continual same page popping


  • This topic is locked
28 replies to this topic

#1 fredn

  • Members
  • 15 posts

Posted 01 September 2011 - 02:46 PM

Hi,

I'm running XP, 32 bit, with SP3.

I had either the HDD Repair or PC Repair malware (it hid all my subdirectories). I immediately did a system restore, and manually un-hid my directories.

I ran MBAM quick scan, and it found Rootkit.TDSS and two Trojan.Agent which I quarantined.

However after every 10 or 20 clicks, (doesn't matter which site I'm on) I will get a pop-up from quizfinddomain.com and another site.

Also a few other strange behaviours occurring, such as suddenly my IE closed, or other apps locking up, taskbar locking up, unable to access Task Manager, etc so I believe something is still here, although MBAM full scan is coming up clean now.

Can anyone please advise me on what to try next? Should I try the TDSS Killer?

Thanks.

Edited by fredn, 01 September 2011 - 03:07 PM.



#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,993 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 01 September 2011 - 11:12 PM

Hello,

Please follow the instructions in This Guide starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 fredn
  • Topic Starter
  • Members
  • 15 posts

Posted 02 September 2011 - 11:05 AM

Hi,

I tried to do point 7, run DDS, but instead of a black DOS box opening, I got a CODE editor box with garbage (HEX) text. I probably have different file associations than DDS is expecting. (CODE is an IBM development software).

I am attaching the GMER log.

Thank you.

Attached Files

  • Attached File: ark.txt (43.85KB)


#4 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,732 posts
  • Gender:Male

Posted 06 September 2011 - 02:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/417044 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 fredn
  • Topic Starter
  • Members
  • 15 posts

Posted 07 September 2011 - 09:07 AM

Hi and thanks for your help,

Referring to your points as requested below:

1. I had either the HDD Repair or PC Repair malware (it hid all my subdirectories). I immediately did a system restore, and manually un-hid my directories.

I ran MBAM quick scan, and it found Rootkit.TDSS and two Trojan.Agent files which I quarantined.

However after every 10 or 20 clicks, (doesn't matter which site I'm on) I will get a pop-up from either quizfinddomain.com or another site.

I ran online ESET which found several Trojan files, which were quarantined.

I ran MBAM full scan and it found several Trojan.FakeAlert files in system restore, which I quarantined.

However I still see odd behaviour.

2. Tried to run DDS but probably due to file associations I come up with a different result than you expect. I am willing to change my file association if explained how.

I have attached a new GMER log, named ark.txt. It indicates some rootkit activity.

I do not have CD emulation.

3. I do not have my original Windows disk available.

Thank you.

Attached Files

  • Attached File: ark.txt (42.48KB)


#6 Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 07 September 2011 - 11:08 AM

Hi,

Whilst we work on the problems in your logs, it is very important that you do not make any changes to this PC. Specifically, do not run any further malware removal tools or try to remove anything yourself.

You may wish to "Watch Topic" so that you are immediately informed of any replies I make. I also ask that you reply to my posts within 5 days else your topic will be closed as stale.

Throughout the removal process, if you have any questions then you should ask them. If you are unsure of my instructions or something does not go as planned - then please tell me. Conversely, it is also important that you answer any questions I have and that you keep me updated on the state of the PC.


  • Download TDSSKiller.exe and save it to your desktop.
  • Double-click TDSSKiller.exe to run it.
  • Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
  • Click Start scan and allow it to scan for Malicious objects.
    • If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
    • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents of the logfile in your next reply

Regards,

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *
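
The "Boot Sectors" option in the TDSSKiller steps above reads the disk's master boot record, which is where this thread's rootkit turns out to have been living. As an added example (not TDSSKiller's code and not part of the original post), the Python below parses a 512-byte MBR and flags the changes a boot-sector check looks for: a missing 0x55AA signature, bootstrap code whose hash no longer matches a baseline recorded while the machine was known clean, and a partition table that is internally inconsistent (several active entries, bad status bytes, entries that overlap or run past the end of the disk). The MBRs it examines are constructed in memory; the "bootstrap" bytes and the disk size are placeholders, and the baseline hash is assumed to have been captured before infection.

```python
"""Sanity-check a master boot record (MBR).

Added example; the sample MBRs are built in memory and the bootstrap
bytes are placeholders, not a real boot loader and not a real infection.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 446              # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446            # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511
# Entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
ENTRY = struct.Struct("<B3sB3sII")


def build_sample_mbr(bootcode, entries):
    """Assemble a test MBR from bootstrap bytes and (status, type, lba, count) tuples."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("bootstrap code too long")
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")
    table = b"".join(ENTRY.pack(status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
                     for status, ptype, lba, count in entries)
    return code + table.ljust(4 * ENTRY.size, b"\x00") + BOOT_SIGNATURE


def parse_partitions(mbr):
    """Decode the four partition entries into dicts."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * ENTRY.size
        status, _, ptype, _, lba, count = ENTRY.unpack(mbr[off:off + ENTRY.size])
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba": lba, "count": count})
    return parts


def bootcode_sha256(mbr):
    """Hash of the bootstrap region only; the partition table may legitimately change."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def check_mbr(mbr, baseline_sha256, disk_sectors=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(mbr) != SECTOR_SIZE:
        return ["expected %d bytes, got %d" % (SECTOR_SIZE, len(mbr))]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if bootcode_sha256(mbr) != baseline_sha256:
        findings.append("bootstrap code differs from recorded baseline")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append("%d active partitions (expected exactly 1)" % len(active))
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02x" % (p["index"], p["status"]))
        if p["type"] != 0 and p["count"] == 0:
            findings.append("entry %d: type 0x%02x but zero length" % (p["index"], p["type"]))
        if disk_sectors is not None and p["lba"] + p["count"] > disk_sectors:
            findings.append("entry %d: extends past end of disk" % p["index"])
    # Overlap check over the entries that are actually in use, ordered by start LBA.
    used = sorted((p["lba"], p["lba"] + p["count"], p["index"]) for p in parts if p["type"])
    for (_, end_a, a), (start_b, _, b) in zip(used, used[1:]):
        if start_b < end_a:
            findings.append("entries %d and %d overlap" % (a, b))
    return findings


# Constructed test data: a roughly 74.5 GB disk with one NTFS partition starting at LBA 63.
DISK_SECTORS = 156_301_488
PLACEHOLDER_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 8  # stand-in bytes, not real code
CLEAN_ENTRIES = [(0x80, 0x07, 63, DISK_SECTORS - 63)]
CLEAN_MBR = build_sample_mbr(PLACEHOLDER_BOOTCODE, CLEAN_ENTRIES)
BASELINE = bootcode_sha256(CLEAN_MBR)      # would be recorded while the machine was clean
# Same partition table, different bootstrap bytes: the shape of a bootstrap-code overwrite.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x00" * 14, CLEAN_ENTRIES)

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(mbr, BASELINE, DISK_SECTORS) or "no findings")
```

Against a real machine the 512 bytes come from the first sector of the physical drive, which needs administrative rights to read. The baseline comparison only works if the hash was captured before the infection; when no such baseline exists, a scanner that carries its own knowledge of what legitimate boot code looks like is the alternative, which is the role TDSSKiller plays in this thread.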


#7 fredn
  • Topic Starter
  • Members
  • 15 posts

Posted 07 September 2011 - 12:37 PM

Hi Casey,

I ran the TDSSKiller scan. It found one malicious object, and rebooted.

Here is the log.

Thanks for your help.

Attached Files



#8 Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 07 September 2011 - 12:58 PM

That looks good :) - you should start noticing improvements now.

Download and run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are prompted to install the Recovery Console, then please do so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you have trouble running ComboFix, then please rename ComboFix.exe to Caseyboy.exe and re-run.

Casey

Edited by Casey_boy, 07 September 2011 - 12:59 PM.
spelling

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#9 fredn
  • Topic Starter
  • Members
  • 15 posts

Posted 08 September 2011 - 08:47 AM

Hi Casey,

I ran combofix. It had trouble downloading recovery console but it continued with the scans.

It completed normally and here is the log.

Thanks for your help. If you have a minute, do you have any details about what the trojans that I removed did?

Fred

Attached Files



#10 Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 08 September 2011 - 10:29 AM

Hi Fred,

Quote: "If you have a minute, do you have any details about what the trojans that I removed did?"


I'm not sure what you removed by yourself. If you post the logs then I can have a look. However, I can tell you that we removed (using TDSSKiller) a nasty rootkit which had infected your MBR called TDL4 and that I should have given you this warning actually:

Backdoor TDL4 Warning

I hate to give you bad news but one or more of the identified infections is a backdoor trojan.

Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. In addition to the backdoor Trojan that has been identified, your computer is afflicted with multiple other infections. Although we can make an attempt to clean this machine, we cannot guarantee that it will be secure afterwards. Your best and safest course of action is a reformat and reinstallation of the Windows operating system.

If you do decide to attempt cleaning rather than a reformat, do understand that although we may be able to remove all known visible malware, we cannot guarantee that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, equally we cannot repair the damages it may possibly have caused to vital system files.

Please note that even if we should be successful in removing these infections from your system, it is quite possible that the changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post.


Step 1: If you wish to carry on (and that is entirely up to you), I think ComboFix may have deleted some legitimate files so let's scan those.

Please visit the online Jotti Virus Scanner
  • Browse to the following filepath:

    C:\Qoobox\Quarantine\c\documents and settings\Default User\SendTo\notepad.exe.vir
    C:\Qoobox\Quarantine\c\program files\messenger\msmsgsin.exe.vir

  • Click on the button to submit the file.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.
  • Repeat this for all the files listed above

Step 2: We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *
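
Once the OTL report comes back, the helper reads it line by line for a handful of patterns. As an added example (not OTL's own logic and not part of the original post), the Python below makes that first pass over OTL-style lines: services that are registered but whose file is not found, processes, services and drivers whose executable carries no company name, executables sitting directly in a drive root, and Internet Explorer proxy and start-page settings such as an AutoConfigURL. The sample lines are adapted from the OTL report posted later in this thread; the rules are triage hints for a human to judge, not verdicts (a proxy auto-config script on a managed corporate machine, for instance, can be entirely normal).

```python
"""First-pass triage of OTL-style log lines.

Added example, not OTL's own logic. SAMPLE_LINES are adapted from the
OTL report in this thread; the rules point a human at entries worth a
second look and do not decide anything by themselves.
"""
import re

# "PRC - [stamp] (Company) [state]"  or  "SRV - File not found [state]"
HEAD_RE = re.compile(
    r"^(PRC|SRV|DRV|MOD) - (File not found|\[[^\]]*\])(?: \(([^)]*)\))?(?: \[([^\]]*)\])?$")
# Fields are joined by " -- "; a missing file leaves an empty field (" -- -- ").
# The lookahead keeps the "----" inside the timestamp field from splitting the line.
FIELD_SPLIT_RE = re.compile(r" --(?= |$)")
NAME_RE = re.compile(r"\(([^)]*)\)")
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")          # e.g. C:\something.exe
IE_SETTING_RE = re.compile(r'^IE - (HKU\\[^\\]+)\\.*: "([^"]+)" = (.*)$')
IE_PAGE_RE = re.compile(r"^IE - (HKU\\[^\\]+)\\.*,(Start Page[^=]*?) = (.*)$")


def parse_entry(line):
    """Parse one PRC/SRV/DRV/MOD line into fields; return None for any other line."""
    parts = [p.strip() for p in FIELD_SPLIT_RE.split(line.strip())]
    m = HEAD_RE.match(parts[0])
    if not m:
        return None
    kind, stamp, company, state = m.groups()
    name = NAME_RE.search(parts[2]) if len(parts) > 2 else None
    return {
        "kind": kind,
        "missing": stamp == "File not found",
        "company": company or "",
        "state": state or "",
        "path": parts[1] if len(parts) > 1 else "",
        "name": name.group(1) if name else "",
    }


def triage(lines):
    """Return (category, message) pairs for lines that deserve a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        entry = parse_entry(line)
        if entry:
            label = entry["name"] or entry["path"]
            if entry["missing"]:
                findings.append(("orphan", "%s %s: registered but file not found"
                                 % (entry["kind"], label)))
                continue
            # OTL's MOD section is explicitly "no company name", so only PRC/SRV/DRV count here.
            if entry["kind"] != "MOD" and not entry["company"]:
                findings.append(("no-publisher", "%s %s: no company name in version info (%s)"
                                 % (entry["kind"], label, entry["path"])))
            if ROOT_EXE_RE.match(entry["path"]):
                findings.append(("odd-location", "%s %s: executable directly in drive root (%s)"
                                 % (entry["kind"], label, entry["path"])))
            continue
        m = IE_SETTING_RE.match(line)
        if m:
            hive, key, value = m.groups()
            if key == "AutoConfigURL" and value.strip():
                findings.append(("proxy", "%s: proxy auto-config script %s" % (hive, value)))
            elif key == "ProxyEnable" and value.strip() != "0":
                findings.append(("proxy", "%s: proxy enabled" % hive))
            elif key == "ProxyServer":
                findings.append(("proxy", "%s: proxy server %s" % (hive, value)))
            continue
        m = IE_PAGE_RE.match(line)
        if m:
            hive, key, value = m.groups()
            findings.append(("homepage", "%s: %s = %s" % (hive, key, value)))
    return findings


# Sample input adapted from the OTL report in this thread.
SAMPLE_LINES = [
    r"PRC - [2011/09/08 12:48:18 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\work\hijack\OTL.exe",
    r"PRC - [2008/04/04 23:40:47 | 000,138,240 | ---- | M] (Websense) -- C:\logonapp.exe",
    r"MOD - [2010/03/15 16:57:20 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll",
    r"SRV - File not found [On_Demand | Stopped] -- -- (OnePointDomainAdminService)",
    r"SRV - File not found [Auto | Stopped] -- -- (netsvcs_0x2)",
    r"SRV - [2010/10/14 17:40:16 | 001,349,920 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe -- (tmlisten)",
    r"SRV - [2010/07/23 15:34:26 | 000,345,424 | ---- | M] () [On_Demand | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe -- (TMBMServer)",
    r"DRV - [2007/02/08 08:30:26 | 000,002,401 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AlKernel.sys -- (AlKernel)",
    r'IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    r'IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://inet/proxy_AutoConfig/carswell.pac',
    r"IE - HKU\S-1-5-21-1042883198-748202677-1346798384-195092\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://inet/",
]

if __name__ == "__main__":
    for category, message in triage(SAMPLE_LINES):
        print("%-13s %s" % (category, message))
```

Run it over a full OTL.txt by reading the file into a list of lines. Every hit still needs a human: the orphaned service names may be leftovers from uninstalled enterprise agents, and a driver with no company name can be an old third-party component as easily as anything hostile.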


#11 fredn
  • Topic Starter
  • Members
  • 15 posts

Posted 08 September 2011 - 01:52 PM

Hello Casey,

As you can imagine I am disheartened by your description of the effects of these malwares. I will change my passwords immediately. I'm also surprised when you say there are multiple other infections. I have only used this pc to visit reputable and well-recognized sites (afaik), although of course I understand that is irrelevant, since even reputable sites can get infected.... but still it's surprising...

I do have a further question for you, if you don't mind.

My first symptom of infection was getting either the HDD Repair or PC Repair malware (it hid all my subdirectories) last week. From reading about those malwares, it seems they could be responsible for dropping the rootkit and/or the several trojans we removed.

My question is, is it possible for this TDSS rootkit to have been on my pc prior to last week? The reason I ask, of course, is because I did do banking etc up until last week when I got one of those two mentioned malwares, but no banking etc since then. If they did get any passwords etc, wouldn't they have used them already? I guess I'm just trying to quantify potential threats by knowing how long I've had this infection.

Those two files you mention in your point 1, I put one of them there and the other I'm not concerned about deleting, so we can ignore those.

I did run OTL, and here are the results. At the moment I'm leaning towards trying to remove anything remaining, because I have a lot of stuff on here and it would take a while to re-install everything, but I'd like to know what you see from these two logs and how much effort there would be to continue down this path.

Thanks again for all your work,
Fred

OTL logfile created on: 9/8/2011 12:49:48 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\work\hijack
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: M/d/yyyy

1.96 Gb Total Physical Memory | 0.80 Gb Available Physical Memory | 40.65% Memory free
2.80 Gb Paging File | 1.81 Gb Available in Paging File | 64.69% Paging File free
Paging file location(s): C:\pagefile.sys 1014 2000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 14.74 Gb Free Space | 19.78% Space Free | Partition Type: NTFS
Drive G: | 10.00 Gb Total Space | 3.53 Gb Free Space | 35.35% Space Free | Partition Type: NTFS
Drive N: | 464.00 Gb Total Space | 144.03 Gb Free Space | 31.04% Space Free | Partition Type: NTFS
Drive Q: | 985.78 Gb Total Space | 745.81 Gb Free Space | 75.66% Space Free | Partition Type: NTFS
Drive Y: | 10.00 Gb Total Space | 3.53 Gb Free Space | 35.35% Space Free | Partition Type: NTFS
Drive Z: | 10.00 Gb Total Space | 3.53 Gb Free Space | 35.35% Space Free | Partition Type: NTFS

Computer Name: U3900493-XPA | User Name: u3900493 | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/08 12:48:18 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\work\hijack\OTL.exe
PRC - [2010/10/15 21:54:20 | 000,866,592 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
PRC - [2010/10/14 17:40:16 | 001,349,920 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
PRC - [2010/10/14 17:30:20 | 001,418,672 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
PRC - [2010/07/23 15:34:26 | 000,345,424 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe
PRC - [2010/06/17 07:06:00 | 002,552,064 | ---- | M] (Just Great Software) -- C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
PRC - [2009/09/18 04:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2009/04/02 17:20:04 | 000,435,584 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
PRC - [2009/01/18 20:16:04 | 003,275,264 | ---- | M] (Martin Blume) -- C:\work\chess17\Arena\Arena.exe
PRC - [2008/04/14 05:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/04 23:40:47 | 000,138,240 | ---- | M] (Websense) -- C:\logonapp.exe
PRC - [2008/02/26 17:38:34 | 000,253,952 | ---- | M] (Magic Control Technology Corporation) -- C:\WINDOWS\system32\trutil01.exe
PRC - [2007/08/01 19:21:02 | 000,716,800 | ---- | M] () -- C:\work\chess13\Fruit-2-3-1.exe
PRC - [2007/06/12 17:09:16 | 002,521,880 | ---- | M] (Intel) -- C:\Program Files\Intel\AMT\UNS.exe
PRC - [2007/06/12 17:09:16 | 000,183,064 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchksrv.exe
PRC - [2007/06/12 17:09:14 | 000,408,344 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchk.exe
PRC - [2007/06/12 17:09:14 | 000,109,336 | ---- | M] (Intel) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2007/03/10 05:40:00 | 000,852,009 | ---- | M] (IBM Corporation) -- C:\Program Files\IBM\Client Access\Emulator\pcsws.exe
PRC - [2007/03/10 05:40:00 | 000,017,961 | ---- | M] (IBM Corporation) -- C:\Program Files\IBM\Client Access\Emulator\pcscm.exe
PRC - [2005/01/21 15:07:16 | 000,081,920 | ---- | M] (TerraNovum) -- C:\WINDOWS\system32\PMService.exe


========== Modules (No Company Name) ==========

MOD - [2010/05/10 08:40:42 | 000,870,256 | ---- | M] () -- C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll
MOD - [2010/05/10 08:39:57 | 000,423,784 | ---- | M] () -- C:\WINDOWS\assembly\GAC\office\12.0.0.0__71e9bce111e9429c\office.dll
MOD - [2010/03/15 16:57:20 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2009/09/17 10:50:45 | 000,004,608 | ---- | M] () -- C:\WINDOWS\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\Extensibility.dll
MOD - [2009/02/14 05:04:38 | 000,756,040 | ---- | M] () -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
MOD - [2008/10/26 05:42:14 | 000,065,376 | ---- | M] () -- C:\Program Files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll
MOD - [2007/09/27 11:39:42 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll
MOD - [2007/08/01 19:21:02 | 000,716,800 | ---- | M] () -- C:\work\chess13\Fruit-2-3-1.exe
MOD - [2007/03/10 05:40:00 | 000,172,032 | ---- | M] () -- C:\WINDOWS\system32\cwbrw.dll
MOD - [2007/03/10 05:40:00 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\cwbsv.dll
MOD - [2007/03/10 05:40:00 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\cwbnl.dll
MOD - [2007/03/10 05:40:00 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\cwbco.dll
MOD - [2007/03/10 05:40:00 | 000,016,384 | ---- | M] () -- C:\WINDOWS\system32\cwbad.dll
MOD - [2007/03/09 13:00:00 | 000,069,632 | ---- | M] () -- C:\Program Files\IDM Computer Solutions\UltraEdit-32\ue32ctmn.dll
MOD - [2007/02/09 11:02:28 | 011,411,456 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\8564f563b5d6ce46bdd3964cb7fe3e0a\mscorlib.ni.dll
MOD - [2006/10/27 15:35:18 | 000,436,512 | ---- | M] () -- C:\Program Files\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll
MOD - [2005/05/03 05:40:00 | 000,557,056 | ---- | M] () -- C:\Program Files\IBM\Client Access\Mri2924\pcsmgres.dll
MOD - [2005/05/03 05:40:00 | 000,061,440 | ---- | M] () -- C:\Program Files\IBM\Client Access\Mri2924\cwbcomsg.dll
MOD - [2004/12/14 09:54:12 | 000,081,920 | ---- | M] () -- C:\WINDOWS\system32\cpwmon2k.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (OnePointDomainAdminService)
SRV - File not found [Auto | Stopped] -- -- (netsvcs_0x2)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (AeXNSClient)
SRV - File not found [Auto | Stopped] -- -- (AClient)
SRV - [2010/10/14 17:40:16 | 001,349,920 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe -- (tmlisten)
SRV - [2010/10/14 17:30:20 | 001,418,672 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe -- (ntrtscan)
SRV - [2010/07/23 15:34:26 | 000,345,424 | ---- | M] () [On_Demand | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2010/03/29 08:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2010/01/07 11:42:50 | 000,689,416 | ---- | M] (Trend Micro Inc.) [On_Demand | Stopped] -- C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe -- (TmProxy)
SRV - [2009/09/18 04:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2009/09/18 04:00:00 | 000,246,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)
SRV - [2008/04/14 05:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/14 05:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/04/14 05:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2008/04/14 05:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/06/12 17:09:16 | 002,521,880 | ---- | M] (Intel) [Auto | Running] -- C:\Program Files\Intel\AMT\UNS.exe -- (UNS) Intel®
SRV - [2007/06/12 17:09:16 | 000,183,064 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\atchksrv.exe -- (atchksrv) Intel®
SRV - [2007/06/12 17:09:14 | 000,109,336 | ---- | M] (Intel) [Auto | Running] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel®
SRV - [2007/03/10 05:40:00 | 000,065,585 | ---- | M] (IBM Corporation) [On_Demand | Stopped] -- C:\WINDOWS\cwbrxd.exe -- (Cwbrxd)
SRV - [2005/01/21 15:07:16 | 000,081,920 | ---- | M] (TerraNovum) [Auto | Running] -- C:\WINDOWS\system32\PMService.exe -- (EPA_GPO_PMService) Energy Star™


========== Driver Services (SafeList) ==========

DRV - [2010/10/20 19:45:16 | 000,249,424 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys -- (TmFilter)
DRV - [2010/10/20 19:45:06 | 000,036,432 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\tmpreflt.sys -- (TmPreFilter)
DRV - [2010/10/20 19:30:02 | 001,331,384 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\vsapiNT.sys -- (VSApiNt)
DRV - [2010/07/23 15:25:46 | 000,062,032 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2010/07/23 15:25:38 | 000,052,304 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2010/07/23 15:25:30 | 000,163,920 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2010/07/21 14:46:32 | 000,090,448 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2009/09/18 04:00:00 | 000,020,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2009/02/24 17:43:30 | 000,247,808 | ---- | M] (Magic Control Technology Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xMrMINI.sys -- (xMrMINI)
DRV - [2009/02/24 16:58:58 | 000,253,184 | ---- | M] (Magic Control Technology Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xVGAMINI.sys -- (xVGAMINI)
DRV - [2008/10/20 20:08:06 | 000,012,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smsmdm.sys -- (smsmdd)
DRV - [2008/02/14 09:36:00 | 000,034,944 | ---- | M] (Magic Control Technology Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xvgausb.sys -- (xVGAUSB)
DRV - [2007/06/12 17:05:50 | 000,045,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2007/02/08 08:30:26 | 000,002,401 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AlKernel.sys -- (AlKernel)
DRV - [2006/03/17 18:18:58 | 000,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2006/03/17 18:18:58 | 000,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2005/03/17 17:30:10 | 000,132,608 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/08/03 22:29:28 | 000,327,040 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtaa.sys -- (ati2mtaa)
DRV - [2002/03/07 12:05:43 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 13:48:52 | 000,281,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpaa.sys -- (ati2mpaa)
DRV - [2001/08/08 14:13:36 | 000,158,140 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2001/08/08 14:13:30 | 000,012,479 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV01nt.sys -- (iAimFP0)
DRV - [2001/08/08 14:13:30 | 000,012,031 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV02NT.sys -- (iAimFP1)
DRV - [2001/08/08 14:13:30 | 000,011,679 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV05NT.sys -- (iAimFP2)
DRV - [2001/08/08 14:13:28 | 000,019,359 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wVchNTxx.sys -- (iAimFP4)
DRV - [2001/08/08 14:13:28 | 000,011,999 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wSiINTxx.sys -- (iAimFP3)
DRV - [2001/08/08 14:13:26 | 000,033,503 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV04nt.sys -- (iAimTV3)
DRV - [2001/08/08 14:13:24 | 000,029,215 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV01nt.sys -- (iAimTV0)
DRV - [2001/08/08 14:13:24 | 000,023,519 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys -- (iAimTV4)
DRV - [2001/08/08 14:13:24 | 000,019,199 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV02NT.sys -- (iAimTV1)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://inet/proxy_AutoConfig/carswell.pac

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1042883198-748202677-1346798384-195092\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://inet/
IE - HKU\S-1-5-21-1042883198-748202677-1346798384-195092\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-ca
IE - HKU\S-1-5-21-1042883198-748202677-1346798384-195092\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 04 79 30 A8 A8 FD CA 01 [binary data]
IE - HKU\S-1-5-21-1042883198-748202677-1346798384-195092\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1042883198-748202677-1346798384-195092\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://inet.carswell.com/proxy_autoconfig/carswell.pac

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..network.proxy.ftp: "10.192.4.61"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.gopher: "10.192.4.61"
FF - prefs.js..network.proxy.gopher_port: 8080
FF - prefs.js..network.proxy.http: "10.192.4.61"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.no_proxies_on: ""
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.ssl: "10.192.4.61"
FF - prefs.js..network.proxy.ssl_port: 8080
FF - prefs.js..network.proxy.type: 1

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 1.0.3\Extensions\\Components: C:\Program Files\Mozilla Firefox\Components [2010/05/25 11:03:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 1.0.3\Extensions\\Plugins: C:\Program Files\Mozilla Firefox\Plugins [2011/06/06 15:36:41 | 000,000,000 | ---D | M]

[2010/05/25 11:03:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\u3900493\Application Data\Mozilla\Firefox\Profiles\p3ftn96r.default\extensions
[2010/05/25 11:03:48 | 000,000,000 | ---D | M] (Firefox (default)) -- C:\Documents and Settings\u3900493\Application Data\Mozilla\Firefox\Profiles\p3ftn96r.default\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2011/09/07 09:07:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/26 13:04:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2011/09/07 09:07:24 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2005/05/11 15:27:30 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\defaults\profile\extensions
[2005/05/11 15:27:30 | 000,000,000 | ---D | M] (Firefox (default)) -- C:\Program Files\Mozilla Firefox\defaults\profile\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2005/04/14 18:41:00 | 000,094,208 | ---- | M] () -- C:\Program Files\mozilla firefox\components\BrandRes.dll
[2005/04/14 18:41:00 | 000,150,912 | ---- | M] (Full Circle Software, Inc.) -- C:\Program Files\mozilla firefox\components\fullsoft.dll
[2005/04/14 18:41:00 | 000,041,573 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll
[2005/04/14 18:41:00 | 000,048,223 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll
[2005/04/14 18:41:00 | 000,008,813 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\qfaservices.dll
[2005/04/14 18:41:00 | 000,159,847 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll
[2005/09/02 12:59:53 | 000,823,296 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npdbplug.dll
[2011/05/04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2005/04/14 18:41:00 | 000,000,680 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.png
[2005/04/14 18:41:00 | 000,000,735 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.src
[2005/04/14 18:41:00 | 000,000,356 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.png
[2005/04/14 18:41:00 | 000,000,976 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.src
[2005/04/14 18:41:00 | 000,000,557 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\dictionary.png
[2005/04/14 18:41:00 | 000,000,692 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\dictionary.src
[2005/04/14 18:41:00 | 000,000,210 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.gif
[2005/04/14 18:41:00 | 000,001,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.src
[2005/04/14 18:41:00 | 000,001,076 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.gif
[2005/04/14 18:41:00 | 000,000,687 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.src
[2005/04/14 18:41:00 | 000,000,088 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.gif
[2005/04/14 18:41:00 | 000,001,098 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.src

O1 HOSTS File: ([2011/09/08 09:13:56 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [atchk] C:\Program Files\Intel\AMT\atchk.exe (Intel Corporation)
O4 - HKLM..\Run: [Client Access Service] C:\Program Files\IBM\Client Access\cwbsvstr.exe (IBM Corporation)
O4 - HKLM..\Run: [EPA_EZ_GPO_Tool] C:\WINDOWS\system32\EZ_GPO_Tool.exe (Environmental Protection Agency)
O4 - HKLM..\Run: [IMNNQ] File not found
O4 - HKLM..\Run: [IMNNQ NetQ Web Server] File not found
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [trutil0] C:\WINDOWS\system32\trutil01.exe (Magic Control Technology Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe (RealNetworks, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1042883198-748202677-1346798384-195092\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1042883198-748202677-1346798384-195092\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1042883198-748202677-1346798384-195092\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1042883198-748202677-1346798384-195092\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1042883198-748202677-1346798384-195092\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKU\S-1-5-21-1042883198-748202677-1346798384-195092\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKU\S-1-5-21-1042883198-748202677-1346798384-195092\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogonScripts = 0
O7 - HKU\S-1-5-21-1042883198-748202677-1346798384-195092\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244727302390 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1307387712671 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38210.3238657407 (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://thomsonevents.webex.com/client/v_mywebex-t20/event/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.192.4.33 10.192.4.34
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TLR.Thomson.Com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{03D78A6E-BA0A-4D9E-823F-56BAC841EB8E}: DhcpNameServer = 10.192.4.175 10.192.4.176
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{74A45951-A9D8-4E1A-9754-E4185B93C646}: DhcpNameServer = 10.192.4.22 10.192.4.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{76D83FDF-4F99-4A04-8C8A-505BF71FF675}: DhcpNameServer = 10.192.4.22 10.192.4.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{98533199-A0CE-4C82-890F-21D5E16183CF}: DhcpNameServer = 10.192.4.33 10.192.4.34
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{98533199-A0CE-4C82-890F-21D5E16183CF}: Domain = tlr.thomson.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C94ECD3C-5B53-4B58-A6DE-26CBCB092B16}: DhcpNameServer = 10.192.4.33 10.192.4.34
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{ED24CA21-2D08-4038-9653-09A511ED176C}: DhcpNameServer = 10.192.4.22 10.192.4.21
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/02/14 13:21:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/08 09:02:22 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/09/08 09:02:22 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/09/08 09:02:22 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/09/08 09:02:22 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/09/08 09:02:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/09/08 09:01:56 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/09/08 09:01:55 | 000,000,000 | R--D | C] -- C:\Documents and Settings\u3900493\My Documents\My Videos
[2011/09/08 09:01:55 | 000,000,000 | R--D | C] -- C:\Documents and Settings\u3900493\Start Menu\Programs\Administrative Tools
[2011/09/07 09:07:22 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/09/07 09:07:22 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/09/07 09:07:22 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/08/31 15:27:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\u3900493\Start Menu\Programs\HiJackThis
[2011/08/30 14:50:02 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/08/29 14:34:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\u3900493\Application Data\Malwarebytes
[2011/08/29 14:34:41 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/08/29 14:34:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/08/29 14:34:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/08/29 14:34:33 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/08/29 14:34:33 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/08/18 09:54:30 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\u3900493\Recent
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/08 12:51:06 | 000,016,980 | RHS- | M] () -- C:\Documents and Settings\u3900493\ntuser.pol
[2011/09/08 11:17:07 | 000,001,260 | ---- | M] () -- C:\Documents and Settings\u3900493\Desktop\userids2.dtf
[2011/09/08 11:17:03 | 000,011,100 | ---- | M] () -- C:\Documents and Settings\u3900493\Desktop\userids2.csv
[2011/09/08 11:08:58 | 000,011,092 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2011/09/08 09:42:03 | 000,000,100 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2011/09/08 09:37:47 | 000,498,002 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/09/08 09:37:47 | 000,090,118 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/09/08 09:36:46 | 000,000,496 | ---- | M] () -- C:\WINDOWS\smscfg.ini
[2011/09/08 09:34:27 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/08 09:33:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/08 09:13:56 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/09/08 00:31:07 | 000,016,391 | ---- | M] () -- C:\WINDOWS\cfgall.ini
[2011/09/07 16:39:30 | 000,002,427 | ---- | M] () -- C:\Documents and Settings\u3900493\Desktop\userids.csv
[2011/09/06 12:20:28 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/02 10:28:14 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\u3900493\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007.lnk
[2011/08/31 16:49:41 | 000,018,757 | ---- | M] () -- C:\WINDOWS\UEDIT32.INI
[2011/08/31 15:27:40 | 000,001,990 | ---- | M] () -- C:\Documents and Settings\u3900493\Desktop\HiJackThis.lnk
[2011/08/29 15:44:33 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/08/29 15:31:37 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\u3900493\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/08/18 09:45:53 | 000,000,240 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
[2011/08/18 09:45:53 | 000,000,184 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr
[2011/08/18 09:45:46 | 000,000,336 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/08 09:02:22 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/09/08 09:02:22 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/09/08 09:02:22 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/09/08 09:02:22 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/09/08 09:02:22 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/08/31 15:27:40 | 000,001,990 | ---- | C] () -- C:\Documents and Settings\u3900493\Desktop\HiJackThis.lnk
[2011/08/29 15:31:37 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\u3900493\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/08/18 09:45:53 | 000,000,240 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
[2011/08/18 09:45:53 | 000,000,184 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr
[2011/08/18 09:45:45 | 000,000,336 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz
[2011/06/16 21:21:46 | 000,004,764 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
[2010/12/22 15:58:24 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\U2LEXCH.DLL
[2010/12/22 15:58:24 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\U2LFINRA.DLL
[2010/12/22 15:58:23 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\U25DTS.DLL
[2010/12/22 15:58:23 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\U2LDTS.DLL
[2010/06/14 11:09:12 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\u3900493\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/23 10:10:48 | 000,001,250 | -H-- | C] () -- C:\Documents and Settings\u3900493\Application Data\Access.qat
[2009/07/06 12:27:23 | 000,327,152 | -H-- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/06/25 10:17:40 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/06/05 08:26:06 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4837.dll
[2009/06/05 08:25:15 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\igfxtvcx.dll
[2009/05/20 15:47:27 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\jdde.dll
[2009/05/11 08:33:56 | 000,126,976 | ---- | C] () -- C:\WINDOWS\cwbzip.exe
[2008/12/04 16:22:46 | 000,003,680 | ---- | C] () -- C:\WINDOWS\SC3USER.INI
[2008/12/04 16:22:38 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[2008/12/04 16:22:10 | 000,000,129 | ---- | C] () -- C:\WINDOWS\SCUSER.INI
[2007/06/25 12:43:38 | 000,001,364 | ---- | C] () -- C:\WINDOWS\DKAAG2DD.ini
[2006/11/14 14:45:43 | 000,051,392 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2006/03/02 15:41:33 | 000,001,961 | ---- | C] () -- C:\WINDOWS\Bringer.INI
[2006/02/24 15:09:13 | 000,000,248 | -H-- | C] () -- C:\Program Files\Altiră
[2005/05/11 15:27:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2005/05/11 15:27:37 | 000,099,965 | ---- | C] () -- C:\WINDOWS\UninstallFirefox.exe
[2005/05/11 15:27:22 | 000,003,791 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2005/04/26 14:37:54 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2005/04/26 14:37:54 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\uninscpw.exe
[2005/03/24 14:43:10 | 000,000,057 | ---- | C] () -- C:\WINDOWS\HSASTROL.INI
[2005/03/10 15:57:53 | 000,008,521 | ---- | C] () -- C:\WINDOWS\lmpcl2a.ini
[2005/02/23 17:56:27 | 000,000,873 | ---- | C] () -- C:\WINDOWS\DKAAJ2DD.ini
[2005/02/14 09:23:36 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\cwbrw.dll
[2005/02/03 17:52:51 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\ObjLs400.dll
[2005/02/03 17:48:37 | 000,024,630 | ---- | C] () -- C:\WINDOWS\System32\cwbunplp.exe
[2005/02/03 17:48:16 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\cwbad.dll
[2005/02/03 17:48:15 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\cwbsv.dll
[2005/02/03 17:48:14 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\cwbnldlg.dll
[2004/09/27 14:37:46 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\PMevents.dll
[2004/08/11 10:06:26 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2004/08/11 08:58:50 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2004/08/11 08:58:48 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2004/08/11 08:58:48 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2004/08/11 08:58:44 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2004/08/05 18:32:14 | 000,000,024 | ---- | C] () -- C:\WINDOWS\pccntmon.INI
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/05/11 09:17:36 | 000,018,757 | ---- | C] () -- C:\WINDOWS\UEDIT32.INI
[2004/03/04 17:17:52 | 000,016,391 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2004/03/03 18:55:22 | 000,033,809 | ---- | C] () -- C:\WINDOWS\SETUP1.EXE
[2004/03/03 18:23:47 | 000,000,290 | ---- | C] () -- C:\WINDOWS\PROGTRAN.INI
[2004/03/03 17:59:06 | 000,000,132 | ---- | C] () -- C:\WINDOWS\TRANSITS.INI
[2004/02/25 14:56:46 | 000,636,928 | ---- | C] () -- C:\WINDOWS\dbplugin.exe
[2004/02/25 14:56:45 | 000,823,296 | ---- | C] () -- C:\WINDOWS\npdbplug.dll
[2004/02/12 12:19:09 | 000,002,401 | ---- | C] () -- C:\WINDOWS\System32\drivers\AlKernel.sys
[2004/02/09 18:16:49 | 000,000,007 | ---- | C] () -- C:\WINDOWS\Winset.drv
[2004/02/09 18:16:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\winkey.drv
[2003/12/08 10:43:23 | 000,002,723 | ---- | C] () -- C:\WINDOWS\CSHearts.INI
[2003/11/18 17:40:46 | 000,000,565 | ---- | C] () -- C:\WINDOWS\brioqry6.ini
[2003/11/18 17:40:46 | 000,000,331 | ---- | C] () -- C:\WINDOWS\bqoem.ini
[2003/11/18 17:25:18 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\pg32conv.dll
[2003/06/19 14:40:45 | 000,002,080 | ---- | C] () -- C:\WINDOWS\nutribase.INI
[2003/04/24 16:32:32 | 000,115,712 | ---- | C] () -- C:\WINDOWS\Digital Dragon Uninstaller.exe
[2003/04/24 15:59:21 | 000,000,062 | ---- | C] () -- C:\WINDOWS\chou.ini
[2003/02/26 13:31:34 | 002,256,896 | ---- | C] () -- C:\WINDOWS\System32\GMIW.dll
[2002/11/18 11:39:59 | 000,008,235 | ---- | C] () -- C:\WINDOWS\NETPDISP.INI
[2002/11/18 11:39:59 | 000,000,074 | ---- | C] () -- C:\WINDOWS\NETPCFG.INI
[2002/08/29 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/08/29 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/08/29 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/08/29 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/08/29 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/08/29 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/08/29 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/08/29 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/08/22 09:46:42 | 000,327,680 | ---- | C] () -- C:\WINDOWS\uninstse.exe
[2002/08/22 09:46:42 | 000,098,304 | ---- | C] () -- C:\WINDOWS\iis40lib.dll
[2002/08/22 09:46:42 | 000,040,960 | ---- | C] () -- C:\WINDOWS\setupdll.dll
[2002/07/23 10:36:53 | 000,000,478 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2002/03/06 15:45:50 | 000,000,203 | ---- | C] () -- C:\WINDOWS\electric.ini
[2002/02/27 16:30:48 | 000,020,529 | ---- | C] () -- C:\WINDOWS\System32\cwbwiz.dll
[2002/02/27 16:30:28 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbsy.dll
[2002/02/27 16:30:22 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbnl.dll
[2002/02/27 16:30:19 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbco.dll
[2002/02/27 15:53:11 | 000,251,392 | ---- | C] () -- C:\WINDOWS\System32\Lcoew32.dll
[2002/02/27 15:53:11 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\Lcomgr32.dll
[2002/02/27 15:53:11 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\Lcosck32.dll
[2002/02/27 15:53:11 | 000,001,158 | ---- | C] () -- C:\WINDOWS\Chkver.ini
[2002/02/27 15:53:11 | 000,000,440 | ---- | C] () -- C:\WINDOWS\Vb400.ini
[2002/02/27 15:53:10 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\Implode.dll
[2002/02/27 15:53:09 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\U2lsamp1.dll
[2002/02/27 15:53:06 | 000,043,008 | ---- | C] () -- C:\WINDOWS\System32\Ltfil60n.dll
[2002/02/27 15:53:06 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\Lfwpg60n.dll
[2002/02/27 15:53:05 | 000,110,080 | ---- | C] () -- C:\WINDOWS\System32\Lfpng60n.dll
[2002/02/27 15:53:05 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\Lftif60n.dll
[2002/02/27 15:53:05 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\Lfpcx60n.dll
[2002/02/27 15:53:05 | 000,022,528 | ---- | C] () -- C:\WINDOWS\System32\Lfpct60n.dll
[2002/02/27 15:53:05 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\Lfpsd60n.dll
[2002/02/27 15:53:05 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\Lftga60n.dll
[2002/02/27 15:53:05 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\Lfwmf60n.dll
[2002/02/27 15:53:04 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\Lffax60n.dll
[2002/02/27 15:53:04 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\Lfcmp60n.dll
[2002/02/27 15:53:04 | 000,022,528 | ---- | C] () -- C:\WINDOWS\System32\Lfeps60n.dll
[2002/02/27 15:53:04 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\Lfbmp60n.dll
[2002/02/27 15:53:04 | 000,018,432 | ---- | C] () -- C:\WINDOWS\System32\Lfmsp60n.dll
[2002/02/27 15:53:04 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\Lfmac60n.dll
[2002/02/14 15:16:03 | 000,000,496 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2002/02/14 14:38:54 | 000,000,750 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2002/02/14 14:21:17 | 000,012,351 | ---- | C] () -- C:\WINDOWS\System32\i81xcoin.dll
[2002/02/14 13:43:22 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2002/02/14 13:43:21 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2002/02/14 13:25:04 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2002/02/14 13:17:36 | 000,025,500 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/02/14 06:23:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/02/14 06:22:02 | 000,283,720 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2001/08/23 08:00:00 | 000,498,002 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,090,118 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 213 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D282699C

< End of report >

OTL Extras logfile created on: 9/8/2011 12:49:50 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\work\hijack
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: M/d/yyyy

1.96 Gb Total Physical Memory | 0.80 Gb Available Physical Memory | 40.65% Memory free
2.80 Gb Paging File | 1.81 Gb Available in Paging File | 64.69% Paging File free
Paging file location(s): C:\pagefile.sys 1014 2000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 14.74 Gb Free Space | 19.78% Space Free | Partition Type: NTFS
Drive G: | 10.00 Gb Total Space | 3.53 Gb Free Space | 35.35% Space Free | Partition Type: NTFS
Drive N: | 464.00 Gb Total Space | 144.03 Gb Free Space | 31.04% Space Free | Partition Type: NTFS
Drive Q: | 985.78 Gb Total Space | 745.81 Gb Free Space | 75.66% Space Free | Partition Type: NTFS
Drive Y: | 10.00 Gb Total Space | 3.53 Gb Free Space | 35.35% Space Free | Partition Type: NTFS
Drive Z: | 10.00 Gb Total Space | 3.53 Gb Free Space | 35.35% Space Free | Partition Type: NTFS

Computer Name: U3900493-XPA | User Name: u3900493 | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.scr [@ = ipffile] -- C:\wdsc\CODEEDIT.EXE ()

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\wdsc\system\evfctcpd.exe" = C:\wdsc\system\evfctcpd.exe:*:Enabled:evfctcpd -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04A1E855-4EBF-417D-87FF-2F085CA534A0}" = SEE2 USB 2.0 VGA Adapter (Multiple) 9.02.0311.1153
"{0D1793D4-4772-4D63-9B1E-3A064B4B4CE6}" = IBM WebSphere Development Studio Client
"{15095BF3-A3D7-4DDF-B193-3A496881E003}" = Microsoft .NET Framework 3.0
"{1E8B05CF-BE07-46B7-8C51-66B6F1489A60}" = IBM WebSphere Studio Site Developer 5
"{212C3DB0-F31C-493B-83B5-82D25C8625D8}" = IBM WebSphere Development Studio Client for iSeries
"{2609EDF1-34C4-4B03-B634-55F3B3BC4931}" = Configuration Manager Client
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 26
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{34B8F04F-A38E-43B5-89BB-DD063980214B}" = Reuters Messaging Troubleshooting Tool
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3ACF7A26-1743-4A84-85F1-2450B35925E4}" = Classic Menu for Office
"{41846938-6A9E-488B-9E37-21F7D814ECFA}" = mpmri
"{41846971-6A9E-488B-9E37-21F7D814ECFA}" = mpmri
"{42639657-5C5A-45AF-91F9-275B6E1F0AD9}" = IBM WebSphere Development Studio Client for iSeries
"{42ACDABB-C7AC-4C7E-BB0B-075BFF32D763}" = VB400 Application Suite
"{43B6667D-7520-4186-B05B-F5C0494C495D}" = UltraEdit-32
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{543C369C-5E97-4625-8229-F1D256CD5676}" = IBM WebSphere Development Studio Client for iSeries
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5AE5DB70-5CE6-4876-A83E-8246CC36FC28}" = Microsoft Office PowerPoint 2007 Get Started Tab
"{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes
"{5F48BE9A-FBD9-4023-839E-26101BEDEF74}" = Reuters Messaging 7
"{639159C2-B27B-4208-8965-D8A0AEDBDED2}" = Microsoft .NET Framework 2.0 SDK - ENU
"{68B52EFD-86CC-486E-A8D0-A3A1554CB5BC}" = Microsoft Office Word 2007 Get Started Tab
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{721ABC3B-5F12-4332-9C0C-C11424EF666C}" = WIMGAPI
"{725E1033-B7EE-4D07-9D26-542345A36963}" = HEAT
"{73726B45-FD55-4AA8-852F-4AB3285E6CAC}" = mp
"{7C05EEDD-E565-4E2B-ADE4-0C784C17311C}" = Crystal Reports for .NET Framework 2.0 (x86)
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation
"{831053E0-79D4-11D4-B1C4-0050BAAABBFD}" = WOW Love
"{86EF9EB6-DE10-4ABB-B221-D61972BB3C09}" = Collaboration Data Objects 1.2.1
"{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour
"{8D273DE5-ABFA-4BD0-A9D7-EE9C971438C4}_is1" = PDF-Viewer
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{E437F3AD-E332-4C40-B902-278CF997B977}" =
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{E437F3AD-E332-4C40-B902-278CF997B977}" =
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{E437F3AD-E332-4C40-B902-278CF997B977}" =
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{E437F3AD-E332-4C40-B902-278CF997B977}" =
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{E437F3AD-E332-4C40-B902-278CF997B977}" =
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{E437F3AD-E332-4C40-B902-278CF997B977}" =
"{90120000-00B0-0409-0000-0000000FF1CE}" = Microsoft Save as PDF Add-in for 2007 Microsoft Office programs
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90530409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Standard 2003
"{95120000-0038-0409-0000-0000000FF1CE}" = Time Zone Data Update Tool for Microsoft Office Outlook
"{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}" = Apple Mobile Device Support
"{A7EB2835-45B1-4A0D-A5EA-E9D668F2B4D2}" = SEQUEL FYI
"{A847BFFB-A77E-4D71-A22F-6268EAF1B1AB}" = Altiris Patch Management Agent
"{AB706D91-2242-4E1D-B4D0-1ED35387F5A7}" = Microsoft Office Excel 2007 Get Started Tab
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom Gigabit Integrated Controller
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C458C955-F425-493F-A8C1-DD5C8CCB8B60}" = Arasan 8.4
"{C5B83F18-6959-4760-9879-709E29E75DAF}" = EZ GPO Power Management Config Tool
"{C5C6E763-C360-11D3-9426-0060089CDD83}" = SEQUEL ViewPoint
"{DF985DBB-4AEE-41ED-8B39-13EB5FBA9C41}" = ServiceCenter5.1
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{EE8C39F2-3762-497D-B64A-2EEDEE21E91B}" = DB2.NetProvider
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F2A0AD68-4600-439B-BE3E-73D78836E7E1}" = IBM WebSphere Development Studio Client for iSeries
"{FF47A5F6-DB6A-4A18-A532-47209793267F}" = Astro Calendar
"{FFA2B2B6-3BDE-4728-B404-A16E0F853F6A}" = Microsoft Office Live Meeting 2005
"18ba52e5ad8e834bda6458fab8d7e0ae-406174263" = HP Service Manager 7.01 Client
"ActiveTouchMeetingClient" = WebEx
"Ad-aware 6 Personal" = Ad-aware 6 Personal
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Arena 2.0.1_is1" = Arena 2.0.1
"ClientAccessExpress" = IBM iSeries Access for Windows
"ClientAccessExpressSP" = IBM iSeries Access for Windows SI35287
"CutePDF Writer Installation" = CutePDF Writer 2.3
"Dell Printer Software Uninstall" = Dell Printer Software Uninstall
"Digital Dragon" =
"EditPad Lite" = Just Great Software EditPad Lite 6.6.4
"ESET Online Scanner" = ESET Online Scanner v3
"Fruit Beta 05/11/03_is1" = Fruit Beta 05/11/03
"HDMI" = Intel® Graphics Media Accelerator Driver
"HECI" = Intel Management Engine Interface
"HijackThis" = HijackThis 1.99.1
"I Ching" = I Ching
"IBM Distributed Debugger" = IBM Distributed Debugger
"IBMWebASDeinstall" = IBM WebSphere Application Server
"ie8" = Windows Internet Explorer 8
"Lexmark Printer Software Uninstall" = Lexmark Printer Software Uninstall
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"MemoClip Pro_is1" = MemoClip Pro 1.55
"MESOL" = Intel Active Management Technology
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Microsoft .NET Framework 2.0 SDK - ENU" = Microsoft .NET Framework 2.0 SDK - ENU
"Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0
"Mozilla Firefox (1.0.3)" = Mozilla Firefox (1.0.3)
"nbsr13" = NutriBase SR13 Navigator
"NetDinstKey" = NetPerfector
"OfficeScanNT" = Trend Micro OfficeScan Client
"PROPLUS" = Microsoft Office Professional Plus 2007
"PROSet" = Intel® PRO Network Connections Drivers
"RDC" = RDC
"RealDownload" = RealDownload
"RealJukebox 1.0" = RealJukebox
"RealPlayer 6.0" = RealPlayer Basic
"RichFX Player" = RichFX Player
"Robot Product Maintenance Wizard 1" = Robot Product Maintenance Wizard 1
"RSP_is1" = RSP
"SereneScreen Marine Aquarium Time_is1" = SereneScreen Marine Aquarium Time
"Shockwave" = Shockwave
"Some PDF to Word Converter_is1" = Some PDF to Word Converter 1.5
"ST5UNST #1" = MATCHMKR
"TVWiz" = Intel® TV Wizard
"Visual SourceSafe 6.0" = Microsoft Visual SourceSafe 6.0
"WIC" = Windows Imaging Component
"WinBoard" = WinBoard
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1042883198-748202677-1346798384-195092\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"1fbbb37600375282" = Subscription Transfer Application
"370bde1fd4d57469" = Publication Tracking Application
"878967836d639808" = Set Make-Up Application
"GoToMeeting" = GoToMeeting 4.5.0.452

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/8/2011 9:37:36 AM | Computer Name = U3900493-XPA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 9/8/2011 9:37:36 AM | Computer Name = U3900493-XPA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 9/8/2011 9:37:36 AM | Computer Name = U3900493-XPA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 9/8/2011 9:37:36 AM | Computer Name = U3900493-XPA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 9/8/2011 9:37:37 AM | Computer Name = U3900493-XPA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 9/8/2011 9:37:37 AM | Computer Name = U3900493-XPA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 9/8/2011 9:37:37 AM | Computer Name = U3900493-XPA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 9/8/2011 9:37:37 AM | Computer Name = U3900493-XPA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 9/8/2011 9:37:37 AM | Computer Name = U3900493-XPA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 9/8/2011 9:37:37 AM | Computer Name = U3900493-XPA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

[ OSession Events ]
Error - 5/25/2010 12:06:30 PM | Computer Name = U3900493-XPA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1536
seconds with 240 seconds of active time. This session ended with a crash.

Error - 12/9/2010 3:59:50 PM | Computer Name = U3900493-XPA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 6629
seconds with 960 seconds of active time. This session ended with a crash.

Error - 5/12/2011 7:02:39 AM | Computer Name = U3900493-XPA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 251696
seconds with 6600 seconds of active time. This session ended with a crash.

Error - 7/15/2011 1:00:59 PM | Computer Name = U3900493-XPA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 349094
seconds with 15840 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 9/8/2011 9:33:54 AM | Computer Name = U3900493-XPA | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {D851F103-8C90-4321-AFF0-58BA5BD421C2}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 9/8/2011 9:33:55 AM | Computer Name = U3900493-XPA | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {D851F103-8C90-4321-AFF0-58BA5BD421C2}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 9/8/2011 9:33:55 AM | Computer Name = U3900493-XPA | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {D851F103-8C90-4321-AFF0-58BA5BD421C2}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 9/8/2011 9:34:18 AM | Computer Name = U3900493-XPA | Source = Service Control Manager | ID = 7000
Description = The Altiris Client Service service failed to start due to the following
error: %%2

Error - 9/8/2011 9:34:18 AM | Computer Name = U3900493-XPA | Source = Service Control Manager | ID = 7000
Description = The Altiris Agent service failed to start due to the following error:
%%2

Error - 9/8/2011 9:34:18 AM | Computer Name = U3900493-XPA | Source = Service Control Manager | ID = 7023
Description = The KdXt$sQ` HKc`lhkY=x86 Family 15 service terminated with
the following error: %%126

Error - 9/8/2011 9:34:18 AM | Computer Name = U3900493-XPA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
CCDevice

Error - 9/8/2011 9:35:24 AM | Computer Name = U3900493-XPA | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM
Service service to connect.

Error - 9/8/2011 9:35:24 AM | Computer Name = U3900493-XPA | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1053

Error - 9/8/2011 9:37:00 AM | Computer Name = U3900493-XPA | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.


< End of report >
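One way to triage an OTL log like the one above programmatically, as an added example that is not part of any post in this thread and is not OTL's own code: the script below parses the section headers, registry keys and `"name" = value` lines OTL prints and flags the items a responder looks at first in this log (both firewall profiles with `EnableFirewall` = 0, TCP 3389 globally open in both, a firewall exception for a binary OTL prints with no company name, and the alternate data stream on `...\Application Data\TEMP` that the fix script in the next post removes). The embedded sample is a constructed excerpt copied from the log in this thread; the severity labels and the `triage`/`report` names are the example's own.

```python
"""Triage an OTL log for the security-relevant lines in a thread like this one.

Added example: not OTL's code and not from any post in this thread.  It parses
the '========== Section ==========' blocks OTL prints and flags what a responder
checks first: a firewall profile with EnableFirewall = 0, globally open ports,
firewall exceptions for binaries OTL prints with no company name ('()'),
alternate data streams, and Security Center notification flags set to 1.
"""
import re
from collections import namedtuple

# Constructed sample: an excerpt copied from the OTL output posted above.
SAMPLE_LOG = r"""
========== Alternate Data Streams ==========

@Alternate Data Stream - 213 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D282699C

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\wdsc\system\evfctcpd.exe" = C:\wdsc\system\evfctcpd.exe:*:Enabled:evfctcpd -- ()
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+)$")
PROFILE_RE = re.compile(r"FirewallPolicy\\(\w+Profile)")
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}

Finding = namedtuple("Finding", "severity section detail")


def triage(log_text: str) -> list:
    """Walk the log once, tracking the current section and registry key."""
    findings = []
    section = key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, key = m.group(1), ""
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        if m := ADS_RE.match(line):
            # Explorer and a plain directory listing never show a stream, so any
            # ADS OTL reports deserves a look before it is deleted.
            findings.append(Finding("HIGH", section, f"{m.group(1)}-byte ADS on {m.group(2)}"))
            continue
        if not (m := VALUE_RE.match(line)):
            continue
        name, value = m.group(1), m.group(2).strip()
        pm = PROFILE_RE.search(key)
        profile = pm.group(1) if pm else "?"
        if name == "EnableFirewall" and value == "0":
            findings.append(Finding("HIGH", section, f"Windows Firewall disabled for {profile}"))
        elif name == "DisableNotifications" and value == "1":
            findings.append(Finding("MEDIUM", section, f"firewall notifications disabled for {profile}"))
        elif key.endswith(r"GloballyOpenPorts\List"):
            findings.append(Finding("MEDIUM", section, f"port {name} open to any source in {profile}"))
        elif key.endswith(r"AuthorizedApplications\List"):
            # OTL prints the file's company name in parentheses; '()' means it has none.
            sev = "MEDIUM" if value.endswith("()") else "INFO"
            findings.append(Finding(sev, section, f"firewall exception for {name}"))
        elif name.endswith("DisableNotify") and value == "1":
            findings.append(Finding("MEDIUM", section, f"Security Center alerts suppressed: {name}"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable: log order kept within a level
    return findings


def report(findings) -> str:
    """One line per finding, highest severity first."""
    return "\n".join(f"[{f.severity:<6}] {f.section}: {f.detail}" for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Two caveats when reading the result. `EnableFirewall` under `SharedAccess\Parameters\FirewallPolicy` is the effective state, and the `Policies\Microsoft\WindowsFirewall` keys in this log carry no values, so the firewall is off by local configuration rather than by a firewall GPO; on a managed workstation (this one has Configuration Manager and Altiris agents in its uninstall list) that can still be an administrator's choice, so confirm it before treating it as tampering. The ADS line is the stronger lead: nothing legitimate in `All Users\Application Data` needs a named stream on a TEMP entry, which is why the fix in the next post deletes it.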

#12 Casey_boy
    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 08 September 2011 - 02:37 PM

Hi Fred,

From the logs it looks as though the first signs of malware on your PC arrived on the 18th August. However, there is no way to know when exactly TDL4 appeared. You're right though, the trojans were probably the source of the TDL4 infection. I'll give you some steps later on which may help to prevent this in the future.

Your log doesn't look too bad now.

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the textbox.
    :otl
    O4 - HKLM..\Run: [IMNNQ] File not found
    O4 - HKLM..\Run: [IMNNQ NetQ Web Server] File not found
    O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38210.3238657407 (Reg Error: Key error.)
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    [2011/08/18 09:45:53 | 000,000,240 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
    [2011/08/18 09:45:53 | 000,000,184 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr
    [2011/08/18 09:45:46 | 000,000,336 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz
    @Alternate Data Stream - 213 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D282699C
    
    :commands
    [EMPTYTEMP]
    [CREATERESTOREPOINT]
    [REBOOT]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.

How is your PC now running?

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#13 fredn
  • Topic Starter
  • Members
  • 15 posts

Posted 09 September 2011 - 08:49 AM

Hello Casey,
To answer your last question first, the PC is running much better - it's snappy and no more popups.

I had a problem with running your last instruction though. I pasted the info into OTL and pressed Run Fix. At the bottom it said "Killing Processes Do Not Interrupt". It stayed like that for about half an hour with no perceived activity, then my screensaver kicked in and when I returned to the display I only saw my desktop. I waited another half an hour and then hard booted.

I had exited everything except the browser.

Should I try again?

As a side note, it's odd that they would install harmful malware such as TDL4 and then advertise their presence by having popups etc.... unless that was just coincidental.

Thanks,
Fred

#14 Casey_boy
    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 09 September 2011 - 10:55 AM

Hi,

Could you try it again please?

If that doesn't work could you try running the script from within Safe Mode? (If you don't know what that is or how to access it, let me know).

Casey



#15 fredn
  • Topic Starter
  • Members
  • 15 posts

Posted 09 September 2011 - 11:57 AM

Hi,

I will try again first thing on Monday morning.... won't have time during the weekend...

talk to you then...

Fred



