
Infected - Computer Slow - Google Re-Directs


  • This topic is locked
15 replies to this topic

#1 Silverlode

  • Members
  • 7 posts

Posted 30 May 2011 - 08:46 AM

Google Re-Directs. Have run Symantec and DrWeb virus removal programs. Some things detected but problem not fixed. Don't recall specific names of any items identified other than they were referred to as trojan downloaders. Computer is a Lenovo ThinkPad X200 running XP Pro if it matters.

Thanks in advance for your time!

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by SwansonS at 9:18:09 on 2011-05-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2106 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\WINDOWS\system32\rpcnet.exe
c:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\SwansonS\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://home.medimmune.com
uDefault_Page_URL = hxxp://home.medimmune.com
mDefault_Page_URL = hxxp://home.medimmune.com
mStart Page = hxxp://www.medimmune.com
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [TrackPointSrv] tp4mon.exe
mRun: [SgeEcView] "c:\program files\utimaco\safeguard easy\Ecview.exe"
mRun: [EdWizard] "c:\program files\utimaco\safeguard easy\EdWizard.exe" as
mRun: [<NO NAME>]
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: NoDisconnect = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: astrazeneca.net
Trusted Zone: citrix.com\www
Trusted Zone: medimmune.com
Trusted Zone: medimmune.com\home
Trusted Zone: medimmune.com\remote
Trusted Zone: openair.com
Trusted Zone: medimmune.com
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {63427B88-346B-4348-969D-FBA42B83633C} - hxxp://aegis.medimmune.com/DocCompliance/framework/common/activex/qmcontrols.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1304963849168
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1304963844697
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {C3A57B60-C117-11D2-BD9B-00105A0A7E89} - hxxp://aegis.medimmune.com/DocCompliance/framework/common/activex/saxfile.cab
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxp://www.aquire.com/codebase81/OrgPubX.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://onthego.medimmune.com/dana-cached/sc/JuniperSetupClient.cab
DPF: {F77BA8AB-5ECF-4068-A393-8861AE213C85} - hxxp://aegis.medimmune.com/DocCompliance/framework/common/activex/q_ComplianceViewer.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {95994CCD-B1ED-4734-8A2B-B58142206E36} - msiexec /i {95994CCD-B1ED-4734-8A2B-B58142206E36} /qb
.
============= SERVICES / DRIVERS ===============
.
R0 AES-128;AES-128;c:\windows\system32\drivers\AES128.sys [2008-12-11 19712]
R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [2008-12-11 63488]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-12-18 189736]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2007-7-27 87416]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-12-8 2440120]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-5-15 475520]
R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-5-29 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-11 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110529.002\NAVENG.SYS [2011-5-29 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110529.002\NAVEX15.SYS [2011-5-29 1542392]
S3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [2009-5-29 72192]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-5-16 136176]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-4-15 14336]
.
=============== Created Last 30 ================
.
2011-05-30 13:04:56 388096 ----a-r- c:\documents and settings\swansons\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-30 13:04:55 -------- d-----w- c:\program files\Trend Micro
2011-05-25 16:19:37 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-05-17 14:23:01 -------- d-----w- c:\documents and settings\swansons\application data\Malwarebytes
2011-05-17 14:13:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-17 14:13:50 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-17 14:13:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-17 14:13:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-16 18:29:14 731000 ----a-w- C:\autoruns.exe
2011-05-16 15:06:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-16 14:59:34 -------- d-----w- c:\documents and settings\swansons\local settings\application data\Google
2011-05-16 14:44:39 133120 --sha-r- c:\windows\system32\l_exceptn.dll
2011-05-09 17:57:50 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2011-05-09 17:48:34 -------- d-----w- C:\~ErdUserProfile.$$$
2011-05-06 09:38:22 -------- d-----w- c:\windows\system32\VPCache
.
==================== Find3M ====================
.
2011-05-30 13:01:51 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-05-28 14:44:00 56680 ----a-w- c:\windows\system32\rpcnet.dll
2011-05-09 16:07:48 90112 ----a-w- c:\windows\DUMPb824.tmp
2011-05-09 12:32:35 98304 ----a-w- c:\windows\DUMP4611.tmp
2011-05-09 12:15:49 98304 ----a-w- c:\windows\DUMPaa88.tmp
2011-05-09 12:07:34 90112 ----a-w- c:\windows\DUMPa70d.tmp
2011-05-09 12:05:42 98304 ----a-w- c:\windows\DUMP46cd.tmp
2011-05-09 12:02:01 98304 ----a-w- c:\windows\DUMP5e4c.tmp
2011-05-09 11:59:32 98304 ----a-w- c:\windows\DUMP4da3.tmp
2011-05-09 11:57:49 90112 ----a-w- c:\windows\DUMP3cca.tmp
2011-05-09 11:56:19 90112 ----a-w- c:\windows\DUMP44f8.tmp
2011-05-09 11:55:19 98304 ----a-w- c:\windows\DUMP466f.tmp
2011-05-09 11:53:29 98304 ----a-w- c:\windows\DUMPa98e.tmp
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HITACHI_HTS722016K9SA00 rev.DCDZC75A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-9
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys splz.sys >>UNKNOWN [0x8ACC0938]<<
splz.sys
_asm { PUSH EBP; MOV EBP, ESP; JMP 0xfffffffff582ed9b; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AC26AB8]
3 CLASSPNP[0xBA158FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\000000b2[0x8AC37A98]
5 ACPI[0xB9E74620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP2T0L0-9[0x8AB5A940]
kernel: MBR read successfully
_asm { CLI ; JMP 0x7d; }
user != kernel MBR !!!
.
============= FINISH: 9:18:45.20 ===============


#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 02 June 2011 - 10:32 AM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right of this thread, click on the Options button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here: Main Mirror
  • Save it to your desktop.
  • Double-click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Next, please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs and the RKU log. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon
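Once the OTL reports come back, the helper has to read hundreds of PRC/SRV/DRV lines by eye. The Python below is an added illustration that is not part of this thread, of OTL (OldTimer's tool) or of DDS: it parses OTL's SafeList line format (including company names that contain their own parentheses) and applies a few defender-side triage rules to prioritise what a human reviews. The sample lines are constructed after the OTL format; the `example.exe` entry, the `Example Vendor` company and the `user` profile name are invented.

```python
"""Parse OTL "SafeList" lines (PRC/MOD/SRV/DRV) and apply simple triage rules.

Added illustration for this thread: not part of OTL, DDS or the forum post.
The sample lines below are constructed after the OTL report format.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# One OTL entry looks like:
#   DRV - [2010/06/10 10:20:39 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
# The company field may contain its own parentheses, e.g. "(Lenovo (United States) Inc.)",
# so it is matched lazily and anchored on what must follow it: a "[state]" block or " -- ".
OTL_LINE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[^|\]]+) \| (?P<flag>[A-Z])\] "
    r"\((?P<company>.*?)\)"
    r"(?: \[(?P<state>[^\]]+)\])?"
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<name>[^)]+)\)(?P<desc>.*))?$"
)


class Entry(NamedTuple):
    kind: str             # PRC, MOD, SRV or DRV
    modified: datetime    # file modification time as OTL reports it
    size: int             # file size in bytes
    company: str          # company from the version resource; "" when absent
    state: Optional[str]  # e.g. "Auto | Running" or "Kernel | Boot | Running"
    path: str             # on-disk path of the binary
    name: Optional[str]   # service/driver name in the registry, if any
    desc: str             # display name, if any


def parse_otl(text: str) -> List[Entry]:
    """Return every PRC/MOD/SRV/DRV line of an OTL report as an Entry."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue  # section headers, blank lines and other sections are skipped
        entries.append(Entry(
            kind=m["kind"],
            modified=datetime.strptime(m["date"], "%Y/%m/%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            company=m["company"],
            state=m["state"],
            path=m["path"],
            name=m["name"],
            desc=(m["desc"] or "").strip(),
        ))
    return entries


# Directories a standard user can write to; code launched from here deserves a second look.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def triage(entries: List[Entry], scan_time: datetime, recent_days: int = 30) -> Dict[str, List[str]]:
    """Map each flagged path to the reasons it was flagged.

    The rules only prioritise what a human reviews: a hit is not a verdict
    (OTL.exe itself sits on the Desktop) and a clean pass is not a clean machine.
    """
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if not e.company:
            reasons.append("no company/version information")
        if any(marker in e.path.lower() for marker in USER_WRITABLE):
            reasons.append("loaded from a user-writable directory")
        if scan_time - e.modified <= timedelta(days=recent_days):
            reasons.append("modified within %d days of the scan" % recent_days)
        if e.kind == "DRV" and e.state and "Boot" in e.state and not e.company:
            reasons.append("boot-start driver with no identifiable publisher")
        if reasons:
            findings[e.path] = reasons
    return findings


# Constructed sample modelled on the OTL format (example.exe / Example Vendor / "user" are invented).
SAMPLE = r"""
========== Processes (SafeList) ==========

PRC - [2011/06/02 11:37:43 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
PRC - [2009/08/28 20:42:11 | 000,056,680 | ---- | M] (Example Vendor) -- C:\WINDOWS\system32\example.exe

========== Driver Services (SafeList) ==========

DRV - [2010/06/10 10:20:39 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/09/25 00:49:52 | 000,031,680 | R--- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
SRV - [2009/08/28 20:42:11 | 000,056,680 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\WINDOWS\system32\rpcnet.exe -- (Rpcnet) Remote Procedure Call (RPC)
"""

SCAN_TIME = datetime(2011, 6, 2, 11, 39, 19)  # the "OTL logfile created on" timestamp


def run_sample() -> Dict[str, List[str]]:
    """Parse the constructed sample and return the triage findings."""
    return triage(parse_otl(SAMPLE), SCAN_TIME)


if __name__ == "__main__":
    for path, reasons in run_sample().items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```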

#3 Silverlode

  • Topic Starter
  • Members
  • 7 posts

Posted 02 June 2011 - 11:01 AM

Thank you for the help, Shannon.

When I attempt to run the Rootkit Unhooker program it starts and then shuts down automatically before I can save a file.
Tried downloading it again and it does the same thing.

These are the OTL files.

OTL logfile created on: 6/2/2011 11:39:19 AM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\SwansonS\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.96 Gb Total Physical Memory | 2.24 Gb Available Physical Memory | 75.82% Memory free
15.01 Gb Paging File | 14.41 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 12500 25000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 103.26 Gb Free Space | 69.28% Space Free | Partition Type: NTFS
Drive E: | 12021.30 Gb Total Space | 226.99 Gb Free Space | 1.89% Space Free | Partition Type: NTFS
Drive H: | 3723.87 Gb Total Space | 2148.39 Gb Free Space | 57.69% Space Free | Partition Type: NTFS
Drive K: | 3723.87 Gb Total Space | 2148.39 Gb Free Space | 57.69% Space Free | Partition Type: NTFS
Drive L: | 920.52 Gb Total Space | 313.45 Gb Free Space | 34.05% Space Free | Partition Type: NTFS
Drive S: | 3723.87 Gb Total Space | 2148.39 Gb Free Space | 57.69% Space Free | Partition Type: NTFS
Drive T: | 273.43 Gb Total Space | 0.01 Gb Free Space | 0.00% Space Free | Partition Type: NTFS

Computer Name: MD2L3-AEB2F | User Name: SwansonS | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/02 11:37:43 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\swansons\Desktop\OTL.exe
PRC - [2009/12/18 11:25:16 | 000,189,736 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
PRC - [2009/08/28 20:42:11 | 000,056,680 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\system32\rpcnet.exe
PRC - [2009/06/15 17:05:56 | 000,611,624 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
PRC - [2008/12/11 14:23:08 | 000,346,720 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
PRC - [2008/12/11 14:19:32 | 000,024,653 | ---- | M] (Utimaco Safeware AG) -- C:\Program Files\Utimaco\SafeGuard Easy\ecview.exe
PRC - [2008/12/11 14:13:00 | 000,163,931 | ---- | M] (Utimaco Safeware AG) -- c:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
PRC - [2008/12/11 14:12:24 | 000,114,773 | ---- | M] (Utimaco Safeware AG) -- c:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
PRC - [2008/12/08 17:01:54 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2008/12/08 16:42:34 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2008/12/08 16:42:32 | 001,795,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2008/08/14 09:45:52 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2008/08/14 09:45:28 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 05:42:40 | 000,082,944 | ---- | M] (IBM Corporation) -- C:\WINDOWS\system32\tp4mon.exe
PRC - [2007/07/27 15:38:26 | 000,087,416 | ---- | M] (Juniper Networks) -- C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
PRC - [2007/05/30 23:38:14 | 000,241,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
PRC - [2007/04/13 02:50:00 | 000,590,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2007/02/08 07:55:22 | 000,032,144 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\ssonsvr.exe


========== Modules (SafeList) ==========

MOD - [2011/06/02 11:37:43 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\swansons\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/12/11 14:12:18 | 000,028,752 | ---- | M] (Utimaco Safeware AG) -- c:\Program Files\Utimaco\SafeGuard Easy\SgMsgBhk.dll
MOD - [2008/12/08 16:43:34 | 000,357,704 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\sysfer.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/03/29 15:41:46 | 000,053,248 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2009/12/18 11:25:16 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2009/08/28 20:42:11 | 000,056,680 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\WINDOWS\system32\rpcnet.exe -- (Rpcnet) Remote Procedure Call (RPC)
SRV - [2009/06/15 17:05:56 | 000,611,624 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2008/12/11 14:23:08 | 000,346,720 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2008/12/11 14:13:00 | 000,163,931 | ---- | M] (Utimaco Safeware AG) [Auto | Running] -- c:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe -- (WksCfgSrv)
SRV - [2008/12/11 14:12:24 | 000,114,773 | ---- | M] (Utimaco Safeware AG) [Auto | Running] -- c:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe -- (SgeCtl)
SRV - [2008/12/08 17:01:54 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2008/12/08 16:42:32 | 001,795,400 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2008/12/08 16:01:28 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2008/08/14 09:45:28 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2008/08/14 09:45:28 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2008/06/30 11:36:35 | 003,093,872 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2007/07/27 15:38:26 | 000,087,416 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe -- (JuniperAccessService)
SRV - [2007/05/30 23:38:14 | 000,241,664 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe -- (Wuser32)
SRV - [2007/04/13 02:50:00 | 000,590,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)


========== Driver Services (SafeList) ==========

DRV - [2011/05/18 04:00:00 | 001,542,392 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110601.034\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/05/18 04:00:00 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110601.034\NAVENG.SYS -- (NAVENG)
DRV - [2011/05/09 04:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/05/09 04:00:00 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/09/10 22:32:20 | 000,167,936 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WpsHelper.sys -- (WpsHelper)
DRV - [2010/06/10 10:20:39 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/04/15 09:52:22 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2008/12/19 16:30:26 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/12/19 16:30:24 | 000,991,656 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/12/11 14:20:14 | 000,019,712 | ---- | M] (Utimaco Safeware AG) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\AES128.SYS -- (AES-128)
DRV - [2008/12/11 14:20:08 | 000,063,488 | ---- | M] (Utimaco Safeware AG) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SGEFLT.SYS -- (SgeFlt)
DRV - [2008/12/08 16:45:28 | 000,092,488 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys -- (SysPlant)
DRV - [2008/12/08 16:43:46 | 000,042,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\WPSDRVnt.sys -- (WPS)
DRV - [2008/11/26 18:42:10 | 000,764,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAU32.sys -- (CnxtHdAudService)
DRV - [2008/11/18 13:17:08 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COH_Mon.sys -- (COH_Mon)
DRV - [2008/10/14 06:24:18 | 000,049,536 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Teefer2.sys -- (Teefer2)
DRV - [2008/10/13 07:31:46 | 000,319,664 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2008/10/13 07:31:46 | 000,279,600 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2008/10/13 07:31:46 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2008/09/25 00:49:52 | 000,031,680 | R--- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2008/09/19 18:29:54 | 000,243,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel®
DRV - [2008/09/16 15:22:40 | 003,632,384 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2008/09/03 11:25:00 | 000,072,192 | ---- | M] (Ricoh co.,Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\5U875.sys -- (5U875UVC)
DRV - [2008/08/21 06:13:56 | 000,191,536 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2008/08/21 06:13:56 | 000,027,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2008/08/13 21:31:26 | 000,023,552 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2008/06/16 11:53:14 | 000,420,400 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2008/05/15 13:29:32 | 000,475,520 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys -- (ATSwpWDF)
DRV - [2008/04/09 21:16:48 | 000,985,472 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2008/04/09 21:16:48 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2008/04/09 21:16:48 | 000,210,560 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2008/03/26 15:21:06 | 000,013,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm)
DRV - [2008/03/26 15:12:56 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2007/05/30 23:38:08 | 000,011,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\kbstuff5.sys -- (kbstuff)
DRV - [2007/05/30 23:38:08 | 000,008,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\idisw2km.sys -- (idisw2km)
DRV - [2007/04/13 02:50:00 | 000,023,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2001/08/17 13:48:14 | 000,011,520 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TwoTrack.sys -- (TwoTrack)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.medimmune.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.medimmune.com


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.medimmune.com
IE - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.medimmune.com
IE - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://wpad.medimmune.com/directconnect.pac



Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [EdWizard] c:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe (Utimaco Safeware AG)
O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
O4 - HKLM..\Run: [SgeEcView] c:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe (Utimaco Safeware AG)
O4 - HKLM..\Run: [TrackPointSrv] C:\WINDOWS\System32\tp4mon.exe (IBM Corporation)
O4 - HKU\S-1-5-21-85748401-1566917853-1811762917-2342..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2011/05/16 14:31:03 | 000,000,000 | -H-D | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMSAppLogo5ChannelNotify = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDisconnect = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonType = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O15 - HKLM\..Trusted Domains: medimmune.com ([]https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: medimmune.com ([]http in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: medimmune.com ([elements] https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: medimmune.com ([home] http in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: medimmune.com ([remote] https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: openair.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: medimmune.com ([]http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: medimmune.com ([elements] https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: medimmune.com ([home] http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: medimmune.com ([remote] https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: openair.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\..Trusted Domains: astrazeneca.net ([]http in Trusted sites)
O15 - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\..Trusted Domains: astrazeneca.net ([]https in Trusted sites)
O15 - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\..Trusted Domains: citrix.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\..Trusted Domains: medimmune.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\..Trusted Domains: medimmune.com ([home] http in Trusted sites)
O15 - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\..Trusted Domains: medimmune.com ([remote] https in Trusted sites)
O15 - HKU\S-1-5-21-85748401-1566917853-1811762917-2342\..Trusted Domains: openair.com ([]https in Trusted sites)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {63427B88-346B-4348-969D-FBA42B83633C} http://aegis.medimmune.com/DocCompliance/framework/common/activex/qmcontrols.cab (QMControls.DialogControls_4_0_0_0)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1304963849168 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1304963844697 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {C3A57B60-C117-11D2-BD9B-00105A0A7E89} http://aegis.medimmune.com/DocCompliance/framework/common/activex/saxfile.cab (SAXFile ActiveX Control)
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} http://www.aquire.com/codebase81/OrgPubX.cab (OrgPublisher PluginX)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://juniper.net/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupSP1 Control)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://onthego.medimmune.com/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
O16 - DPF: {F77BA8AB-5ECF-4068-A393-8861AE213C85} http://aegis.medimmune.com/DocCompliance/framework/common/activex/q_ComplianceViewer.cab (q_CViewer Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.36.8.249 10.29.128.249 10.15.128.249 10.41.128.249
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = medimmune.com
O18 - Protocol\Handler\saphtmlp {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - C:\Program Files\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL (SAP AG, Walldorf)
O18 - Protocol\Handler\sapr3 {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - C:\Program Files\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL (SAP AG, Walldorf)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (SGGINA.DLL) - C:\WINDOWS\System32\Sggina.dll (Utimaco Safeware AG)
O24 - Desktop Components:AutorunsDisabled () -
O24 - Desktop WallPaper: C:\Documents and Settings\swansons\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\swansons\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/15 09:08:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/11/24 10:44:50 | 000,731,000 | ---- | M] (Sysinternals - www.sysinternals.com) - C:\autoruns.exe -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/02 11:37:41 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\SwansonS\Desktop\OTL.exe
[2011/05/30 09:23:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SwansonS\Desktop\Logs
[2011/05/30 09:16:50 | 000,606,738 | R--- | C] (Swearware) -- C:\Documents and Settings\SwansonS\Desktop\dds.scr
[2011/05/30 09:04:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\swansons\Start Menu\Programs\HiJackThis
[2011/05/30 09:04:55 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/05/25 12:19:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/05/22 15:17:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SwansonS\Desktop\Brake Pads
[2011/05/17 10:23:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\swansons\Application Data\Malwarebytes
[2011/05/17 10:13:50 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/17 10:13:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/05/17 10:13:47 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/17 10:13:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/05/16 15:24:10 | 001,930,720 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\SwansonS\My Documents\FixTDSS.exe
[2011/05/16 14:31:03 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
[2011/05/16 14:29:14 | 000,731,000 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\autoruns.exe
[2011/05/16 11:06:09 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/05/16 11:04:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2011/05/16 10:59:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2011/05/16 10:59:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\swansons\Local Settings\Application Data\Google
[2011/05/16 10:59:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2011/05/16 10:58:52 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2011/05/16 10:58:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2011/05/09 14:48:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/05/09 13:57:50 | 000,015,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2011/05/09 13:50:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/05/09 13:48:34 | 000,000,000 | ---D | C] -- C:\~ErdUserProfile.$$$
[2011/05/06 15:19:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\SwansonS\Desktop\thumbs
[2011/05/06 05:38:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\VPCache
[2007/07/27 15:37:24 | 000,069,632 | ---- | C] (Juniper Networks) -- C:\Documents and Settings\All Users\Application Data\NeoterisSetup.ocx
[12 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/02 11:40:00 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{E734EC0B-BF56-467E-9820-D18B0A72D498}.job
[2011/06/02 11:40:00 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{BA174D3E-5A5D-470B-815D-83AA317821BE}.job
[2011/06/02 11:40:00 | 000,000,390 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2FBA74C4-A5A4-466A-8E75-A393A9F7C0E9}.job
[2011/06/02 11:37:43 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\SwansonS\Desktop\OTL.exe
[2011/06/02 08:49:30 | 1550,140,416 | ---- | M] () -- C:\Documents and Settings\SwansonS\My Documents\SwansonEmailRecord.pst
[2011/06/02 07:46:07 | 000,437,550 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/06/02 07:46:07 | 000,069,134 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/06/02 07:45:35 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\SwansonS\Desktop\Microsoft Office Outlook 2003.lnk
[2011/06/02 07:43:58 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/02 07:37:46 | 000,000,456 | ---- | M] () -- C:\WINDOWS\smscfg.ini
[2011/06/02 07:37:18 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.exe
[2011/06/02 07:37:17 | 000,000,314 | -HS- | M] () -- C:\WINDOWS\tasks\Rgflo.job
[2011/06/02 07:37:14 | 000,056,680 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.dll
[2011/06/02 07:37:11 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\tasks\QNURWK.job
[2011/06/02 07:36:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/01 15:03:01 | 004,148,893 | ---- | M] () -- C:\Documents and Settings\SwansonS\Desktop\nicecamodudep1.gif
[2011/06/01 07:37:58 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\SwansonS\Desktop\Microsoft Office Word 2003.lnk
[2011/06/01 07:24:53 | 000,216,064 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/05/31 12:40:53 | 000,001,081 | ---- | M] () -- C:\Documents and Settings\SwansonS\Desktop\Shortcut to BI Batch Record Review Aids.lnk
[2011/05/31 08:04:13 | 000,247,202 | ---- | M] () -- C:\Documents and Settings\SwansonS\Desktop\June_2011_Newsletter.pdf
[2011/05/31 07:46:37 | 000,005,232 | RHS- | M] () -- C:\Documents and Settings\SwansonS\ntuser.pol
[2011/05/30 22:03:07 | 000,038,911 | ---- | M] () -- C:\Documents and Settings\SwansonS\Desktop\CyberPower Inc.pdf
[2011/05/30 22:01:11 | 000,372,614 | ---- | M] () -- C:\Documents and Settings\SwansonS\Desktop\CyberPower Inc Order.mht
[2011/05/30 09:27:09 | 000,293,977 | ---- | M] () -- C:\Documents and Settings\SwansonS\Desktop\gmer.zip
[2011/05/30 09:16:53 | 000,606,738 | R--- | M] (Swearware) -- C:\Documents and Settings\SwansonS\Desktop\dds.scr
[2011/05/30 09:05:44 | 000,002,453 | ---- | M] () -- C:\Documents and Settings\SwansonS\Desktop\HiJackThis.lnk
[2011/05/30 09:04:30 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\SwansonS\Desktop\HijackThis.msi
[2011/05/29 12:32:00 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\SwansonS\Desktop\gmer.exe
[2011/05/25 14:54:39 | 000,722,782 | ---- | M] () -- C:\Documents and Settings\SwansonS\Desktop\11B09-80 & 11B11-81 DP CoAs - NMF Fills.pdf
[2011/05/16 15:22:47 | 001,930,720 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\SwansonS\My Documents\FixTDSS.exe
[2011/05/16 14:54:11 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/16 14:31:27 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/16 14:31:25 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/16 12:40:53 | 000,001,509 | ---- | M] () -- C:\Documents and Settings\SwansonS\Desktop\Paint.lnk
[2011/05/16 11:06:09 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/05/16 10:44:39 | 000,133,120 | RHS- | M] () -- C:\WINDOWS\System32\l_exceptn.dll
[2011/05/12 07:22:31 | 000,034,111 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2011/05/10 08:51:13 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\SwansonS\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/05/09 15:06:14 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[12 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/01 15:03:36 | 004,148,893 | ---- | C] () -- C:\Documents and Settings\SwansonS\Desktop\nicecamodudep1.gif
[2011/05/31 12:40:56 | 000,001,081 | ---- | C] () -- C:\Documents and Settings\SwansonS\Desktop\Shortcut to BI Batch Record Review Aids.lnk
[2011/05/31 08:04:12 | 000,247,202 | ---- | C] () -- C:\Documents and Settings\SwansonS\Desktop\June_2011_Newsletter.pdf
[2011/05/30 22:02:54 | 000,038,911 | ---- | C] () -- C:\Documents and Settings\SwansonS\Desktop\CyberPower Inc.pdf
[2011/05/30 22:01:09 | 000,372,614 | ---- | C] () -- C:\Documents and Settings\SwansonS\Desktop\CyberPower Inc Order.mht
[2011/05/30 09:27:09 | 000,293,977 | ---- | C] () -- C:\Documents and Settings\SwansonS\Desktop\gmer.zip
[2011/05/30 09:04:56 | 000,002,453 | ---- | C] () -- C:\Documents and Settings\SwansonS\Desktop\HiJackThis.lnk
[2011/05/30 09:03:56 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\SwansonS\Desktop\HijackThis.msi
[2011/05/29 12:32:00 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\SwansonS\Desktop\gmer.exe
[2011/05/25 14:53:04 | 000,722,782 | ---- | C] () -- C:\Documents and Settings\SwansonS\Desktop\11B09-80 & 11B11-81 DP CoAs - NMF Fills.pdf
[2011/05/16 10:59:38 | 000,000,890 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/16 10:59:37 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/16 10:53:07 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/16 10:44:39 | 000,133,120 | RHS- | C] () -- C:\WINDOWS\System32\l_exceptn.dll
[2011/05/16 10:44:39 | 000,000,316 | -HS- | C] () -- C:\WINDOWS\tasks\QNURWK.job
[2011/05/16 10:44:39 | 000,000,314 | -HS- | C] () -- C:\WINDOWS\tasks\Rgflo.job
[2010/10/05 08:36:18 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\swansons\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/28 09:13:35 | 001,064,960 | ---- | C] () -- C:\WINDOWS\System32\h5krnl32.dll
[2009/08/28 09:13:35 | 000,188,928 | ---- | C] () -- C:\WINDOWS\System32\h5icon32.dll
[2009/08/28 09:13:35 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\h5menu32.dll
[2009/08/28 09:13:35 | 000,095,744 | ---- | C] () -- C:\WINDOWS\System32\h5rtf32.dll
[2009/08/28 09:13:35 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\h5tool32.dll
[2009/08/28 09:13:32 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\vtssm32.dll
[2009/08/28 09:13:32 | 000,003,510 | ---- | C] () -- C:\WINDOWS\saplogon.ini
[2009/08/28 09:13:32 | 000,000,301 | ---- | C] () -- C:\WINDOWS\sapmsg.ini
[2009/08/28 09:13:32 | 000,000,085 | ---- | C] () -- C:\WINDOWS\saproute.ini
[2009/08/27 15:04:44 | 000,557,003 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2009/08/27 15:04:32 | 000,811,835 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2009/08/27 15:03:52 | 004,456,201 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2009/08/25 14:07:36 | 000,328,334 | ---- | C] () -- C:\WINDOWS\System32\ff_kernelDeint.dll
[2009/08/25 13:38:04 | 000,425,040 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2009/08/25 12:56:56 | 000,829,781 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/08/25 12:37:02 | 000,146,098 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2009/08/11 16:21:26 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\ac3config.exe
[2009/06/02 13:15:44 | 000,113,152 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2009/06/02 13:15:18 | 000,146,944 | ---- | C] () -- C:\WINDOWS\System32\ff_tremor.dll
[2009/06/02 13:15:04 | 000,183,296 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2009/06/02 13:14:56 | 000,178,688 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2009/06/02 13:14:30 | 000,486,400 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll
[2009/06/02 13:13:58 | 000,257,024 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2009/06/02 13:13:50 | 000,142,848 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2009/06/02 13:11:26 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2009/06/02 13:11:16 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/05/29 14:06:45 | 002,026,604 | ---- | C] () -- C:\WINDOWS\System32\igkrng500.bin
[2009/05/29 14:06:43 | 000,442,964 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin
[2009/05/29 14:06:43 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v5002.dll
[2009/05/13 12:55:30 | 000,000,456 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/04/16 12:05:08 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.dll
[2009/04/16 12:03:48 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.exe
[2009/04/15 17:52:25 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/04/15 17:52:20 | 000,437,550 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/15 17:52:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2009/04/15 17:52:20 | 000,069,134 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/15 17:52:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2009/04/15 17:52:18 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2009/04/15 17:52:18 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2009/04/15 17:52:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2009/04/15 17:52:08 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2009/04/15 17:52:08 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2009/04/15 17:51:48 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2009/04/15 17:51:43 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2009/04/15 10:02:51 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/04/15 10:01:46 | 000,216,064 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/15 09:47:45 | 000,000,078 | ---- | C] () -- C:\WINDOWS\init.ini
[2009/04/15 09:34:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/04/15 09:12:06 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/04/15 09:05:55 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/01/10 18:17:32 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
[2009/01/10 18:16:56 | 000,148,480 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2009/01/10 18:16:50 | 000,108,032 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2009/01/10 18:16:14 | 000,141,312 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2009/01/10 18:16:04 | 000,335,872 | ---- | C] () -- C:\WINDOWS\System32\gdsmux.exe
[2009/01/10 18:15:54 | 000,120,832 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2009/01/10 18:15:44 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\mmfinfo.dll
[2009/01/10 18:15:36 | 000,103,424 | ---- | C] () -- C:\WINDOWS\System32\dsmux.exe
[2009/01/10 18:15:32 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\avss.dll
[2009/01/10 18:15:28 | 000,246,784 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll
[2009/01/10 18:15:12 | 000,097,280 | ---- | C] () -- C:\WINDOWS\System32\avs.dll
[2009/01/10 18:15:06 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\mkv2vfr.exe
[2009/01/10 18:14:08 | 000,079,360 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2009/01/10 18:14:06 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2008/12/11 14:22:10 | 002,854,976 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2008/12/11 14:19:40 | 000,020,575 | ---- | C] () -- C:\WINDOWS\System32\Sgegina040C.Dll
[2008/12/11 14:19:36 | 000,020,575 | ---- | C] () -- C:\WINDOWS\System32\SgeGina0407.Dll
[2008/12/03 18:11:50 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/11/06 12:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/10/13 05:30:20 | 000,000,137 | ---- | C] () -- C:\WINDOWS\System32\Registration.ini
[2007/08/16 12:33:38 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\loaddlln.dll
[2003/01/07 10:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

< End of report >
OTL Extras logfile created on: 6/2/2011 11:39:19 AM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\SwansonS\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.96 Gb Total Physical Memory | 2.24 Gb Available Physical Memory | 75.82% Memory free
15.01 Gb Paging File | 14.41 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 12500 25000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 103.26 Gb Free Space | 69.28% Space Free | Partition Type: NTFS
Drive E: | 12021.30 Gb Total Space | 226.99 Gb Free Space | 1.89% Space Free | Partition Type: NTFS
Drive H: | 3723.87 Gb Total Space | 2148.39 Gb Free Space | 57.69% Space Free | Partition Type: NTFS
Drive K: | 3723.87 Gb Total Space | 2148.39 Gb Free Space | 57.69% Space Free | Partition Type: NTFS
Drive L: | 920.52 Gb Total Space | 313.45 Gb Free Space | 34.05% Space Free | Partition Type: NTFS
Drive S: | 3723.87 Gb Total Space | 2148.39 Gb Free Space | 57.69% Space Free | Partition Type: NTFS
Drive T: | 273.43 Gb Total Space | 0.01 Gb Free Space | 0.00% Space Free | Partition Type: NTFS

Computer Name: MD2L3-AEB2F | User Name: SwansonS | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"AllowUserPrefMerge" = 1
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"16540:UDP:*:enabled:LiveMeeting Stream" = 16540:UDP:*:enabled:LiveMeeting Stream
"2701:TCP:*:enabled:SMSPing" = 2701:TCP:*:enabled:SMSPing
"2702:TCP:*:enabled:SMSRemoteControl" = 2702:TCP:*:enabled:SMSRemoteControl
"2704:TCP:*:enabled:SMSFileTransfer" = 2704:TCP:*:enabled:SMSFileTransfer

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 1
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\List]
"%programfiles%\Anywhere+\anywhere.exe:*:enabled:Anywhere+" = %programfiles%\Anywhere+\anywhere.exe:*:enabled:Anywhere+

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\List]
"16540:UDP:*:enabled:LiveMeeting Stream" = 16540:UDP:*:enabled:LiveMeeting Stream
"2102:TCP:*:enabled:SMSPing" = 2102:TCP:*:enabled:SMSPing
"2701:TCP:*:enabled:SMSping" = 2701:TCP:*:enabled:SMSping
"2704:TCP:*:enabled:SMSFiletransfer" = 2704:TCP:*:enabled:SMSFiletransfer

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:TCP" = 1900:TCP:LocalSubNet:Enabled:UDP 1900

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1DE3088D-E607-4EB0-9223-106E7B5AF2F1}" = Microsoft Conferencing Add-in for Microsoft Office Outlook
"{20AF1A1C-878D-440B-ADAC-C8D75D11CCF9}" = ViewMail for Outlook 7.0(2)
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 12
"{2F221920-DB3B-4A74-A010-26ABDBA07AC2}" = SMS Advanced Client
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}" = Symantec Endpoint Protection
"{3F5CFC1C-653B-4B22-9153-2BDDF2E03C0E}" = Seagate Manager Installer
"{40ABCBEA-890E-415A-B2FF-30687B3C13EA}" = TempTale Manager Desktop 6.0
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{5CD85AD2-1767-4967-B623-F264D2740FD4}" = AstraZeneca Certificate
"{64211D43-D195-413C-A7E7-666C10B53E1F}" = Ericsson Wireless Module Core
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = ThinkPad Bluetooth with Enhanced Data Rate Software
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{93056DCB-B067-4CD4-8739-F4BAAC78CDDC}" = Juniper Installer Service
"{95120000-0052-0409-0000-0000000FF1CE}" = Microsoft Office Visio Viewer 2007
"{95994CCD-B1ED-4734-8A2B-B58142206E36}" = Windows Media Player
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6A6E04B-492D-4A7B-84E8-A83FB060D941}" = AZ_IELink_1.0_MDI_XP_EN_B1
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A98AFBC7-D5A7-46A1-8795-EABE2F55A7D6}" = Microsoft Office Live Meeting 2007
"{AC76BA86-1033-0000-7760-100000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}" = Adobe Shockwave Player
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B117DAE4-1940-4320-8788-811E9D4FE529}" = SafeGuard® Easy Client 4.50.3
"{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}" = Citrix Presentation Server Client
"{BCA4424F-825A-4F5D-834C-FFA0EC379655}" = ISPI Tools 1.07.0004
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}" = WinZip 12.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1E44702-21F5-4918-B8A3-6D126D5BD33C}" = Windows Messenger 5.1
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{F21E27F8-6AF8-44D1-90DC-F637E9821502}" = Adobe File
"0829220F684052198BBFE704DEB3BE4B298FDD80" = Windows Driver Package - Intel (iaStor) SCSIAdapter (11/03/2008 8.6.3.1004)
"2DA959FE3D6F0F5BC313481E72071D510DD786FB" = Windows Driver Package - Intel (w29n51) net (12/19/2007 9.0.4.39)
"3A4BCF4FDC99FD1314C1765462A054093CDEF58B" = Windows Driver Package - Intel (iaStor) hdc (07/22/2008 8.2.4.1005)
"3CAF815BFC73E654C99B86AF66B092DBC28E38EA" = Windows Driver Package - Intel (NETw5x32) net (08/28/2008 12.1.0.14)
"575AD5FC1842C926C7F4F663E867A3BD97D2B05C" = Windows Driver Package - Intel SYSTEM (12/13/2007 1.0.0.2)
"74EB790A80874414D7B286C1A7CF7F99CB8215AC" = Windows Driver Package - Intel (iaStor) SCSIAdapter (07/22/2008 8.2.4.1005)
"AC3Filter_is1" = AC3Filter 1.63b
"Adobe Acrobat 7.0 Professional - V" = Adobe Acrobat 7.1.0 Professional
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDA_HSF" = ThinkPad Modem Adapter
"F47257BFD82AA5BBF9668FC2EE9A258601FCE833" = Windows Driver Package - Intel (iaStor) hdc (11/03/2008 8.6.3.1004)
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{3F5CFC1C-653B-4B22-9153-2BDDF2E03C0E}" = Seagate Manager Installer
"Juniper Network Connect 6.0.0" = Juniper Networks Network Connect 6.0.0
"Juniper Network Connect 6.4.0" = Juniper Networks Network Connect 6.4.0
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Media Player - Codec Pack" = Media Player Codec Pack 3.8.0
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Power Management Driver" = ThinkPad Power Management Driver
"SAPFrontend" = SAP Front End
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/28/2011 9:33:10 PM | Computer Name = MD2L3-AEB2F | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for MEDIMMUNE\swansons failed to
contact the active directory (0x8007054b). The specified domain either does not
exist or could not be contacted. Enrollment will not be performed.

Error - 3/28/2011 11:51:08 PM | Computer Name = MD2L3-AEB2F | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 3/29/2011 12:29:22 AM | Computer Name = MD2L3-AEB2F | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 4/1/2011 11:40:48 AM | Computer Name = MD2L3-AEB2F | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/1/2011 11:40:48 AM | Computer Name = MD2L3-AEB2F | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/1/2011 11:41:43 AM | Computer Name = MD2L3-AEB2F | Source = Application Hang | ID = 1001
Description = Fault bucket 1203548446.

Error - 4/1/2011 11:41:51 AM | Computer Name = MD2L3-AEB2F | Source = Application Hang | ID = 1001
Description = Fault bucket 1203548446.

Error - 4/1/2011 2:28:12 PM | Computer Name = MD2L3-AEB2F | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/1/2011 2:28:16 PM | Computer Name = MD2L3-AEB2F | Source = Application Hang | ID = 1001
Description = Fault bucket 1203548446.

Error - 4/7/2011 1:07:05 PM | Computer Name = MD2L3-AEB2F | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16827, faulting
module mshtml.dll, version 7.0.6000.16825, fault address 0x0003c1b5.

[ System Events ]
Error - 10/10/2010 8:02:51 PM | Computer Name = MD2L3-AEB2F | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain MEDIMMUNE due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 10/10/2010 9:03:20 PM | Computer Name = MD2L3-AEB2F | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 480 minutes. NtpClient has no source of accurate
time.

Error - 10/17/2010 10:29:10 AM | Computer Name = MD2L3-AEB2F | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain MEDIMMUNE due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 10/17/2010 10:29:21 AM | Computer Name = MD2L3-AEB2F | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 10/17/2010 10:29:23 AM | Computer Name = MD2L3-AEB2F | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 10/17/2010 10:32:32 AM | Computer Name = MD2L3-AEB2F | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 10/17/2010 10:34:22 AM | Computer Name = MD2L3-AEB2F | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 10/17/2010 10:35:41 AM | Computer Name = MD2L3-AEB2F | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 10/17/2010 10:37:42 AM | Computer Name = MD2L3-AEB2F | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 10/17/2010 10:38:48 AM | Computer Name = MD2L3-AEB2F | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.


< End of report >
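The Security Center, System Restore and Firewall sections of the report above are the parts worth triaging by hand, and the things to look for are mechanical: `DisableSR = 1` under the SystemRestore policy key plus `Start = 4` on the `Sr` driver (restore points switched off), `EnableFirewall = 0` in both Windows Firewall policy profiles, `DisableMonitoring = 1` for the installed AV, and any globally open port whose scope is `*`. The parser below is an added example (not part of the report or of the DDS tool) that reads that `[key]` / `"name" = value` layout and applies those rules to a constructed excerpt of the dump above. The caveat matters: on a domain-joined corporate laptop running Symantec Endpoint Protection every one of these can be legitimate IT policy (SEP replaces Windows Firewall and registers its own Security Center status), so the output is a list of settings to confirm with IT, not a verdict of infection.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the DDS report layout seen above (not the full report).
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\List]
"2701:TCP:*:enabled:SMSping" = 2701:TCP:*:enabled:SMSping
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VAL_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')


def parse_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Parse DDS-style '[key]' headers and '"name" = value' lines into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


# (key suffix, value name, value that counts as a finding, message). Suffix match is case-insensitive.
RULES: List[Tuple[str, str, str, str]] = [
    (r'\Policies\Microsoft\Windows NT\SystemRestore', 'DisableSR', '1',
     'System Restore disabled by policy (common IT policy, but also a malware move that removes rollback points)'),
    (r'\Services\Sr', 'Start', '4',
     'System Restore filter driver (Sr) set to Start=4 (disabled)'),
    (r'\WindowsFirewall\StandardProfile', 'EnableFirewall', '0',
     'Windows Firewall policy disables the standard profile (expected if a third-party firewall such as SEP replaces it)'),
    (r'\WindowsFirewall\DomainProfile', 'EnableFirewall', '0',
     'Windows Firewall policy disables the domain profile (expected if a third-party firewall such as SEP replaces it)'),
    (r'\Security Center\Monitoring\SymantecAntiVirus', 'DisableMonitoring', '1',
     'Security Center no longer monitors Symantec AV (SEP sets this itself; confirm the AV is still running and updating)'),
]

# "port:proto:*:enabled:name" means the exception is open to every remote address.
WILDCARD_PORT_RE = re.compile(r'^(\d+):(TCP|UDP):\*:enabled:', re.IGNORECASE)


def triage(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; each is something to confirm with the owner or IT, not a verdict."""
    findings: List[str] = []
    for key, values in keys.items():
        key_l = key.lower()
        for suffix, name, bad, msg in RULES:
            if key_l.endswith(suffix.lower()) and values.get(name) == bad:
                findings.append(f'{msg} [{key}\\{name}={bad}]')
        if key_l.endswith(r'\globallyopenports\list'):
            for name in values:
                m = WILDCARD_PORT_RE.match(name)
                if m:
                    findings.append(f'Port {m.group(1)}/{m.group(2).upper()} open to any remote address [{key}]')
    return findings


if __name__ == '__main__':
    for finding in triage(parse_dump(SAMPLE_DUMP)):
        print('-', finding)
```

Feed it the full report instead of `SAMPLE_DUMP` and it will also pick up the DomainProfile `EnableFirewall = 0` and the SMS/LiveMeeting wildcard exceptions listed above; the rule table is the part to extend when a different AV or management agent is in play.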

#4 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:03:42 AM

Posted 02 June 2011 - 12:36 PM

Hi-

Thank you for the logs. They did show some problems.

First, please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.0.0) from Kaspersky's website.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.

    To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.

  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. C:\TDSSKiller.2.5.0_23.07.2010_15.31.43_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
Next, download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virus


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


In your reply, copy in the contents of the TDSSKiller report and the ComboFix report. How is your computer running now?
Shannon

#5 Silverlode

Posted 02 June 2011 - 08:59 PM

Shannon

Sorry about the delay in response. Was tied up away from the computer.
I need to provide a bit of disclosure with you here so hang with me for a moment.
I downloaded TDSSKiller and ran it. It didn't find anything. I will post the log below.

I read fully the instructions concerning Combofix and I have a couple of issues. First and foremost, I cannot turn off my virus scanning software in order to run Combofix, so I didn't run it. The reason I can't turn it off is because this is a company computer that was issued to me (private company, not the govt) and the IT dept has the virus software settings locked (Symantec in this case).

The reason I have sought out this site for help is because I have tried on a couple of occasions to let them (work IT) solve the issue and thus far they have failed to do so. Further, it costs me a lot of valuable productive time while they have my computer for a whole day at a time, etc. So basically I was hoping I could get this figured out myself in my spare time with some help from the real experts on this stuff.

So, is there any way to solve this without running Combofix and/or turning off the virus software? Thanks again - Your help is appreciated.

TDSS Log:

2011/06/02 21:06:43.0375 4044 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24
2011/06/02 21:06:43.0843 4044 ================================================================================
2011/06/02 21:06:43.0843 4044 SystemInfo:
2011/06/02 21:06:43.0843 4044
2011/06/02 21:06:43.0843 4044 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/02 21:06:43.0843 4044 Product type: Workstation
2011/06/02 21:06:43.0843 4044 ComputerName: MD2L3-AEB2F
2011/06/02 21:06:43.0843 4044 UserName: SwansonS
2011/06/02 21:06:43.0843 4044 Windows directory: C:\WINDOWS
2011/06/02 21:06:43.0843 4044 System windows directory: C:\WINDOWS
2011/06/02 21:06:43.0843 4044 Processor architecture: Intel x86
2011/06/02 21:06:43.0843 4044 Number of processors: 2
2011/06/02 21:06:43.0843 4044 Page size: 0x1000
2011/06/02 21:06:43.0843 4044 Boot type: Normal boot
2011/06/02 21:06:43.0843 4044 ================================================================================
2011/06/02 21:06:46.0671 4044 Initialize success
2011/06/02 21:07:03.0671 1260 ================================================================================
2011/06/02 21:07:03.0671 1260 Scan started
2011/06/02 21:07:03.0671 1260 Mode: Manual;
2011/06/02 21:07:03.0671 1260 ================================================================================
2011/06/02 21:07:06.0500 1260 MBR (0x1B8) (9dcf31ee32577c9ebfb8faea7c04b714) \Device\Harddisk0\DR0
2011/06/02 21:07:06.0546 1260 ================================================================================
2011/06/02 21:07:06.0546 1260 Scan finished
2011/06/02 21:07:06.0546 1260 ================================================================================
2011/06/02 21:07:06.0578 2440 Detected object count: 0
2011/06/02 21:07:06.0578 2440 Actual detected object count: 0
2011/06/02 21:08:24.0796 4088 Deinitialize success

#6 Shannon2012

Posted 03 June 2011 - 08:35 AM

hi-

I understand. Let's see if we can clean it up without upsetting IT.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Microsoft: ‘Unprecedented Wave of Java Exploitation’
Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt Users
Please follow these steps to update Java:
  • Download and install the latest version of Java Runtime Environment (JRE) Version 6.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Under Product / File Description, find the Windows x86 Online and click on its link.
  • Click on Run.
  • Once installed, you will be asked to restart your browser.

We need to run an OTL Fix.
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
:OTL
O4 - HKLM..\Run: [] File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
[2011/05/16 10:44:39 | 000,133,120 | RHS- | C] () -- C:\WINDOWS\System32\l_exceptn.dll
[2011/05/16 10:44:39 | 000,000,316 | -HS- | C] () -- C:\WINDOWS\tasks\QNURWK.job
[2011/05/16 10:44:39 | 000,000,314 | -HS- | C] () -- C:\WINDOWS\tasks\Rgflo.job
:commands
[emptytemp]
[resethosts]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If you have to reboot, once back up, open the C:\_OTL\MovedFiles folder and copy the newest log into your next reply.

Next, please download Malwarebytes' Anti-Malware (MBAM) from HERE.
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Then, do a new OTL scan.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • A report will open, copy and paste it into your reply:
  • OTL.txt <-- Will be the opened report

In your reply, please copy in the OTL reports and the MBAM report. How are the redirects now?
Shannon
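What makes the three file entries in that OTL fix worth removing is visible in the log line itself: a DLL with read-only+hidden+system attributes and no company/version info landed in System32 in the same second as two hidden, randomly named scheduled-task `.job` files in `C:\WINDOWS\Tasks`, which is the classic dropper-plus-persistence footprint. The script below is an added example, not OTL's code or anything from the original post, that parses OTL's `[date time | size | attrs | C] (company) -- path` entries and applies those two checks (suspicious attributes in system directories, and files created in the same second across different directories). It assumes OTL's attribute field uses the letters R/H/S for read-only/hidden/system with `-` for unset, and the three benign entries in the sample are constructed for contrast (the Google Update task names are assumed, not taken from the page).

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# The first three lines are the entries from the OTL fix above; the remaining three are
# constructed benign entries so the rules have something to leave alone.
SAMPLE_OTL = r'''
[2011/05/16 10:44:39 | 000,133,120 | RHS- | C] () -- C:\WINDOWS\System32\l_exceptn.dll
[2011/05/16 10:44:39 | 000,000,316 | -HS- | C] () -- C:\WINDOWS\tasks\QNURWK.job
[2011/05/16 10:44:39 | 000,000,314 | -HS- | C] () -- C:\WINDOWS\tasks\Rgflo.job
[2011/05/11 09:12:03 | 000,000,398 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/11 09:12:03 | 000,000,390 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/10 14:03:27 | 000,286,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll
'''

LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\]'
    r' \((?P<company>[^)]*)\) -- (?P<path>.+)$')


class Entry(NamedTuple):
    ts: str
    size: int
    attrs: str     # assumption: R/H/S letters for read-only/hidden/system, '-' for unset
    kind: str      # OTL's own flag: C = created, M = modified
    company: str
    path: str

    @property
    def directory(self) -> str:
        return self.path.rsplit('\\', 1)[0].lower()

    @property
    def name(self) -> str:
        return self.path.rsplit('\\', 1)[1]


def parse_otl(text: str) -> List[Entry]:
    """Parse OTL file/folder entries; lines that do not match the layout are ignored."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(Entry(m['ts'], int(m['size'].replace(',', '')), m['attrs'],
                             m['kind'], m['company'], m['path']))
    return out


def find_suspicious(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each path to the list of reasons it tripped; an empty list means nothing did."""
    reasons: Dict[str, List[str]] = {e.path: [] for e in entries}

    # Rule 1: attribute-based checks on the two directories the dropper used.
    for e in entries:
        in_sys32 = e.directory.endswith('\\system32')
        in_tasks = e.directory.endswith('\\tasks')
        if 'H' in e.attrs and 'S' in e.attrs and (in_sys32 or in_tasks):
            reasons[e.path].append('hidden+system attributes in a system directory')
        if in_tasks and e.name.lower().endswith('.job') and 'H' in e.attrs:
            reasons[e.path].append('hidden scheduled task (.job) file')
        if in_sys32 and e.company == '' and e.kind == 'C':
            reasons[e.path].append('file with no company/version info created in System32')

    # Rule 2: files created in the same second across different directories came from one
    # writer; a DLL plus its task files is exactly what a dropper leaves. Same-second files in
    # a single directory (a normal installer's task pair) are not flagged.
    by_ts: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        if e.kind == 'C':
            by_ts[e.ts].append(e)
    for ts, group in by_ts.items():
        if len(group) >= 2 and len({e.directory for e in group}) >= 2:
            for e in group:
                others = ', '.join(o.name for o in group if o is not e)
                reasons[e.path].append(f'co-created at {ts} with {others}')
    return reasons


if __name__ == '__main__':
    for path, why in find_suspicious(parse_otl(SAMPLE_OTL)).items():
        if why:
            print(path)
            for r in why:
                print('   -', r)
```

Run against a full OTL.txt the timestamp rule is the one that pays off: the DLL and the task files are what a scanner might catch individually, but the same-second cluster is what tells you which files belong to the same drop even when their names are random.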

#7 Silverlode

Posted 03 June 2011 - 10:09 AM

Really appreciate the help!

Couple of points of note.

Ran the OTL fix as you instructed. Symantec error did come up early on saying it was blocking some action. I copied the screen to paste the error so you can see it and forgot to paste it to something before the computer restarted later (duh).

Ran MBAM as instructed. It did find something. Removed, moved on to next step...

Attempted to run OTL scan again. It will not run. It opens up, says it's gathering disk data (or something of that nature) and then stops responding. Tried it a couple of times. Deleted and reinstalled OTL, same thing. Deleted and rebooted computer and reinstalled, same thing.

So I only have logs for initial OTL fix and MBAM which are below in that order.

I also have one more question. I have a thumb drive that I only used on this computer while it was infected. Don't know if there is anything nasty on it. I have things I need to save on it. How should I go about ensuring whatever was on my C: didn't get on there?

Thanks again.

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
C:\WINDOWS\system32\l_exceptn.dll moved successfully.
C:\WINDOWS\tasks\QNURWK.job moved successfully.
C:\WINDOWS\tasks\Rgflo.job moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 122 bytes
->Temporary Internet Files folder emptied: 82054 bytes
->Java cache emptied: 7618363 bytes

User: All Users

User: bosherb
->Temp folder emptied: 78381908 bytes
->Temporary Internet Files folder emptied: 315430 bytes

User: Default User
->Flash cache emptied: 56466 bytes

User: harnisht
->Temp folder emptied: 6635 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 2853263 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: swansons
->Temp folder emptied: 337953 bytes
->Temporary Internet Files folder emptied: 154179628 bytes
->Java cache emptied: 19427 bytes
->Flash cache emptied: 146226 bytes

User: swansons-off
->Temp folder emptied: 1457286377 bytes
->Temporary Internet Files folder emptied: 253734019 bytes
->Java cache emptied: 5282775 bytes
->Flash cache emptied: 186553 bytes

User: wa_Saghrif
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 128478 bytes
->Flash cache emptied: 41478 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1048576 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49635 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 4178187 bytes

Total Files Cleaned = 1,875.00 mb

HOSTS file reset successfully

OTL by OldTimer - Version 3.2.23.0 log created on 06032011_095006

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\swansons\Local Settings\Temp\~DF1F2B.tmp not found!
File\Folder C:\Documents and Settings\swansons\Local Settings\Temp\~DF1F91.tmp not found!
C:\Documents and Settings\swansons\Local Settings\Temporary Internet Files\Content.IE5\C4GXN8MD\page__p__2269568__fromsearch__1[1].htm moved successfully.
C:\Documents and Settings\swansons\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
File\Folder C:\Documents and Settings\swansons-off\Local Settings\Temporary Internet Files\Content.IE5\RCXJ40Z7\d%3D2%3Bitime%3D915023203%3Bkvmn%3D93301382%3Bkvtid%3D15debe4012oj9a%3Bkvseg%3D99999%3A60194%3A60190%3A50226%3A50202%3Bnodecode%3Dyes%3Blink%3D;ord=915023203[1] not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_2b0.dat not found!

Registry entries deleted on Reboot...

__________________________________________________________________________


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6763

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/3/2011 10:43:57 AM
mbam-log-2011-06-03 (10-43-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 249240
Time elapsed: 33 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Shannon2012

Posted 03 June 2011 - 11:00 AM

How are the redirects?
Shannon

#9 Silverlode

Posted 03 June 2011 - 12:33 PM

No re-directs at the moment. I have run random A/V programs that detected stuff and the re-directs temporarily stopped but then restarted within a few hours. So I guess only time will tell and I am keeping my fingers crossed.

#10 Shannon2012

Posted 03 June 2011 - 12:44 PM

I am hoping that the redirects are gone, because there is not much else that I want to do on your company computer. As to your question about the thumb drive -

The first thing to do is to run Flash_Disinfector and then scan the thumb drive with Malwarebytes' Anti-Malware.

Flash_Disinfector is a specialized fix tool created by sUBs to remove infections that load an autorun.inf file on removable media. Flash_Disinfector will create a hidden "dummy" autorun folder/file with special permissions in each partition and every external drive that was connected when the tool was run. This folder helps to keep the malicious autorun.inf file from being installed on the root drive and running other malicious files which will infect the computer.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Now, run MBAM against the thumb drive.
Shannon
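The protective "dummy" folder described in the post above, shown as an added PowerShell illustration of the idea (this is not Flash_Disinfector's own code, and the drive letter E: is an assumed example). It reports whether a drive root is unprotected, already protected, or carries an autorun.inf file that deserves a scan, and creates the hidden, delete-denied placeholder folder where none exists.

```powershell
# Added example, not code from Flash_Disinfector or the thread. Illustrates the
# approach described above: a hidden, locked-down folder named autorun.inf at a
# drive root, so a malicious autorun.inf FILE cannot be created in its place.
# Drive letter E: is an assumption; run from an elevated PowerShell prompt.

function Get-AutorunState {
    param([Parameter(Mandatory=$true)][string]$DriveRoot)
    $path = Join-Path $DriveRoot 'autorun.inf'
    if (-not (Test-Path -LiteralPath $path)) { return 'Unprotected' }
    $item = Get-Item -LiteralPath $path -Force
    # A folder of that name is the protective placeholder; a file is what
    # autorun-spreading malware drops, and the drive should be scanned first.
    if ($item.PSIsContainer) { return 'Protected' } else { return 'AutorunFilePresent' }
}

function Protect-DriveRoot {
    param([Parameter(Mandatory=$true)][string]$DriveRoot)
    $state = Get-AutorunState -DriveRoot $DriveRoot
    if ($state -eq 'AutorunFilePresent') {
        Write-Warning "$DriveRoot holds an autorun.inf FILE; scan the drive before protecting it."
        return $state
    }
    if ($state -eq 'Protected') { return $state }

    $path = Join-Path $DriveRoot 'autorun.inf'
    $dir  = New-Item -ItemType Directory -Path $path
    # Hidden + System so the placeholder does not show in a normal Explorer view.
    $dir.Attributes = $dir.Attributes -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

    # Deny Delete to Everyone so malware running as the logged-on user cannot
    # remove the folder and drop its own autorun.inf file. An administrator can
    # still reverse this by taking ownership and editing the ACL.
    $acl  = Get-Acl -LiteralPath $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'Delete,DeleteSubdirectoriesAndFiles', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
    return (Get-AutorunState -DriveRoot $DriveRoot)
}

# Usage (assumed removable drive):
Protect-DriveRoot -DriveRoot 'E:\'
```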

#11 Silverlode

Silverlode
  • Topic Starter

  • Members
  • 7 posts

Posted 03 June 2011 - 03:56 PM

Ran both as directed. Nothing detected. I hope I am out of the woods, so to speak.

Your help has been greatly appreciated. How should I proceed if the problem comes back within the next few hours as happened before?

#12 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 03 June 2011 - 04:27 PM

Let me know
Shannon

#13 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 07 June 2011 - 10:03 AM

How are the re-directs?
Shannon

#14 Silverlode

Silverlode
  • Topic Starter

  • Members
  • 7 posts

Posted 07 June 2011 - 10:41 AM

I think you got it. Thanks again!

#15 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 07 June 2011 - 12:03 PM

You are welcome!
Shannon
