UPS virus


This topic is locked
20 replies to this topic

#1 ferbw

  • Members
  • 12 posts

Posted 19 November 2010 - 08:24 PM

In June (I think), I received the malicious UPS email, but mine had an HTML attachment, not an exe or zip. Since it was HTML, I double-clicked on it and my machine hasn't run the same since. The help desk at work has been unable to resolve the problem despite re-imaging the laptop 3 times and replacing about every other component -- new hard drive, new motherboard, new graphics card, etc.

I am on a Dell Latitude D630C with 4GB of RAM running Windows XP.

I have startup issues, undocking issues, software I have been unable to install since the first re-image, applications that shut down mid-use or provide erroneous data, as well as other general performance issues:

At startup, after pressing the On button, it blinks, then has a blank screen for several minutes. I then have to turn off the laptop, then on again. The lights then flash and it looks like it is going to start up, but then I hear what sounds like it shutting down, and then a moment later it starts up.

I use a BlackBerry application called Money and occasionally the values don't calculate correctly. Once I run cleanup utilities it goes away for a little while, then comes back.

According to our help desk, it reconnects to the network almost continuously.

Outlook will occasionally show chinese characters all the way across the window title bar.

Here is the help desk history at my company:
June 29th
• Ticket entered (5567566) because laptop would shut itself down and not start up unless I waited an hour or so. Figured I had a virus.
• Reimaged July 1st
• Excel crashes when working with large data sets and formulas (like mass loads to Oracle table)
• After reimage, unable to re-install Visio (flowchart software) and help desk can’t figure out why
• Has issues each time I undock – have to reboot to use, can’t just undock and go

July 6th
• STARS# 000000005575888
• Client called stating that she had her hard drive on her D630 laptop reimaged due to a spyware/virus issue and now when she has Outlook open the CPU usage is between 35 and 100%, and if she just opens Internet Explorer, the CPU pegs at 100%. Task Manager shows the 3 largest memory files in use as outlook.exe, ttimer.exe for Spybot and rtvscan.exe for Symantec.
• Reimaged and rebuilt my profile on July 8th
• Graphics card was also replaced around this time…
• Excel still crashes when working with large data sets and formulas (like mass loads to Oracle table)
• Still can’t install Visio (flowchart software) and help desk can’t figure out why
• Has issues most of the time I undock – have to reboot to use, can’t just undock and go
• Sent follow-up message to Alan Starr, who had been assigned my ticket entered July 6th: “I rebooted the laptop and now it won't start up again..... which is exactly what happened last week before it got re-imaged.”

July 12th
• Problem turning on and when running CPU usage is @ 100% even with just Outlook running
• Help desk not sure what the problem is so reimaged again and replaced mother/system board (ticket 5583900) on July 16th
• Excel still crashes when working with large data sets and formulas (like mass loads to Oracle table)
• Still can’t install Visio (flowchart software) and help desk can’t figure out why
• Occasional issues when I undock – have to reboot to use, can’t just undock and go

July 16th
• Antivirus would request a reboot during start up and then would shut down during reboot. Ticket # 5591516.
• While working and the laptop hung, if I restarted the laptop, it shuts down after the PointSec message and would not successfully reboot for about an hour. If I shut down rather than restart it would boot up ok.
• Seeing weird stuff in Office apps (email not being sent in Outlook and duplicate entries in Excel that don't show up on another machine in the same file).
• Excel crashes when working with large data sets and formulas (like mass loads to Oracle table)
• Still can’t install Visio (flowchart software) and help desk can’t figure out why
• Occasional issues when I undock – have to reboot to use, can’t just undock and go
• New hard drive installed, heat sink replaced. (July 27th)


Oct 1st
• Memory upgraded to 4GB
• Excel still crashes when working with large data sets and formulas (like mass loads to Oracle table)
• Still can’t install Visio (flowchart software) and help desk can’t figure out why
• Occasional issues when I undock – have to reboot to use, can’t just undock and go
• Occasional issues at startup – just shuts down during restart.


Oct 27th
• Blue screened twice within last week while working. PC start up then it turns off by itself, and sometimes it takes about 30 minutes to boot up.
• Disabled smartcard driver based on blue screen log file

Oct 29th
• Excel doing funky stuff – ran Office diagnostics cleared up some issues.
• I was working in a pretty big Excel file with only Outlook and Excel open. Was doing a lookup from a file with about 55k rows (and about 30 columns) to a file with a couple of hundred rows. I started getting the error message about not enough resources continue without undo. That kept happening so I restarted my laptop. It has been sitting at the blue screen (just before you after the login) for about 10 minutes..... turned laptop off, restarted ok.
• Turned a 2 hour project into a 6 hour project.
• Occasional issues when I undock – have to reboot to use, can’t just undock and go


Would appreciate any help you can give to get rid of this virus!

Cheers,
Jennifer



DDS (Ver_10-11-10.01) - NTFSx86
Run by a0187216 at 17:51:24.58 on Fri 11/19/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3518.2651 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: CyberArmor Client *enabled* {E503B27E-6391-4e17-B2CA-F910AF011E23}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iPass\iPassConnect 3\iPassPeriodicUpdateService.exe
C:\Program Files\netDeploy\Launcher\ndserv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\CyberArmor\casvc.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
C:\Program Files\iPass\iPassConnect 3\iPassPeriodicUpdateApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\CyberArmor\pcshelp.exe
C:\PROGRA~1\CYBERG~1\cgahelp.exe
C:\PROGRA~1\CYBERG~1\cgav.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\WINDOWS\system32\CCM\SMSCliUI.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Superior View\Change Proxy Settings\Change Proxy Settings.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\PROGRA~1\CYBERG~1\cgahelp.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\PROGRA~1\CYBERA~1\pcshelp.exe
C:\Documents and Settings\a0187216\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://infolinknews.ti.com/tinews/infolinkhome.html
uWindow Title = Windows Internet Explorer provided by Texas Instruments Incorporated
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://infolink.ti.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [sdsetup[1]] c:\documents and settings\a0187216\desktop\sdsetup[1].exe -min
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [CyberArmorHelper] c:\program files\cyberarmor\pcshelp.exe -check
mRun: [CgaHelper] c:\progra~1\cyberg~1\cgahelp.exe -check
mRun: [CgaViewer] c:\progra~1\cyberg~1\cgav.exe -check
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\change~1.lnk - c:\program files\superior view\change proxy settings\Change Proxy Settings.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\connec~1.lnk - c:\program files\connected\CBSysTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{a7091e1d-36a4-47f1-a739-173cc341414f}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-system: HideLogoffScripts = 1 (0x1)
uPolicies-system: HideLogonScripts = 1 (0x1)
mPolicies-system: HideStartupScripts = 1 (0x1)
mPolicies-system: HideShutdownScripts = 1 (0x1)
IE: Add to Google Photos Screensa&ver
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: 401k.com
Trusted Zone: advancerx.com
Trusted Zone: aetna.com
Trusted Zone: bbrown.com
Trusted Zone: cexp.com
Trusted Zone: cigna.com
Trusted Zone: collegeboundfund.com
Trusted Zone: computershare.com
Trusted Zone: dell.com
Trusted Zone: deltadentalins.com
Trusted Zone: eway.com
Trusted Zone: fidelity.com
Trusted Zone: fishersci.com
Trusted Zone: hcsc.net
Trusted Zone: iqnavigator.com
Trusted Zone: itg.ti.com
Trusted Zone: jtb-cwt.com
Trusted Zone: kaiserpermanente.org
Trusted Zone: linux.omap.com
Trusted Zone: mamsi.com
Trusted Zone: members.hcsc.net
Trusted Zone: netbenefits.com
Trusted Zone: newark.com
Trusted Zone: pacificare.com
Trusted Zone: plms-edu.com
Trusted Zone: resources.hewitt.com
Trusted Zone: shi.com
Trusted Zone: ssi1.com
Trusted Zone: surveymonkey.com
Trusted Zone: ti.com
Trusted Zone: ti.cwconnect.com
Trusted Zone: ticonferencing.com
Trusted Zone: tiws.proactcorp.com
Trusted Zone: ubs.com
Trusted Zone: unitrode.com
Trusted Zone: vsp.com
Trusted Zone: webex.com
Trusted Zone: webmd.com
Trusted Zone: webmdhealth.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266252249763
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266252239868
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://ti.webex.com/client/T27LB/webex/ieatgpc.cab
TCP: {D83CDB61-9C5C-41A7-9A4E-202512BD2B09} = 157.170.1.5,157.170.147.7
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\controls\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\controls\SAPHTMLP.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: cahooknt.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\a0187216\applic~1\mozilla\firefox\profiles\epasslcx.default\
FF - prefs.js: browser.startup.homepage - hxxp://infolinknews.ti.com/tinews/infolinkhome.html
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPJPI142_13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2009-1-23 17968]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 CGAgent;CyberGatekeeper Agent;c:\progra~1\cyberg~1\cgasvc.exe [2010-7-12 73788]
R2 CyberArmorRunService;CyberArmor Run Service;c:\program files\cyberarmor\casvc.exe [2010-7-12 65536]
R2 ndserv;ndserv;c:\program files\netdeploy\launcher\ndserv.exe [2009-1-29 859648]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-8-3 1807600]
R2 Viexca2k;CyberArmor Registry Driver;c:\windows\system32\drivers\viexca2k.sys [2010-7-12 21504]
R2 Viexpf2k;CyberArmor W2KDriver;c:\windows\system32\drivers\viexpf2k.sys [2010-7-12 424479]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-21 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101119.002\naveng.sys [2010-11-19 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101119.002\navex15.sys [2010-11-19 1371184]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2009-1-23 63920]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2009-1-23 36400]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-8-3 115952]

=============== Created Last 30 ================

2010-11-19 19:53:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-11-08 21:23:53 410 ----a-w- c:\windows\.exe
2010-11-06 17:37:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-11-06 17:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2010-10-26 04:25:32 -------- d-----w- c:\docume~1\a0187216\applic~1\GlarySoft
2010-10-25 18:33:19 -------- d-----w- c:\docume~1\a0187216\applic~1\Sammsoft
2010-10-25 18:31:07 -------- d-----w- c:\docume~1\a0187216\locals~1\applic~1\AskToolbar
2010-10-25 18:30:34 -------- d-----w- c:\program files\Glary Utilities
2010-10-22 05:39:59 -------- d-----w- c:\docume~1\a0187216\applic~1\TuneUp Software
2010-10-22 05:39:35 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-10-22 05:39:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
2010-10-22 05:38:49 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-10-22 05:30:13 -------- d-----w- c:\docume~1\a0187216\applic~1\IObit

==================== Find3M ====================

2010-11-09 18:32:54 2852 ----a-w- c:\windows\LTA0187216_Visio2002.exe

============= FINISH: 17:52:01.37 ===============

Attached Files
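A small triage helper for a DDS log like the one posted above. This is an added example, not part of the original post and not code from the DDS tool: it reads the "Pseudo HJT Report" and "Created Last 30" / "Find3M" style lines and flags the entries a responder would look at first (autorun targets that live under user-writable paths, orphaned "No File" toolbar/band entries, a populated AppInit_DLLs value, and executables with an extension-only name or a tiny size under %SystemRoot%). The embedded sample is a constructed excerpt copied from the posted log; the 4 KB size threshold and the user-writable path list are assumptions. Every hit is a prompt to review that entry, not a verdict that it is malicious.

```python
"""Flag DDS log entries worth a second look (added triage example, not part of DDS)."""
import re
from dataclasses import dataclass

# Constructed excerpt copied from the DDS log posted above (a subset, not the whole log).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [sdsetup[1]] c:\documents and settings\a0187216\desktop\sdsetup[1].exe -min
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
AppInit_DLLs: cahooknt.dll
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{a7091e1d-36a4-47f1-a739-173cc341414f}\Icon3E5562ED7.ico

=============== Created Last 30 ================

2010-11-19 19:53:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-11-08 21:23:53 410 ----a-w- c:\windows\.exe
2010-11-06 17:37:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

==================== Find3M ====================

2010-11-09 18:32:54 2852 ----a-w- c:\windows\LTA0187216_Visio2002.exe
"""

AUTORUN_PREFIXES = ("uRun:", "mRun:", "StartupFolder:")
# Assumption: locations an unprivileged user (or anything running as that user) can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\desktop\\", "\\temp\\",
                 "\\application data\\", "\\applic~1\\", "\\local settings\\",
                 "\\locals~1\\", "\\users\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".pif", ".com", ".bat", ".cmd")
SMALL_EXE_BYTES = 4096  # assumption: a program this small under %SystemRoot% is unusual

# DDS file listing: "<date> <time> <size|-------- for dirs> <attrs> <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(.+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def _autorun_target(line: str) -> str:
    """Return the lower-cased, unquoted path an autorun entry actually launches."""
    if line.startswith("StartupFolder:"):
        target = line.rsplit(" - ", 1)[-1]      # ".lnk - <target>": keep the target
    else:
        target = line.split("] ", 1)[-1]        # "[name] <command line>"
    return target.strip().strip('"').lower()


def _check_autorun(line: str):
    target = _autorun_target(line)
    if any(marker in target for marker in USER_WRITABLE):
        return Finding("autorun target in user-writable location", line)
    return None


def _check_created(line: str):
    m = CREATED_RE.match(line)
    if not m:
        return None
    size, path = m.group(2), m.group(4).strip().lower()
    if not size.isdigit():                      # directory entry ("--------")
        return None
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if dot and "." + ext in EXEC_EXT:
        if not stem:
            return Finding("executable with extension-only filename", line)
        if path.startswith("c:\\windows\\") and int(size) < SMALL_EXE_BYTES:
            return Finding("tiny executable under %SystemRoot%", line)
    return None


def triage(log_text: str) -> list:
    """Walk the log line by line and collect review-worthy entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("- No File"):
            findings.append(Finding("orphaned entry (No File)", line))
        elif line.startswith(AUTORUN_PREFIXES):
            f = _check_autorun(line)
            if f:
                findings.append(f)
        elif line.startswith("AppInit_DLLs:"):
            if line.split(":", 1)[1].strip():   # any value here loads into every user32 process
                findings.append(Finding("AppInit_DLLs set: DLL injected into every process that loads user32.dll", line))
        else:
            f = _check_created(line)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Run it against the full log by reading the DDS text file instead of SAMPLE_LOG. The rules deliberately skip legitimate-looking entries (ctfmon.exe in system32, a plugin DLL under Program Files, directory entries), so the output is short enough to check by hand against the vendor paths in the "Running Processes" section.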
#2 Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 29 November 2010 - 03:18 PM

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log




Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.


#3 ferbw (Topic Starter)

  • Members
  • 12 posts

Posted 30 November 2010 - 09:53 AM

Thanks for the reply, and after looking at the forum I understand the delay due to the sheer volume of questions y'all get -- I appreciate any help I can get here, as I and our corporate help desk have made no progress resolving my problems.

I have successfully re-run DDS but am having trouble running the GMER again. My laptop has locked up a second time running it and it has taken about 30 minutes just to get it booted up again after each lock up. I am posting this reply from another machine. I just restarted the scan and I will post the 3 output files once I have successfully run the GMER again -- let's hope that the 3rd time works.......

I provided quite a bit of detail in my original post about the problems I am experiencing, so I will keep any further details about my problems focused on new stuff, since these posts will get quite long with the DDS log details. Please let me know if you have any questions or need additional detail about the problems listed in my original posting.

Thanks in advance for any help you can provide.

Best regards,
Jennifer

#4 ferbw (Topic Starter)

  • Members
  • 12 posts

Posted 30 November 2010 - 04:11 PM

I have tried 12 times to re-run GMER, but my laptop keeps locking up. Here are the new attachments I can provide. Can you please use the GMER log file I attached to my original post?



DDS (Ver_10-11-10.01) - NTFSx86
Run by a0187216 at 10:54:55.54 on Tue 11/30/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3518.2803 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: CyberArmor Client *enabled* {E503B27E-6391-4e17-B2CA-F910AF011E23}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iPass\iPassConnect 3\iPassPeriodicUpdateService.exe
C:\Program Files\netDeploy\Launcher\ndserv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\CyberArmor\casvc.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\CyberArmor\pcshelp.exe
C:\PROGRA~1\CYBERG~1\cgahelp.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
C:\PROGRA~1\CYBERG~1\cgav.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPass\iPassConnect 3\iPassPeriodicUpdateApp.exe
C:\PROGRA~1\CYBERA~1\pcshelp.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Superior View\Change Proxy Settings\Change Proxy Settings.exe
C:\Program Files\Connected\CBSysTray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\a0187216\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://infolinknews.ti.com/tinews/infolinkhome.html
uWindow Title = Windows Internet Explorer provided by Texas Instruments Incorporated
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://infolink.ti.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [sdsetup[1]] c:\documents and settings\a0187216\desktop\sdsetup[1].exe -min
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [CyberArmorHelper] c:\program files\cyberarmor\pcshelp.exe -check
mRun: [CgaHelper] c:\progra~1\cyberg~1\cgahelp.exe -check
mRun: [CgaViewer] c:\progra~1\cyberg~1\cgav.exe -check
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\change~1.lnk - c:\program files\superior view\change proxy settings\Change Proxy Settings.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\connec~1.lnk - c:\program files\connected\CBSysTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{a7091e1d-36a4-47f1-a739-173cc341414f}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-system: HideLogoffScripts = 1 (0x1)
uPolicies-system: HideLogonScripts = 1 (0x1)
mPolicies-system: HideStartupScripts = 1 (0x1)
mPolicies-system: HideShutdownScripts = 1 (0x1)
IE: Add to Google Photos Screensa&ver
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: 401k.com
Trusted Zone: advancerx.com
Trusted Zone: aetna.com
Trusted Zone: bbrown.com
Trusted Zone: cexp.com
Trusted Zone: cigna.com
Trusted Zone: collegeboundfund.com
Trusted Zone: computershare.com
Trusted Zone: dell.com
Trusted Zone: deltadentalins.com
Trusted Zone: eway.com
Trusted Zone: fidelity.com
Trusted Zone: fishersci.com
Trusted Zone: hcsc.net
Trusted Zone: iqnavigator.com
Trusted Zone: itg.ti.com
Trusted Zone: jtb-cwt.com
Trusted Zone: kaiserpermanente.org
Trusted Zone: linux.omap.com
Trusted Zone: mamsi.com
Trusted Zone: members.hcsc.net
Trusted Zone: netbenefits.com
Trusted Zone: newark.com
Trusted Zone: pacificare.com
Trusted Zone: plms-edu.com
Trusted Zone: resources.hewitt.com
Trusted Zone: shi.com
Trusted Zone: ssi1.com
Trusted Zone: surveymonkey.com
Trusted Zone: ti.com
Trusted Zone: ti.cwconnect.com
Trusted Zone: ticonferencing.com
Trusted Zone: tiws.proactcorp.com
Trusted Zone: ubs.com
Trusted Zone: unitrode.com
Trusted Zone: vsp.com
Trusted Zone: webex.com
Trusted Zone: webmd.com
Trusted Zone: webmdhealth.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266252249763
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266252239868
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://ti.webex.com/client/T27LB/webex/ieatgpc.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\controls\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\controls\SAPHTMLP.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: cahooknt.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\a0187216\applic~1\mozilla\firefox\profiles\epasslcx.default\
FF - prefs.js: browser.startup.homepage - hxxp://infolinknews.ti.com/tinews/infolinkhome.html
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPJPI142_13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2009-1-23 17968]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 CGAgent;CyberGatekeeper Agent;c:\progra~1\cyberg~1\cgasvc.exe [2010-7-12 73788]
R2 CyberArmorRunService;CyberArmor Run Service;c:\program files\cyberarmor\casvc.exe [2010-7-12 65536]
R2 ndserv;ndserv;c:\program files\netdeploy\launcher\ndserv.exe [2009-1-29 859648]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-8-3 1807600]
R2 Viexca2k;CyberArmor Registry Driver;c:\windows\system32\drivers\viexca2k.sys [2010-7-12 21504]
R2 Viexpf2k;CyberArmor W2KDriver;c:\windows\system32\drivers\viexpf2k.sys [2010-7-12 424479]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-21 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101128.002\naveng.sys [2010-11-29 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101128.002\navex15.sys [2010-11-29 1371184]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2009-1-23 63920]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2009-1-23 36400]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-8-3 115952]

=============== Created Last 30 ================

2010-11-25 18:55:03 -------- d-----w- c:\program files\Paint Shop Pro
2010-11-19 19:53:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-11-08 21:23:53 410 ----a-w- c:\windows\.exe
2010-11-06 17:37:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-11-06 17:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2010-11-09 18:32:54 2852 ----a-w- c:\windows\LTA0187216_Visio2002.exe

============= FINISH: 10:56:21.70 ===============


#5 sundavis
  • Malware Response Team
  • 2,708 posts

Posted 02 December 2010 - 09:08 PM

Hi ferbw,

Welcome to the BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis. I will be helping you to deal with your malware problems today.


Step 1

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\TDSSKiller folder). Please copy and paste the contents of that file here.


Step 2

  • Please download OTL and save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste the following bolded text:


    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    svchost.exe
    /md5stop
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90


  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • OTListIt.txt <-- Will be opened and Extra.txt <-- Will be minimized
  • Copy and paste both logs back here in your next reply.


In your next reply, please post back:


1. TDSSKiller.txt
2. OTListIt.txt and Extra.txt

Thanks

Edited by sundavis, 02 December 2010 - 09:33 PM.


#6 sjpritch25
  • Security Colleague
  • 898 posts
  • Location: West Coast of Florida, USA

Posted 02 December 2010 - 09:09 PM

Sorry, looks like we posted at the same time.

Edited by sjpritch25, 02 December 2010 - 09:20 PM.

Microsoft MVP Consumer Security--2007-2010

#7 ferbw
  • Topic Starter
  • Members
  • 12 posts

Posted 03 December 2010 - 12:31 PM

I am just now seeing that I got 2 different replies, one from sjpritch25 and one from sundavis. I got email regarding
sjpritch25's and downloaded mbr.exe from http://www2.gmer.net/mbr/mbr.exe to my root drive (usually C:) and ran 'c:\mbr.exe -t c:\mbr.log'. Below is the resulting log. Is this all of it?

I will now follow the steps detailed by sundavis.

Thanks!!!
Jennifer




Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHZ2160BJ_FFS_G2 rev.0085001C -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-9

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#8 ferbw
  • Topic Starter
  • Members
  • 12 posts

Posted 03 December 2010 - 12:49 PM

The OTL site is blocked by my company, so I will download and run that this afternoon when I get home.

Here is the TDSSKiller log:


2010/12/03 11:39:33.0038 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01
2010/12/03 11:39:33.0038 ================================================================================
2010/12/03 11:39:33.0038 SystemInfo:
2010/12/03 11:39:33.0038
2010/12/03 11:39:33.0038 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/03 11:39:33.0038 Product type: Workstation
2010/12/03 11:39:33.0038 ComputerName: LTA0187216
2010/12/03 11:39:33.0038 UserName: a0187216
2010/12/03 11:39:33.0038 Windows directory: C:\WINDOWS
2010/12/03 11:39:33.0038 System windows directory: C:\WINDOWS
2010/12/03 11:39:33.0038 Processor architecture: Intel x86
2010/12/03 11:39:33.0038 Number of processors: 2
2010/12/03 11:39:33.0038 Page size: 0x1000
2010/12/03 11:39:33.0038 Boot type: Normal boot
2010/12/03 11:39:33.0038 ================================================================================
2010/12/03 11:39:33.0569 Initialize success
2010/12/03 11:39:40.0085 ================================================================================
2010/12/03 11:39:40.0085 Scan started
2010/12/03 11:39:40.0085 Mode: Manual;
2010/12/03 11:39:40.0085 ================================================================================
2010/12/03 11:39:42.0007 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/03 11:39:42.0507 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/03 11:39:43.0413 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/03 11:39:44.0007 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/03 11:39:44.0523 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/12/03 11:39:46.0882 ApfiltrService (350f19eb5fe4ec37a2414df56cde1aa8) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2010/12/03 11:39:47.0726 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
2010/12/03 11:39:48.0195 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/12/03 11:39:49.0757 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/03 11:39:50.0273 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/03 11:39:51.0195 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/03 11:39:51.0617 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/03 11:39:52.0054 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/03 11:39:52.0492 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/03 11:39:53.0273 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/03 11:39:53.0742 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/03 11:39:54.0289 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/03 11:39:55.0070 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/12/03 11:39:55.0867 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/12/03 11:39:56.0664 CSRBC (8e1945984e147562f9f08e1d344a69cc) C:\WINDOWS\system32\Drivers\csrbcxp.sys
2010/12/03 11:39:57.0164 ctxusbm (cb6ff7012bb5d59d7c12350db795ce1f) C:\WINDOWS\system32\DRIVERS\ctxusbm.sys
2010/12/03 11:39:57.0664 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2010/12/03 11:39:58.0257 CVPNDRVA (465ced77e7c4f9d71b81ba600edafac1) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
2010/12/03 11:39:59.0445 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/03 11:40:00.0320 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/03 11:40:01.0398 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/03 11:40:01.0898 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/03 11:40:02.0398 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/03 11:40:02.0898 DNE (86d52c32a308f84bbc626bff7c1fb710) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2010/12/03 11:40:03.0726 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/03 11:40:04.0164 DXEC01 (549734664886d91222969845e4311d1b) C:\WINDOWS\system32\drivers\dxec01.sys
2010/12/03 11:40:04.0804 e1express (33dc2a5b6298633f4dd8e4d407cdf8b4) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2010/12/03 11:40:05.0164 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2010/12/03 11:40:05.0304 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2010/12/03 11:40:05.0867 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/03 11:40:06.0383 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/03 11:40:06.0820 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/03 11:40:07.0336 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/03 11:40:07.0820 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/03 11:40:08.0570 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/03 11:40:09.0211 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/03 11:40:09.0726 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/03 11:40:10.0211 guardian2 (c0bdab85f3e8b2138c513255e2bcc4d8) C:\WINDOWS\system32\Drivers\oz776.sys
2010/12/03 11:40:10.0726 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/03 11:40:11.0211 HECI (982da8edc8e2680ba8e39dc1ad54a04e) C:\WINDOWS\system32\DRIVERS\HECI.sys
2010/12/03 11:40:11.0617 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/03 11:40:12.0476 HSFHWAZL (290cdbb05903742ea06b7203c5a662f5) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2010/12/03 11:40:13.0476 HSF_DPV (7ab812355f98858b9ecdd46e6fcc221f) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2010/12/03 11:40:14.0586 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/03 11:40:15.0945 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/03 11:40:16.0633 iaStor (baabb0301949774a66b955c65319635a) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2010/12/03 11:40:17.0133 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/03 11:40:17.0883 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/03 11:40:18.0383 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/03 11:40:18.0805 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/03 11:40:19.0289 iPassP (468422b9137c884ab8fba05a590989d7) C:\WINDOWS\system32\DRIVERS\iPassP.sys
2010/12/03 11:40:19.0789 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/03 11:40:20.0242 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/03 11:40:20.0727 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/03 11:40:21.0492 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/03 11:40:21.0899 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/03 11:40:22.0336 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/03 11:40:22.0758 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/03 11:40:23.0305 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/03 11:40:23.0852 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/03 11:40:24.0664 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/12/03 11:40:25.0055 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/03 11:40:25.0742 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/03 11:40:26.0149 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/03 11:40:26.0602 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/03 11:40:27.0117 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/03 11:40:28.0055 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/03 11:40:28.0727 MRxSmb (421f7b922cec5a5f340e7574a98f7b7c) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/03 11:40:29.0164 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/03 11:40:29.0602 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/03 11:40:30.0024 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/03 11:40:30.0461 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/03 11:40:30.0867 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/03 11:40:31.0305 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/03 11:40:31.0617 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101202.002\naveng.sys
2010/12/03 11:40:32.0383 NAVEX15 (158676a5758c1fa519563b3e72fbf256) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101202.002\navex15.sys
2010/12/03 11:40:32.0992 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/03 11:40:33.0586 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/03 11:40:33.0993 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/03 11:40:34.0446 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/03 11:40:34.0899 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/03 11:40:35.0352 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/03 11:40:35.0977 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/03 11:40:37.0649 NETw4x32 (88100ebdd10309fbd445ef8e42452eae) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
2010/12/03 11:40:39.0289 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/12/03 11:40:39.0680 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/03 11:40:40.0446 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/03 11:40:41.0211 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/03 11:40:45.0118 nv (0390b9368ea20dfb9e416a520b28a555) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/12/03 11:40:49.0196 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/03 11:40:49.0680 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/03 11:40:50.0212 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/12/03 11:40:50.0712 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/03 11:40:51.0165 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/03 11:40:51.0696 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/03 11:40:52.0165 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/03 11:40:52.0962 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/03 11:40:53.0430 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/12/03 11:40:56.0415 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/03 11:40:56.0930 prepdrvr (3909be53ad8e2bfcac9d9148e4b2b270) C:\WINDOWS\system32\CCM\prepdrv.sys
2010/12/03 11:40:57.0368 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/03 11:40:57.0837 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/03 11:41:00.0165 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/03 11:41:00.0649 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/03 11:41:01.0149 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/03 11:41:01.0618 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/03 11:41:02.0087 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/03 11:41:02.0618 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/03 11:41:03.0165 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/03 11:41:03.0727 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/03 11:41:04.0196 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/03 11:41:04.0649 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
2010/12/03 11:41:05.0087 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2010/12/03 11:41:05.0587 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/12/03 11:41:06.0165 rspndr (a3b23fb3f295694091f51865f98588b2) C:\WINDOWS\system32\DRIVERS\rspndr.sys
2010/12/03 11:41:06.0509 SAVRT (cdb565c093b0105086cc630b32f9e6e6) C:\Program Files\Symantec AntiVirus\savrt.sys
2010/12/03 11:41:06.0571 SAVRTPEL (1042cb5a003f9aed8d6cec56a0fc6c49) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2010/12/03 11:41:07.0009 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/03 11:41:07.0493 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/03 11:41:08.0009 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/03 11:41:08.0743 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/03 11:41:09.0665 smsmdd (4b4ab78e866bbecf93f6eabc3270178a) C:\WINDOWS\system32\DRIVERS\smsmdm.sys
2010/12/03 11:41:10.0368 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2010/12/03 11:41:11.0009 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/03 11:41:11.0571 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/03 11:41:12.0212 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/03 11:41:13.0259 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
2010/12/03 11:41:13.0650 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/03 11:41:14.0103 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/03 11:41:15.0087 SymEvent (3c6790d26d03fe5163e2bec490e51a7e) C:\Program Files\Symantec\SYMEVENT.SYS
2010/12/03 11:41:16.0228 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/03 11:41:16.0853 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/03 11:41:17.0259 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/03 11:41:17.0759 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/03 11:41:18.0196 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/03 11:41:19.0040 tosporte (8d624d3bd1f2d78bd1c01a2d4e954b4e) C:\WINDOWS\system32\DRIVERS\tosporte.sys
2010/12/03 11:41:19.0556 tosrfbd (399c5e4db7bdd5a83a7d26c96389b85a) C:\WINDOWS\system32\DRIVERS\tosrfbd.sys
2010/12/03 11:41:20.0040 tosrfbnp (181e217a7a326817d97946d045b3cb46) C:\WINDOWS\system32\Drivers\tosrfbnp.sys
2010/12/03 11:41:20.0462 Tosrfcom (e90ace3b4fa7a85f992bc21eb779c407) C:\WINDOWS\system32\Drivers\tosrfcom.sys
2010/12/03 11:41:20.0993 Tosrfhid (efc95c0dc6f96b228f58319776006548) C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys
2010/12/03 11:41:21.0462 tosrfnds (c52fd27b9adf3a1f22cb90e6bcf9b0cb) C:\WINDOWS\system32\DRIVERS\tosrfnds.sys
2010/12/03 11:41:21.0978 tosrfusb (98c04a6432ce9c2ad328f57b9384d348) C:\WINDOWS\system32\DRIVERS\tosrfusb.sys
2010/12/03 11:41:22.0478 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/03 11:41:23.0493 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/03 11:41:24.0150 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/03 11:41:24.0587 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/03 11:41:25.0072 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/03 11:41:25.0572 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/03 11:41:25.0978 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/03 11:41:26.0400 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/03 11:41:27.0212 Viexca2k (aecefb86fa79de9c829e4d82c748ca1e) C:\WINDOWS\system32\drivers\viexca2k.sys
2010/12/03 11:41:27.0837 Viexpf2k (87304b85614aca21ab2979c81e295e93) C:\WINDOWS\system32\drivers\viexpf2k.sys
2010/12/03 11:41:28.0306 vmscsi (82132036ee4d3e8aa3e73feebe1a9741) C:\WINDOWS\system32\DRIVERS\vmscsi.sys
2010/12/03 11:41:28.0775 vmxnet (2c49f1230493c1853755cfe8b10f4c85) C:\WINDOWS\system32\DRIVERS\vmxnet.sys
2010/12/03 11:41:29.0228 vmx_svga (177870fe830776383489e383cfec016d) C:\WINDOWS\system32\DRIVERS\vmx_svga.sys
2010/12/03 11:41:29.0697 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/03 11:41:30.0244 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
2010/12/03 11:41:30.0884 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/03 11:41:31.0619 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/12/03 11:41:32.0447 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/03 11:41:33.0244 winachsf (a8596cf86d445269a42ecc08b7066a4c) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/12/03 11:41:34.0072 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/12/03 11:41:34.0587 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/03 11:41:35.0072 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/03 11:41:35.0197 ================================================================================
2010/12/03 11:41:35.0197 Scan finished
2010/12/03 11:41:35.0197 ================================================================================

#9 ferbw
  • Topic Starter
  • Members
  • 12 posts

Posted 03 December 2010 - 11:10 PM

And here are the 2 logs from the OTL scan:



OTL logfile created on: 12/3/2010 6:41:27 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\a0187216\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 79.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 94.15 Gb Free Space | 63.17% Space Free | Partition Type: NTFS

Computer Name: LTA0187216 | User Name: a0187216 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/03 18:40:27 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\a0187216\Desktop\OTL.exe
PRC - [2009/09/12 22:09:10 | 000,103,768 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\concentr.exe
PRC - [2009/09/12 22:09:04 | 000,550,232 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
PRC - [2008/09/01 15:38:08 | 000,098,304 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect 3\iPassPeriodicUpdateService.exe
PRC - [2008/09/01 15:38:06 | 000,155,648 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect 3\iPassPeriodicUpdateApp.exe
PRC - [2008/08/26 15:14:20 | 000,114,688 | ---- | M] (Connected Corporation) -- C:\Program Files\Connected\CBSysTray.exe
PRC - [2008/08/26 14:52:28 | 000,258,048 | ---- | M] (Connected Corporation) -- C:\Program Files\Connected\AGENTSRV.EXE
PRC - [2008/08/21 13:51:06 | 000,450,674 | ---- | M] (InfoExpress Inc) -- C:\Program Files\CyberGatekeeper Agent\cgagent.exe
PRC - [2008/06/19 17:08:44 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2008/05/20 03:00:00 | 000,757,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/22 14:29:24 | 002,572,288 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
PRC - [2008/02/22 11:40:20 | 000,475,136 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2008/02/22 09:04:42 | 002,938,184 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
PRC - [2008/01/22 19:13:08 | 000,288,072 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
PRC - [2008/01/09 09:38:44 | 000,288,072 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
PRC - [2007/10/29 13:30:14 | 000,278,528 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
PRC - [2007/10/04 17:39:42 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
PRC - [2007/09/28 15:05:16 | 000,128,360 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007/08/23 10:55:06 | 000,311,296 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
PRC - [2007/07/02 12:29:22 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2007/06/06 15:44:44 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2007/05/22 13:18:56 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2007/05/10 09:23:50 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\stacsv.exe
PRC - [2006/11/02 13:05:50 | 000,282,624 | ---- | M] (Knowles Acoustics) -- C:\WINDOWS\system32\KADxMain.exe
PRC - [2006/09/08 14:10:22 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2006/08/03 09:48:44 | 000,124,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/08/03 09:48:34 | 001,807,600 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/08/03 09:48:26 | 000,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/07/19 20:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/07/19 20:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/07/19 20:26:04 | 000,052,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2005/05/19 13:33:54 | 000,069,632 | ---- | M] (InfoExpress) -- C:\Program Files\CyberArmor\pcshelp.exe
PRC - [2005/05/19 13:33:40 | 000,933,936 | ---- | M] (InfoExpress) -- C:\Program Files\CyberArmor\pcs.exe
PRC - [2005/05/19 13:33:30 | 000,065,536 | ---- | M] (InfoExpress) -- C:\Program Files\CyberArmor\casvc.exe
PRC - [2005/05/18 07:26:46 | 000,114,688 | ---- | M] (Superior View) -- C:\Program Files\Superior View\Change Proxy Settings\Change Proxy Settings.exe
PRC - [2005/04/14 10:43:24 | 000,073,788 | ---- | M] (InfoExpress) -- C:\Program Files\CyberGatekeeper Agent\cgasvc.exe
PRC - [2005/04/14 10:42:56 | 000,081,976 | ---- | M] (InfoExpress Inc.) -- C:\Program Files\CyberGatekeeper Agent\cgav.exe
PRC - [2005/04/14 10:42:28 | 000,090,174 | ---- | M] (InfoExpress) -- C:\Program Files\CyberGatekeeper Agent\cgahelp.exe
PRC - [2000/10/24 15:43:04 | 000,859,648 | ---- | M] (Open Software Associates Ltd.) -- C:\Program Files\netDeploy\Launcher\ndserv.exe


========== Modules (SafeList) ==========

MOD - [2010/12/03 18:40:27 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\a0187216\Desktop\OTL.exe
MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/14 04:42:12 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wsock32.dll
MOD - [2005/05/19 13:33:20 | 000,135,168 | ---- | M] (InfoExpress) -- C:\WINDOWS\system32\cahooknt.dll
MOD - [2005/05/19 13:33:18 | 000,151,552 | ---- | M] (InfoExpress) -- C:\WINDOWS\system32\cahookd.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2008/09/26 11:51:38 | 001,712,128 | ---- | M] (iPass, Inc.) [On_Demand | Stopped] -- C:\Program Files\iPass\iPassConnect 3\iPassConnectEngine.exe -- (iPassConnectEngine)
SRV - [2008/09/01 15:38:08 | 000,098,304 | ---- | M] (iPass, Inc.) [Auto | Running] -- C:\Program Files\iPass\iPassConnect 3\iPassPeriodicUpdateService.exe -- (iPassPeriodicUpdateService)
SRV - [2008/09/01 15:38:06 | 000,155,648 | ---- | M] (iPass, Inc.) [On_Demand | Running] -- C:\Program Files\iPass\iPassConnect 3\iPassPeriodicUpdateApp.exe -- (iPassPeriodicUpdateApp)
SRV - [2008/08/26 14:52:28 | 000,258,048 | ---- | M] (Connected Corporation) [Auto | Running] -- C:\Program Files\Connected\AgentSrv.EXE -- (AgentSrv)
SRV - [2008/06/19 17:08:44 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2008/05/20 03:00:00 | 000,757,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2008/05/20 03:00:00 | 000,249,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)
SRV - [2008/02/22 11:40:20 | 000,475,136 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2007/09/28 15:05:16 | 000,128,360 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/05/10 09:23:50 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV)
SRV - [2006/08/03 09:48:38 | 000,115,952 | ---- | M] (symantec) [Disabled | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/08/03 09:48:34 | 001,807,600 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/08/03 09:48:26 | 000,031,472 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/07/19 20:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/07/19 20:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/04/11 16:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2006/02/23 11:41:02 | 002,045,632 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2005/05/19 13:33:30 | 000,065,536 | ---- | M] (InfoExpress) [Auto | Running] -- C:\Program Files\CyberArmor\casvc.exe -- (CyberArmorRunService)
SRV - [2005/04/14 10:43:24 | 000,073,788 | ---- | M] (InfoExpress) [Auto | Running] -- C:\Program Files\CyberGatekeeper Agent\cgasvc.exe -- (CGAgent)
SRV - [2000/10/24 15:43:04 | 000,859,648 | ---- | M] (Open Software Associates Ltd.) [Auto | Running] -- C:\Program Files\netDeploy\Launcher\ndserv.exe -- (ndserv)


========== Driver Services (SafeList) ==========

DRV - [2010/09/29 02:00:00 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101203.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/09/29 02:00:00 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101203.003\NAVENG.SYS -- (NAVENG)
DRV - [2010/07/12 16:59:37 | 000,021,393 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\iPassP.sys -- (iPassP) iPass Protocol (IEEE 802.1x)
DRV - [2010/06/17 02:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\eeCtrl.sys -- (eeCtrl)
DRV - [2010/06/17 02:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/09/08 17:13:16 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2008/12/04 12:34:52 | 000,328,728 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2008/09/26 14:22:08 | 000,238,736 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2008/09/18 18:35:37 | 000,017,968 | ---- | M] (VMware, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vmscsi.sys -- (vmscsi)
DRV - [2008/09/18 16:32:00 | 000,063,920 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vmx_svga.sys -- (vmx_svga)
DRV - [2008/09/18 16:32:00 | 000,036,400 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vmxnet.sys -- (vmxnet)
DRV - [2008/06/19 17:07:50 | 000,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2008/05/20 03:00:00 | 000,023,584 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2008/04/13 21:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/08 16:27:04 | 000,012,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smsmdm.sys -- (smsmdd)
DRV - [2008/03/29 16:36:28 | 000,125,328 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2008/02/22 04:46:00 | 006,658,592 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/02/15 14:01:06 | 000,131,712 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfbd.sys -- (tosrfbd)
DRV - [2008/01/31 14:55:06 | 000,074,240 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tosrfhid.sys -- (Tosrfhid)
DRV - [2007/12/23 16:18:48 | 000,068,696 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
DRV - [2007/11/29 08:45:44 | 000,036,608 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (tosrfbnp)
DRV - [2007/10/18 13:25:00 | 000,041,856 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (tosrfusb)
DRV - [2007/10/02 10:43:22 | 000,064,128 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2007/09/26 01:01:00 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/09/04 10:50:00 | 000,031,744 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\csrbcxp.sys -- (CSRBC)
DRV - [2007/08/30 10:08:16 | 000,045,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2007/08/02 16:35:12 | 000,989,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2007/08/02 16:34:30 | 000,211,200 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2007/08/02 16:34:26 | 000,731,136 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2007/06/25 17:53:10 | 000,155,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/05/10 09:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/01/18 16:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/11/02 11:32:32 | 000,097,536 | ---- | M] (Knowles Acoustics) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dxec01.sys -- (DXEC01)
DRV - [2006/10/10 18:33:00 | 000,041,600 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
DRV - [2006/05/05 15:19:50 | 000,107,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/04/11 16:13:34 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/12/19 19:41:58 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/12/19 19:41:56 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2005/08/12 15:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/05/19 14:55:28 | 000,424,479 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\viexpf2k.sys -- (Viexpf2k)
DRV - [2005/05/19 12:51:02 | 000,021,504 | ---- | M] (InfoExpress) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\viexca2k.sys -- (Viexca2k)
DRV - [2005/01/26 10:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2005/01/07 04:42:00 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.ti.com/
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://proxyconfig.itg.ti.com/proxy.pac

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.ti.com/
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://proxyconfig.itg.ti.com/proxy.pac

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.ti.com/
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://proxyconfig.itg.ti.com/proxy.pac

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.ti.com/
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://proxyconfig.itg.ti.com/proxy.pac

IE - HKU\S-1-5-21-1315882459-817801392-1359842108-89841\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1315882459-817801392-1359842108-89841\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-1315882459-817801392-1359842108-89841\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://infolinknews.ti.com/tinews/infolinkhome.html
IE - HKU\S-1-5-21-1315882459-817801392-1359842108-89841\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1315882459-817801392-1359842108-89841\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://proxyconfig.itg.ti.com/proxy.pac

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://infolinknews.ti.com/tinews/infolinkhome.html"
FF - prefs.js..network.proxy.autoconfig_url: "http://proxyconfig.itg.ti.com/proxy.pac"
FF - prefs.js..network.proxy.type: 2

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/05 14:19:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/16 13:39:15 | 000,000,000 | ---D | M]

[2010/08/05 10:32:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\a0187216\Application Data\Mozilla\Extensions
[2010/11/19 15:20:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\a0187216\Application Data\Mozilla\Firefox\Profiles\epasslcx.default\extensions
[2010/08/12 15:14:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\a0187216\Application Data\Mozilla\Firefox\Profiles\epasslcx.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/05 10:32:10 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll (TechSmith Corporation)
O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll (TechSmith Corporation)
O3 - HKU\S-1-5-21-1315882459-817801392-1359842108-89841\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1315882459-817801392-1359842108-89841\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [CgaHelper] C:\Program Files\CyberGatekeeper Agent\cgahelp.exe (InfoExpress)
O4 - HKLM..\Run: [CgaViewer] C:\Program Files\CyberGatekeeper Agent\cgav.exe (InfoExpress Inc.)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [CyberArmorHelper] C:\Program Files\CyberArmor\pcshelp.exe (InfoExpress)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe (Knowles Acoustics)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-1315882459-817801392-1359842108-89841..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe File not found
O4 - HKU\S-1-5-21-1315882459-817801392-1359842108-89841..\Run: [sdsetup[1]] C:\Documents and Settings\a0187216\Desktop\sdsetup[1].exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Change Proxy Settings.lnk = C:\Program Files\Superior View\Change Proxy Settings\Change Proxy Settings.exe (Superior View)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe (Connected Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico ()
O4 - Startup: C:\Documents and Settings\PCUPDATEMGR\Start Menu\Programs\Startup\TIOutlookPRF.bat ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\New Windows present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Security present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideShutdownScripts = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1315882459-817801392-1359842108-89841\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1315882459-817801392-1359842108-89841\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRemoteRecursiveEvents = 1
O7 - HKU\S-1-5-21-1315882459-817801392-1359842108-89841\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\S-1-5-21-1315882459-817801392-1359842108-89841\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 1
O7 - HKU\S-1-5-21-1315882459-817801392-1359842108-89841\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogonScripts = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O15 - HKLM\..Trusted Domains: 401k.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: 401k.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: advancerx.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: advancerx.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: aetna.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: aetna.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: bbrown.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: bbrown.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: cexp.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: cexp.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: cigna.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: cigna.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: collegeboundfund.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: collegeboundfund.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: computershare.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: computershare.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: dell.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: dell.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: deltadentalins.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: deltadentalins.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: eway.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: eway.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: fidelity.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: fidelity.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: fishersci.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: fishersci.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: hcsc.net ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: hcsc.net ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: iqnavigator.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: iqnavigator.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: itg.ti.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: itg.ti.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: jtb-cwt.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: jtb-cwt.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: kaiserpermanente.org ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: kaiserpermanente.org ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: linux.omap.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: linux.omap.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: mamsi.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: mamsi.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: members.hcsc.net ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: members.hcsc.net ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: netbenefits.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: netbenefits.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: newark.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: newark.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: pacificare.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: pacificare.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: plms-edu.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: plms-edu.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: resources.hewitt.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: resources.hewitt.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: shi.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: shi.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: ssi1.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: ssi1.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: surveymonkey.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: surveymonkey.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: ti.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: ti.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: ti.com ([CNSMIT01.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DAOS29.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DAOS41.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DB5S05.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DB5SMS.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DBAS18.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DBAS42.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DBDS06.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DC4S02.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DCLSMS01.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DCLSMS02.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DEES01.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DFLS31.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DFRS113.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DFRS19.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DGSS21.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DHIS02.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DHISMS01.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DHKS1.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DHUS2.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DHZS1.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DILSMS.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DKLS27.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DKLS37.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES145.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES286.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES30.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES324.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES336.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES338.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES339.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES340.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES355.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES372.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES69.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES70.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES71.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES76.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES77.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES78.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLES80.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLEV119.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DLEV140.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DMHS14.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DMHS18.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DMHSMS01.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DMLESD.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DMYS07.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DNCS12.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DNTS46.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DNTS48.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DPAESD.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DPTS02.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DSANDS01.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DSANDS02.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DSANDSSMS.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DSES12.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DSHS03.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DSHS10.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DSIS73.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DSKS94.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DSTS3.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DSTS4.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DTAP31.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DTAS19.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DTES01.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DTHS01.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([DTSS3.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([TNINT06.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.com ([TORSMSSRV.itg] * in Local intranet)
O15 - HKLM\..Trusted Domains: ti.cwconnect.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: ti.cwconnect.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: ticonferencing.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: ticonferencing.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: tiws.proactcorp.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: tiws.proactcorp.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: ubs.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: ubs.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: unitrode.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: unitrode.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: vsp.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: vsp.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: webex.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: webex.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: webmd.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: webmd.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: webmdhealth.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: webmdhealth.com ([]https in Trusted sites)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266252249763 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266252239868 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_13)
O16 - DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://ti.webex.com/client/T27LB/webex/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.94.156.1 151.164.8.201
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = am.dhcp.ti.com
O18 - Protocol\Handler\saphtmlp {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - C:\Program Files\SAP\FrontEnd\Controls\SAPHTMLP.DLL (SAP AG, Walldorf)
O18 - Protocol\Handler\sapr3 {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - C:\Program Files\SAP\FrontEnd\Controls\SAPHTMLP.DLL (SAP AG, Walldorf)
O20 - AppInit_DLLs: (cahooknt.dll) - C:\WINDOWS\System32\cahooknt.dll (InfoExpress)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/23 16:18:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{018e38aa-fe4e-11df-b87d-002186834c55}\Shell - "" = AutoRun
O33 - MountPoints2\{018e38aa-fe4e-11df-b87d-002186834c55}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{018e38aa-fe4e-11df-b87d-002186834c55}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/03 18:40:28 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\a0187216\Desktop\OTL.exe
[2010/12/03 11:39:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\a0187216\Desktop\tdsskiller
[2010/11/25 13:12:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\a0187216\My Documents\BlackBerry
[2010/11/25 12:55:03 | 000,000,000 | ---D | C] -- C:\Program Files\Paint Shop Pro
[2010/11/19 17:55:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\a0187216\Desktop\gmer
[2010/11/19 13:53:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/11/10 11:02:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/03 18:40:27 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\a0187216\Desktop\OTL.exe
[2010/12/03 17:59:09 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2010/12/03 17:58:29 | 000,357,758 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/12/03 17:58:19 | 000,169,472 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/12/03 17:57:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/03 17:56:19 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/12/03 17:41:58 | 000,000,463 | ---- | M] () -- C:\WINDOWS\smscfg.ini
[2010/12/03 17:38:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/03 17:38:01 | 3688,857,600 | -HS- | M] () -- C:\hiberfil.sys
[2010/12/03 14:46:39 | 000,000,758 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Connected TaskBar Icon.LNK
[2010/12/03 14:02:36 | 000,123,192 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/12/03 12:12:34 | 226,459,648 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2010/12/03 11:52:05 | 000,002,491 | ---- | M] () -- C:\Documents and Settings\a0187216\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2007.lnk
[2010/12/03 11:33:22 | 001,230,433 | ---- | M] () -- C:\Documents and Settings\a0187216\Desktop\tdsskiller.zip
[2010/12/03 11:15:00 | 000,089,088 | ---- | M] () -- C:\mbr.exe
[2010/12/03 10:50:18 | 000,001,735 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/12/01 21:00:57 | 000,197,752 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/01 20:52:35 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/12/01 10:31:03 | 000,002,433 | ---- | M] () -- C:\Documents and Settings\a0187216\Desktop\VPN Client.lnk
[2010/11/29 19:02:17 | 000,004,975 | ---- | M] () -- C:\Documents and Settings\a0187216\Desktop\Attach.zip
[2010/11/29 18:39:41 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\a0187216\Desktop\gmer.zip
[2010/11/29 18:34:59 | 000,630,272 | ---- | M] () -- C:\Documents and Settings\a0187216\Desktop\dds.pif
[2010/11/29 18:34:34 | 000,630,272 | ---- | M] () -- C:\Documents and Settings\a0187216\Desktop\dds.scr
[2010/11/29 12:56:40 | 000,560,128 | ---- | M] () -- C:\Documents and Settings\a0187216\My Documents\Money.dat
[2010/11/23 14:32:44 | 000,002,259 | ---- | M] () -- C:\Documents and Settings\a0187216\Application Data\Microsoft\Internet Explorer\Quick Launch\Lotus Notes.lnk
[2010/11/22 11:49:20 | 000,018,944 | ---- | M] () -- C:\jbw_uploadEU.xls
[2010/11/22 11:49:20 | 000,001,872 | ---- | M] () -- C:\filename1.csv
[2010/11/22 10:46:57 | 000,004,393 | ---- | M] () -- C:\error.csv
[2010/11/22 10:41:06 | 000,028,672 | ---- | M] () -- C:\jbw_uploadAS.xls
[2010/11/19 17:49:07 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\a0187216\defogger_reenable
[2010/11/19 17:17:02 | 003,912,337 | ---- | M] () -- C:\Documents and Settings\a0187216\Desktop\ComboFix.exe
[2010/11/18 20:42:21 | 000,001,998 | -H-- | M] () -- C:\Documents and Settings\a0187216\My Documents\Default.rdp
[2010/11/18 16:51:20 | 000,000,173 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[2010/11/17 16:40:55 | 000,020,992 | ---- | M] () -- C:\jbw_uploadJP.xls
[2010/11/17 14:17:17 | 000,028,013 | ---- | M] () -- C:\error2.csv
[2010/11/17 14:10:51 | 000,068,857 | ---- | M] () -- C:\Documents and Settings\a0187216\Desktop\library.xlsx
[2010/11/17 11:10:21 | 000,357,758 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010/11/09 12:32:54 | 000,002,852 | ---- | M] () -- C:\WINDOWS\LTA0187216_Visio2002.exe
[2010/11/09 12:32:52 | 000,001,776 | ---- | M] () -- C:\WINDOWS\LTA0187216_Visio2002.mif
[2010/11/09 11:57:32 | 000,001,706 | ---- | M] () -- C:\WINDOWS\n4Visio.mif
[2010/11/08 15:23:54 | 000,000,410 | ---- | M] () -- C:\WINDOWS\.exe
[2010/11/08 15:21:10 | 000,010,218 | RHS- | M] () -- C:\Documents and Settings\a0187216\ntuser.pol
[2010/11/08 14:44:00 | 000,467,362 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/08 14:44:00 | 000,079,936 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/03 11:33:14 | 001,230,433 | ---- | C] () -- C:\Documents and Settings\a0187216\Desktop\tdsskiller.zip
[2010/12/03 11:14:59 | 000,089,088 | ---- | C] () -- C:\mbr.exe
[2010/11/29 19:02:17 | 000,004,975 | ---- | C] () -- C:\Documents and Settings\a0187216\Desktop\Attach.zip
[2010/11/29 18:34:45 | 000,630,272 | ---- | C] () -- C:\Documents and Settings\a0187216\Desktop\dds.pif
[2010/11/27 21:44:33 | 000,122,368 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/11/25 13:12:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\a0187216\Application Data\Rim.Desktop.Exception.log
[2010/11/19 17:54:30 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\a0187216\Desktop\gmer.zip
[2010/11/19 17:50:29 | 000,630,272 | ---- | C] () -- C:\Documents and Settings\a0187216\Desktop\dds.scr
[2010/11/19 17:49:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\a0187216\defogger_reenable
[2010/11/19 17:17:02 | 003,912,337 | ---- | C] () -- C:\Documents and Settings\a0187216\Desktop\ComboFix.exe
[2010/11/17 14:10:50 | 000,068,857 | ---- | C] () -- C:\Documents and Settings\a0187216\Desktop\library.xlsx
[2010/11/08 15:23:53 | 000,000,410 | ---- | C] () -- C:\WINDOWS\.exe
[2010/11/08 15:03:14 | 3688,857,600 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/20 12:42:45 | 000,000,054 | ---- | C] () -- C:\WINDOWS\Money.INI
[2010/08/11 08:42:06 | 000,000,857 | ---- | C] () -- C:\Documents and Settings\a0187216\Application Data\Rim.Desktop.HttpServerSetup.log
[2010/08/09 12:13:25 | 000,004,764 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
[2010/08/06 09:07:09 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2010/07/28 14:32:33 | 000,000,173 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2010/07/16 15:23:49 | 000,095,744 | ---- | C] () -- C:\WINDOWS\System32\h5rtf32.dll
[2010/07/16 15:23:49 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\h5tool32.dll
[2010/07/16 15:23:48 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\h5menu32.dll
[2010/07/16 15:23:47 | 001,064,960 | ---- | C] () -- C:\WINDOWS\System32\h5krnl32.dll
[2010/07/16 15:23:46 | 000,188,928 | ---- | C] () -- C:\WINDOWS\System32\h5icon32.dll
[2010/07/16 15:23:33 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\vtssm32.dll
[2010/07/16 15:22:24 | 000,006,024 | ---- | C] () -- C:\WINDOWS\Saplogon.ini
[2010/07/16 15:22:24 | 000,000,487 | ---- | C] () -- C:\WINDOWS\Sapmsg.ini
[2010/07/12 18:56:09 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2010/07/12 18:56:09 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2010/07/12 18:56:08 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2010/07/12 18:56:05 | 001,482,752 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2010/07/12 17:03:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2010/07/12 16:58:50 | 000,424,479 | ---- | C] () -- C:\WINDOWS\System32\drivers\viexpf2k.sys
[2010/07/12 16:58:50 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\vsctool.dll
[2010/07/12 16:57:26 | 000,000,059 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2010/05/25 11:59:03 | 000,000,463 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/26 10:09:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009/01/29 10:55:24 | 000,000,540 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/23 15:06:52 | 000,000,852 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009/01/23 10:13:20 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/06/19 17:08:52 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2008/06/19 17:08:44 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/12/21 15:46:32 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2007/09/27 09:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 09:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 09:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/09/19 18:11:22 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
[2005/07/22 20:30:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2002/03/19 18:30:00 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\mag.dll

========== LOP Check ==========

[2010/10/25 22:25:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\a0187216\Application Data\GlarySoft
[2010/08/03 08:33:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\a0187216\Application Data\ICAClient
[2010/10/21 23:30:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\a0187216\Application Data\IObit
[2010/11/25 13:12:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\a0187216\Application Data\Research In Motion
[2010/10/25 12:33:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\a0187216\Application Data\Sammsoft
[2010/10/21 23:39:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\a0187216\Application Data\TuneUp Software
[2010/09/30 13:35:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\a0187216\Application Data\webex
[2010/07/28 19:25:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\a0187216\Application Data\Windows Desktop Search
[2010/07/28 19:25:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\a0187216\Application Data\Windows Search
[2010/11/08 14:53:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ICAClient
[2010/11/08 14:53:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
[2010/08/03 08:34:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2010/07/18 09:16:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iPass
[2010/08/11 08:42:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2010/08/10 08:50:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2010/10/21 23:39:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2010/10/21 23:38:49 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
[2010/11/05 14:15:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\x0051606adm\Application Data\ICAClient
[2010/10/21 07:53:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\x0051606adm\Application Data\Windows Desktop Search
[2010/11/05 14:15:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xkmaragnadm\Application Data\ICAClient
[2010/11/05 13:43:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\xkmaragnadm\Application Data\Windows Desktop Search
[2010/12/03 17:56:19 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: EXPLORER.EXE >
[2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 05:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2004/08/04 06:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/14 04:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/14 04:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/04/14 04:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 04:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 04:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/14 04:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %SYSTEMDRIVE%\*.exe >
[2007/11/07 07:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe
[2010/12/03 11:15:00 | 000,089,088 | ---- | M] () -- C:\mbr.exe

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1997/06/25 14:24:16 | 000,040,448 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\regobj.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/01/23 10:12:02 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/01/23 10:12:02 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/01/23 10:12:02 | 000,880,640 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 7424 bytes -> C:\WINDOWS\System32\OEMLOGO.BMP:Q30lsldxJoudresxAaaqpcawXc

< End of report >




OTL Extras logfile created on: 12/3/2010 6:42:16 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\a0187216\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 79.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 94.15 Gb Free Space | 63.17% Space Free | Partition Type: NTFS

Computer Name: LTA0187216 | User Name: a0187216 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5 -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0BCA9EFD-F2D6-4638-B053-8693BA0404BE}" = Citrix online plug-in (Web)
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{23E5032B-56CA-4C19-A72E-B50161DB82CA}" = Shadow Copy Client
"{2FBF04DC-404C-4FA4-BA28-99903080D2B9}" = Magnifier Powertoy for Windows XP
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{385711B4-DF9A-427A-A48C-F1D65C0A8F5D}" = iPassConnect
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{55392E52-1AAD-44C4-BE49-258FFE72434F}" = Citrix online plug-in (USB)
"{5C47C8B6-77FF-4FC7-A388-66FCF9CFC24C}" = Snagit 9.1.3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6AA003BF-73E5-4911-ADB7-71DD5674DDD4}" = Oracle Data Provider for .NET Help
"{70D040E8-C756-4B59-A1FC-B758D9A0792D}" = Lotus Notes 6.5.3
"{7148F0A8-6813-11D6-A77B-00B0D0142130}" = Java 2 Runtime Environment, SE v1.4.2_13
"{721ABC3B-5F12-4332-9C0C-C11424EF666C}" = WIMGAPI
"{78D891EF-9E2D-4FC8-A71F-E6F897BA1B21}" = Symantec AntiVirus
"{812424AC-A8B5-44E6-8D48-07E939D1AD9A}" = Citrix online plug-in (HDX)
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{C3086AF2-777A-4B0D-8FB8-0C4B01A83BEB}" =
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARD_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_STANDARD_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_STANDARD_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_STANDARD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_STANDARD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90150409-6000-11D3-8CFE-0050048383C9}" = Microsoft Access 2002
"{9DF095E1-8EC2-4892-8740-93769DB1E944}" = User Agent String Utility
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A7091E1D-36A4-47F1-A739-173CC341414F}" = Cisco Systems VPN Client 5.0.03.0560
"{AB6FFA58-F491-11D3-8951-000000015799}" = iPassConnect 3
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE6A85D8-D6B9-479A-9FE9-A06E56881E61}" = Configuration Manager Client
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{CF53CF7C-D996-43EB-9904-DBED57C25625}" = Citrix online plug-in (DV)
"{D25F26E6-7F37-4580-9E83-2BDD9BE9E0CE}" = BlackBerry Desktop Software 6.0
"{D9FCA292-1186-421F-8D93-9A5D272AD5D0}" = IntelliSonic Speech Enhancement
"{EDC2B89F-3F72-48EA-B63E-985BC51622E4}" = OZ776 SCR Driver V1.1.4.202
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FB3B43A2-CA2A-11D5-A718-0050DAE02D76}" = SAPsetup System Update
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"5D81FBED6E61194F43FF1556F43BD8309BA44634" = Windows Driver Package - Intel (NETw4x32) net (09/26/2007 11.5.0.32)
"Access2002 [Common] (netDeploy)" = Access 2002 [Common] (via netDeploy)
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Application_Change Proxy Settings_1.2.2" = Change Proxy Settings 1.2.2
"Ascendo Money" = Ascendo Money 3.4.1
"BlackBerry_Desktop" = BlackBerry Desktop Software 6.0
"CitrixOnlinePluginPackWeb" = Citrix online plug-in - web
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"Connected" = Connected DataProtector
"CutePDF Writer Installation" = CutePDF Writer 2.8
"CyberArmor" = CyberArmor
"CyberGatekeeper Agent" = CyberGatekeeper Agent
"HECI" = Intel® Management Engine Interface
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IE7 [Common] (netDeploy)" = Internet Explorer 7.x... [Common] (via netDeploy)
"InstallShield_{EDC2B89F-3F72-48EA-B63E-985BC51622E4}" = OZ776 SCR Driver V1.1.4.202
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MicrosoftUserAgentStringUtil [Common] (netDeploy)" = User Agent String Utility [Common] (via netDeploy)
"MicrosoftUserAgentStringUtil.osd [Common] (netDeploy)" = ESD Applications [Common] (via netDeploy)
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"n4office2003 [Common] (netDeploy)" = Office 2003 [Common] (via netDeploy)
"n4oracle10 [Common] (netDeploy)" = n4oracle10 [Common] (via netDeploy)
"n4oracle10.osd [Common] (netDeploy)" = ESD Applications [Common] (via netDeploy)
"n4sav10144010 [Common] (netDeploy)" = Symantec AntiVirus 10.1.4.4010 [Common] (via netDeploy)
"n4tcw730 [Common] (netDeploy)" = TI-COMM for Windows 7.3.6.193... [Common] (via netDeploy)
"n4Visio [Common] (netDeploy)" = Visio 2002 [Common] (via netDeploy)
"n4VisioUpDate [Common] (netDeploy)" = Visio UpDate [Common] (via netDeploy)
"n4w5accessxp [Common] (netDeploy)" = Access Xp Advertisement [Common] (via netDeploy)
"n4w5accessxp.osd [Common] (netDeploy)" = ESD Applications [Common] (via netDeploy)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Office2007 [Common] (netDeploy)" = Office2007 [Common] (via netDeploy)
"Paint Shop Pro 4.12" = Paint Shop Pro 4.12
"PL/SQL Developer [80687277]" = PL/SQL Developer
"RDC" = RDC
"SAPFrontend" = SAP Front End
"STANDARD" = Microsoft Office Standard 2007
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WebEx QuickStart" = WebEx QuickStart
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/11/2010 11:38:49 PM | Computer Name = LTA0187216 | Source = UserInit | ID = 1000
Description = Could not execute the following script exceptioncheck.vbs. The system
cannot find the file specified. .

Error - 10/11/2010 11:38:49 PM | Computer Name = LTA0187216 | Source = UserInit | ID = 1000
Description = Could not execute the following script TimeServices.vbs. The system
cannot find the file specified. .

Error - 10/11/2010 11:38:49 PM | Computer Name = LTA0187216 | Source = UserInit | ID = 1000
Description = Could not execute the following script ITSec-ClientGPO.bat. The system
cannot find the file specified. .

Error - 10/11/2010 11:38:49 PM | Computer Name = LTA0187216 | Source = UserInit | ID = 1000
Description = Could not execute the following script hds.start.vbe. The system cannot
find the file specified. .

Error - 10/11/2010 11:38:49 PM | Computer Name = LTA0187216 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 10/11/2010 11:38:51 PM | Computer Name = LTA0187216 | Source = UserInit | ID = 1000
Description = Could not execute the following script adoberegkeys.bat. The system
cannot find the file specified. .

Error - 10/11/2010 11:38:51 PM | Computer Name = LTA0187216 | Source = UserInit | ID = 1000
Description = Could not execute the following script Reg_Backup.vbs. The system
cannot find the file specified. .

Error - 10/11/2010 11:38:51 PM | Computer Name = LTA0187216 | Source = UserInit | ID = 1000
Description = Could not execute the following script adoberegkeys.bat. The system
cannot find the file specified. .

Error - 10/11/2010 11:38:51 PM | Computer Name = LTA0187216 | Source = UserInit | ID = 1000
Description = Could not execute the following script Reg_Backup.vbs. The system
cannot find the file specified. .

Error - 10/11/2010 11:38:51 PM | Computer Name = LTA0187216 | Source = UserInit | ID = 1000
Description = Could not execute the following script HDSMachinePolicy.vbs. The system
cannot find the file specified. .

[ OSession Events ]
Error - 7/19/2010 4:30:18 PM | Computer Name = LTA0187216 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6425.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 6767
seconds with 1800 seconds of active time. This session ended with a crash.

Error - 9/30/2010 4:08:25 PM | Computer Name = LTA0187216 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000. This session lasted 188738
seconds with 8760 seconds of active time. This session ended with a crash.

Error - 9/30/2010 4:58:12 PM | Computer Name = LTA0187216 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000. This session lasted 2822
seconds with 840 seconds of active time. This session ended with a crash.

Error - 10/29/2010 3:28:05 PM | Computer Name = LTA0187216 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000. This session lasted 134
seconds with 120 seconds of active time. This session ended with a crash.

Error - 11/22/2010 2:01:24 PM | Computer Name = LTA0187216 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 6757
seconds with 2280 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 12/3/2010 2:19:17 PM | Computer Name = LTA0187216 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {7E89FF0B-F649-4F9A-A9C3-F05DFAAA3DA1}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 12/3/2010 2:22:42 PM | Computer Name = LTA0187216 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 12/3/2010 4:07:11 PM | Computer Name = LTA0187216 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 12/3/2010 4:15:11 PM | Computer Name = LTA0187216 | Source = Service Control Manager | ID = 7034
Description = The iPassPeriodicUpdateApp service terminated unexpectedly. It has
done this 1 time(s).

Error - 12/3/2010 7:39:07 PM | Computer Name = LTA0187216 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain ENT due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 12/3/2010 7:39:49 PM | Computer Name = LTA0187216 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 12/3/2010 7:39:49 PM | Computer Name = LTA0187216 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 12/3/2010 7:42:50 PM | Computer Name = LTA0187216 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 12/3/2010 7:55:08 PM | Computer Name = LTA0187216 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.

Error - 12/3/2010 8:24:51 PM | Computer Name = LTA0187216 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 59 minutes. NtpClient has no source of accurate
time.


< End of report >

#10 sundavis


  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:06:33 AM

Posted 04 December 2010 - 02:23 AM

Hi ferbw,

After performing the following fix, I would like you to check this thread to fix your Event Log error (Event ID: 10016), which was present in your logs. BTW, did you set up a proxy server to access Texas Instruments?

  • Please start OTL on your desktop.
  • Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of the code box.

    :OTL
    O3 - HKU\S-1-5-21-1315882459-817801392-1359842108-89841\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-1315882459-817801392-1359842108-89841\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKU\S-1-5-21-1315882459-817801392-1359842108-89841..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe File not found
    O4 - HKU\S-1-5-21-1315882459-817801392-1359842108-89841..\Run: [sdsetup[1]] C:\Documents and Settings\a0187216\Desktop\sdsetup[1].exe File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\New Windows present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Security present
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
    O15 - HKLM\..Trusted Domains: 401k.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: 401k.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: advancerx.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: advancerx.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: aetna.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: aetna.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: bbrown.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: bbrown.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: cexp.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: cexp.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: cigna.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: cigna.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: collegeboundfund.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: collegeboundfund.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: computershare.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: computershare.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: dell.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: dell.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: deltadentalins.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: deltadentalins.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: eway.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: eway.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: fidelity.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: fidelity.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: fishersci.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: fishersci.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: hcsc.net ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: hcsc.net ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: iqnavigator.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: iqnavigator.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: itg.ti.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: itg.ti.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: jtb-cwt.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: jtb-cwt.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: kaiserpermanente.org ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: kaiserpermanente.org ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: linux.omap.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: linux.omap.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: mamsi.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: mamsi.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: members.hcsc.net ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: members.hcsc.net ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: netbenefits.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: netbenefits.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: newark.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: newark.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: pacificare.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: pacificare.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: plms-edu.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: plms-edu.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: resources.hewitt.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: resources.hewitt.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: shi.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: shi.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: ssi1.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: ssi1.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: surveymonkey.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: surveymonkey.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: ubs.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: ubs.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: unitrode.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: unitrode.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: vsp.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: vsp.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: webex.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: webex.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: webmd.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: webmd.com ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: webmdhealth.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: webmdhealth.com ([]https in Trusted sites)
    O33 - MountPoints2\{018e38aa-fe4e-11df-b87d-002186834c55}\Shell - "" = AutoRun
    O33 - MountPoints2\{018e38aa-fe4e-11df-b87d-002186834c55}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{018e38aa-fe4e-11df-b87d-002186834c55}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -- File not found
    O33 - MountPoints2\E\Shell - "" = AutoRun
    O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    [2010/11/08 14:44:00 | 000,467,362 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/11/08 14:44:00 | 000,079,936 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    @Alternate Data Stream - 7424 bytes -> C:\WINDOWS\System32\OEMLOGO.BMP:Q30lsldxJoudresxAaaqpcawXc
    
    :Files
    C:\WINDOWS\.exe
    ipconfig /flushdns /c 
    
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [resethosts]
    [start explorer]
    [Reboot]
    
  • Click Run Fix button on the top.
  • Click OK and let it run unhindered.
  • OTL will ask to reboot the machine. Please OK the prompt.
  • A report will open. Copy and Paste that report in your next reply.


Step 2

Please download Malwarebytes' Anti-Malware from Here or Here

  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


In your next reply, please post back:

1. OTL delete log
2. MBAM log

Let me know if you have any remaining issues on your pc.
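As an added triage example (not part of this thread and not OTL's own code): a Python script that reads lines in the OTL entry formats used in the fix above (O4 Run values, O15 Trusted Domains, O33 MountPoints2 AutoRun commands and @Alternate Data Stream entries), flags the ones a responder would review, and drafts the matching :OTL block for a human to check before it is run. The sample lines are taken from the fix script above plus one constructed benign ctfmon.exe entry; the severity labels are this example's own assumption.

```python
"""Triage helper for OTL scan lines.

Added example: not part of this thread and not OTL's own code. It reads the
entry formats used in the fix script above (O4 Run values, O15 Trusted Domains,
O33 MountPoints2 AutoRun commands, @Alternate Data Stream entries), flags what a
responder would review, and drafts the matching :OTL block for human review.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in OTL log format. All lines except the ctfmon.exe one are
# taken from the fix script in this thread; ctfmon.exe is a benign control entry.
SAMPLE_OTL = r"""
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKU\S-1-5-21-1315882459-817801392-1359842108-89841..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe File not found
O4 - HKLM..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: webex.com ([]https in Trusted sites)
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
@Alternate Data Stream - 7424 bytes -> C:\WINDOWS\System32\OEMLOGO.BMP:Q30lsldxJoudresxAaaqpcawXc
"""

# One pattern per OTL entry type handled here (field layout follows the lines above).
RE_O4 = re.compile(r'^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$')
RE_O15 = re.compile(r'^O15 - HKLM\\\.\.Trusted Domains: (?P<domain>\S+) '
                    r'\(\[\](?P<scheme>https?) in Trusted sites\)$')
RE_O33 = re.compile(r'^O33 - MountPoints2\\(?P<volume>[^\\]+)\\Shell\\AutoRun\\command - "" = '
                    r'(?P<command>.+?)(?P<missing> -- File not found)?$')
RE_ADS = re.compile(r'^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$')

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}  # ordering is an assumption of this example


@dataclass
class Finding:
    kind: str
    severity: str
    detail: str
    line: str  # the original OTL line, reusable verbatim in an :OTL fix block


def triage(otl_text: str) -> List[Finding]:
    """Return one Finding per OTL line that merits a responder's attention."""
    findings: List[Finding] = []
    for raw in otl_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_O4.match(line)
        if m:
            # An autostart value whose target is gone is either leftover junk or a
            # removed payload; either way it should not stay in Run.
            if m.group("target").endswith("File not found"):
                findings.append(Finding("orphaned-autostart", "medium",
                                        f"Run value [{m.group('name')}] points at a missing file", line))
            continue
        m = RE_O15.match(line)
        if m:
            # Trusted-sites entries lower IE's security settings for that domain; worth listing.
            findings.append(Finding("trusted-zone-domain", "info",
                                    f"{m.group('domain')} ({m.group('scheme')}) is in the IE Trusted sites zone", line))
            continue
        m = RE_O33.match(line)
        if m:
            # A MountPoints2 AutoRun command is how U3/autorun worms launch from removable media.
            severity = "medium" if m.group("missing") else "high"
            findings.append(Finding("removable-autorun", severity,
                                    f"AutoRun command on volume {m.group('volume')}: {m.group('command')}", line))
            continue
        m = RE_ADS.match(line)
        if m:
            # A named stream hidden behind a system file is a classic hiding place.
            findings.append(Finding("alternate-data-stream", "high",
                                    f"{m.group('size')}-byte ADS on {m.group('path')}", line))
    return findings


def build_fix_script(findings: List[Finding], min_severity: str = "medium") -> str:
    """Draft an OTL fix block from findings at or above min_severity (review before use)."""
    floor = SEVERITY_RANK[min_severity]
    lines = [f.line for f in findings if SEVERITY_RANK[f.severity] >= floor]
    if not lines:
        return ""
    return "\n".join([":OTL", *lines, "", ":Commands", "[emptytemp]", "[Reboot]"])


if __name__ == "__main__":
    results = triage(SAMPLE_OTL)
    for f in results:
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
    print(build_fix_script(results))
```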

#11 ferbw

  • Topic Starter

  • Members
  • 12 posts
  • Local time:05:33 AM

Posted 04 December 2010 - 12:03 PM

Regarding your comment: "After performing the following fix, I would like you to check this thread to fix your Event Log error (Event ID: 10016), which was present in your logs. BTW, did you set up a proxy server to access Texas Instruments?"

I work at TI and my laptop automatically launches the proxy server. I was not connected to the TI network when I ran the scan. Should I still try to fix the Event Log error or was it simply caused by not being connected to TI's network?

Thanks!
Jennifer


Here is the OTL log....

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1315882459-817801392-1359842108-89841\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-1315882459-817801392-1359842108-89841\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1315882459-817801392-1359842108-89841\Software\Microsoft\Windows\CurrentVersion\Run\\ISUSPM deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1315882459-817801392-1359842108-89841\Software\Microsoft\Windows\CurrentVersion\Run\\sdsetup[1 not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\New Windows\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\401k.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\401k.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\advancerx.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\advancerx.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aetna.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aetna.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bbrown.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bbrown.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cexp.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cexp.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cigna.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cigna.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\collegeboundfund.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\collegeboundfund.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\computershare.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\computershare.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dell.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dell.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\deltadentalins.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\deltadentalins.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\eway.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\eway.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fidelity.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fidelity.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fishersci.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fishersci.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hcsc.net\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hcsc.net\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\iqnavigator.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\iqnavigator.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\itg.ti.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\itg.ti.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\jtb-cwt.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\jtb-cwt.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kaiserpermanente.org\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kaiserpermanente.org\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\linux.omap.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\linux.omap.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mamsi.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mamsi.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\members.hcsc.net\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\members.hcsc.net\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\netbenefits.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\netbenefits.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\newark.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\newark.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pacificare.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pacificare.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\plms-edu.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\plms-edu.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\resources.hewitt.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\resources.hewitt.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\shi.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\shi.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ssi1.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ssi1.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\surveymonkey.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\surveymonkey.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ubs.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ubs.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unitrode.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unitrode.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vsp.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vsp.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webex.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webex.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webmd.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webmd.com\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webmdhealth.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webmdhealth.com\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{018e38aa-fe4e-11df-b87d-002186834c55}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{018e38aa-fe4e-11df-b87d-002186834c55}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{018e38aa-fe4e-11df-b87d-002186834c55}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{018e38aa-fe4e-11df-b87d-002186834c55}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{018e38aa-fe4e-11df-b87d-002186834c55}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{018e38aa-fe4e-11df-b87d-002186834c55}\ not found.
File D:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ not found.
File E:\LaunchU3.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:autocheck autochk * deleted successfully.
C:\WINDOWS\system32\perfh009.dat moved successfully.
C:\WINDOWS\system32\perfc009.dat moved successfully.
ADS C:\WINDOWS\System32\OEMLOGO.BMP:Q30lsldxJoudresxAaaqpcawXc deleted successfully.
========== FILES ==========
C:\WINDOWS\.exe moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\a0187216\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\a0187216\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: a0187216
->Temp folder emptied: 3320226 bytes
->Temporary Internet Files folder emptied: 47884423 bytes
->Java cache emptied: 752243 bytes
->FireFox cache emptied: 100608349 bytes
->Flash cache emptied: 33351 bytes

User: a0187216Jen

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 725190 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 321 bytes

User: All Users

User: Default User
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 321 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 101409 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: PCUPDATEMGR
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 321 bytes

User: x0051606adm
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 488306 bytes
->Flash cache emptied: 321 bytes

User: xjoephanadm
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 321 bytes

User: xkmaragnadm
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 429989 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 321 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 169076 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23375968 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 170.00 mb


[EMPTYFLASH]

User: a0187216
->Flash cache emptied: 0 bytes

User: a0187216Jen

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: PCUPDATEMGR
->Flash cache emptied: 0 bytes

User: x0051606adm
->Flash cache emptied: 0 bytes

User: xjoephanadm
->Flash cache emptied: 0 bytes

User: xkmaragnadm
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.17.3 log created on 12042010_101405

Files\Folders moved on Reboot...
C:\Documents and Settings\a0187216\Local Settings\Temp\ExchangePerflog_8484fa31109d3ac3dcd6c672.dat moved successfully.
File\Folder C:\Documents and Settings\a0187216\Local Settings\Temporary Internet Files\Content.Word\~WRS{788C1E5C-100D-47AC-BFD9-318336B68CA3}.tmp not found!
File\Folder C:\Documents and Settings\a0187216\Local Settings\Temporary Internet Files\Content.Word\~WRS{9B8628C4-1722-4360-8983-BA595985A8D9}.tmp not found!
File\Folder C:\Documents and Settings\a0187216\Local Settings\Temporary Internet Files\Content.Word\~WRS{C4C3B9DB-5E65-4782-A7A6-2579AA348B4C}.tmp not found!
C:\Documents and Settings\a0187216\Local Settings\Temporary Internet Files\Content.IE5\EO7CEQ5D\page__gopid__2042631[1].htm moved successfully.
C:\Documents and Settings\a0187216\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...
And here is the Malwarebytes log....


Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5243

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/4/2010 10:59:28 AM
mbam-log-2010-12-04 (10-59-28).txt

Scan type: Quick scan
Objects scanned: 185011
Time elapsed: 12 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 sundavis
  • Malware Response Team
  • 2,708 posts

Posted 04 December 2010 - 12:56 PM

Hi ferbw,



or was it simply caused by not being connected to TI's network?

OK. Let's hold off for the time being.



Step1


Older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any entry with Java Runtime Environment (JRE or J2SE) in the name, and the following update:

    Java 2 Runtime Environment, SE v1.4.2_13

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.
  • After that, please clear your java cache as instructed in the following:
  • Go into the Control Panel (Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave both Checked

    Applications and Applets
    Trace and Log Files
  • Click OK on Delete Temporary Files Window
  • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


Step2


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.



Step3


Please run the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt .
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


In your next reply, please post back:

1.Eset Online Scanner Report.

Tell me if you have any remaining issues on your pc.
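
The Java step above tells you to uninstall every runtime older than JRE 6 Update 22 before installing the new one, and the Add/Remove Programs names Sun used make that harder than it sounds ("SE v1.4.2_13", "5.0 Update 6" and "6 Update 22" are three spellings of the same 1.x.y_z scheme). The script below is an added example, not code from the thread or from any tool mentioned in it: it normalises those display names to one comparable tuple and lists what should be removed. The entry names are constructed for the example, and the regexes cover only the three Sun naming schemes shown in the post; anything else with "Java" in the name is queued for manual review rather than guessed at.

```python
"""Decide which installed Java entries are older than the target JRE.

Added example, not part of the thread. The Add/Remove Programs display
names below are constructed, and the parser normalises Sun's three naming
schemes ("SE v1.4.2_13", "5.0 Update 6", "6 Update 22") into one tuple
(major, minor, micro, update) so they can be compared against the build
the helper recommends installing.
"""
import re

TARGET = (1, 6, 0, 22)  # JRE 6 Update 22 == 1.6.0_22

# Constructed Add/Remove Programs entries for a machine with old Java builds.
SAMPLE_ENTRIES = [
    "Adobe Reader 9.3",
    "Java 2 Runtime Environment, SE v1.4.2_13",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java(TM) SE Development Kit 6 Update 10",
    "Java(TM) 6 Update 22",
    "Java Auto Updater",
]

_DOTTED = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")                  # 1.4.2_13
_MAJOR_MINOR = re.compile(r"\b(\d+)\.(\d+)\b(?:\s+Update\s+(\d+))?", re.I)   # 5.0 Update 6
_MAJOR_ONLY = re.compile(r"\b(\d+)\s+Update\s+(\d+)", re.I)                 # 6 Update 22


def is_java_entry(name):
    """Heuristic: Sun's runtimes and JDKs all carry 'Java' or 'J2SE' in the name."""
    n = name.lower()
    return "java" in n or "j2se" in n


def parse_version(name):
    """Normalise a display name to (major, minor, micro, update); None if unversioned."""
    m = _DOTTED.search(name)
    if m:
        major, minor, micro, upd = (int(g) if g else 0 for g in m.groups())
        return (major, minor, micro, upd)
    m = _MAJOR_MINOR.search(name)
    if m:
        major, minor, upd = (int(g) if g else 0 for g in m.groups())
        # "5.0 Update 6" is marketing for 1.5.0_06
        return (1, major, minor, upd)
    m = _MAJOR_ONLY.search(name)
    if m:
        major, upd = (int(g) for g in m.groups())
        # "6 Update 22" is marketing for 1.6.0_22
        return (1, major, 0, upd)
    return None


def triage(entries, target=TARGET):
    """Sort Java entries into remove / keep / review buckets relative to target."""
    result = {"remove": [], "keep": [], "review": []}
    for name in entries:
        if not is_java_entry(name):
            continue
        ver = parse_version(name)
        if ver is None:
            result["review"].append(name)  # no version in the name: check by hand
        elif ver < target:
            result["remove"].append(name)
        else:
            result["keep"].append(name)
    return result


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_ENTRIES).items():
        print(bucket, names)
```

Tuple comparison does the real work: once every name is in the 1.x.y_z form, "older than the target" is just `ver < TARGET`, and an unparseable name is surfaced instead of silently kept.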

#13 ferbw
  • Topic Starter
  • Members
  • 12 posts

Posted 04 December 2010 - 07:01 PM

Java updated. Ran ATF Cleaner and ESET Online Scanner. Log is below.

I haven't been doing anything on my laptop except running these scans, so really no comment on how it is running just yet. It hasn't locked up on me though, which is a good sign, and the scans have all run successfully.



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.6000.17091 (vista_gdr.100824-1500)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c6e3050221efa4498b7e895b110635e1
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-12-04 11:27:26
# local_time=2010-12-04 05:27:26 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=102554
# found=1
# cleaned=0
# scan_time=13252
C:\Program Files\Connected\MAIL\personal072005_B19973A700C3DB07\E2810000_848E2000_C105 Win32/Joke.ScreenMate application 00000000000000000000000000000000 I
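
The ESET log above is a block of "# key=value" header lines followed by one line per finding, and because the scan was run with "Remove found threats" unticked (remove_checked=false) the found/cleaned counters show 1/0 by design: every hit has to be dealt with by hand. The parser below is an added example, not code from the thread or from ESET. Its sample log is constructed to mirror that layout, and it makes one labelled assumption about the finding lines: both the path and the threat name contain spaces, so the line is split from the right (32-hex id, then flag) and the threat name is taken to start at the first token containing a slash, since ESET family names ("Win32/...") carry one and Windows paths never do; the "a variant of" / "probably a variant of" prefixes ESET uses are pulled back into the threat name.

```python
"""Parse an ESET Online Scanner log.txt and say what still needs doing.

Added example, not from the thread or from ESET. The log is "# key=value"
header lines followed by finding lines of the rough form
    <path> <threat name> <32-hex id> <flag>
The sample log below is constructed; the path/threat split is a heuristic
(first token containing '/') and is an assumption of this example.
"""
import re

_HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
_PREFIX_WORDS = {"a", "variant", "of", "probably"}

# Constructed log in the same shape as the one posted in the thread.
SAMPLE_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=false
# archives_checked=true
# scanned=102554
# found=2
# cleaned=0
C:\\Program Files\\Connected\\MAIL\\personal_EXAMPLE\\E2810000_848E2000_C105 Win32/Joke.ScreenMate application 00000000000000000000000000000000 I
C:\\Documents and Settings\\user\\Local Settings\\Temp\\setup tmp.exe a variant of Win32/Adware.Example application 0123456789abcdef0123456789abcdef I
"""


def _coerce(value):
    """Turn 'true'/'false' and integer strings into Python values."""
    if value in ("true", "false"):
        return value == "true"
    return int(value) if value.isdigit() else value


def parse_finding(line):
    """Split one finding line into its fields, or return None if it is not one."""
    tokens = line.split()
    if len(tokens) < 4 or not _HEX32.match(tokens[-2]):
        return None
    slash = next((i for i, t in enumerate(tokens[:-2]) if "/" in t), None)
    if slash is None:
        return None
    start = slash
    # pull "a variant of" / "probably a variant of" back into the threat name
    while start > 0 and tokens[start - 1].lower() in _PREFIX_WORDS:
        start -= 1
    return {
        "path": " ".join(tokens[:start]),
        "threat": " ".join(tokens[start:-2]),
        "id": tokens[-2],
        "flag": tokens[-1],
    }


def parse_eset_log(text):
    """Return (header dict, list of finding dicts)."""
    header, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") and "=" in line:
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = _coerce(value.strip())
        else:
            finding = parse_finding(line)
            if finding:
                findings.append(finding)
    return header, findings


def triage(text):
    """Summarise the log and list what the scan did not clean."""
    header, findings = parse_eset_log(text)
    # With "Remove found threats" unticked, cleaned stays 0 and every
    # finding is still on the box.
    pending = findings if not header.get("remove_checked", False) else []
    return {
        "scanned": header.get("scanned", 0),
        "found": header.get("found", len(findings)),
        "cleaned": header.get("cleaned", 0),
        "pending": pending,
        # Hits inside a mail store point at the container, not the message,
        # so that folder has to be emptied by hand (as the helper advises).
        "mail_store_hits": [f["path"] for f in findings if "\\mail\\" in f["path"].lower()],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary["scanned"], summary["found"], summary["cleaned"])
    for f in summary["pending"]:
        print(f["threat"], "->", f["path"])
```

Parsing from the right is what makes this robust to "Program Files" and "Documents and Settings" in paths; the one soft spot is the slash heuristic, which is why it is flagged as an assumption rather than presented as ESET's format.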

#14 sundavis
  • Malware Response Team
  • 2,708 posts

Posted 04 December 2010 - 10:49 PM

Hi ferbw,




Please navigate to the following file path and delete or empty that mail folder's contents manually, since the online scanner can't tell specifically which mail items were infected.

C:\Program Files\Connected\MAIL\personal072005_B19973A700C3DB07\E2810000_848E2000_C105

Other than that, your log appears to be clean now. :thumbsup: If you have no remaining concerns on your pc, let's do some tidying up and we can send you on your way.


Step1

  • Start OTL from your desktop.
  • Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of code box.
    :Commands
    [CLEARALLRESTOREPOINTS]
    [emptytemp]
    [EMPTYFLASH]
    [start explorer]
    [Reboot]
    
  • Click Run Fix button on the top. After reboot, please do the following:
  • Double click OTL and let it run
  • Then Click the Cleanup button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Please delete all the logs and tools we have used. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:


  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • Backup your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!

#15 ferbw
  • Topic Starter
  • Members
  • 12 posts

Posted 05 December 2010 - 10:38 AM

Thanks for all your help! I will test everything out tomorrow at work and will respond again if I am still having problems.

Best regards,
Jennifer