC2F15D1604D}" = SmartAppRemoval
"InstallShield_{E1E58954-D885-44E7-B8C2-F0E9A6DA1652}" = O2Micro Flash Memory Card Windows Driver
"InstallShield_{EE267D8A-CC91-4DB4-A389-89776359046D}" = EncryptionByCredant
"Juniper Network Connect 6.0.0" = Juniper Networks Network Connect 6.0.0
"Juniper Network Connect 6.3.0" = Juniper Networks Network Connect 6.3.0
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Report Viewer Redistributable 2005" = Microsoft Report Viewer Redistributable 2005
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PanasonicHotkeyDriver" = Hotkey Driver for Panasonic PC
"Premium Quote" = Premium Quote
"QuickLink Mobile" = QuickLink Mobile
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TomTom HOME" = TomTom HOME 2.7.3.1894
"Topaz 4X5 WinTab Driver v2.20" = Topaz 4X5 WinTab Driver v2.20
"Topaz 4X5 Tablet WinTab Driver" = Topaz 4X5 Tablet WinTab Driver
"Topaz e-Signatures SigPlus 3.55" = Topaz e-Signatures SigPlus 3.55
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-184708185-3649356386-1762526241-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"WeatherTAP.com - RadarLab HD" = WeatherTAP.com - RadarLab HD

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/7/2010 9:35:47 AM | Computer Name = AFLAC9UXG | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 6/7/2010 9:40:48 AM | Computer Name = AFLAC9UXG | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 6/7/2010 10:05:58 AM | Computer Name = AFLAC9UXG | Source = MPSampleSubmission | ID = 5000
Description =

Error - 6/7/2010 10:06:00 AM | Computer Name = AFLAC9UXG | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 6/7/2010 11:48:59 AM | Computer Name = AFLAC9UXG | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 0.0.0.0, faulting module
iexplore.exe, version 0.0.0.0, fault address 0x0008d560.

Error - 6/8/2010 10:36:03 AM | Computer Name = AFLAC9UXG | Source = Application Hang | ID = 1002
Description = Hanging application 9s4tpcuv.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 6/8/2010 11:52:23 PM | Computer Name = AFLAC9UXG | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15281, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 6/8/2010 11:52:40 PM | Computer Name = AFLAC9UXG | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.17023, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/13/2010 9:21:13 PM | Computer Name = AFLAC9UXG | Source = Application Hang | ID = 1002
Description = Hanging application javaw.exe, version 5.0.140.3, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 6/13/2010 9:21:18 PM | Computer Name = AFLAC9UXG | Source = Application Hang | ID = 1001
Description = Fault bucket 565066144.

[ System Events ]
Error - 6/13/2010 11:27:15 AM | Computer Name = AFLAC9UXG | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 6/13/2010 11:27:15 AM | Computer Name = AFLAC9UXG | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 6/13/2010 11:27:15 AM | Computer Name = AFLAC9UXG | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 6/13/2010 11:27:15 AM | Computer Name = AFLAC9UXG | Source = Service Control Manager | ID = 7001
Description = The Cisco Systems, Inc. VPN Service service depends on the TCP/IP
Protocol Driver service which failed to start because of the following error: %%31

Error - 6/13/2010 11:27:15 AM | Computer Name = AFLAC9UXG | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 6/13/2010 11:27:15 AM | Computer Name = AFLAC9UXG | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD awlegacy eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT SAVRTPEL SYMTDI
Tcpip

Error - 6/13/2010 11:28:00 AM | Computer Name = AFLAC9UXG | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 6/13/2010 2:39:54 PM | Computer Name = AFLAC9UXG | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 6/13/2010 2:40:20 PM | Computer Name = AFLAC9UXG | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 6/13/2010 2:40:27 PM | Computer Name = AFLAC9UXG | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >

OTL logfile created on: 6/16/2010 6:27:19 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\1000\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 50.62 Gb Free Space | 67.92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AFLAC9UXG
Current User Name: 9UXG
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/16 18:26:56 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1000\Desktop\OTL.exe
PRC - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2009/07/16 21:03:26 | 000,024,576 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2008/11/21 04:33:32 | 000,431,472 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
PRC - [2008/04/29 14:01:22 | 000,210,224 | ---- | M] (Credant Technologies, Inc.) -- C:\WINDOWS\system32\CmgShieldUI.exe
PRC - [2008/04/29 14:01:08 | 001,103,152 | ---- | M] (Credant Technologies, Inc.) -- C:\WINDOWS\system32\CmgShieldSvc.exe
PRC - [2008/04/29 14:00:14 | 000,644,400 | ---- | M] (CREDANT Technologies, Inc.) -- C:\WINDOWS\system32\EmsService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/10 17:51:10 | 000,106,496 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\AClient\Bin\XcListener.exe
PRC - [2007/09/14 14:20:42 | 000,552,960 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\AClient\Bin\XCGSTask.exe
PRC - [2006/11/30 23:03:50 | 000,167,936 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\AClient\Bin\XCDiffCache.exe
PRC - [2006/10/31 08:17:45 | 000,143,360 | RHS- | M] () -- C:\WINDOWS\IdleProc.exe
PRC - [2006/10/31 08:17:44 | 000,339,968 | RHS- | M] () -- C:\WINDOWS\system32\MsChkSys.exe
PRC - [2006/05/11 11:47:24 | 000,151,552 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/05/11 11:46:54 | 000,090,112 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2006/02/27 05:00:30 | 000,094,208 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2005/11/15 13:28:04 | 000,085,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2005/11/15 13:27:54 | 001,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2005/11/15 13:27:44 | 000,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005/10/04 12:42:50 | 000,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/10/04 12:42:42 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/09/13 14:30:14 | 000,057,344 | ---- | M] (O2Micro International) -- C:\WINDOWS\system32\o2flash.exe
PRC - [2004/06/28 10:56:12 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\Hidfind.exe
PRC - [2003/07/18 16:02:18 | 001,422,528 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2003/03/14 12:05:08 | 000,851,968 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\HKEYMAN.EXE


========== Modules (SafeList) ==========

MOD - [2010/06/16 18:26:56 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1000\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (awhost32dsNcService)
SRV - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/07/16 21:03:26 | 000,024,576 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2008/11/21 04:33:32 | 000,431,472 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2008/08/08 21:10:46 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2008/04/29 14:01:08 | 001,103,152 | ---- | M] (Credant Technologies, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\CmgShieldSvc.exe -- (CMGShield)
SRV - [2008/04/29 14:00:14 | 000,644,400 | ---- | M] (CREDANT Technologies, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\EmsService.exe -- (EMS)
SRV - [2006/05/11 11:46:54 | 000,090,112 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2005/11/15 13:27:56 | 000,169,200 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2005/11/15 13:27:54 | 001,756,912 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2005/11/15 13:27:44 | 000,020,208 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2005/10/19 17:39:34 | 000,214,672 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005/10/04 12:42:50 | 000,177,776 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/10/04 12:42:48 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005/10/04 12:42:42 | 000,185,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/09/13 14:30:14 | 000,057,344 | ---- | M] (O2Micro International) [Auto | Running] -- C:\WINDOWS\system32\o2flash.exe -- (O2Flash)
SRV - [2005/03/30 21:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2003/10/31 11:01:00 | 000,106,496 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\pcAnywhere\awhost32.exe -- (awhost32)
SRV - [2003/07/18 16:02:18 | 001,422,528 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)


========== Driver Services (SafeList) ==========

DRV - [2010/06/12 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\eeCtrl.sys -- (eeCtrl)
DRV - [2010/06/08 09:58:02 | 000,247,808 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2010/06/06 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/17 04:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100612.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/17 04:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100612.003\NAVENG.SYS -- (NAVENG)
DRV - [2008/06/24 17:35:06 | 000,023,552 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2008/04/29 14:05:34 | 000,089,656 | ---- | M] (Credant Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\CmgShREG.sys -- (CMGShieldReg)
DRV - [2008/04/29 14:05:26 | 000,195,128 | ---- | M] (Credant Technologies, Inc.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\CMGShCEF.sys -- (CmgShieldCEF)
DRV - [2008/04/29 14:04:58 | 000,156,976 | ---- | M] (CREDANT Technologies, Inc.) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\CmgShieldNP.dll -- (CmgShieldNP)
DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006/10/31 08:17:45 | 000,077,824 | -HS- | M] (PC Dynamics, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SafDskNT.sys -- (SafDskNT)
DRV - [2006/02/26 00:43:00 | 001,428,480 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2005/12/27 05:21:38 | 001,099,336 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/12/12 03:08:44 | 001,124,097 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/12/09 03:48:40 | 004,123,136 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/12/08 19:48:00 | 000,243,712 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/11/25 11:50:44 | 000,010,112 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HOTKEY.SYS -- (HOTKEY)
DRV - [2005/11/08 11:12:18 | 000,997,376 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/11/08 11:11:34 | 000,202,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/11/08 11:11:30 | 000,723,712 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/10/19 17:39:04 | 000,195,728 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2005/10/19 17:38:58 | 000,024,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/09/23 07:48:44 | 000,028,544 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\o2sd.sys -- (O2SDRDR)
DRV - [2005/09/17 00:20:06 | 000,108,168 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/08/26 14:22:50 | 000,053,896 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/08/26 14:22:48 | 000,334,984 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2005/07/28 14:13:14 | 000,190,592 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/07/08 14:06:50 | 000,034,176 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\o2media.sys -- (O2MDRDR)
DRV - [2005/06/10 09:26:00 | 000,035,968 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2005/03/30 21:48:20 | 000,372,832 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/02/23 15:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/07/04 19:25:54 | 000,103,391 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2003/10/24 09:53:08 | 000,016,984 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\AW_HOST5.sys -- (AW_HOST)
DRV - [2003/07/18 16:01:28 | 000,268,360 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2003/05/01 14:26:34 | 000,005,220 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2003/04/21 14:08:44 | 000,010,901 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\awlegacy.sys -- (awlegacy)
DRV - [2003/04/21 13:00:32 | 000,013,898 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\GERNUWA.sys -- (Gernuwa)
DRV - [2003/03/19 15:42:02 | 000,389,888 | ---- | M] (B.H.A Co.,Ltd.) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\BsUDF.sys -- (BsUDF)
DRV - [2003/03/03 15:08:56 | 000,176,896 | ---- | M] (Zone Labs Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2002/12/09 02:44:32 | 000,010,270 | ---- | M] (B.H.A Co.,Ltd.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdrbsvsd.sys -- (cdrbsvsd)
DRV - [2002/08/26 18:09:42 | 000,138,916 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2002/06/06 01:07:00 | 000,009,344 | ---- | M] (B.H.A Co.,Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\BsStor.sys -- (BsStor)
DRV - [2001/08/17 14:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 08:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-184708185-3649356386-1762526241-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login?.src=m...mp;.partner=sbc
IE - HKU\S-1-5-21-184708185-3649356386-1762526241-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2009/12/28 23:06:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1000\Application Data\Mozilla\Extensions
[2009/12/28 23:06:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1000\Application Data\Mozilla\Extensions\home2@tomtom.com

O1 HOSTS File: ([2010/05/08 00:12:02 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_14\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [!SysInit] C:\WINDOWS\system32\MsChkSys.exe ()
O4 - HKLM..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe (iAnywhere Solutions, Inc.)
O4 - HKLM..\Run: [Afaria Client Generic Scheduler] C:\Program Files\AClient\Bin\XCGSTask.exe (iAnywhere Solutions, Inc.)
O4 - HKLM..\Run: [Afaria Client Listener] C:\Program Files\AClient\Bin\XcListener.exe (iAnywhere Solutions, Inc.)
O4 - HKLM..\Run: [Aflac_Do_Not_Remove] C:\Aflac2000\WSPInfo.exe (AFLAC)
O4 - HKLM..\Run: [CmgShieldUI] C:\WINDOWS\system32\CmgShieldUI.exe (Credant Technologies, Inc.)
O4 - HKLM..\Run: [Hotkey] C:\WINDOWS\system32\HKEYMAN.EXE (Matsushita Electric Industrial Co., Ltd.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [VerifyAfariaDownload] C:\Program Files\AFLAC\SNG\VerifyAfariaDownload.exe ( )
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [WSPPurge] C:\Program Files\AFLAC\Common\WSPPurge.exe (AFLAC)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe (iAnywhere Solutions, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-184708185-3649356386-1762526241-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_14\bin\NPJPI150_14.dll (Sun Microsystems, Inc.)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} http://download.microsoft.com/download/0/f...tualEarth3D.cab (Reg Error: Key error.)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www2.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1173465087258 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {C73881A0-E7F5-4CE4-B199-307EB127FE15} http://download.humanconcepts.com/download.../hcinstall5.cab (HumanConcepts Organization(5))
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (CmgShieldGina.dll) - C:\WINDOWS\System32\CmgShieldGina.dll (Credant Technologies, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\PCANotify: DllName - PCANotify.dll - C:\WINDOWS\System32\PCANotify.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\AFLAC Logo 3.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\AFLAC Logo 3.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/11 14:32:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{dc5b47d4-37bf-11db-aa28-001302327d89}\Shell\AutoRun\command - "" = E:\Programs\nu2menu\nu2menu.exe -- File not found
O33 - MountPoints2\{dc5b47d7-37bf-11db-aa28-001302327d89}\Shell\AutoRun\command - "" = H:\Programs\nu2menu\nu2menu.exe -- File not found
O33 - MountPoints2\{ee73ab3e-f425-11de-b637-000b97a06038}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/16 18:26:49 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\1000\Desktop\OTL.exe
[2010/06/13 12:47:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\1000\Desktop\Log Files
[2010/06/13 11:13:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\1000\Recent
[2010/06/07 16:07:03 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/06/01 10:34:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/05/31 14:58:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2010/05/30 08:38:58 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/05/28 17:42:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/28 17:29:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/21 21:15:05 | 000,000,000 | ---D | C] -- C:\Program Files\Shared
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/16 18:26:56 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1000\Desktop\OTL.exe
[2010/06/16 18:22:42 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/16 18:22:38 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/16 18:22:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/16 18:22:26 | 2137,051,136 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/13 23:49:05 | 003,932,160 | -H-- | M] () -- C:\Documents and Settings\1000\NTUSER.DAT
[2010/06/13 23:49:05 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\1000\ntuser.ini
[2010/06/13 23:48:58 | 004,308,000 | -H-- | M] () -- C:\Documents and Settings\1000\Local Settings\Application Data\IconCache.db
[2010/06/13 19:40:11 | 000,001,681 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Afaria Client Generic Scheduler.lnk
[2010/06/13 11:11:43 | 000,278,152 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/13 11:04:41 | 000,506,068 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/13 11:04:41 | 000,444,596 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/13 11:04:41 | 000,072,306 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/13 10:48:59 | 000,000,917 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/13 10:18:52 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\gmer.zip
[2010/06/13 10:17:49 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\dds.scr
[2010/06/09 12:24:00 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\WebReg Deskjet D1300 series.job
[2010/06/08 21:49:08 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\1000\defogger_reenable
[2010/06/08 14:17:30 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\jwzb2r0x.exe
[2010/06/08 09:58:02 | 000,247,808 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys
[2010/06/08 09:47:33 | 000,966,213 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\tdsskiller.zip
[2010/06/07 07:34:15 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\Suspicious modification c windows.doc
[2010/06/01 12:28:57 | 2097,156,096 | ---- | M] () -- C:\Protected.sdsk
[2010/05/31 15:05:45 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/31 09:28:16 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\State Call In Report.xls
[2010/05/30 08:30:51 | 000,162,531 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\Listening .pdf
[2010/05/29 12:04:10 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/05/29 12:04:09 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/28 14:25:44 | 000,000,145 | --S- | M] () -- C:\WINDOWS\System32\3415658313.dat
[2010/05/27 17:24:49 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\CCleaner.lnk
[2010/05/27 15:58:22 | 000,014,468 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\Regnotes Kredensor may 21 2010].docx
[2010/05/25 17:14:14 | 000,206,630 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\STRATEGIC_INVENTORY_MANAGEMENT__BUSINESS_PLAN[1].pdf
[2010/05/25 15:39:26 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\Books to Read.doc
[2010/05/25 14:47:30 | 000,034,304 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\King Arthur Court Asset Management Plan.doc
[2010/05/20 11:46:54 | 000,190,464 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\kickoff May 2010.ppt
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/13 14:41:34 | 2137,051,136 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/13 10:18:50 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\1000\Desktop\gmer.zip
[2010/06/13 10:17:46 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\1000\Desktop\dds.scr
[2010/06/08 21:49:08 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\1000\defogger_reenable
[2010/06/08 14:17:14 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\1000\Desktop\jwzb2r0x.exe
[2010/06/08 09:47:16 | 000,966,213 | ---- | C] () -- C:\Documents and Settings\1000\Desktop\tdsskiller.zip
[2010/06/07 07:34:15 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\1000\Desktop\Suspicious modification c windows.doc
[2010/05/31 15:05:42 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/30 08:30:47 | 000,162,531 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\Listening .pdf
[2010/05/28 14:24:24 | 000,000,145 | --S- | C] () -- C:\WINDOWS\System32\3415658313.dat
[2010/05/27 15:58:21 | 000,014,468 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\Regnotes Kredensor may 21 2010].docx
[2010/05/25 17:14:11 | 000,206,630 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\STRATEGIC_INVENTORY_MANAGEMENT__BUSINESS_PLAN[1].pdf
[2010/05/25 15:39:26 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\Books to Read.doc
[2010/05/23 22:24:24 | 000,034,304 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\King Arthur Court Asset Management Plan.doc
[2010/05/20 11:46:54 | 000,190,464 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\kickoff May 2010.ppt
[2009/09/05 21:28:59 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/04/07 10:46:56 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2007/11/05 14:52:16 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2007/11/05 14:50:11 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EP_CX5000.ini
[2007/10/19 20:56:16 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/10/19 20:54:28 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/10/19 20:54:28 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2007/10/18 05:02:34 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/08/26 14:22:45 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2007/08/26 14:22:42 | 000,000,638 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/11/21 12:50:49 | 000,031,936 | ---- | C] () -- C:\WINDOWS\System32\Wintab.dll
[2006/11/07 16:37:57 | 000,002,646 | ---- | C] () -- C:\WINDOWS\BRMFBIDI.INI
[2006/10/31 08:17:45 | 000,200,704 | RHS- | C] () -- C:\WINDOWS\MsCae32.dll
[2006/10/31 08:17:45 | 000,172,032 | RHS- | C] () -- C:\WINDOWS\System32\MsChkSys.dll
[2006/10/31 08:17:45 | 000,022,528 | RHS- | C] () -- C:\WINDOWS\System32\Optic32.dll
[2006/09/08 22:42:33 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/09/08 22:05:13 | 000,000,058 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/09/06 15:07:47 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS71.DLL
[2006/09/06 15:00:17 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS27.DLL
[2006/07/19 13:11:36 | 000,135,168 | ---- | C] () -- C:\WINDOWS\InstShDialog.dll
[2006/07/18 22:08:19 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/07/18 21:35:08 | 000,004,379 | ---- | C] () -- C:\WINDOWS\SigPlus.ini
[2006/07/18 20:02:16 | 000,000,294 | ---- | C] () -- C:\WINDOWS\SA_ESS32.ini
[2006/07/18 19:31:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2006/07/11 15:48:04 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/11 14:44:39 | 000,000,524 | ---- | C] () -- C:\WINDOWS\WinTab.ini
[2006/07/11 14:41:52 | 000,136,384 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2006/05/16 09:28:53 | 000,247,808 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys
[2005/01/21 12:02:28 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\RMDevice.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
< End of report >



#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 16 June 2010 - 06:31 PM

Hello, kingarthur2.
OK, let's clean up some orphans and get a second opinion, but you look OK after taking out the TDSS infection.





Step 1

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need to run an OTL Script
  1. Please download OTL from one of the following mirrors if you do not still have it.
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    CODE
    :OTL
    SRV - File not found [Auto | Stopped] -- -- (awhost32dsNcService)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    :files
    C:\32788R22FWJFW
    c:\windows\system32\3415658313.dat
    :Commands
    [EmptyTemp]
  5. Click the Run Fix button at the top.
  6. Let the program run unhindered and reboot when it is done.
  7. You will get a log when it is done, please post that in your reply.
  8. Please then create a new OTL report....
  9. Click the "Scan All Users" checkbox.
  10. Push the button.
  11. A report will open, copy and paste it in a reply here.



Step 2

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
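The fix above is built by hand from the OTL log: pick out the orphaned entries (a service whose file is gone, a BHO whose CLSID no longer resolves), list them under :OTL, add leftover files under :files, and finish with [EmptyTemp]. As an added example, not code from OTL or from either poster, here is a small Python triage script that does the same reading of OTL PRC/SRV/DRV/O2 lines: it parses the bracketed record format, collects the orphan entries into a fix script in the same :OTL / :files / :Commands layout, and separately flags two signals for a human to review rather than remove, a boot-start driver with no company name (the shape the iaStor.sys entry has in this thread's log) and a running process carrying hidden+system attributes. The sample lines are copied from or modelled on the log above; the names Record, Finding, triage and build_fix_script are the example's own, and the regexes are an assumption about the OTL output format, derived only from the lines seen in this thread.

```python
"""Triage helper for OTL log lines (added example, not OTL's own code).

Parses the record format OTL uses for PRC/SRV/DRV/MOD lines, flags orphan
entries (safe to list in a fix) and suspicious entries (needs a human), and
emits a fix script in the ':OTL / :files / :Commands' syntax used in the thread.
The regexes are an assumption about OTL's format, based only on the log above.
"""
import re
from dataclasses import dataclass

# Record shape: KIND - [date time | size | attrs | M] (Company) [start] -- path -- (service) ...
RECORD_RE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV|MOD) - "
    r"\[(?P<stamp>[^|\]]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [MC]\] "
    r"\((?P<company>[^)]*)\)"
    r"(?: \[(?P<start>[^\]]*)\])?"
    r" -- (?P<rest>.+)$"
)
# Service entry whose binary no longer exists on disk.
ORPHAN_SRV_RE = re.compile(r"^SRV - File not found \[[^\]]*\] -- -- \([^)]*\)")
# Browser Helper Object line; the target text says whether the CLSID/file resolved.
BHO_RE = re.compile(r"^O2 - BHO: \([^)]*\) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")


@dataclass
class Record:
    kind: str
    company: str
    attrs: str
    start: str
    path: str
    service: str


@dataclass
class Finding:
    severity: str   # "orphan": points at nothing, safe to list; "review": needs a person
    reason: str
    line: str


def parse_record(line):
    """Return a Record for a PRC/SRV/DRV/MOD line, or None if the line does not match."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    path, _, tail = m.group("rest").partition(" -- ")
    svc = re.match(r"\(([^)]*)\)", tail)          # '(ServiceName)' may be followed by junk
    return Record(kind=m.group("kind"), company=m.group("company").strip(),
                  attrs=m.group("attrs"), start=m.group("start") or "",
                  path=path.strip(), service=svc.group(1) if svc else "")


def triage(lines):
    """Walk OTL lines and return Findings in log order."""
    findings = []
    for line in lines:
        line = line.rstrip()
        if ORPHAN_SRV_RE.match(line):
            findings.append(Finding("orphan", "service points to a missing file", line))
            continue
        bho = BHO_RE.match(line)
        if bho and ("No CLSID value found" in bho.group("target")
                    or "File not found" in bho.group("target")):
            findings.append(Finding("orphan", "BHO with no CLSID value or file", line))
            continue
        rec = parse_record(line)
        if rec is None:
            continue
        if rec.kind == "DRV" and not rec.company and "Boot" in rec.start:
            findings.append(Finding("review", "boot-start driver with no company name", line))
        elif rec.kind == "PRC" and "H" in rec.attrs and "S" in rec.attrs:
            findings.append(Finding("review", "running process has hidden+system attributes", line))
    return findings


def build_fix_script(findings, extra_files=(), empty_temp=True):
    """Emit an OTL fix script from the orphan findings only; 'review' items are never included."""
    out = [":OTL", *[f.line for f in findings if f.severity == "orphan"]]
    if extra_files:
        out += [":files", *extra_files]
    if empty_temp:
        out += [":Commands", "[EmptyTemp]"]
    return "\n".join(out)


# Sample input: lines copied from or modelled on the OTL log in this thread.
SAMPLE_LOG = [
    r"SRV - File not found [Auto | Stopped] -- -- (awhost32dsNcService)",
    r"SRV - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.",
    r"DRV - [2010/06/08 09:58:02 | 000,247,808 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)",
    r"DRV - [2008/04/29 14:05:34 | 000,089,656 | ---- | M] (Credant Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\CmgShREG.sys -- (CMGShieldReg)",
    r"PRC - [2006/10/31 08:17:45 | 000,143,360 | RHS- | M] () -- C:\WINDOWS\IdleProc.exe",
    r"PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.reason}: {f.line}")
    print(build_fix_script(found, extra_files=[r"C:\32788R22FWJFW"]))
```

Run on the sample, it reports two orphans (the awhost32dsNcService entry and the nameless BHO) and two review items (iaStor.sys with an empty company field, and IdleProc.exe with RHS attributes, which in this thread turned out to be a legitimate PC Dynamics component); only the orphans end up in the generated :OTL block, which is the right default since a file with an empty company field can be a vendor driver as easily as a patched one.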
 


#11 kingarthur2

kingarthur2
  • Topic Starter

  • Members
  • 33 posts

Posted 16 June 2010 - 08:32 PM

Ok. I did the steps you listed. When I did run OTL this time, I received a message that said "must restart windows because the CMG Shield Terminated unexpectedly". The computer restarted and nothing happened. I did it again and the same message showed up but this time before everything loaded, it asked me to run and a log was created this time.
I then ran OTL again and only 1 log file showed up. I will list it below. Now, I am running ESET online and checked on "scan archive". I did not check fix. Hope this was correct. The three threats that it found seem to be related to the Credant security shield that my company Aflac has installed on our laptops to encrypt personal information, etc. Just wanted to let you know in case it thinks it's a virus but really isn't.


Files\Folders moved on Reboot...
C:\Documents and Settings\1000\Local Settings\Temporary Internet Files\Content.IE5\WT5UHVFL\topic322848[1].htm moved successfully.
C:\Documents and Settings\1000\Local Settings\Temporary Internet Files\Content.IE5\S2CRRFB2\iframe[1].htm moved successfully.

Registry entries deleted on Reboot...

OTL logfile created on: 6/16/2010 8:27:22 PM - Run 3
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\1000\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 50.65 Gb Free Space | 67.96% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AFLAC9UXG
Current User Name: 9UXG
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/16 18:26:56 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1000\Desktop\OTL.exe
PRC - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2009/07/16 21:03:26 | 000,024,576 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2008/11/21 04:33:32 | 000,431,472 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
PRC - [2008/04/29 14:01:22 | 000,210,224 | ---- | M] (Credant Technologies, Inc.) -- C:\WINDOWS\system32\CmgShieldUI.exe
PRC - [2008/04/29 14:01:08 | 001,103,152 | ---- | M] (Credant Technologies, Inc.) -- C:\WINDOWS\system32\CmgShieldSvc.exe
PRC - [2008/04/29 14:00:14 | 000,644,400 | ---- | M] (CREDANT Technologies, Inc.) -- C:\WINDOWS\system32\EmsService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/10 17:51:10 | 000,106,496 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\AClient\Bin\XcListener.exe
PRC - [2007/09/14 14:20:42 | 000,552,960 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\AClient\Bin\XCGSTask.exe
PRC - [2006/11/30 23:03:50 | 000,167,936 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\AClient\Bin\XCDiffCache.exe
PRC - [2006/10/31 08:17:45 | 000,143,360 | RHS- | M] () -- C:\WINDOWS\IdleProc.exe
PRC - [2006/10/31 08:17:44 | 000,339,968 | ---- | M] () -- C:\WINDOWS\Dll32Agent.Exe
PRC - [2006/05/11 11:47:24 | 000,151,552 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/05/11 11:46:54 | 000,090,112 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2006/02/27 05:00:30 | 000,094,208 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2005/11/15 13:28:04 | 000,085,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2005/11/15 13:27:54 | 001,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2005/11/15 13:27:44 | 000,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005/10/04 12:42:50 | 000,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/10/04 12:42:42 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/09/13 14:30:14 | 000,057,344 | ---- | M] (O2Micro International) -- C:\WINDOWS\system32\o2flash.exe
PRC - [2004/06/28 10:56:12 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\Hidfind.exe
PRC - [2003/07/18 16:02:18 | 001,422,528 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2003/03/14 12:05:08 | 000,851,968 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\HKEYMAN.EXE


========== Modules (SafeList) ==========

MOD - [2010/06/16 18:26:56 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1000\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/07/16 21:03:26 | 000,024,576 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2008/11/21 04:33:32 | 000,431,472 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2008/08/08 21:10:46 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2008/04/29 14:01:08 | 001,103,152 | ---- | M] (Credant Technologies, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\CmgShieldSvc.exe -- (CMGShield)
SRV - [2008/04/29 14:00:14 | 000,644,400 | ---- | M] (CREDANT Technologies, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\EmsService.exe -- (EMS)
SRV - [2006/05/11 11:46:54 | 000,090,112 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2005/11/15 13:27:56 | 000,169,200 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2005/11/15 13:27:54 | 001,756,912 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2005/11/15 13:27:44 | 000,020,208 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2005/10/19 17:39:34 | 000,214,672 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005/10/04 12:42:50 | 000,177,776 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/10/04 12:42:48 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005/10/04 12:42:42 | 000,185,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/09/13 14:30:14 | 000,057,344 | ---- | M] (O2Micro International) [Auto | Running] -- C:\WINDOWS\system32\o2flash.exe -- (O2Flash)
SRV - [2005/03/30 21:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2003/10/31 11:01:00 | 000,106,496 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\pcAnywhere\awhost32.exe -- (awhost32)
SRV - [2003/07/18 16:02:18 | 001,422,528 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)


========== Driver Services (SafeList) ==========

DRV - [2010/06/12 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\eeCtrl.sys -- (eeCtrl)
DRV - [2010/06/08 09:58:02 | 000,247,808 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2010/06/06 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/17 04:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100612.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/17 04:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100612.003\NAVENG.SYS -- (NAVENG)
DRV - [2008/06/24 17:35:06 | 000,023,552 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2008/04/29 14:05:34 | 000,089,656 | ---- | M] (Credant Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\CmgShREG.sys -- (CMGShieldReg)
DRV - [2008/04/29 14:05:26 | 000,195,128 | ---- | M] (Credant Technologies, Inc.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\CMGShCEF.sys -- (CmgShieldCEF)
DRV - [2008/04/29 14:04:58 | 000,156,976 | ---- | M] (CREDANT Technologies, Inc.) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\CmgShieldNP.dll -- (CmgShieldNP)
DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006/10/31 08:17:45 | 000,077,824 | -HS- | M] (PC Dynamics, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SafDskNT.sys -- (SafDskNT)
DRV - [2006/02/26 00:43:00 | 001,428,480 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2005/12/27 05:21:38 | 001,099,336 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/12/12 03:08:44 | 001,124,097 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/12/09 03:48:40 | 004,123,136 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/12/08 19:48:00 | 000,243,712 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/11/25 11:50:44 | 000,010,112 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HOTKEY.SYS -- (HOTKEY)
DRV - [2005/11/08 11:12:18 | 000,997,376 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/11/08 11:11:34 | 000,202,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/11/08 11:11:30 | 000,723,712 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/10/19 17:39:04 | 000,195,728 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2005/10/19 17:38:58 | 000,024,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/09/23 07:48:44 | 000,028,544 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\o2sd.sys -- (O2SDRDR)
DRV - [2005/09/17 00:20:06 | 000,108,168 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/08/26 14:22:50 | 000,053,896 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/08/26 14:22:48 | 000,334,984 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2005/07/28 14:13:14 | 000,190,592 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/07/08 14:06:50 | 000,034,176 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\o2media.sys -- (O2MDRDR)
DRV - [2005/06/10 09:26:00 | 000,035,968 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2005/03/30 21:48:20 | 000,372,832 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/02/23 15:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/07/04 19:25:54 | 000,103,391 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2003/10/24 09:53:08 | 000,016,984 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\AW_HOST5.sys -- (AW_HOST)
DRV - [2003/07/18 16:01:28 | 000,268,360 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2003/05/01 14:26:34 | 000,005,220 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2003/04/21 14:08:44 | 000,010,901 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\awlegacy.sys -- (awlegacy)
DRV - [2003/04/21 13:00:32 | 000,013,898 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\GERNUWA.sys -- (Gernuwa)
DRV - [2003/03/19 15:42:02 | 000,389,888 | ---- | M] (B.H.A Co.,Ltd.) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\BsUDF.sys -- (BsUDF)
DRV - [2003/03/03 15:08:56 | 000,176,896 | ---- | M] (Zone Labs Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2002/12/09 02:44:32 | 000,010,270 | ---- | M] (B.H.A Co.,Ltd.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdrbsvsd.sys -- (cdrbsvsd)
DRV - [2002/08/26 18:09:42 | 000,138,916 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2002/06/06 01:07:00 | 000,009,344 | ---- | M] (B.H.A Co.,Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\BsStor.sys -- (BsStor)
DRV - [2001/08/17 14:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 08:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-184708185-3649356386-1762526241-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login?.src=m...mp;.partner=sbc
IE - HKU\S-1-5-21-184708185-3649356386-1762526241-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2009/12/28 23:06:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1000\Application Data\Mozilla\Extensions
[2009/12/28 23:06:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1000\Application Data\Mozilla\Extensions\home2@tomtom.com

O1 HOSTS File: ([2010/05/08 00:12:02 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_14\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [!SysInit] C:\WINDOWS\system32\MsChkSys.exe ()
O4 - HKLM..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe (iAnywhere Solutions, Inc.)
O4 - HKLM..\Run: [Afaria Client Generic Scheduler] C:\Program Files\AClient\Bin\XCGSTask.exe (iAnywhere Solutions, Inc.)
O4 - HKLM..\Run: [Afaria Client Listener] C:\Program Files\AClient\Bin\XcListener.exe (iAnywhere Solutions, Inc.)
O4 - HKLM..\Run: [Aflac_Do_Not_Remove] C:\Aflac2000\WSPInfo.exe (AFLAC)
O4 - HKLM..\Run: [CmgShieldUI] C:\WINDOWS\system32\CmgShieldUI.exe (Credant Technologies, Inc.)
O4 - HKLM..\Run: [Hotkey] C:\WINDOWS\system32\HKEYMAN.EXE (Matsushita Electric Industrial Co., Ltd.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [VerifyAfariaDownload] C:\Program Files\AFLAC\SNG\VerifyAfariaDownload.exe ( )
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [WSPPurge] C:\Program Files\AFLAC\Common\WSPPurge.exe (AFLAC)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe (iAnywhere Solutions, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-184708185-3649356386-1762526241-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_14\bin\NPJPI150_14.dll (Sun Microsystems, Inc.)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} http://download.microsoft.com/download/0/f...tualEarth3D.cab (Reg Error: Key error.)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www2.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1173465087258 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {C73881A0-E7F5-4CE4-B199-307EB127FE15} http://download.humanconcepts.com/download.../hcinstall5.cab (HumanConcepts Organization(5))
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_14)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (CmgShieldGina.dll) - C:\WINDOWS\System32\CmgShieldGina.dll (Credant Technologies, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\PCANotify: DllName - PCANotify.dll - C:\WINDOWS\System32\PCANotify.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\AFLAC Logo 3.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\AFLAC Logo 3.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/11 14:32:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{dc5b47d4-37bf-11db-aa28-001302327d89}\Shell\AutoRun\command - "" = E:\Programs\nu2menu\nu2menu.exe -- File not found
O33 - MountPoints2\{dc5b47d7-37bf-11db-aa28-001302327d89}\Shell\AutoRun\command - "" = H:\Programs\nu2menu\nu2menu.exe -- File not found
O33 - MountPoints2\{ee73ab3e-f425-11de-b637-000b97a06038}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/16 19:59:24 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/06/16 18:26:49 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\1000\Desktop\OTL.exe
[2010/06/13 12:47:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\1000\Desktop\Log Files
[2010/06/13 11:13:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\1000\Recent
[2010/06/01 10:34:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/05/31 14:58:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2010/05/30 08:38:58 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/05/28 17:42:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/28 17:29:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/21 21:15:05 | 000,000,000 | ---D | C] -- C:\Program Files\Shared
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/16 20:24:03 | 000,001,681 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Afaria Client Generic Scheduler.lnk
[2010/06/16 20:22:51 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/16 20:22:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/16 20:22:33 | 2137,051,136 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/16 20:21:34 | 003,932,160 | -H-- | M] () -- C:\Documents and Settings\1000\NTUSER.DAT
[2010/06/16 20:21:11 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\1000\ntuser.ini
[2010/06/16 18:26:56 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1000\Desktop\OTL.exe
[2010/06/16 18:22:38 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/13 23:48:58 | 004,308,000 | -H-- | M] () -- C:\Documents and Settings\1000\Local Settings\Application Data\IconCache.db
[2010/06/13 11:11:43 | 000,278,152 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/13 11:04:41 | 000,506,068 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/13 11:04:41 | 000,444,596 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/13 11:04:41 | 000,072,306 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/13 10:48:59 | 000,000,917 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/13 10:18:52 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\gmer.zip
[2010/06/13 10:17:49 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\dds.scr
[2010/06/09 12:24:00 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\WebReg Deskjet D1300 series.job
[2010/06/08 21:49:08 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\1000\defogger_reenable
[2010/06/08 09:58:02 | 000,247,808 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys
[2010/06/08 09:47:33 | 000,966,213 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\tdsskiller.zip
[2010/06/07 07:34:15 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\Suspicious modification c windows.doc
[2010/06/01 12:28:57 | 2097,156,096 | ---- | M] () -- C:\Protected.sdsk
[2010/05/31 15:05:45 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/31 09:28:16 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\State Call In Report.xls
[2010/05/30 08:30:51 | 000,162,531 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\Listening .pdf
[2010/05/29 12:04:10 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/05/29 12:04:09 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/27 17:24:49 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\CCleaner.lnk
[2010/05/27 15:58:22 | 000,014,468 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\Regnotes Kredensor may 21 2010].docx
[2010/05/25 17:14:14 | 000,206,630 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\STRATEGIC_INVENTORY_MANAGEMENT__BUSINESS_PLAN[1].pdf
[2010/05/25 15:39:26 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\Books to Read.doc
[2010/05/25 14:47:30 | 000,034,304 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\King Arthur Court Asset Management Plan.doc
[2010/05/20 11:46:54 | 000,190,464 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\kickoff May 2010.ppt
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/13 14:41:34 | 2137,051,136 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/13 10:18:50 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\1000\Desktop\gmer.zip
[2010/06/13 10:17:46 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\1000\Desktop\dds.scr
[2010/06/08 21:49:08 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\1000\defogger_reenable
[2010/06/08 09:47:16 | 000,966,213 | ---- | C] () -- C:\Documents and Settings\1000\Desktop\tdsskiller.zip
[2010/06/07 07:34:15 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\1000\Desktop\Suspicious modification c windows.doc
[2010/05/31 15:05:42 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/30 08:30:47 | 000,162,531 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\Listening .pdf
[2010/05/27 15:58:21 | 000,014,468 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\Regnotes Kredensor may 21 2010].docx
[2010/05/25 17:14:11 | 000,206,630 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\STRATEGIC_INVENTORY_MANAGEMENT__BUSINESS_PLAN[1].pdf
[2010/05/25 15:39:26 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\Books to Read.doc
[2010/05/23 22:24:24 | 000,034,304 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\King Arthur Court Asset Management Plan.doc
[2010/05/20 11:46:54 | 000,190,464 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\kickoff May 2010.ppt
[2009/09/05 21:28:59 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/04/07 10:46:56 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2007/11/05 14:52:16 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2007/11/05 14:50:11 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EP_CX5000.ini
[2007/10/19 20:56:16 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/10/19 20:54:28 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/10/19 20:54:28 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2007/10/18 05:02:34 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/08/26 14:22:45 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2007/08/26 14:22:42 | 000,000,638 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/11/21 12:50:49 | 000,031,936 | ---- | C] () -- C:\WINDOWS\System32\Wintab.dll
[2006/11/07 16:37:57 | 000,002,646 | ---- | C] () -- C:\WINDOWS\BRMFBIDI.INI
[2006/10/31 08:17:45 | 000,200,704 | RHS- | C] () -- C:\WINDOWS\MsCae32.dll
[2006/10/31 08:17:45 | 000,172,032 | RHS- | C] () -- C:\WINDOWS\System32\MsChkSys.dll
[2006/10/31 08:17:45 | 000,022,528 | RHS- | C] () -- C:\WINDOWS\System32\Optic32.dll
[2006/09/08 22:42:33 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/09/08 22:05:13 | 000,000,058 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/09/06 15:07:47 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS71.DLL
[2006/09/06 15:00:17 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS27.DLL
[2006/07/19 13:11:36 | 000,135,168 | ---- | C] () -- C:\WINDOWS\InstShDialog.dll
[2006/07/18 22:08:19 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/07/18 21:35:08 | 000,004,379 | ---- | C] () -- C:\WINDOWS\SigPlus.ini
[2006/07/18 20:02:16 | 000,000,294 | ---- | C] () -- C:\WINDOWS\SA_ESS32.ini
[2006/07/18 19:31:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2006/07/11 15:48:04 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/11 14:44:39 | 000,000,524 | ---- | C] () -- C:\WINDOWS\WinTab.ini
[2006/07/11 14:41:52 | 000,136,384 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2006/05/16 09:28:53 | 000,247,808 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys
[2005/01/21 12:02:28 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\RMDevice.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
< End of report >


Edited by kingarthur2, 17 June 2010 - 07:46 AM.


#12 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:09:18 AM

Posted 17 June 2010 - 05:56 PM

Hello, kingarthur2.

OK, looks like it ran OK. I did see the security shield before...looks like ESET is only picking up false positives. How is your computer running?



Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 20 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 20 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.



Step 2

We need to run an OTL script.
  1. Please download OTL from one of the following mirrors if you do not still have it.
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    CODE
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=0
  5. Click the Run Fix button at the top.
  6. Let the program run unhindered and reboot when it is done.
  7. You will get a log when it is done, please post that in your reply.
  8. Please then create a new OTL report....
  9. Click the "Scan All Users" checkbox.
  10. Push the button.
  11. A report will open, copy and paste it in a reply here.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#13 kingarthur2
  • Topic Starter

  • Members
  • 33 posts
  • Gender:Male
  • Local time:08:18 AM

Posted 17 June 2010 - 06:00 PM

Thanks. Computer is running fine. I am currently running the same ESET scan on my other laptop, same laptop with Credant security on it to see if the same 3 infections show up (just trying to be thorough). I'll run what you suggested within the next 2 hours. Thanks

#14 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:09:18 AM

Posted 17 June 2010 - 06:06 PM

Even if it's not detected there, I'm confident it's just a FP. Lots of security programs get detected since they do similar types of things as viruses (e.g. lock things down, change values, etc.)




#15 kingarthur2
  • Topic Starter

  • Members
  • 33 posts
  • Gender:Male
  • Local time:08:18 AM

Posted 17 June 2010 - 08:32 PM

Ok. Here are the scans. Also, I'm posting the ESET scan from my other computer. It picked up 2 of the 3 threats.


========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\"DisableMonitoring"|0 /E : value set successfully!

OTL by OldTimer - Version 3.2.6.0 log created on 06172010_211029

OTL logfile created on: 6/17/2010 9:15:11 PM - Run 4
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\1000\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 50.45 Gb Free Space | 67.69% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AFLAC9UXG
Current User Name: 9UXG
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/16 18:26:56 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1000\Desktop\OTL.exe
PRC - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2009/07/16 21:03:26 | 000,024,576 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2008/11/21 04:33:32 | 000,431,472 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
PRC - [2008/04/29 14:01:22 | 000,210,224 | ---- | M] (Credant Technologies, Inc.) -- C:\WINDOWS\system32\CmgShieldUI.exe
PRC - [2008/04/29 14:01:08 | 001,103,152 | ---- | M] (Credant Technologies, Inc.) -- C:\WINDOWS\system32\CmgShieldSvc.exe
PRC - [2008/04/29 14:00:14 | 000,644,400 | ---- | M] (CREDANT Technologies, Inc.) -- C:\WINDOWS\system32\EmsService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/10 17:51:10 | 000,106,496 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\AClient\Bin\XcListener.exe
PRC - [2007/09/14 14:20:42 | 000,552,960 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\AClient\Bin\XCGSTask.exe
PRC - [2006/11/30 23:03:50 | 000,167,936 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\AClient\Bin\XCDiffCache.exe
PRC - [2006/10/31 08:17:45 | 000,143,360 | RHS- | M] () -- C:\WINDOWS\IdleProc.exe
PRC - [2006/10/31 08:17:44 | 000,339,968 | ---- | M] () -- C:\WINDOWS\Dll32Agent.Exe
PRC - [2006/05/11 11:47:24 | 000,151,552 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/05/11 11:46:54 | 000,090,112 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2006/02/27 05:00:30 | 000,094,208 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2005/11/15 13:28:04 | 000,085,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2005/11/15 13:27:54 | 001,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2005/11/15 13:27:46 | 000,018,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DoScan.exe
PRC - [2005/11/15 13:27:44 | 000,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005/10/04 12:42:50 | 000,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/10/04 12:42:42 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/09/13 14:30:14 | 000,057,344 | ---- | M] (O2Micro International) -- C:\WINDOWS\system32\o2flash.exe
PRC - [2004/06/28 10:56:12 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\Hidfind.exe
PRC - [2003/07/18 16:02:18 | 001,422,528 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2003/03/14 12:05:08 | 000,851,968 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\HKEYMAN.EXE


========== Modules (SafeList) ==========

MOD - [2010/06/16 18:26:56 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1000\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/07/16 21:03:26 | 000,024,576 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2008/11/21 04:33:32 | 000,431,472 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2008/08/08 21:10:46 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2008/04/29 14:01:08 | 001,103,152 | ---- | M] (Credant Technologies, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\CmgShieldSvc.exe -- (CMGShield)
SRV - [2008/04/29 14:00:14 | 000,644,400 | ---- | M] (CREDANT Technologies, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\EmsService.exe -- (EMS)
SRV - [2006/05/11 11:46:54 | 000,090,112 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2005/11/15 13:27:56 | 000,169,200 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2005/11/15 13:27:54 | 001,756,912 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2005/11/15 13:27:44 | 000,020,208 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2005/10/19 17:39:34 | 000,214,672 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005/10/04 12:42:50 | 000,177,776 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/10/04 12:42:48 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005/10/04 12:42:42 | 000,185,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/09/13 14:30:14 | 000,057,344 | ---- | M] (O2Micro International) [Auto | Running] -- C:\WINDOWS\system32\o2flash.exe -- (O2Flash)
SRV - [2005/03/30 21:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2003/10/31 11:01:00 | 000,106,496 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\pcAnywhere\awhost32.exe -- (awhost32)
SRV - [2003/07/18 16:02:18 | 001,422,528 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)


========== Driver Services (SafeList) ==========

DRV - [2010/06/12 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\eeCtrl.sys -- (eeCtrl)
DRV - [2010/06/08 09:58:02 | 000,247,808 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2010/06/06 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/17 04:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100612.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/17 04:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100612.003\NAVENG.SYS -- (NAVENG)
DRV - [2008/06/24 17:35:06 | 000,023,552 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2008/04/29 14:05:34 | 000,089,656 | ---- | M] (Credant Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\CmgShREG.sys -- (CMGShieldReg)
DRV - [2008/04/29 14:05:26 | 000,195,128 | ---- | M] (Credant Technologies, Inc.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\CMGShCEF.sys -- (CmgShieldCEF)
DRV - [2008/04/29 14:04:58 | 000,156,976 | ---- | M] (CREDANT Technologies, Inc.) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\CmgShieldNP.dll -- (CmgShieldNP)
DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006/10/31 08:17:45 | 000,077,824 | -HS- | M] (PC Dynamics, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SafDskNT.sys -- (SafDskNT)
DRV - [2006/02/26 00:43:00 | 001,428,480 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2005/12/27 05:21:38 | 001,099,336 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/12/12 03:08:44 | 001,124,097 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/12/09 03:48:40 | 004,123,136 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/12/08 19:48:00 | 000,243,712 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/11/25 11:50:44 | 000,010,112 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HOTKEY.SYS -- (HOTKEY)
DRV - [2005/11/08 11:12:18 | 000,997,376 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/11/08 11:11:34 | 000,202,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/11/08 11:11:30 | 000,723,712 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/10/19 17:39:04 | 000,195,728 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2005/10/19 17:38:58 | 000,024,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/09/23 07:48:44 | 000,028,544 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\o2sd.sys -- (O2SDRDR)
DRV - [2005/09/17 00:20:06 | 000,108,168 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/08/26 14:22:50 | 000,053,896 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/08/26 14:22:48 | 000,334,984 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2005/07/28 14:13:14 | 000,190,592 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/07/08 14:06:50 | 000,034,176 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\o2media.sys -- (O2MDRDR)
DRV - [2005/06/10 09:26:00 | 000,035,968 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2005/03/30 21:48:20 | 000,372,832 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/02/23 15:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/07/04 19:25:54 | 000,103,391 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2003/10/24 09:53:08 | 000,016,984 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\AW_HOST5.sys -- (AW_HOST)
DRV - [2003/07/18 16:01:28 | 000,268,360 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2003/05/01 14:26:34 | 000,005,220 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2003/04/21 14:08:44 | 000,010,901 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\awlegacy.sys -- (awlegacy)
DRV - [2003/04/21 13:00:32 | 000,013,898 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\GERNUWA.sys -- (Gernuwa)
DRV - [2003/03/19 15:42:02 | 000,389,888 | ---- | M] (B.H.A Co.,Ltd.) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\BsUDF.sys -- (BsUDF)
DRV - [2003/03/03 15:08:56 | 000,176,896 | ---- | M] (Zone Labs Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2002/12/09 02:44:32 | 000,010,270 | ---- | M] (B.H.A Co.,Ltd.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdrbsvsd.sys -- (cdrbsvsd)
DRV - [2002/08/26 18:09:42 | 000,138,916 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2002/06/06 01:07:00 | 000,009,344 | ---- | M] (B.H.A Co.,Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\BsStor.sys -- (BsStor)
DRV - [2001/08/17 14:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 08:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-184708185-3649356386-1762526241-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login?.src=m...mp;.partner=sbc
IE - HKU\S-1-5-21-184708185-3649356386-1762526241-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2009/12/28 23:06:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1000\Application Data\Mozilla\Extensions
[2009/12/28 23:06:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\1000\Application Data\Mozilla\Extensions\home2@tomtom.com

O1 HOSTS File: ([2010/05/08 00:12:02 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [!SysInit] C:\WINDOWS\system32\MsChkSys.exe ()
O4 - HKLM..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe (iAnywhere Solutions, Inc.)
O4 - HKLM..\Run: [Afaria Client Generic Scheduler] C:\Program Files\AClient\Bin\XCGSTask.exe (iAnywhere Solutions, Inc.)
O4 - HKLM..\Run: [Afaria Client Listener] C:\Program Files\AClient\Bin\XcListener.exe (iAnywhere Solutions, Inc.)
O4 - HKLM..\Run: [Aflac_Do_Not_Remove] C:\Aflac2000\WSPInfo.exe (AFLAC)
O4 - HKLM..\Run: [CmgShieldUI] C:\WINDOWS\system32\CmgShieldUI.exe (Credant Technologies, Inc.)
O4 - HKLM..\Run: [Hotkey] C:\WINDOWS\system32\HKEYMAN.EXE (Matsushita Electric Industrial Co., Ltd.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [VerifyAfariaDownload] C:\Program Files\AFLAC\SNG\VerifyAfariaDownload.exe ( )
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [WSPPurge] C:\Program Files\AFLAC\Common\WSPPurge.exe (AFLAC)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe (iAnywhere Solutions, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-184708185-3649356386-1762526241-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} http://download.microsoft.com/download/0/f...tualEarth3D.cab (Reg Error: Key error.)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www2.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1173465087258 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {C73881A0-E7F5-4CE4-B199-307EB127FE15} http://download.humanconcepts.com/download.../hcinstall5.cab (HumanConcepts Organization(5))
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (CmgShieldGina.dll) - C:\WINDOWS\System32\CmgShieldGina.dll (Credant Technologies, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\PCANotify: DllName - PCANotify.dll - C:\WINDOWS\System32\PCANotify.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\AFLAC Logo 3.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\AFLAC Logo 3.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/11 14:32:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{dc5b47d4-37bf-11db-aa28-001302327d89}\Shell\AutoRun\command - "" = E:\Programs\nu2menu\nu2menu.exe -- File not found
O33 - MountPoints2\{dc5b47d7-37bf-11db-aa28-001302327d89}\Shell\AutoRun\command - "" = H:\Programs\nu2menu\nu2menu.exe -- File not found
O33 - MountPoints2\{ee73ab3e-f425-11de-b637-000b97a06038}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/17 21:06:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/06/17 21:06:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/06/17 21:06:10 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/17 21:06:10 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/17 21:06:10 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/17 21:06:10 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/17 21:06:10 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/17 21:05:36 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/06/17 20:47:20 | 016,295,712 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\1000\Desktop\jre-6u20-windows-i586.exe
[2010/06/16 20:42:36 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/06/16 19:59:24 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/06/16 18:26:49 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\1000\Desktop\OTL.exe
[2010/06/13 12:47:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\1000\Desktop\Log Files
[2010/06/13 11:13:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\1000\Recent
[2010/06/01 10:34:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/05/31 14:58:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2010/05/30 08:38:58 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/05/28 17:42:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/28 17:29:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/21 21:15:05 | 000,000,000 | ---D | C] -- C:\Program Files\Shared
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/17 21:14:30 | 000,001,681 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Afaria Client Generic Scheduler.lnk
[2010/06/17 21:13:32 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/17 21:13:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/17 21:13:17 | 2137,051,136 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/17 21:11:59 | 003,932,160 | -H-- | M] () -- C:\Documents and Settings\1000\NTUSER.DAT
[2010/06/17 21:11:59 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\1000\ntuser.ini
[2010/06/17 21:11:37 | 004,838,342 | -H-- | M] () -- C:\Documents and Settings\1000\Local Settings\Application Data\IconCache.db
[2010/06/17 21:05:46 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/17 21:05:46 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/17 21:05:46 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/17 21:05:46 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/17 21:05:46 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/17 20:47:20 | 016,295,712 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\1000\Desktop\jre-6u20-windows-i586.exe
[2010/06/17 20:37:17 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/16 18:26:56 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\1000\Desktop\OTL.exe
[2010/06/13 11:11:43 | 000,278,152 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/13 11:04:41 | 000,506,068 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/13 11:04:41 | 000,444,596 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/13 11:04:41 | 000,072,306 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/13 10:48:59 | 000,000,917 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/13 10:18:52 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\gmer.zip
[2010/06/13 10:17:49 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\dds.scr
[2010/06/09 12:24:00 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\WebReg Deskjet D1300 series.job
[2010/06/08 21:49:08 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\1000\defogger_reenable
[2010/06/08 09:58:02 | 000,247,808 | ---- | M] () -- C:\WINDOWS\System32\drivers\iaStor.sys
[2010/06/08 09:47:33 | 000,966,213 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\tdsskiller.zip
[2010/06/07 07:34:15 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\Suspicious modification c windows.doc
[2010/06/01 12:28:57 | 2097,156,096 | ---- | M] () -- C:\Protected.sdsk
[2010/05/31 15:05:45 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/31 09:28:16 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\State Call In Report.xls
[2010/05/30 08:30:51 | 000,162,531 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\Listening .pdf
[2010/05/29 12:04:10 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/05/29 12:04:09 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/27 17:24:49 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\1000\Desktop\CCleaner.lnk
[2010/05/27 15:58:22 | 000,014,468 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\Regnotes Kredensor may 21 2010].docx
[2010/05/25 17:14:14 | 000,206,630 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\STRATEGIC_INVENTORY_MANAGEMENT__BUSINESS_PLAN[1].pdf
[2010/05/25 15:39:26 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\Books to Read.doc
[2010/05/25 14:47:30 | 000,034,304 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\King Arthur Court Asset Management Plan.doc
[2010/05/20 11:46:54 | 000,190,464 | ---- | M] () -- C:\Documents and Settings\1000\My Documents\kickoff May 2010.ppt
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/13 14:41:34 | 2137,051,136 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/13 10:18:50 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\1000\Desktop\gmer.zip
[2010/06/13 10:17:46 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\1000\Desktop\dds.scr
[2010/06/08 21:49:08 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\1000\defogger_reenable
[2010/06/08 09:47:16 | 000,966,213 | ---- | C] () -- C:\Documents and Settings\1000\Desktop\tdsskiller.zip
[2010/06/07 07:34:15 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\1000\Desktop\Suspicious modification c windows.doc
[2010/05/31 15:05:42 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/30 08:30:47 | 000,162,531 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\Listening .pdf
[2010/05/27 15:58:21 | 000,014,468 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\Regnotes Kredensor may 21 2010].docx
[2010/05/25 17:14:11 | 000,206,630 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\STRATEGIC_INVENTORY_MANAGEMENT__BUSINESS_PLAN[1].pdf
[2010/05/25 15:39:26 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\Books to Read.doc
[2010/05/23 22:24:24 | 000,034,304 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\King Arthur Court Asset Management Plan.doc
[2010/05/20 11:46:54 | 000,190,464 | ---- | C] () -- C:\Documents and Settings\1000\My Documents\kickoff May 2010.ppt
[2009/09/05 21:28:59 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/04/07 10:46:56 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2007/11/05 14:52:16 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2007/11/05 14:50:11 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EP_CX5000.ini
[2007/10/19 20:56:16 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/10/19 20:54:28 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/10/19 20:54:28 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2007/10/18 05:02:34 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/08/26 14:22:45 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2007/08/26 14:22:42 | 000,000,638 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/11/21 12:50:49 | 000,031,936 | ---- | C] () -- C:\WINDOWS\System32\Wintab.dll
[2006/11/07 16:37:57 | 000,002,646 | ---- | C] () -- C:\WINDOWS\BRMFBIDI.INI
[2006/10/31 08:17:45 | 000,200,704 | RHS- | C] () -- C:\WINDOWS\MsCae32.dll
[2006/10/31 08:17:45 | 000,172,032 | RHS- | C] () -- C:\WINDOWS\System32\MsChkSys.dll
[2006/10/31 08:17:45 | 000,022,528 | RHS- | C] () -- C:\WINDOWS\System32\Optic32.dll
[2006/09/08 22:42:33 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/09/08 22:05:13 | 000,000,058 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/09/06 15:07:47 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS71.DLL
[2006/09/06 15:00:17 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS27.DLL
[2006/07/19 13:11:36 | 000,135,168 | ---- | C] () -- C:\WINDOWS\InstShDialog.dll
[2006/07/18 22:08:19 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/07/18 21:35:08 | 000,004,379 | ---- | C] () -- C:\WINDOWS\SigPlus.ini
[2006/07/18 20:02:16 | 000,000,294 | ---- | C] () -- C:\WINDOWS\SA_ESS32.ini
[2006/07/18 19:31:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2006/07/11 15:48:04 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/11 14:44:39 | 000,000,524 | ---- | C] () -- C:\WINDOWS\WinTab.ini
[2006/07/11 14:41:52 | 000,136,384 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2006/05/16 09:28:53 | 000,247,808 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys
[2005/01/21 12:02:28 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\RMDevice.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
< End of report >

C:\Aflac2000\Credant\wssetup.exe probably a variant of Win32/Genetik trojan
C:\WINDOWS\system32\CredantTools\Encryption.zip probably a variant of Win32/Genetik trojan

Edited by kingarthur2, 17 June 2010 - 08:50 PM.
