
Browser Redirect Virus


  • This topic is locked
10 replies to this topic

#1 GDubbs

GDubbs

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:49 PM

Posted 14 March 2012 - 02:59 PM

Good Afternoon,

My IE9 browser redirects my Google and Bing searches. I enter my search term, then the results generate. When I click on the result I intend to visit, the browser redirects me to one of any number of unhelpful or unrelated sites. When I am directly navigating to pages (by typing address in manually), I frequently receive a message that my browser has stopped working and must be restarted.

Any help that can be provided is greatly appreciated.

Thanks,
GDubbs

DDS:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by greg at 15:39:11 on 2012-03-14
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3710.2085 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Common Files\SPBA\upeksvr.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Advanced Monitoring Agent\winagent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\ADVANC~1\patchman\lnssatt.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Windows\system32\PrintCtrl.exe
C:\Windows\system32\PrintDisp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Windows\System32\PrintDisp.exe
C:\Program Files\DYMO\DYMO Label Software\DLSService.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\ProgramData\devicexml.exe
C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\PNP4\pnplus4.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\rundll32.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://extpga01.chubb.com/login
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [DymoQuickPrint] "c:\program files\dymo\dymo label software\DymoQuickPrint.exe" /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [devicexml] c:\programdata\devicexml.exe
uRun: [utilsrv] c:\users\greg\appdata\roaming\utilsrv.exe
uRun: [Update] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\microsoft\klzgc.dll",DllRegisterServer
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [<NO NAME>]
mRun: [PrintDisp] c:\windows\system32\PrintDisp.exe
mRun: [DLSService] "c:\program files\dymo\dymo label software\DLSService.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [devicexml] c:\programdata\devicexml.exe
mRun: [utilsrv] c:\users\greg\appdata\roaming\utilsrv.exe
dRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe
dRun: [devicexml] c:\programdata\devicexml.exe
dRun: [utilsrv] c:\windows\system32\config\systemprofile\appdata\roaming\utilsrv.exe
dRun: [Update] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\microsoft\klzgc.dll",DllRegisterServer
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pinkno~1.lnk - c:\program files\pnp4\pnplus4.exe
mPolicies-explorer: NoNTSecurity = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: SoftwareSASGeneration = 3 (0x3)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://chubb.webex.com/client/WBXclient-T27L10NSP25-10481/training/ieatgpc1.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.1.4
TCP: Interfaces\{B4D49782-E219-44C5-B105-91662838C6E8} : DhcpNameServer = 192.168.1.4
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: spba - c:\program files\common files\spba\homefus2.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 Advanced Monitoring Agent;Advanced Monitoring Agent;c:\program files\advanced monitoring agent\winagent.exe [2011-7-21 1902080]
R2 gfi_lanss10_attservice;GFI LANguard 10 Attendant Service;c:\progra~1\advanc~1\patchman\lnssatt.exe [2011-5-9 175472]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-5-17 13336]
R2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [2011-6-3 69632]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-6-3 1775344]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2011-5-17 224424]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-11 106104]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxWatch12OEM.exe [2010-11-25 219632]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-5-26 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-03-14 16:12:19 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-12 13:22:38 68632 ----a-w- c:\users\greg\appdata\roaming\utilsrv.exe
2012-03-12 12:53:09 68632 ----a-w- c:\programdata\devicexml.exe
2012-03-09 19:17:38 -------- d-----w- c:\users\greg\appdata\roaming\Malwarebytes
2012-03-09 19:17:32 -------- d-----w- c:\programdata\Malwarebytes
2012-03-09 19:17:31 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-09 19:17:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-08 20:56:29 -------- d-----w- c:\users\greg\appdata\roaming\SUPERAntiSpyware.com
2012-03-08 20:55:44 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-08 20:55:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-19 22:06:33 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-02-19 22:06:17 690688 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 23:45:04 478720 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 23:44:57 442880 ----a-w- c:\windows\system32\ntshrui.dll
.
==================== Find3M ====================
.
2012-01-09 18:56:27 60304 ----a-w- c:\users\greg\g2mdlhlpx.exe
.
============= FINISH: 15:39:43.69 ===============



GMER:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-14 15:58:51
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST325031 rev.JC47
Running: cd36ilps.exe; Driver: C:\Users\greg\AppData\Local\Temp\axddqpoc.sys


---- System - GMER 1.0.15 ----

SSDT 88509D98 ZwAlertResumeThread
SSDT 88509E58 ZwAlertThread
SSDT 882CB3E0 ZwAllocateVirtualMemory
SSDT 882D9940 ZwConnectPort
SSDT 88509B08 ZwCreateMutant
SSDT 88455168 ZwCreateThread
SSDT 884F2D50 ZwFreeVirtualMemory
SSDT 88509BF8 ZwImpersonateAnonymousToken
SSDT 88509CD8 ZwImpersonateThread
SSDT 883D4540 ZwMapViewOfSection
SSDT 88509A28 ZwOpenEvent
SSDT 884B00B0 ZwOpenProcessToken
SSDT 884F2348 ZwOpenThreadToken
SSDT 8839D5C0 ZwResumeThread
SSDT 8832D518 ZwSetContextThread
SSDT 884F2418 ZwSetInformationProcess
SSDT 884F21F0 ZwSetInformationThread
SSDT 88509948 ZwSuspendProcess
SSDT 884F2F90 ZwSuspendThread
SSDT 883BB710 ZwTerminateProcess
SSDT 88504710 ZwTerminateThread
SSDT 88504BE0 ZwUnmapViewOfSection
SSDT 884F27D8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82A82369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ABBD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 82AC2D90 8 Bytes [98, 9D, 50, 88, 58, 9E, 50, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82AC2DA8 4 Bytes [E0, B3, 2C, 88] {LOOPNZ 0xffffffffffffffb5; SUB AL, 0x88}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82AC2E48 4 Bytes [40, 99, 2D, 88]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82AC2E84 4 Bytes [08, 9B, 50, 88]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 82AC2EB8 4 Bytes [68, 51, 45, 88]
.text ...
? C:\Users\greg\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!EnableWindow 75728D02 5 Bytes JMP 675A9A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxParamW 75743B9B 5 Bytes JMP 6750170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxIndirectParamW 75753B7F 5 Bytes JMP 676F6336 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxParamA 7576CF42 5 Bytes JMP 676F62D1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxIndirectParamA 7576D274 5 Bytes JMP 676F639B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxIndirectA 7577E869 5 Bytes JMP 676F6258 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxIndirectW 7577E963 5 Bytes JMP 676F61DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxExA 7577E9C9 5 Bytes JMP 676F617B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxExW 7577E9ED 5 Bytes JMP 676F6117 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] kernel32.dll!CreateThread 764BDCC2 5 Bytes JMP 67567303 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!EnableWindow 75728D02 5 Bytes JMP 675A9A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!CallNextHookEx 7572ABE1 5 Bytes JMP 675C7BAF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!UnhookWindowsHookEx 7572ADF9 5 Bytes JMP 675EEB00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!DefWindowProcA 7572BB1C 7 Bytes JMP 6756952D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!CreateWindowExA 7572BF40 5 Bytes JMP 67573363 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!SetWindowsHookExW 7572E30C 5 Bytes JMP 675A2194 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!CreateWindowExW 7572EC7C 5 Bytes JMP 675CFF87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!DefWindowProcW 7573507D 7 Bytes JMP 675C7C12 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!DialogBoxParamW 75743B9B 5 Bytes JMP 6750170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!DialogBoxIndirectParamW 75753B7F 5 Bytes JMP 676F6336 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!DialogBoxParamA 7576CF42 5 Bytes JMP 676F62D1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!DialogBoxIndirectParamA 7576D274 5 Bytes JMP 676F639B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!MessageBoxIndirectA 7577E869 5 Bytes JMP 676F6258 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!MessageBoxIndirectW 7577E963 5 Bytes JMP 676F61DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!MessageBoxExA 7577E9C9 5 Bytes JMP 676F617B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] USER32.dll!MessageBoxExW 7577E9ED 5 Bytes JMP 676F6117 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6132] ole32.dll!OleLoadFromStream 75C86143 5 Bytes JMP 676F6B0F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1J1V0XDG\ariz340[1].jpg 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1J1V0XDG\bang_ac[1].jpg 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1J1V0XDG\120x45lq2odjorw[1].jpg 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1J1V0XDG\ErrorPageTemplate[1] 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LVBU0HLO\script_300_250[1].js 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LVBU0HLO\92x55l3k48oy1k[1].jpg 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LVBU0HLO\xml[1].htm 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LVBU0HLO\background_gradient[1] 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LVBU0HLO\default[2].jpg 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LVBU0HLO\down[2] 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U72KSWII\httpErrorPagesScripts[2] 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U72KSWII\img_4c56a417[1].jpg 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U72KSWII\img_ac7875fd[1].jpg 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U72KSWII\info_48[1] 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U72KSWII\yfpad_100818[1].js 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U72KSWII\bullet[2] 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U72KSWII\dnserrordiagoff_webOC[1] 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U72KSWII\down[1] 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U72KSWII\errorPageStrings[1] 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y0QR8YEK\1sinisevm_sm[1].jpg 0 bytes
File C:\Users\greg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y0QR8YEK\default[8].jpg 0 bytes
File C:\Users\greg\AppData\Roaming\Microsoft\Windows\Cookies\H2UAEXNX.txt 168 bytes

---- EOF - GMER 1.0.15 ----
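As an added defender-side triage example (not part of this thread, and not code from the DDS tool's authors), the script below scans DDS "Pseudo HJT Report" lines such as the ones posted above for four of the indicator types present in this log: autorun entries launched from ProgramData, AppData or the service profile directory, UAC policies set to 0, an LSA authentication package beyond the default msv1_0, and Hosts-file entries that point search engines at non-loopback addresses. The sample lines are copied from the posted DDS log; the category names, the directory list and the regexes are my own choices, and the tool name `scan_report` is hypothetical.

```python
"""Triage helper: flag hijack indicators in DDS 'Pseudo HJT Report' lines.

Added example for this thread. The sample lines below are copied from the
DDS log posted above; the rules are assumptions chosen for illustration.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Lines copied from the DDS report in post #1 (sample input, not a live scan).
SAMPLE_REPORT = r"""
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [devicexml] c:\programdata\devicexml.exe
uRun: [utilsrv] c:\users\greg\appdata\roaming\utilsrv.exe
uRun: [Update] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\microsoft\klzgc.dll",DllRegisterServer
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
dRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
LSA: Authentication Packages = msv1_0 wvauth
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
"""

# Directories from which a Run-key autorun is unusual on a managed workstation
# (assumption: tune this list for your own environment).
SUSPECT_DIRS = ("\\programdata\\", "\\appdata\\", "\\systemprofile\\")
# Policy values meaning UAC prompting has been switched off entirely.
UAC_WEAK_VALUES = {"EnableLUA": "0",
                   "ConsentPromptBehaviorAdmin": "0",
                   "PromptOnSecureDesktop": "0"}
# The only authentication package a default Windows install lists here.
KNOWN_AUTH_PACKAGES = {"msv1_0"}

RUN_RE = re.compile(r"^[umd]Run:\s+\[[^\]]*\]\s*(.*)$")
POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s*=\s*(\d+)")
LSA_RE = re.compile(r"^LSA:\s+Authentication Packages\s*=\s*(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")


def scan_report(text: str) -> List[Tuple[str, str]]:
    """Return (category, line) pairs for every line that trips a rule."""
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            # Compare the whole command string, so a rundll32 line loading a
            # DLL from a suspect directory is caught as well as a bare path.
            cmd = m.group(1).lower()
            if any(d in cmd for d in SUSPECT_DIRS):
                findings.append(("autorun", line))
            continue

        m = POLICY_RE.match(line)
        if m and UAC_WEAK_VALUES.get(m.group(1)) == m.group(2):
            findings.append(("uac", line))
            continue

        m = LSA_RE.match(line)
        if m:
            # Any package beyond msv1_0 deserves a look; on this box it is 'wvauth'.
            if set(m.group(1).split()) - KNOWN_AUTH_PACKAGES:
                findings.append(("lsa", line))
            continue

        m = HOSTS_RE.match(line)
        if m:
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue
            # Legitimate hosts entries map names to loopback or 0.0.0.0; an
            # external address for a search engine is a classic redirect hijack.
            if not (ip.is_loopback or ip.is_unspecified):
                findings.append(("hosts", line))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per category for a quick overview."""
    return dict(Counter(cat for cat, _ in findings))


if __name__ == "__main__":
    hits = scan_report(SAMPLE_REPORT)
    for cat, line in hits:
        print(f"[{cat:7}] {line}")
    print(summarize(hits))
```

Run against the sample it reports ten hits: four autoruns (devicexml.exe, utilsrv.exe, the rundll32 klzgc.dll entry and dplaysvr.exe), three UAC policy values, the extra `wvauth` LSA package, and the two Hosts lines. The search-redirect symptom described in post #1 matches the Hosts entries directly, which is why a helper will want that section cleared and the autoruns removed before re-testing; the script only points at the lines, it changes nothing on disk.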


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:49 PM

Posted 14 March 2012 - 05:05 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Also, download OTL by OldTimer from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Quick Scan button and allow it to do its thing.
  • Once complete, it should open two Notepad Windows - OTL.Txt and Extras.Txt
  • It should also save copies in the same location as OTL.
  • I want you to copy and paste the contents of OTL.txt that should appear into one reply and Extras.Txt into another.
  • The length of the two logs sometimes results in the end being chopped off if you post both in one reply.

So long, and thanks for all the fish.

 

 


#3 GDubbs

GDubbs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:49 PM

Posted 15 March 2012 - 09:59 AM

OTL.txt:

OTL logfile created on: 3/15/2012 10:53:03 AM - Run 1
OTL by OldTimer - Version 3.2.36.3 Folder = C:\Users\greg\Desktop
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.62 Gb Total Physical Memory | 1.68 Gb Available Physical Memory | 46.41% Memory free
7.24 Gb Paging File | 5.08 Gb Available in Paging File | 70.10% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.09 Gb Total Space | 171.67 Gb Free Space | 77.65% Space Free | Partition Type: NTFS
Drive F: | 507.36 Gb Total Space | 346.19 Gb Free Space | 68.23% Space Free | Partition Type: NTFS
Drive G: | 507.36 Gb Total Space | 346.19 Gb Free Space | 68.23% Space Free | Partition Type: NTFS
Drive H: | 507.36 Gb Total Space | 346.19 Gb Free Space | 68.23% Space Free | Partition Type: NTFS
Drive I: | 507.36 Gb Total Space | 346.19 Gb Free Space | 68.23% Space Free | Partition Type: NTFS
Drive P: | 507.36 Gb Total Space | 346.19 Gb Free Space | 68.23% Space Free | Partition Type: NTFS
Drive S: | 279.39 Gb Total Space | 187.48 Gb Free Space | 67.10% Space Free | Partition Type: NTFS
Drive T: | 74.44 Gb Total Space | 53.82 Gb Free Space | 72.31% Space Free | Partition Type: NTFS
Drive Z: | 507.36 Gb Total Space | 346.19 Gb Free Space | 68.23% Space Free | Partition Type: NTFS

Computer Name: BRRPGQ1 | User Name: greg | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/15 10:51:12 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Users\greg\Desktop\OTL.scr
PRC - [2012/03/12 08:53:08 | 000,068,632 | ---- | M] () -- C:\ProgramData\devicexml.exe
PRC - [2012/03/07 17:27:25 | 003,905,920 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2012/02/14 15:34:00 | 001,902,080 | ---- | M] (Remote Monitoring) -- C:\Program Files\Advanced Monitoring Agent\winagent.exe
PRC - [2011/11/13 07:53:42 | 002,996,592 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2tray.exe
PRC - [2011/11/13 07:53:40 | 000,946,032 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe
PRC - [2011/11/13 07:53:36 | 002,120,048 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2pre.exe
PRC - [2011/11/13 07:53:28 | 001,687,408 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2comm.exe
PRC - [2011/08/11 19:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2011/06/28 16:10:32 | 001,011,784 | ---- | M] (Applied Systems, Inc.) -- G:\WINTAM\HOMEBASE.EXE
PRC - [2011/06/03 16:20:44 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2011/06/03 16:20:43 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2011/06/03 16:20:37 | 001,831,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2011/06/03 16:20:37 | 001,447,240 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2011/06/03 16:20:36 | 001,775,344 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2011/05/12 14:19:46 | 002,815,280 | ---- | M] (Apres Systems Inc) -- \\Etserver\APRES\ETFile\ETFile.exe
PRC - [2011/05/12 14:19:38 | 000,177,456 | ---- | M] (eTFile) -- S:\ETFile\eToolbar.exe
PRC - [2011/05/09 12:37:06 | 000,175,472 | ---- | M] (GFI Software Development Ltd.) -- C:\Program Files\Advanced Monitoring Agent\patchman\lnssatt.exe
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/01/03 03:29:50 | 000,976,896 | ---- | M] (ActMask Co.,Ltd - http://www.all2pdf.com) -- C:\Windows\System32\PrintDisp.exe
PRC - [2010/11/20 17:29:19 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/10/16 17:10:52 | 002,336,104 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
PRC - [2010/09/15 12:14:36 | 000,057,168 | ---- | M] (UPEK Inc.) -- C:\Program Files\Common Files\SPBA\upeksvr.exe
PRC - [2010/04/29 05:04:12 | 000,069,632 | ---- | M] (ActMask Co.,Ltd - HTTP://WWW.ALL2PDF.COM) -- C:\Windows\System32\PrintCtrl.exe
PRC - [2010/03/11 00:22:04 | 000,599,408 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
PRC - [2010/03/11 00:21:16 | 000,300,400 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\concentr.exe
PRC - [2010/03/03 21:16:06 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
PRC - [2010/03/03 21:16:04 | 000,284,696 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
PRC - [2009/06/13 00:10:26 | 001,882,360 | ---- | M] (Sanford, L.P.) -- C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe
PRC - [2009/06/13 00:07:48 | 000,055,808 | ---- | M] (Sanford, L.P.) -- C:\Program Files\DYMO\DYMO Label Software\DLSService.exe
PRC - [2008/06/11 22:43:26 | 000,640,376 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2008/04/04 13:54:32 | 000,627,168 | ---- | M] (Alpha Media, Inc.«) -- C:\Program Files\PNP4\pnplus4.exe
PRC - [2001/08/10 18:06:26 | 001,326,592 | ---- | M] (ScanSoft, Inc.) -- C:\Windows\System32\ICRSRV32.EXE


========== Modules (No Company Name) ==========

MOD - [2012/03/15 08:42:36 | 000,052,736 | ---- | M] () -- C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll
MOD - [2012/03/15 08:42:35 | 000,065,024 | ---- | M] () -- C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
MOD - [2012/03/12 08:53:08 | 000,068,632 | ---- | M] () -- C:\ProgramData\devicexml.exe
MOD - [2012/03/08 16:56:36 | 000,117,760 | ---- | M] () -- C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
MOD - [2012/03/08 16:56:36 | 000,052,224 | ---- | M] () -- C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
MOD - [2012/02/19 18:09:18 | 002,297,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\f01c5c76d0a19516a37b7bd191a02cda\System.Core.ni.dll
MOD - [2012/02/19 18:07:40 | 000,452,608 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\5be773440afa1e1f565f9021d8fd9730\IAStorUtil.ni.dll
MOD - [2012/02/19 18:05:40 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\a1c4a635721f85bef0ea4194b888b871\System.Runtime.Remoting.ni.dll
MOD - [2012/02/19 18:05:40 | 000,628,224 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\3fccda0d4dd150a217c2798e39e97a48\System.EnterpriseServices.ni.dll
MOD - [2012/02/19 18:05:39 | 006,611,456 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\eedf95f16a7e81ca43dd8accf11498a3\System.Data.ni.dll
MOD - [2012/02/19 18:05:39 | 000,627,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\9e8dfbd1334d30a08ce1f2df29ca9aff\System.Transactions.ni.dll
MOD - [2012/02/19 18:05:17 | 012,433,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6c51e152e7404188914c9fa4d8503ff9\System.Windows.Forms.ni.dll
MOD - [2012/02/19 18:05:11 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\ab87129c2b603f218e4aa5300c9b1bdd\System.Drawing.ni.dll
MOD - [2012/02/19 18:05:07 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\9866d1f6178e1cde25642f1ac293ff8d\System.Xml.ni.dll
MOD - [2012/02/19 18:05:03 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\e620323cacb5b6bfd93fd28d263440e4\System.Configuration.ni.dll
MOD - [2012/02/19 18:02:54 | 003,347,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\47b9e7f070271ff50f988f75ea68fa3e\WindowsBase.ni.dll
MOD - [2012/02/19 18:02:50 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\faf4e8730ecbd07570111bb7c3b20565\System.ni.dll
MOD - [2011/10/25 15:16:57 | 000,044,032 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\17b4308b0e6d35c1230135ed25fffbfe\stdole.ni.dll
MOD - [2011/10/25 15:10:25 | 011,490,304 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
MOD - [2011/10/05 04:52:30 | 000,756,048 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE12\MSPTLS.DLL
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/08/03 10:51:50 | 001,520,128 | ---- | M] () -- C:\WINTAM\ASTAMSVR.DLL
MOD - [2011/07/29 15:39:36 | 000,477,184 | ---- | M] () -- C:\WINTAM\ASTAMDEF.DLL
MOD - [2011/07/23 03:02:21 | 000,423,784 | ---- | M] () -- C:\Windows\assembly\GAC\office\12.0.0.0__71e9bce111e9429c\office.dll
MOD - [2011/06/22 11:46:12 | 000,434,016 | ---- | M] () -- C:\Program Files\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll
MOD - [2011/06/03 16:10:01 | 000,151,552 | ---- | M] () -- C:\Users\greg\AppData\Local\assembly\dl3\CNDCCZ5D.9GX\V5RT8VE4.MD1\21e630fd\000178f7_2938c701\Interop.Office.DLL
MOD - [2011/06/03 16:04:34 | 000,495,616 | ---- | M] () -- C:\Users\greg\AppData\Local\assembly\dl3\CNDCCZ5D.9GX\V5RT8VE4.MD1\4a0e0db1\003cd0ff_2938c701\Interop.Word.DLL
MOD - [2011/06/03 16:04:34 | 000,442,368 | ---- | M] () -- C:\Users\greg\AppData\Local\assembly\dl3\CNDCCZ5D.9GX\V5RT8VE4.MD1\aae53444\00d446f6_2938c701\Interop.MSProject.DLL
MOD - [2011/06/03 16:04:34 | 000,286,720 | ---- | M] () -- C:\Users\greg\AppData\Local\assembly\dl3\CNDCCZ5D.9GX\V5RT8VE4.MD1\7df00ddc\00880bfb_2938c701\Interop.Outlook.DLL
MOD - [2011/06/03 16:04:34 | 000,204,800 | ---- | M] () -- C:\Users\greg\AppData\Local\assembly\dl3\CNDCCZ5D.9GX\V5RT8VE4.MD1\3f47a2dc\00b53cfc_2938c701\Interop.PowerPoint.DLL
MOD - [2011/06/03 16:04:33 | 000,950,272 | ---- | M] () -- C:\Users\greg\AppData\Local\assembly\dl3\CNDCCZ5D.9GX\V5RT8VE4.MD1\09f50017\003165e4_2938c701\Interop.Excel.DLL
MOD - [2011/06/03 13:48:46 | 000,004,608 | ---- | M] () -- C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\Extensibility.dll
MOD - [2011/06/03 13:48:38 | 000,920,376 | ---- | M] () -- C:\Windows\assembly\GAC\Microsoft.Office.Interop.Outlook\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Outlook.dll
MOD - [2011/05/12 14:19:00 | 000,169,264 | ---- | M] () -- s:\ETFile\eTSecDB.dll
MOD - [2011/05/11 21:08:08 | 000,083,248 | ---- | M] () -- s:\ETFile\etConnection.dll
MOD - [2011/05/11 16:09:40 | 000,054,576 | ---- | M] () -- \\Etserver\APRES\ETFile\eTAIConnection.dll
MOD - [2011/05/11 15:51:08 | 000,030,000 | ---- | M] () -- \\Etserver\APRES\ETFile\eTFolderSec.dll
MOD - [2011/05/11 15:51:00 | 000,091,440 | ---- | M] () -- \\Etserver\APRES\ETFile\eTSecMngr.dll
MOD - [2011/05/11 15:50:12 | 000,046,384 | ---- | M] () -- \\Etserver\APRES\ETFile\etfpreq.dll
MOD - [2011/04/29 15:54:42 | 000,342,528 | ---- | M] () -- C:\WINTAM\TAMI18N.DLL
MOD - [2010/11/20 17:29:11 | 002,927,616 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2010/08/23 16:44:22 | 000,075,080 | ---- | M] () -- s:\ETFile\eTFileCrypto.dll
MOD - [2010/01/29 18:24:02 | 000,471,040 | ---- | M] () -- C:\Windows\System32\adxloader.dll
MOD - [2009/06/13 00:06:58 | 000,090,112 | ---- | M] () -- C:\Program Files\DYMO\DYMO Label Software\DYMO.Common.dll
MOD - [2009/06/10 17:23:19 | 000,261,632 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2009/02/26 13:46:56 | 000,064,344 | ---- | M] () -- C:\Program Files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll
MOD - [2008/06/11 22:32:28 | 002,666,496 | ---- | M] () -- C:\Program Files\Adobe\Acrobat 9.0\PDFMaker\Common\AdobePDFMakerX.dll
MOD - [2008/03/11 12:00:34 | 000,520,192 | ---- | M] () -- \\Etserver\APRES\ETFile\eTPDF.dll
MOD - [2004/10/27 21:54:22 | 000,212,992 | ---- | M] () -- C:\Windows\System32\OCRSDK.dll
MOD - [2001/08/17 09:32:58 | 000,165,528 | ---- | M] () -- C:\WINTAM\VSSPELL6.OCX
MOD - [2000/05/27 22:28:50 | 000,051,712 | ---- | M] () -- C:\Windows\System32\OCROCX.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/02/14 15:34:00 | 001,902,080 | ---- | M] (Remote Monitoring) [Auto | Running] -- C:\Program Files\Advanced Monitoring Agent\winagent.exe -- (Advanced Monitoring Agent)
SRV - [2011/11/13 07:53:40 | 000,946,032 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC)
SRV - [2011/08/11 19:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/06/03 16:20:44 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2011/06/03 16:20:44 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2011/06/03 16:20:37 | 001,831,928 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2011/06/03 16:20:37 | 000,345,416 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2011/06/03 16:20:36 | 001,775,344 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2011/06/03 15:56:56 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/05/26 14:04:59 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2011/05/09 12:37:06 | 000,175,472 | ---- | M] (GFI Software Development Ltd.) [Auto | Running] -- C:\Program Files\Advanced Monitoring Agent\patchman\lnssatt.exe -- (gfi_lanss10_attservice)
SRV - [2010/11/25 06:34:18 | 000,219,632 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe -- (RoxWatch12)
SRV - [2010/11/25 06:33:18 | 001,116,656 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe -- (RoxMediaDB12OEM)
SRV - [2010/11/03 17:12:58 | 001,477,632 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe -- (SecureStorageService)
SRV - [2010/10/16 17:10:52 | 002,336,104 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe -- (TdmService)
SRV - [2010/07/13 15:02:32 | 001,629,696 | ---- | M] () [Auto | Stopped] -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2010/04/29 05:04:12 | 000,069,632 | ---- | M] (ActMask Co.,Ltd - HTTP://WWW.ALL2PDF.COM) [Auto | Running] -- C:\Windows\System32\PrintCtrl.exe -- (Printer Control)
SRV - [2010/03/03 21:16:06 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel®
SRV - [2009/07/13 21:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 12:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (SABProcEnum)
DRV - [2012/02/03 05:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/02/03 05:00:00 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/08/04 04:00:00 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20120313.020\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/08/04 04:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20120313.020\NAVENG.SYS -- (NAVENG)
DRV - [2011/07/22 12:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 17:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/06/03 16:22:02 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/06/03 16:20:45 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2011/06/03 16:20:44 | 000,320,560 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2011/06/03 16:20:44 | 000,281,648 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)
DRV - [2011/06/03 16:20:33 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/06/03 16:20:33 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2011/06/03 16:20:30 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2010/11/20 17:29:24 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 17:29:03 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 17:29:03 | 000,027,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV - [2010/04/06 04:36:20 | 000,224,424 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1k6232.sys -- (e1kexpress) Intel®
DRV - [2010/02/03 01:10:32 | 000,030,880 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\iqvw32.sys -- (NAL)
DRV - [2009/12/29 18:52:40 | 009,532,488 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/06/04 14:14:00 | 000,026,608 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\PBADRV.sys -- (PBADRV)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {D380E05A-D94A-4C3E-A2D5-EFC776EC26F3}
IE - HKLM\..\SearchScopes\{D380E05A-D94A-4C3E-A2D5-EFC776EC26F3}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://extpga01.chubb.com/login
IE - HKCU\..\SearchScopes,DefaultScope = {815EACC6-97A0-4091-8B6F-810ED40E6189}
IE - HKCU\..\SearchScopes\{815EACC6-97A0-4091-8B6F-810ED40E6189}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)


O1 HOSTS File: ([2012/03/12 07:55:11 | 000,000,882 | RH-- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 94.63.147.16 www.google.com
O1 - Hosts: 94.63.147.17 www.bing.com
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [devicexml] C:\ProgramData\devicexml.exe ()
O4 - HKLM..\Run: [DLSService] C:\Program Files\DYMO\DYMO Label Software\DLSService.exe (Sanford, L.P.)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [PrintDisp] C:\Windows\System32\PrintDisp.exe (ActMask Co.,Ltd - http://www.all2pdf.com)
O4 - HKLM..\Run: [utilsrv] C:\Users\greg\AppData\Roaming\utilsrv.exe ()
O4 - HKCU..\Run: [devicexml] C:\ProgramData\devicexml.exe ()
O4 - HKCU..\Run: [DymoQuickPrint] C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe (Sanford, L.P.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [Update] C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\klzgc.dll (eMajix.com, Inc.)
O4 - HKCU..\Run: [utilsrv] C:\Users\greg\AppData\Roaming\utilsrv.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNTSecurity = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SoftwareSASGeneration = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadblocker.com/activex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://chubb.webex.com/client/WBXclient-T27L10NSP25-10481/training/ieatgpc1.cab (GpcContainer Class)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LBC.ASI
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B4D49782-E219-44C5-B105-91662838C6E8}: DhcpNameServer = 192.168.1.4
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\spba: DllName - (C:\Program Files\Common Files\SPBA\homefus2.dll) - C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (wvauth) - C:\Windows\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/06/03 15:30:55 | 000,000,192 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/15 10:51:10 | 000,594,944 | ---- | C] (OldTimer Tools) -- C:\Users\greg\Desktop\OTL.scr
[2012/03/15 08:55:02 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/03/14 13:26:20 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\greg\Desktop\dds.scr
[2012/03/14 12:12:19 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/03/09 15:17:38 | 000,000,000 | ---D | C] -- C:\Users\greg\AppData\Roaming\Malwarebytes
[2012/03/09 15:17:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/03/09 15:17:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/03/09 15:17:31 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/03/09 15:17:31 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/03/08 16:56:29 | 000,000,000 | ---D | C] -- C:\Users\greg\AppData\Roaming\SUPERAntiSpyware.com
[2012/03/08 16:55:44 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/03/08 16:55:44 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware

========== Files - Modified Within 30 Days ==========

[2012/03/15 10:51:12 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Users\greg\Desktop\OTL.scr
[2012/03/15 08:48:39 | 000,026,448 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/15 08:48:39 | 000,026,448 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/15 08:46:05 | 001,119,254 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/03/15 08:46:05 | 000,277,388 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/03/15 08:41:21 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/15 08:41:12 | 2917,343,232 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/14 15:42:36 | 000,302,592 | ---- | M] () -- C:\Users\greg\Desktop\cd36ilps.exe
[2012/03/14 13:26:22 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\greg\Desktop\dds.scr
[2012/03/13 17:12:37 | 000,025,170 | ---- | M] () -- C:\Users\greg\Documents\Miranda PC9 10 Qaire.pdf
[2012/03/13 15:42:36 | 000,041,676 | ---- | M] () -- C:\Users\greg\Documents\Lundqvist YCF Revised.pdf
[2012/03/13 14:53:51 | 000,041,609 | ---- | M] () -- C:\Users\greg\Documents\Lundqvist YCF.pdf
[2012/03/13 09:44:36 | 000,031,510 | ---- | M] () -- C:\Users\greg\Documents\Lundqvist Quick Quote.pdf
[2012/03/12 10:07:10 | 000,634,337 | ---- | M] () -- C:\Users\greg\Documents\Sozio Home PURE Quote No Auto.pdf
[2012/03/12 10:00:06 | 000,634,443 | ---- | M] () -- C:\Users\greg\Documents\Sozio Home PURE Quote.pdf
[2012/03/12 09:58:55 | 000,001,105 | ---- | M] () -- C:\Users\greg\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2012/03/12 09:22:15 | 000,001,409 | ---- | M] () -- C:\Users\greg\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/03/12 09:06:23 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2012/03/12 08:53:08 | 000,068,632 | ---- | M] () -- C:\Users\greg\AppData\Roaming\utilsrv.exe
[2012/03/12 08:53:08 | 000,068,632 | ---- | M] () -- C:\ProgramData\devicexml.exe
[2012/03/09 19:12:59 | 000,039,187 | ---- | M] () -- C:\Users\greg\Documents\Madrazo Pacheco Revised YCF.pdf
[2012/03/09 18:18:04 | 000,007,382 | ---- | M] () -- C:\Users\greg\Documents\Mercuris South Tower Qaire.pdf
[2012/03/09 14:12:04 | 000,003,178 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2012/03/08 16:55:48 | 000,001,963 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/03/08 16:49:09 | 000,352,128 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/03/08 15:15:49 | 000,272,461 | ---- | M] () -- C:\Users\greg\Documents\Miranda Lloyds Application.pdf
[2012/03/06 10:19:20 | 000,032,085 | ---- | M] () -- C:\Users\greg\Documents\Greenwald YCF.pdf
[2012/03/01 12:16:35 | 000,015,448 | ---- | M] () -- C:\Users\greg\Documents\Sherlund Changes Options.pdf
[2012/02/29 11:28:32 | 003,522,206 | ---- | M] () -- C:\Users\greg\Documents\Sherlund OCRd INLM list.pdf
[2012/02/24 12:46:38 | 000,469,497 | ---- | M] () -- C:\Users\greg\Documents\Levy ACE Marine Quick Quote Form.pdf
[2012/02/22 15:04:40 | 000,423,043 | ---- | M] () -- C:\Users\greg\Documents\ACE marine quick quote form.pdf
[2012/02/22 09:16:25 | 000,017,411 | ---- | M] () -- C:\Users\greg\Documents\Dougherty Vickers Amended Cert.pdf
[2012/02/22 09:15:26 | 000,033,972 | ---- | M] () -- C:\Users\greg\Documents\Dougherty LBC net Invoice.pdf
[2012/02/22 09:14:41 | 000,034,098 | ---- | M] () -- C:\Users\greg\Documents\Dougherty Zurich Endst.pdf
[2012/02/16 17:39:12 | 000,025,601 | ---- | M] () -- C:\Users\greg\Documents\Selander Island Lane Summary.pdf
[2012/02/15 16:04:13 | 000,064,067 | ---- | M] () -- C:\Users\greg\Documents\Gosnell Certificate 2.pdf
[2012/02/15 16:04:02 | 000,063,983 | ---- | M] () -- C:\Users\greg\Documents\Gosnell Certificate 1.pdf
[2012/02/15 16:01:07 | 000,031,536 | ---- | M] () -- C:\Users\greg\Documents\Gosnell Certificate 3.pdf
[2012/02/15 14:56:19 | 000,013,111 | ---- | M] () -- C:\Users\greg\Documents\Osherow Covg Update.pdf
[2012/02/15 14:56:02 | 000,019,497 | ---- | M] () -- C:\Users\greg\Documents\Osherow Renewal.pdf
[2012/02/15 13:01:37 | 000,028,878 | ---- | M] () -- C:\Users\greg\Documents\Chubb Annotated Certificate of Insurance.pdf
[2012/02/15 12:59:45 | 000,025,908 | ---- | M] () -- C:\Users\greg\Documents\Chubb Certificate of Insurance.pdf
[2012/02/14 17:22:22 | 003,386,076 | ---- | M] () -- C:\Users\greg\Documents\NYS_storm_surge_zones.pdf

========== Files Created - No Company Name ==========

[2012/03/14 15:42:36 | 000,302,592 | ---- | C] () -- C:\Users\greg\Desktop\cd36ilps.exe
[2012/03/13 17:12:37 | 000,025,170 | ---- | C] () -- C:\Users\greg\Documents\Miranda PC9 10 Qaire.pdf
[2012/03/13 15:42:36 | 000,041,676 | ---- | C] () -- C:\Users\greg\Documents\Lundqvist YCF Revised.pdf
[2012/03/13 14:53:51 | 000,041,609 | ---- | C] () -- C:\Users\greg\Documents\Lundqvist YCF.pdf
[2012/03/13 09:44:36 | 000,031,510 | ---- | C] () -- C:\Users\greg\Documents\Lundqvist Quick Quote.pdf
[2012/03/12 10:07:10 | 000,634,337 | ---- | C] () -- C:\Users\greg\Documents\Sozio Home PURE Quote No Auto.pdf
[2012/03/12 09:22:38 | 000,068,632 | ---- | C] () -- C:\Users\greg\AppData\Roaming\utilsrv.exe
[2012/03/12 09:06:23 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2012/03/12 08:53:09 | 000,068,632 | ---- | C] () -- C:\ProgramData\devicexml.exe
[2012/03/09 19:12:59 | 000,039,187 | ---- | C] () -- C:\Users\greg\Documents\Madrazo Pacheco Revised YCF.pdf
[2012/03/09 18:18:04 | 000,007,382 | ---- | C] () -- C:\Users\greg\Documents\Mercuris South Tower Qaire.pdf
[2012/03/08 16:55:48 | 000,001,963 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/03/08 15:14:15 | 000,272,461 | ---- | C] () -- C:\Users\greg\Documents\Miranda Lloyds Application.pdf
[2012/03/06 10:19:20 | 000,032,085 | ---- | C] () -- C:\Users\greg\Documents\Greenwald YCF.pdf
[2012/03/01 12:16:35 | 000,015,448 | ---- | C] () -- C:\Users\greg\Documents\Sherlund Changes Options.pdf
[2012/02/29 11:28:32 | 003,522,206 | ---- | C] () -- C:\Users\greg\Documents\Sherlund OCRd INLM list.pdf
[2012/02/22 15:17:43 | 000,469,497 | ---- | C] () -- C:\Users\greg\Documents\Levy ACE Marine Quick Quote Form.pdf
[2012/02/22 09:16:25 | 000,017,411 | ---- | C] () -- C:\Users\greg\Documents\Dougherty Vickers Amended Cert.pdf
[2012/02/22 09:15:26 | 000,033,972 | ---- | C] () -- C:\Users\greg\Documents\Dougherty LBC net Invoice.pdf
[2012/02/22 09:14:41 | 000,034,098 | ---- | C] () -- C:\Users\greg\Documents\Dougherty Zurich Endst.pdf
[2012/02/17 17:07:24 | 000,634,443 | ---- | C] () -- C:\Users\greg\Documents\Sozio Home PURE Quote.pdf
[2012/02/16 17:39:12 | 000,025,601 | ---- | C] () -- C:\Users\greg\Documents\Selander Island Lane Summary.pdf
[2012/02/15 16:01:07 | 000,031,536 | ---- | C] () -- C:\Users\greg\Documents\Gosnell Certificate 3.pdf
[2012/02/15 16:00:54 | 000,064,067 | ---- | C] () -- C:\Users\greg\Documents\Gosnell Certificate 2.pdf
[2012/02/15 16:00:35 | 000,063,983 | ---- | C] () -- C:\Users\greg\Documents\Gosnell Certificate 1.pdf
[2012/02/15 14:56:19 | 000,013,111 | ---- | C] () -- C:\Users\greg\Documents\Osherow Covg Update.pdf
[2012/02/15 14:56:02 | 000,019,497 | ---- | C] () -- C:\Users\greg\Documents\Osherow Renewal.pdf
[2012/02/15 13:01:37 | 000,028,878 | ---- | C] () -- C:\Users\greg\Documents\Chubb Annotated Certificate of Insurance.pdf
[2012/02/15 12:59:45 | 000,025,908 | ---- | C] () -- C:\Users\greg\Documents\Chubb Certificate of Insurance.pdf
[2012/02/14 17:22:22 | 003,386,076 | ---- | C] () -- C:\Users\greg\Documents\NYS_storm_surge_zones.pdf
[2011/11/30 14:27:00 | 000,000,122 | ---- | C] () -- C:\Windows\BSCForms.ini
[2011/10/17 16:35:14 | 000,153,544 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2011/07/22 16:30:48 | 000,007,606 | ---- | C] () -- C:\Users\greg\AppData\Local\Resmon.ResmonCfg
[2011/06/13 09:05:50 | 000,000,071 | ---- | C] () -- C:\Windows\bi_group.ini
[2011/06/03 16:10:31 | 000,000,092 | ---- | C] () -- C:\Users\greg\AppData\Local\fusioncache.dat
[2011/06/03 15:39:12 | 000,000,037 | ---- | C] () -- C:\Windows\iltwain.ini
[2011/06/03 15:28:13 | 000,212,992 | ---- | C] () -- C:\Windows\System32\OCRSDK.dll
[2011/06/03 15:28:13 | 000,147,455 | ---- | C] () -- C:\Windows\System32\OCRSDK.dat
[2011/06/03 15:28:13 | 000,051,712 | ---- | C] () -- C:\Windows\System32\OCROCX.dll
[2011/06/03 15:28:13 | 000,006,894 | ---- | C] () -- C:\Windows\System32\OCRSDK.ini
[2011/06/03 14:51:26 | 000,227,840 | ---- | C] () -- C:\Windows\System32\ASLotus.dll
[2011/06/03 14:51:26 | 000,211,456 | ---- | C] () -- C:\Windows\System32\Blicefax.drv
[2011/06/03 14:51:26 | 000,178,944 | ---- | C] () -- C:\Windows\System32\Tiff.dll
[2011/06/03 14:51:25 | 000,122,880 | ---- | C] () -- C:\Windows\System32\ASAPI.dll
[2011/06/03 13:53:12 | 001,391,616 | ---- | C] () -- C:\Windows\System32\ActPDF.dll
[2011/06/03 13:53:06 | 000,691,200 | ---- | C] () -- C:\Windows\System32\PrintLog.exe
[2011/06/03 13:53:06 | 000,524,288 | ---- | C] () -- C:\Windows\System32\PrtPass.exe
[2011/06/03 13:52:26 | 000,000,558 | ---- | C] () -- C:\Windows\ricdb.ini
[2011/06/03 13:52:04 | 000,338,944 | ---- | C] () -- C:\Windows\System32\lffpx7.dll
[2011/06/03 13:52:04 | 000,122,880 | ---- | C] () -- C:\Windows\System32\LFKODAK.DLL
[2011/06/03 13:52:03 | 000,106,496 | ---- | C] () -- C:\Windows\System32\W001T32W.DLL
[2011/06/03 13:30:33 | 000,003,178 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/05/17 15:30:23 | 000,080,368 | ---- | C] () -- C:\Windows\System32\pbadrvdll.dll
[2011/01/11 18:05:18 | 000,008,592 | ---- | C] () -- C:\Windows\System32\ractrlkeyhook.dll
[2010/11/20 17:29:26 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2010/10/01 16:56:28 | 000,087,040 | ---- | C] () -- C:\Windows\System32\Internationalization_th.dll
[2010/10/01 16:56:28 | 000,074,752 | ---- | C] () -- C:\Windows\System32\Internationalization_zh-HK.dll
[2010/10/01 16:56:26 | 000,089,088 | ---- | C] () -- C:\Windows\System32\Internationalization_sl.dll
[2010/10/01 16:56:24 | 000,089,088 | ---- | C] () -- C:\Windows\System32\Internationalization_sk.dll
[2010/10/01 16:56:22 | 000,090,112 | ---- | C] () -- C:\Windows\System32\Internationalization_hr.dll
[2010/10/01 16:56:20 | 000,088,064 | ---- | C] () -- C:\Windows\System32\Internationalization_tr.dll
[2010/10/01 16:56:18 | 000,091,648 | ---- | C] () -- C:\Windows\System32\Internationalization_ro.dll
[2010/10/01 16:56:18 | 000,091,648 | ---- | C] () -- C:\Windows\System32\Internationalization_pt-BR.dll
[2010/10/01 16:56:16 | 000,091,136 | ---- | C] () -- C:\Windows\System32\Internationalization_hu.dll
[2010/10/01 16:56:14 | 000,084,480 | ---- | C] () -- C:\Windows\System32\Internationalization_he.dll
[2010/10/01 16:56:12 | 000,089,088 | ---- | C] () -- C:\Windows\System32\Internationalization_fi.dll
[2010/10/01 16:56:10 | 000,095,744 | ---- | C] () -- C:\Windows\System32\Internationalization_el.dll
[2010/10/01 16:56:10 | 000,090,112 | ---- | C] () -- C:\Windows\System32\Internationalization_cs.dll
[2010/10/01 16:56:08 | 000,086,016 | ---- | C] () -- C:\Windows\System32\Internationalization_ar.dll
[2010/10/01 16:56:06 | 000,074,752 | ---- | C] () -- C:\Windows\System32\Internationalization_zh-CHT.dll
[2010/10/01 16:56:06 | 000,074,240 | ---- | C] () -- C:\Windows\System32\Internationalization_zh-CHS.dll
[2010/10/01 16:56:04 | 000,090,624 | ---- | C] () -- C:\Windows\System32\Internationalization_sv.dll
[2010/10/01 16:56:02 | 000,090,112 | ---- | C] () -- C:\Windows\System32\Internationalization_ru.dll
[2010/10/01 16:56:00 | 000,093,184 | ---- | C] () -- C:\Windows\System32\Internationalization_pt.dll
[2010/10/01 16:56:00 | 000,092,160 | ---- | C] () -- C:\Windows\System32\Internationalization_pl.dll
[2010/10/01 16:55:58 | 000,088,576 | ---- | C] () -- C:\Windows\System32\Internationalization_no.dll
[2010/10/01 16:55:56 | 000,096,256 | ---- | C] () -- C:\Windows\System32\Internationalization_nl.dll
[2010/10/01 16:55:56 | 000,078,848 | ---- | C] () -- C:\Windows\System32\Internationalization_ko.dll
[2010/10/01 16:55:54 | 000,080,384 | ---- | C] () -- C:\Windows\System32\Internationalization_ja.dll
[2010/10/01 16:55:52 | 000,093,696 | ---- | C] () -- C:\Windows\System32\Internationalization_it.dll
[2010/10/01 16:55:50 | 000,093,696 | ---- | C] () -- C:\Windows\System32\Internationalization_fr.dll
[2010/10/01 16:55:50 | 000,093,184 | ---- | C] () -- C:\Windows\System32\Internationalization_es.dll
[2010/10/01 16:55:46 | 000,094,720 | ---- | C] () -- C:\Windows\System32\Internationalization_de.dll
[2010/10/01 16:55:44 | 000,091,648 | ---- | C] () -- C:\Windows\System32\Internationalization_da.dll
[2010/09/30 09:49:10 | 000,012,800 | ---- | C] () -- C:\Windows\System32\Wavx_ESC_Logging.dll
[2010/08/19 18:18:20 | 001,008,640 | ---- | C] () -- C:\Windows\System32\DemoLicense.dll

========== LOP Check ==========

[2011/06/03 15:53:29 | 000,000,000 | ---D | M] -- C:\Users\greg\AppData\Roaming\ICAClient
[2012/03/15 09:01:58 | 000,000,000 | ---D | M] -- C:\Users\greg\AppData\Roaming\RPost
[2011/10/25 14:03:46 | 000,000,000 | ---D | M] -- C:\Users\greg\AppData\Roaming\webex
[2012/03/12 15:57:32 | 000,020,858 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

OTL Extras.txt:

OTL Extras logfile created on: 3/15/2012 10:53:03 AM - Run 1
OTL by OldTimer - Version 3.2.36.3 Folder = C:\Users\greg\Desktop
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.62 Gb Total Physical Memory | 1.68 Gb Available Physical Memory | 46.41% Memory free
7.24 Gb Paging File | 5.08 Gb Available in Paging File | 70.10% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.09 Gb Total Space | 171.67 Gb Free Space | 77.65% Space Free | Partition Type: NTFS
Drive F: | 507.36 Gb Total Space | 346.19 Gb Free Space | 68.23% Space Free | Partition Type: NTFS
Drive G: | 507.36 Gb Total Space | 346.19 Gb Free Space | 68.23% Space Free | Partition Type: NTFS
Drive H: | 507.36 Gb Total Space | 346.19 Gb Free Space | 68.23% Space Free | Partition Type: NTFS
Drive I: | 507.36 Gb Total Space | 346.19 Gb Free Space | 68.23% Space Free | Partition Type: NTFS
Drive P: | 507.36 Gb Total Space | 346.19 Gb Free Space | 68.23% Space Free | Partition Type: NTFS
Drive S: | 279.39 Gb Total Space | 187.48 Gb Free Space | 67.10% Space Free | Partition Type: NTFS
Drive T: | 74.44 Gb Total Space | 53.82 Gb Free Space | 72.31% Space Free | Partition Type: NTFS
Drive Z: | 507.36 Gb Total Space | 346.19 Gb Free Space | 68.23% Space Free | Partition Type: NTFS

Computer Name: BRRPGQ1 | User Name: greg | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{023D64D7-E7B4-47C7-BE6E-B7C2E8960D08}" = Citrix online plug-in (Web)
"{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software Installer
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0CCAF47C-E428-48C2-82B2-5F25CE1D67DA}" = Gemalto
"{17504ED4-DB08-40A8-81C2-27D8C01581DA}" = Windows Live Remote Service Resources
"{19A4A990-5343-4FF7-B3B5-6F046C091EDF}" = Windows Live Remote Client
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{227E8782-B2F4-4E97-B0EE-49DE9CC1C0C0}" = Windows Live Remote Service
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java™ 6 Update 26
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{2EECD5EF-5095-467C-B80C-4AB3096EFD60}" = SPBA 5.9
"{3138EAD3-700B-4A10-B617-B3F8096EE30D}" = Dell Edoc Viewer
"{3250260C-7A95-4632-893B-89657EB5545B}" = PhotoShowExpress
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{39DA39E8-73BF-4E09-80A1-BBE1623876A4}" = eTFile
"{3A6BE9F4-5FC8-44BB-BE7B-32A29607FEF6}" = Preboot Manager
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel® Rapid Storage Technology
"{464B3406-A4D0-4914-910F-7CA4380DCC13}" = Windows Live Remote Client Resources
"{47611CAC-79A7-4ED6-8DF8-BA9FDCD98102}" = Symantec Endpoint Protection Client
"{4E4E65EE-C456-45AC-B5AD-C62C3A325BD0}" = Dell Data Protection | Access | Drivers
"{4E60E212-3177-4B16-BCB3-616CCC52357D}" = Upek Touchchip Fingerprint Reader
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{58F4D4FD-1814-4068-B316-C28FC776C6DD}" = GoToMyPC
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
"{5D56359C-92E3-4306-A48D-7F95B8D0D48D}" = GFI LANguard 10 Agent
"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup
"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{68E1BAC6-F79F-43C4-AF03-A89F53F748D3}" = Microsoft XML Parser
"{6AC87FB3-ACFC-4416-890C-8976D5A9B371}" = Trusted Drive Manager
"{6F0BBEFE-BE1C-419B-BA1F-D36C9E7915BC}" = Roxio Creator Starter
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7206B668-FEE0-455B-BB1F-9B5A2E0EC94A}" = Custom
"{75E0B85A-085F-4BA3-B2BF-1995AFD8024D}" = NTRU TCG Software Stack
"{7746BFAA-2B5D-4FFD-A0E8-4558F4668105}" = Roxio Burn
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7AAA00C4-26E6-4EC0-8069-955B0A9D6009}" = Intel® Network Connections 15.2.89.0
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{7DE09674-ABB9-4272-8756-46B86C79C35E}" = ScrewDrivers Client v4
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{841CBDD5-4BB5-403E-AEE3-2FADC3890BE8}" = Dell Data Protection | Access | Middleware
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A81F719-56E6-4042-889B-5CC7D6714B96}" = RPostOffice
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_STANDARD_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_STANDARD_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_STANDARD_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_STANDARD_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARD_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_STANDARD_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_STANDARD_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_STANDARD_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_STANDARD_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{9A00EC4E-27E1-42C4-98DD-662F32AC8870}" = Sonic CinePlayer Decoder Pack
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A6A8F17-6E83-48EC-B35F-5D8968411AA8}" = fax@vantage
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{9DAED4FC-2B0E-4F3F-8141-F2ABF02CCFCB}" = BioAPI Framework
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A121EEDE-C68F-461D-91AA-D48BA226AF1C}" = Roxio Activation Module
"{A32F592F-AA0E-49AF-8E85-A0A25AF83314}" = Wave Infrastructure Installer
"{A357CF2C-C34E-448D-80C6-61A9109260E9}" = eTFile - MS Office AddIn
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A7D91856-258D-4C87-8041-B170851CE432}" = Dell Data Protection | Access
"{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9.5
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{ABBA2EA4-740E-4052-902B-9CA70B081E3F}" = Dell Data Protection | Access
"{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AC76BA86-1033-F400-7760-000000000004}{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
"{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}" = DirectX 9 Runtime
"{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth
"{BD3068DE-D53B-4CE8-B2BC-32E1323441CD}" = PC-CCID
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E30E7561-A466-4393-B8BF-FD93E733EF3C}" = Microsoft Office Live Meeting 2007
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"{EF56258E-0326-48C5-A86C-3BAC26FC15DF}" = Roxio Creator Starter
"{F06B5C4C-8D2E-4B24-9D43-7A45EEC6C878}" = Roxio Creator Starter
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F6D6B258-E3CA-4AAC-965A-68D3E3140A8C}" = iTunes
"{F839C6BD-E92E-48FA-9CE6-7BFAF94F7096}" = DellAccess
"{F8665452-6154-48AC-89FA-F7D1235E604C}" = fax@vantage Print Driver (NT32)
"{F8A9085D-4C7A-41a9-8A77-C8998A96C421}" = Intel® Control Center
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"9512AA21B791B05A54E27065C45BBC417AB282DF" = Windows Driver Package - Dell Inc. PBADRV System (09/11/2009 1.0.1.6)
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Advanced Monitoring Agent_is1" = Advanced Monitoring Agent
"Boston Software Form Viewer Workstation" = Boston Software Form Viewer Workstation
"DYMO Label v.8" = DYMO Label v.8
"ESET Online Scanner" = ESET Online Scanner v3
"IDCardGenerate" = IDCardGenerate
"InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9.5
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"PinkNotes™ Plus 4.60" = PinkNotes™ Plus 4.60
"PROSetDX" = Intel® Network Connections 15.2.89.0
"STANDARD" = Microsoft Office Standard 2007
"WinLiveSuite" = Windows Live Essentials
"WinRater Form Viewer" = WinRater Form Viewer

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Adobe Connect Add-in" = Adobe Connect Add-in
"GoToMeeting" = GoToMeeting 5.0.0.799

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

#4 GDubbs (Topic Starter)

Posted 15 March 2012 - 11:57 AM

ESET results below.

An interesting thing happened with the ESET scan. I started one this morning and it identified a total of seven threats (all similarly titled - Kryptik appears in all), and then right at the end of the scan, IE crashed and the results were lost. I re-ran the scan and instead of seven, it found just one threat (below). This time, however, my Symantec went crazy with alerts of things it had caught. Therefore, I post that log for you as well.

ESET:
C:\TDSSKiller_Quarantine\14.03.2012_11.59.13\mbr0000\tdlfs0000\tsk0001.dta a variant of Win32/Rootkit.Kryptik.KB trojan

Symantec:
Risk,Filename,Original Location,Status,Date
Trojan.Gen,tsk0001.dta,C:\TDSSKiller_Quarantine\14.03.2012_11.59.13\mbr0000\tdlfs0000\,Infected,3/14/2012 12:12 PM
Trojan Horse,APQ80C6.tmp,C:\PROGRAMDATA\Symantec\SRTSP\QUARANTINE\,Infected,3/14/2012 1:30 PM
Trojan.Gen.2,APQ80D7.tmp,C:\PROGRAMDATA\Symantec\SRTSP\QUARANTINE\,Infected,3/14/2012 1:30 PM
Backdoor.Pihar,APQ80D8.tmp,C:\PROGRAMDATA\Symantec\SRTSP\QUARANTINE\,Infected,3/14/2012 1:31 PM
Backdoor.Pihar,APQ80D9.tmp,C:\PROGRAMDATA\Symantec\SRTSP\QUARANTINE\,Infected,3/14/2012 1:31 PM
Trojan Horse,APQ80E9.tmp,C:\PROGRAMDATA\Symantec\SRTSP\QUARANTINE\,Infected,3/14/2012 1:32 PM
Trojan Horse,APQ80EA.tmp,C:\PROGRAMDATA\Symantec\SRTSP\QUARANTINE\,Infected,3/14/2012 1:32 PM
Downloader,devicexml.exe,C:\ProgramData\,Infected,3/15/2012 11:39 AM
Downloader,kbkb.exe,C:\Users\greg\AppData\Local\Temp\,Infected,3/15/2012 12:19 PM
Downloader,klzgc.dll,C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\,Cleaned,3/15/2012 12:38 PM
Downloader,nnafru.dll,C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\,Cleaned,3/15/2012 12:39 PM
Trojan.Dropper,0.5763343818021246,C:\Windows\Temp\,Infected,3/15/2012 12:41 PM
Downloader,yrvoeikqjqhgpwxijeqdgei.exe,C:\Windows\Temp\,Infected,3/15/2012 12:41 PM
Downloader,klzgc.dll,C:\Windows\Temp\nsg5034.tmp\,Infected,3/15/2012 12:42 PM
Downloader,nnafru.dll,C:\Windows\Temp\nsg5034.tmp\,Infected,3/15/2012 12:42 PM
Downloader,klzgc.dll,C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\,Cleaned,3/15/2012 12:49 PM
Downloader,klzgc.dll,C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\,Cleaned,3/15/2012 12:51 PM
Downloader,nnafru.dll,C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\,Cleaned,3/15/2012 12:51 PM
Downloader,nnafru.dll,C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\,Cleaned,3/15/2012 12:52 PM
Suspicious.Vundo.2,8AA3.tmp,C:\Windows\Temp\,Infected,3/12/2012 8:54 AM
Trojan.ADH.2,grafmore.exe,C:\ProgramData\,Infected,3/12/2012 9:01 AM


Let me know what further you require. Many thanks.

GDubbs
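
The Symantec log in this post is more useful read as data than as a list of names: the same two DLLs are reported Cleaned in the SYSTEM profile and then turn up again minutes later under C:\Windows\Temp, and the ESET hit sits inside a TDSSKiller quarantine folder. The script below is an added example (my own code, not the poster's, Symantec's or BleepingComputer's) that parses a constructed subset of those exact lines and pulls out both facts. The folder classes and the "detected again after Cleaned" rule are my heuristics, not anything Symantec documents.

```python
"""Triage of a Symantec risk log such as the one pasted above.

Added example: my own code, not the poster's, Symantec's or OTL's. It reads the
CSV-style lines "Risk,Filename,Original Location,Status,Date" and reports the two
things a responder wants from such a log: files detected again after Symantec
already reported them Cleaned (a dropper is re-writing them, so cleaning the
payload alone will not end it) and where each file lived (a copy inside an AV or
TDSSKiller quarantine folder is not a live infection). The folder classes and the
re-drop rule are my heuristics.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample: a subset of the lines in the post above, copied verbatim.
SAMPLE_LOG = r"""Risk,Filename,Original Location,Status,Date
Trojan.Gen,tsk0001.dta,C:\TDSSKiller_Quarantine\14.03.2012_11.59.13\mbr0000\tdlfs0000\,Infected,3/14/2012 12:12 PM
Backdoor.Pihar,APQ80D8.tmp,C:\PROGRAMDATA\Symantec\SRTSP\QUARANTINE\,Infected,3/14/2012 1:31 PM
Downloader,devicexml.exe,C:\ProgramData\,Infected,3/15/2012 11:39 AM
Downloader,kbkb.exe,C:\Users\greg\AppData\Local\Temp\,Infected,3/15/2012 12:19 PM
Downloader,klzgc.dll,C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\,Cleaned,3/15/2012 12:38 PM
Downloader,yrvoeikqjqhgpwxijeqdgei.exe,C:\Windows\Temp\,Infected,3/15/2012 12:41 PM
Downloader,klzgc.dll,C:\Windows\Temp\nsg5034.tmp\,Infected,3/15/2012 12:42 PM
Downloader,klzgc.dll,C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\,Cleaned,3/15/2012 12:49 PM
Downloader,klzgc.dll,C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\,Cleaned,3/15/2012 12:51 PM
Trojan.ADH.2,grafmore.exe,C:\ProgramData\,Infected,3/12/2012 9:01 AM
"""


def parse_log(text):
    """Parse the exported log into dicts with a real datetime so rows can be ordered."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "risk": row["Risk"],
            "file": row["Filename"].lower(),
            "location": row["Original Location"],
            "status": row["Status"],
            "when": datetime.strptime(row["Date"], "%m/%d/%Y %I:%M %p"),
        })
    return rows


def classify_location(path):
    """Bucket a detection path. Order matters: the AV quarantine lives under ProgramData."""
    p = path.lower()
    if "\\quarantine\\" in p or "tdsskiller_quarantine" in p:
        return "quarantine"        # an isolated copy, not a running infection
    if "\\config\\systemprofile\\" in p:
        return "system-profile"    # LocalSystem's profile: only SYSTEM-level code writes here
    if "\\temp\\" in p:
        return "temp"
    if p.startswith("c:\\programdata\\") or "\\appdata\\" in p:
        return "user-writable"
    return "other"


def find_redrops(rows):
    """{filename: number of detections logged after the first 'Cleaned' verdict for it}."""
    first_cleaned = {}
    redrops = defaultdict(int)
    for r in sorted(rows, key=lambda r: r["when"]):
        if r["file"] in first_cleaned and r["when"] > first_cleaned[r["file"]]:
            redrops[r["file"]] += 1          # something re-wrote a file AV already removed
        if r["status"] == "Cleaned":
            first_cleaned.setdefault(r["file"], r["when"])
    return dict(redrops)


def triage(text):
    """Summary: which files keep coming back, and which folder class each file was seen in."""
    rows = parse_log(text)
    by_location = defaultdict(set)
    for r in rows:
        by_location[classify_location(r["location"])].add(r["file"])
    return {
        "redropped": find_redrops(rows),
        "by_location": {k: sorted(v) for k, v in by_location.items()},
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for bucket, files in summary["by_location"].items():
        print(f"{bucket:15s} {', '.join(files)}")
    for name, n in summary["redropped"].items():
        print(f"re-dropped: {name} seen {n} more time(s) after being cleaned")
```

On the sample, klzgc.dll is reported three more times after its first Cleaned verdict and appears in both the SYSTEM profile and a Windows\Temp staging folder, which is the re-infection loop the fix in the next reply targets; the two quarantine-folder hits are copies already isolated by TDSSKiller and Symantec, which is why deleting that folder later in the thread makes the ESET finding go away.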

#5 Noviciate (Malware Response Team)

Posted 15 March 2012 - 04:01 PM

Good evening. :)

Run OTL.exe.

  • Copy and paste the following into the Custom Scans/Fixes box at the bottom:

    :processes
    killallprocesses

    :OTL
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [devicexml] C:\ProgramData\devicexml.exe ()
    O4 - HKLM..\Run: [utilsrv] C:\Users\greg\AppData\Roaming\utilsrv.exe ()
    O4 - HKCU..\Run: [devicexml] C:\ProgramData\devicexml.exe ()
    O4 - HKCU..\Run: [utilsrv] C:\Users\greg\AppData\Roaming\utilsrv.exe ()

    :Files
    c:\programdata\devicexml.exe
    c:\users\greg\appdata\roaming\utilsrv.exe
    c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\microsoft\klzgc.dll
    c:\windows\system32\config\systemprofile\appdata\roaming\utilsrv.exe
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [start explorer]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Click the Run Fix button at the top.
  • Let the program run until it has completed and then reboot the PC when it is done.
Please let me have a copy of the log that appears once OTL has completed its run.


Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post. The name of the log will be in the following format: xxxxxxxx_xxxxxx, x representing the month, date, year and time the log was created. E.g. 03062009_170403

So long, and thanks for all the fish.
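
The :OTL section of the fix above removes an unnamed toolbar entry and four Run values whose targets sit in ProgramData and the user's AppData\Roaming. The script below is an added, read-only companion to that step (my own code, not OTL's and not part of the thread): it applies the same judgement to Run entries and says why each one looks wrong, without deleting anything. It runs over OTL's own O4 lines on any OS, and over the live HKLM/HKCU Run keys when executed on Windows. The `SUSPECT_DIRS` list, the reason strings and the benign notepad.exe sample line are my assumptions, not anything OTL defines.

```python
"""Read-only audit of Run-key autostarts, the O4 entries the OTL fix above removes.

Added example: my own code, not OTL's and not from the thread. It applies the
judgement behind that fix to Run entries and reports why each one looks wrong:
an empty value name, an empty command, a target under ProgramData / AppData /
Temp / the SYSTEM profile, or a target that no longer exists on disk (persistence
left behind after the AV quarantined the file). It deletes nothing. The folder
list, the reason strings and the benign notepad.exe sample line are my assumptions.
"""
import os
import re
import sys

SUSPECT_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\config\\systemprofile\\")

# Constructed sample: OTL's O4 lines from the fix above plus one benign entry.
SAMPLE_OTL_O4 = r"""O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [devicexml] C:\ProgramData\devicexml.exe ()
O4 - HKLM..\Run: [utilsrv] C:\Users\greg\AppData\Roaming\utilsrv.exe ()
O4 - HKLM..\Run: [Example] "C:\Windows\System32\notepad.exe" /example (Microsoft Corporation)
"""

O4_LINE = re.compile(r"^O4 - (HK\w+)\.\.\\Run: \[(.*?)\] (.*?)(?: \((.*)\))?$")


def command_target(command):
    """Executable path from a Run value: quoted path, or unquoted path up to the first switch."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|dll|cmd|bat|scr|vbs|js))(?:\s|$)", command, re.I)
    return m.group(1) if m else command


def audit_entry(name, command, exists=os.path.exists):
    """Reasons this Run entry deserves a look; an empty list means nothing seen."""
    reasons = []
    if not name.strip():
        reasons.append("empty value name")
    target = command_target(command)
    if not target:
        reasons.append("empty command")
        return reasons
    if any(d in target.lower() for d in SUSPECT_DIRS):
        reasons.append("autostart target in a user-writable or temp folder")
    if not exists(target):
        reasons.append("target file missing (orphaned persistence)")
    return reasons


def audit_export(text, exists=os.path.exists):
    """Run the audit over OTL O4 lines, so a posted log can be triaged on any OS."""
    findings = {}
    for line in text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        hive, name, command, _company = m.groups()
        if command.startswith("File not found"):   # OTL's marker, not a command
            command = ""
        reasons = audit_entry(name, command, exists)
        if reasons:
            findings[f"{hive}\\..\\Run: [{name}]"] = reasons
    return findings


def audit_run_keys():
    """Same audit over the live HKLM and HKCU Run keys (Windows only; read-only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry audit needs Windows; use audit_export() elsewhere")
    import winreg
    findings = {}
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for hive_name, hive in hives:
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _type = winreg.EnumValue(key, index)
                except OSError:
                    break                      # no more values under this key
                index += 1
                reasons = audit_entry(name, str(value))
                if reasons:
                    findings[f"{hive_name}\\..\\Run: [{name}]"] = reasons
    return findings


if __name__ == "__main__":
    result = audit_run_keys() if sys.platform == "win32" else audit_export(SAMPLE_OTL_O4)
    for entry, reasons in result.items():
        print(entry, "->", "; ".join(reasons))
```

The "target file missing" reason is the one to expect when an AV product has already quarantined the binary but left the Run value behind: the entry is harmless on its own, but it is exactly the kind of orphan a fix script still has to remove, and it is why a fix log can report the registry value deleted while the file is "not found".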

#6 GDubbs (Topic Starter)

Posted 16 March 2012 - 12:41 PM

Thank you very much Noviciate. I will be away until Tuesday March 20th and will post results then.

#7 GDubbs (Topic Starter)

Posted 21 March 2012 - 01:27 PM

All processes killed
========== PROCESSES ==========
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\devicexml deleted successfully.
File C:\ProgramData\devicexml.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\utilsrv deleted successfully.
File C:\Users\greg\AppData\Roaming\utilsrv.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\devicexml deleted successfully.
File C:\ProgramData\devicexml.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\utilsrv deleted successfully.
File C:\Users\greg\AppData\Roaming\utilsrv.exe not found.
========== FILES ==========
File\Folder c:\programdata\devicexml.exe not found.
File\Folder c:\users\greg\appdata\roaming\utilsrv.exe not found.
File\Folder c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\microsoft\klzgc.dll not found.
File\Folder c:\windows\system32\config\systemprofile\appdata\roaming\utilsrv.exe not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\greg\Desktop\cmd.bat deleted successfully.
C:\Users\greg\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: greg
->Temp folder emptied: 828494 bytes
->Temporary Internet Files folder emptied: 245232196 bytes
->Java cache emptied: 2007886 bytes
->Flash cache emptied: 5333077 bytes

User: Public

User: User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 37946 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 242.00 mb


[EMPTYFLASH]

User: administrator

User: All Users

User: Default

User: Default User

User: greg
->Flash cache emptied: 0 bytes

User: Public

User: User
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.36.3 log created on 03212012_142000

Files\Folders moved on Reboot...
C:\Windows\temp\JET157.tmp moved successfully.

Registry entries deleted on Reboot...

#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 21 March 2012 - 03:52 PM

Good evening. :)

What is Symantec showing now and how is the PC behaving?

So long, and thanks for all the fish.

#9 GDubbs

  • Topic Starter

  • Members
  • 6 posts

Posted 22 March 2012 - 11:05 AM

Symantec scan found nothing but tracking cookies.
Did a new ESET scan too and it found only:

C:\TDSSKiller_Quarantine\14.03.2012_11.59.13\mbr0000\tdlfs0000\tsk0001.dta a variant of Win32/Rootkit.Kryptik.KB trojan

I no longer have TDSSKiller on my machine and so have deleted that folder entirely and rebooted.

Machine seems to be behaving 100% fine (fast, no redirects).

Thanks,
GDubbs

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 22 March 2012 - 04:08 PM

Good evening.

Grand. I'd like you to run the PC for a day or two, rebooting at least once, and then, as you have Malwarebytes Anti-Malware installed, update it, run a full scan and let me have the resulting log as well as a fresh DDS log. Assuming that all is well, there may be a little housekeeping to do, but you'll be on your way shortly thereafter.

So long, and thanks for all the fish.

#11 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 27 March 2012 - 03:07 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
