
Codec C Malware


  • This topic is locked
28 replies to this topic

#1 sk2012

sk2012

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:24 PM

Posted 24 March 2012 - 02:05 AM

Hi,

I downloaded Codec C when trying to watch a video online. I clicked the advertisement thinking that I needed to in order to continue, and it downloaded. It seems pretty nasty. I updated and ran a full scan of my computer with Symantec, but nothing was found. I also did some research, but could not find a way to get rid of it. Also, all the programs in my start menu on Windows are not appearing, and Firefox and Google Chrome have new home pages. I tried to remove it from the Control Panel as well, but to no avail. Please help. I am attaching the required DDS contents, attach and ark files.

Thanks!
SK
============================= DDS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_29
Run by Sahil.Katchi at 12:21:28 on 2012-03-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.403 [GMT 5.5:30]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: CyberArmor Client *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Prot_srv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\Program Files\Common Files\Juniper Networks\Endpoint Defense\dsEES.exe
C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\i386\drivers\audio\a_idt_high_def_audio_5.10.0.6274\driver\stacsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\pstartSr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\CyberArmor\casvc.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Timbuktu Pro\Tb2Logon.exe
C:\PROGRA~1\CYBERA~1\pcshelp.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\eyutils\SMSTOOLS\EYSelectTrayApp.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\RBManager\RBManager.exe
C:\Program Files\Documentum\AppConnector\Documentum.AppConnector.LocaleManager.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Documentum\AppConnector\Documentum.AppConnector.CredentialManager.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.1.2.200808010926\win32\x86\eclipse.exe
C:\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.j2se.win32.x86_1.6.0.20090219c-200908151410\jre\bin\notes2w.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ngmonitor.exe
C:\Lotus\Notes\ntaskldr.EXE
C:\Lotus\Notes\swiftsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Sahil.Katchi\Local Settings\Temporary Internet Files\Content.IE5\IZA90U8N\Defogger[1].exe
C:\PROGRA~1\CYBERA~1\pcshelp.exe
.
============== Pseudo HJT Report ===============
.
uWindow Title = Windows Internet Explorer provided by Ernst & Young
uStart Page = hxxp://gss.iweb.ey.com/
uInternet Settings,ProxyServer = ftp=FPROXY1:80;http=FPROXY1:80;https=FPROXY1:80
uInternet Settings,ProxyOverride = blrscr3.egs-seg.gc.ca;142.221.160.*;*.gamx.ey.net;myvpn.eycan.com;cda.eyo.ca;*.taxnavigator.ca;ey.venngo.com;ogs.ey.com;*.kontiki.com;globaltracker.ey.com;199.52.42.94;199.50.15.252;199.50.15.251;199.50.14.59;199.50.14.91;199.50.15.220;199.50.15.219;eyonline-er*.ey.com;eroomdestage.ey.com;eroomusstage.ey.com;*.eyqa.net;*.eyua.net;*.gamx.ey.com;erniedomino.ey.com;eyo-iis-pd.ey.com;eyonline.ey.com;sdc.ey.com;deqp001.quickplace.ey.com;gbqp001.quickplace.ey.com;qp002.quickplace.ey.com;qp001.quickplace.ey.com;*.gofileroom.com;199.50.20.187;*.eylink.com;199.50.20.186;*.adc.ey.com;gosystemrs.fasttax.com;169.254.*.*;riatraining.com;www.riahelp.com;iweb.eycan.com;txrn.ey.com;txsn.ey.com;txadmin.ey.com;*.eyntc.com;eformrs.com;*.ltdcenter.ey.com;198.134.44.*;199.49.190.*;*.ey.net;*.iweb.ey.com;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Codec-C Class: {133a9360-2364-4977-bbd8-5ab2ff7f48a8} - c:\documents and settings\all users\application data\codec-c\bhoclass.dll
BHO: Lync Browser Helper: {31d09ba0-12f5-4cce-be8a-2923e76605da} - c:\program files\microsoft lync\OCHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: LexLink IE ToolBar: {cbaa6f21-985c-11d4-a02b-00b0d073e889} - c:\program files\lexisnexis\chckcite\llieobj.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [CockroachOnDesktop] c:\windows\temp\winzip\wzf377\goodluck\goodluck.exe
uRunOnce: [ProxyOn] c:\progra~1\connwiz\ProxyOn.EXE
mRun: [pdfFactory Pro Dispatcher v2] "c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe" /source=HKLM
mRun: [FinePrint Dispatcher v5] "c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe" /source=HKLM
mRun: [TLogonPath] "c:\program files\timbuktu pro\Tb2Logon.exe"
mRun: [CyberArmorHelper] c:\progra~1\cybera~1\pcshelp.exe -check
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ZEYViewer] "c:\program files\eyutils\smstools\EYSelectTrayApp.exe" -startup
mRun: [ey_kdx] c:\program files\kontiki\KHost.exe -all
mRun: [Recycle Bin Manager] "c:\program files\rbmanager\\RBManager.exe"
mRun: [AppConnectorLocaleMgr] c:\program files\documentum\appconnector\Documentum.AppConnector.LocaleManager.exe
mRun: [Pointsec Tray] c:\program files\pointsec\pointsec for pc\P95Tray.exe
mRun: [OdTray.exe] "c:\program files\juniper networks\odyssey access client\OdTray.exe"
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AppConnectorCredentialMgr] c:\program files\documentum\appconnector\Documentum.AppConnector.CredentialManager.exe
mRun: [Check Point Endpoint Tray Application] c:\program files\common files\check point\uiframework\cptray.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
dRunOnce: [QuickLaunch] c:\windows\eyinst\tools\TOGGLEQL.EXE 1
dRunOnce: [Odyssey520FixDel] reg delete "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\Juniper_Odyssey_520_Fix" /f
StartupFolder: c:\docume~1\sahil~1.kat\startm~1\programs\startup\monito~1.lnk - c:\program files\eroom 7\ERClient7.exe
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
mPolicies-system: HideStartupScripts = 1 (0x1)
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - c:\program files\microsoft lync\OCHelper.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: com.mx\www.tuproteccion
Trusted Zone: eformRS.com
Trusted Zone: elementk.com\contentserver
Trusted Zone: ey.com
Trusted Zone: ey.net
Trusted Zone: eygtt.com
Trusted Zone: eyleads.com
Trusted Zone: eylink.com
Trusted Zone: eyqa.net
Trusted Zone: eyua.net
Trusted Zone: fasttax.com\gosystemrs
Trusted Zone: fincad.com\ey
Trusted Zone: intellinex-asp.com
Trusted Zone: intellinex.com
Trusted Zone: lexis.com\web
Trusted Zone: raindance.com\intellinex
Trusted Zone: riahome.com\insourcers
Trusted Zone: riahome.com\support2
Trusted Zone: smarttrainer4.com
Trusted Zone: surveymonkey.com
Trusted Zone: taleo.net\ey
Trusted Zone: thomson.com\gosystem
Trusted Zone: thomsonib.com
Trusted Zone: xtremelearning.com\cserver
DPF: {0DE70C1A-5136-45F6-95DA-B81CCF0DA5B3} - hxxps://gosystemrs.fasttax.com/OCX/RIARSDocumentum.cab
DPF: {13F71666-05F2-11D2-B2F6-00A0C9A08B64} - hxxps://gosystemrs.fasttax.com/OCX/comconv.cab
DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} - hxxps://gosystemrs.fasttax.com/OCX/RSLoginModule.cab
DPF: {2EC07293-4DF5-11D5-992B-0001020FC1FC} - hxxps://gosystemrs.fasttax.com/OCX/comconv.cab
DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} - hxxps://download.gosystem.com/GoDownloads/OCX/GRSClient2005/setup.exe
DPF: {455182EE-8F93-11D2-BA3C-00C04F7F6533} - hxxps://gosystemrs.fasttax.com/OCX/RSTabbedList.cab
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eyonline-er01i.ey.com/eRoomSetup/client.cab
DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} - hxxps://edocs.us.na.ey.net/edocs/wdk/native/WdkPluginCab.CAB
DPF: {7B640A40-EEC1-11D2-B526-00C04F8DEE99} - hxxps://gosystemrs.fasttax.com/OCX/WebAttachments.cab
DPF: {82BFFC8C-B4BD-11D4-9908-000102053AFB} - hxxps://gosystemrs.fasttax.com/OCX/webnotifier.cab
DPF: {86B092BC-7ABA-11D4-98E7-000102053AFB} - hxxps://gosystemrs.fasttax.com/OCX/Downloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {973EA5BE-9ED6-11D3-AB1D-00C04F7468E4} - hxxps://gosystemrs.fasttax.com/OCX/DCParse.cab
DPF: {97A90946-2984-11D3-AAE7-00C04F7468E4} - hxxps://gosystemrs.fasttax.com/OCX/frmsrc.cab
DPF: {C945E31A-102E-4A0D-8854-D599D7AED5FA} - hxxps://gosystemrs.fasttax.com/OCX/vsflex8.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D76D712E-4A96-11D3-BD95-D296DC2DD072} - hxxps://gosystemrs.fasttax.com/OCX/vsflex7.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9F900E19-B522-4765-A5C4-9F4C5B3209D9} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DC2DAE3B-F1CA-4899-A95A-DA660028792B} : NameServer = 10.146.162.34 10.149.64.32
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: OdysseyClient - odyEvent.dll
Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
AppInit_DLLs: cahooknt.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {0cab0400-7395-11d0-a5e5-0020afe2fdd9} - No File
mASetup: {050569C7-DA4C-49C7-B672-C435B7BCFFBC} - msiexec /i {050569C7-DA4C-49C7-B672-C435B7BCFFBC} /qn
mASetup: {2518F0A1-EAF9-4DD4-BFE9-ECFB8D7772F0} - msiexec /i c:\windows\eyinst\time_tracker_excel_template\4.2\EYTT_4.2.msi /qn
mASetup: {2D41D8AE-F122-413E-A7C5-B6D86F22F5CA} - c:\windows\eyinst\visual_identity_templates_2009\1.0\EYIT.EXE /S
mASetup: {32B47B57-F395-4C16-86C9-C9D54DF60B06} - msiexec /i "c:\windows\eyinst\global_self_help\1.0\Global Self Help.msi" /qn
mASetup: {49F12AB6-48B3-430F-A3A7-41A0C2CCE640} - msiexec /i {49F12AB6-48B3-430F-A3A7-41A0C2CCE640} /qn
mASetup: {D381DABD-07ED-484B-8682-72857D67576B} - Msiexec /fu c:\windows\eyinst\planner_cs\2011.1.0\PlannerCS_2011.1.0.msi /QN
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSection c:\windows\inf\wmactedp.inf,PerUserStub
mASetup: Aventail10 - c:\windows\eyinst\aventail_connect\10.0.4.35\Aventail_10.0.4.35_Build2.EXE /S /LASTUSER SERVER=APACEYRCP01.EY.COM
mASetup: BrandingZone - c:\windows\eyinst\the_branding_zone\Branding_Zone_USER.EXE /S
mASetup: EY_Leads_Branding - c:\windows\eyinst\acs_offline_course_manager\EY_Leads.EXE /S
mASetup: Lotus_Notes - c:\windows\eyinst\lotus_notes\8.0.2\Shortcuts.EXE
mASetup: MSO07QuickLaunch - c:\windows\eyinst\office_2007\12.0\ASQLSC.EXE /S
mASetup: OdyCertUpd - "c:\program files\juniper networks\odyssey access client\odclientadministrator.exe" /i=c:\windows\eyinst\juniper_odyssey_access_client\5.20.14913\OdysseyCertFix05132011.odyClientScript /S
mASetup: pdfFP_Up - c:\windows\eyinst\pdffactory_pro_update\2.50\pdfFP_Up.EXE /S
mASetup: PPTXD07 - msiexec.exe /fo {CC70BA1A-956A-4BB4-B5C0-0FE9904AC8C2} /QN
mASetup: ZZZ_2009-08-12_AutoComplete - cmd.exe /c start c:\windows\eyinst\tools\_AutoComplete.EXE /S
mASetup: ZZZ_2009-08-17_Excel97SubTotals - reg add "HKCU\Software\Microsoft\Office\12.0\Excel\Options" /v Excel97Subtotals /t REG_DWORD /d 1
mASetup: ZZZ_2009-08-17_RemoveDuplicateFavorites - cmd.exe /c start c:\windows\eyinst\tools\_RemoveDuplicateFavorites.EXE /S
mASetup: ZZZ_2009-11-19_EnableBalloonTips - reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 1 /f
Hosts: 199.52.42.94 ussecameysdusr.us.na.ey.net
.
============= SERVICES / DRIVERS ===============
.
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [2010-6-9 9856]
R0 odFips2;odFips2;c:\windows\system32\drivers\odFIPS2.sys [2010-6-9 282496]
R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2011-3-8 221736]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2009-9-24 10880]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2009-6-14 339328]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2009-6-14 55168]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2009-8-3 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2009-8-3 169320]
R2 CyberArmorRunService;CyberArmor Run Service;c:\program files\cyberarmor\casvc.exe [2009-9-23 77824]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2010-5-21 198000]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2010-7-12 240816]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2011-3-8 658088]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2011-3-8 232104]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2009-9-1 116664]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2009-9-1 1966008]
R2 Viexca2k;CyberArmor Registry Driver;c:\windows\system32\drivers\viexca2k.sys [2009-9-23 21504]
R2 Viexpf2k;CyberArmor W2KDriver;c:\windows\system32\drivers\viexpf2k.sys [2009-9-23 424527]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-11-30 113664]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2010-11-30 33832]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2010-11-30 240344]
R3 EacService;Juniper TNC Endpoint Assessment;c:\program files\common files\juniper networks\tnc client\jTnccService.exe [2010-6-9 152944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-5 106104]
R3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-11-30 116224]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [2010-12-15 420336]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [2010-12-15 29312]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120322.003\naveng.sys [2012-3-23 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120322.003\navex15.sys [2012-3-23 1576312]
R3 NETwNx32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [2010-11-30 6650752]
R3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2010-7-12 22600]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2010-7-12 27208]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [2010-7-12 79944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 EY Tune Up Service;EY Tune Up Service;c:\program files\ernst & young\ey tune up\EYTuneUpService.exe [2010-8-18 73728]
S3 jnprva;Juniper Networks Virtual Adapter Service;c:\windows\system32\drivers\jnprva.sys [2010-12-15 12288]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [2010-7-12 25160]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2009-9-24 15744]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2009-9-24 28288]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\ct_ztemt_u_usbser.sys --> c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [?]
S4 CSI Socket Listener;CSI Socket Listener;c:\windows\ecm4\instal~1\cfc\2.0\bin\CsiWin32SocketListener.exe [2011-2-1 32768]
S4 CSIRemoteC;Configuresoft ECM Remote Client;c:\program files\configuresoft\csi remote client\CSIRemoteCSvc.exe [2008-3-14 102400]
S4 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
S4 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2008-5-9 262360]
.
=============== Created Last 30 ================
.
2012-03-24 05:04:59 1152 ----a-w- c:\windows\system32\windrv.sys
2012-03-24 05:00:49 -------- d-----w- C:\sh4ldr
2012-03-24 05:00:49 -------- d-----w- c:\program files\Enigma Software Group
2012-03-24 05:00:18 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-24 05:00:13 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-03-24 04:34:46 -------- d-----w- c:\documents and settings\sahil.katchi\application data\smkits
2012-03-21 13:56:31 -------- d-----w- c:\documents and settings\all users\application data\Premium
2012-03-21 13:55:51 -------- d-----w- c:\documents and settings\all users\application data\Codec-C
2012-03-21 13:55:41 -------- d-----w- C:\codec-info
2012-03-21 13:55:22 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
2012-03-02 09:27:50 -------- d-----w- c:\documents and settings\all users\application data\Form11
2012-02-28 03:51:17 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-28 03:51:17 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-23 17:03:34 -------- d-----w- c:\documents and settings\sahil.katchi\application data\webex
.
==================== Find3M ====================
.
2012-03-20 05:12:11 14088 ----a-w- c:\windows\system32\drivers\PROCEXP141.SYS
2012-02-03 09:26:17 1869184 ----a-w- c:\windows\system32\win32k.sys
2012-01-29 06:36:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-29 06:36:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-12-31 14:58:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-29 10:59:58 34304 ----a-w- c:\windows\system32\PushnPullClient.exe
.
============= FINISH: 12:22:08.78 ===============

Attached Files
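The DDS "Pseudo HJT Report" above is where the persistence of this infection shows: a BHO loading from `All Users\Application Data\Codec-C`, a `uRun` entry launching from `c:\windows\temp`, and explorer/system policies that hide the Start Menu program list and disable Windows Update. The script below is an added triage example (it is not part of this thread, nor a DDS or BleepingComputer tool) showing how an analyst can parse those report lines and surface the entries worth a closer look. The sample lines are copied from the log above; the list of user-writable directories and the set of lockdown policy names are heuristics chosen for this example, not an authoritative rule set, so the output is a candidate list for a human reviewer rather than a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the DDS "Pseudo HJT Report" in the post above.
# A clean Adobe BHO and two clean mRun entries are kept for contrast.
SAMPLE_LOG = r"""
uStart Page = hxxp://gss.iweb.ey.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Codec-C Class: {133a9360-2364-4977-bbd8-5ab2ff7f48a8} - c:\documents and settings\all users\application data\codec-c\bhoclass.dll
uRun: [CockroachOnDesktop] c:\windows\temp\winzip\wzf377\goodluck\goodluck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: HideStartupScripts = 1 (0x1)
"""

# DDS line shapes: "uRun: [name] command", "BHO: Name: {CLSID} - path",
# "uPolicies-explorer: Name = value (0x..)". The u/m/d prefix marks the
# current user, machine, or default-user hive.
RUN_RE = re.compile(r"^(?P<key>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^(?P<key>BHO|TB): (?P<name>.*?): \{(?P<clsid>[0-9a-fA-F-]+)\} - (?P<path>.+)$")
POLICY_RE = re.compile(r"^(?P<key>[umd]Policies-\w+): (?P<name>\w+) = (?P<value>\S+)")
# First executable path in a command line: optionally quoted, rooted at a
# drive letter or an environment variable, ending at a known binary extension.
PATH_RE = re.compile(
    r'^"?(?P<path>(?:[a-zA-Z]:|%\w+%)\\.*?\.(?:exe|dll|scr|com|bat|cmd|pif))\b',
    re.IGNORECASE,
)

# Heuristic (assumption of this example): legitimate autostart binaries are
# rarely installed under temp or per-user application data directories.
SUSPICIOUS_DIRS = (
    "\\windows\\temp\\",
    "\\local settings\\temp\\",
    "\\temporary internet files\\",
    "\\application data\\",
)
# Policy values that hide UI or disable maintenance; three appear in the log
# above, the rest are well-known Explorer/System policy names.
LOCKDOWN_POLICIES = {
    "NoWindowsUpdate", "NoSMConfigurePrograms", "HideStartupScripts",
    "DisableTaskMgr", "DisableRegistryTools", "NoControlPanel",
}


@dataclass
class Finding:
    line: str
    reason: str


def executable_path(command: str) -> Optional[str]:
    """Return the lower-cased binary path at the start of a command line, or None."""
    m = PATH_RE.match(command.strip())
    return m.group("path").lower() if m else None


def in_user_writable_dir(path: str) -> bool:
    """True if the path sits under one of the heuristic user-writable directories."""
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def triage(log_text: str) -> List[Finding]:
    """Walk Pseudo-HJT lines and collect entries that deserve analyst attention."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            path = executable_path(m.group("cmd"))
            if path and in_user_writable_dir(path):
                findings.append(Finding(line, f"{m.group('key')} entry '{m.group('name')}' loads from a user-writable directory"))
            continue
        m = BHO_RE.match(line)
        if m:
            if in_user_writable_dir(m.group("path")):
                findings.append(Finding(line, f"{m.group('key')} '{m.group('name')}' loads from a user-writable directory"))
            continue
        m = POLICY_RE.match(line)
        if m and m.group("name") in LOCKDOWN_POLICIES and m.group("value") != "0":
            findings.append(Finding(line, f"policy {m.group('name')} is set, hiding or disabling a system function"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[!] {f.reason}\n    {f.line}")
```

On the sample above the script flags the Codec-C BHO, the CockroachOnDesktop run key and the three policy entries, and stays quiet on the Adobe, Symantec and SpyNoMore entries under Program Files. The directory heuristic will also flag some legitimate software that installs into Application Data, which is why each hit is reported with the original line for the analyst to judge.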





#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:54 PM

Posted 24 March 2012 - 03:48 AM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:

  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 sk2012

sk2012
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:24 PM

Posted 24 March 2012 - 06:42 AM

Hi, I did run Combofix on the system. Below are the details from the log. The issue still persists; there is no change. I still do not see all programs under the Start Menu and am unable to remove Codec C from the Add/Remove Programs section of the Control Panel. Kindly help further.
Log.
========================================================
ComboFix 12-03-22.01 - Sahil.Katchi 03/24/2012 16:39:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.977 [GMT 5.5:30]
Running from: c:\documents and settings\Sahil.Katchi\Desktop\Home.exe
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: CyberArmor Client *Enabled* {E503B27E-6391-4e17-B2CA-F910AF011E23}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Helpdesk\WINDOWS
c:\documents and settings\katchsa\WINDOWS
c:\documents and settings\Sahil.Katchi\WINDOWS
c:\windows\EventSystem.log
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\windrv.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-02-24 to 2012-03-24 )))))))))))))))))))))))))))))))
.
.
2012-03-24 05:00 . 2012-03-24 05:57 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-21 13:56 . 2012-03-21 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Premium
2012-03-21 13:55 . 2012-03-21 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Codec-C
2012-03-21 13:55 . 2012-03-21 13:55 -------- d-----w- C:\codec-info
2012-03-21 13:55 . 2012-03-21 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-03-02 09:27 . 2012-03-02 09:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Form11
2012-02-28 03:51 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-28 03:51 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-23 17:03 . 2012-02-23 17:03 -------- d-----w- c:\documents and settings\Sahil.Katchi\Application Data\webex
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-20 05:12 . 2011-03-22 10:30 14088 ----a-w- c:\windows\system32\drivers\PROCEXP141.SYS
2012-02-20 09:01 . 2012-02-20 09:01 58776 ----a-r- c:\documents and settings\Sahil.Katchi\Application Data\Microsoft\Installer\{13972BDB-D717-4D71-9F22-DD0FC3B518B4}\ARPPRODUCTICON.exe
2012-02-03 09:26 . 2008-10-22 13:08 1869184 ----a-w- c:\windows\system32\win32k.sys
2012-01-29 06:36 . 2012-01-29 06:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-29 06:36 . 2010-12-11 04:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-09 16:20 . 2008-10-22 04:39 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-12-31 14:58 . 2011-05-28 15:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-29 10:59 . 2011-12-29 10:59 34304 ----a-w- c:\windows\system32\PushnPullClient.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{133A9360-2364-4977-BBD8-5AB2FF7F48A8}]
2012-03-20 18:47 141312 ----a-w- c:\documents and settings\All Users\Application Data\Codec-C\bhoclass.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2006-01-25 495616]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-01-10 491520]
"TLogonPath"="c:\program files\Timbuktu Pro\Tb2Logon.exe" [2004-03-19 151552]
"CyberArmorHelper"="c:\progra~1\CYBERA~1\pcshelp.exe" [2010-04-15 81920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-07-07 737280]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-08-03 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-09-01 125368]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"ZEYViewer"="c:\program files\eyutils\SMSTOOLS\EYSelectTrayApp.exe" [2008-09-22 65536]
"ey_kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-23 1607208]
"Recycle Bin Manager"="c:\program files\RBManager\\RBManager.exe" [2008-11-25 114688]
"AppConnectorLocaleMgr"="c:\program files\Documentum\AppConnector\Documentum.AppConnector.LocaleManager.exe" [2011-05-17 45056]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2011-03-08 858792]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2010-06-09 931184]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-03-10 495708]
"AppConnectorCredentialMgr"="c:\program files\Documentum\AppConnector\Documentum.AppConnector.CredentialManager.exe" [2011-05-17 45056]
"Check Point Endpoint Tray Application"="c:\program files\Common Files\Check Point\UIFramework\cptray.exe" [2010-06-02 70144]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Odyssey520FixDel"="reg delete HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\Juniper_Odyssey_520_Fix" [X]
"QuickLaunch"="c:\windows\EYINST\TOOLS\TOGGLEQL.EXE" [2003-09-03 131072]
.
c:\documents and settings\Sahil.Katchi\Start Menu\Programs\Startup\
Monitor My eRooms (V7).lnk - c:\program files\eRoom 7\ERClient7.exe [2010-10-5 153096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2010-12-15 04:41 218480 ----a-w- c:\windows\system32\odyEvent.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2004-03-19 08:29 81973 ----a-w- c:\program files\Timbuktu Pro\HOOK32.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [6/9/2010 11:10 AM 9856]
R0 odFips2;odFips2;c:\windows\system32\drivers\odFIPS2.sys [6/9/2010 11:10 AM 282496]
R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [3/8/2011 3:09 PM 221736]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [9/24/2009 12:48 AM 10880]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 CyberArmorRunService;CyberArmor Run Service;c:\program files\CyberArmor\casvc.exe [9/23/2009 10:48 PM 77824]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [5/21/2010 11:35 AM 198000]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [7/12/2010 1:50 PM 240816]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [3/8/2011 3:10 PM 658088]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [3/8/2011 3:10 PM 232104]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/1/2009 1:15 PM 116664]
R2 Viexca2k;CyberArmor Registry Driver;c:\windows\system32\drivers\viexca2k.sys [9/23/2009 10:48 PM 21504]
R2 Viexpf2k;CyberArmor W2KDriver;c:\windows\system32\drivers\viexpf2k.sys [9/23/2009 10:48 PM 424527]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [11/30/2010 4:49 AM 113664]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [11/30/2010 4:50 AM 33832]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [11/30/2010 4:50 AM 240344]
R3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [6/9/2010 11:28 AM 152944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/5/2012 2:24 PM 106104]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [11/30/2010 4:50 AM 116224]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [12/15/2010 10:10 AM 420336]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [12/15/2010 10:11 AM 29312]
R3 NETwNx32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [11/30/2010 4:51 AM 6650752]
R3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [7/12/2010 1:49 PM 22600]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [7/12/2010 1:47 PM 27208]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [7/12/2010 1:49 PM 79944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 EY Tune Up Service;EY Tune Up Service;c:\program files\Ernst & Young\EY Tune Up\EYTuneUpService.exe [8/18/2010 9:34 AM 73728]
S3 jnprva;Juniper Networks Virtual Adapter Service;c:\windows\system32\drivers\jnprva.sys [12/15/2010 10:11 AM 12288]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [7/12/2010 1:49 PM 25160]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [9/24/2009 12:47 AM 15744]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [9/24/2009 12:47 AM 28288]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys --> c:\windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [?]
S4 CSI Socket Listener;CSI Socket Listener;c:\windows\ECM4\INSTAL~1\CFC\2.0\bin\CsiWin32SocketListener.exe [2/1/2011 9:36 AM 32768]
S4 CSIRemoteC;Configuresoft ECM Remote Client;c:\program files\Configuresoft\CSI Remote Client\CSIRemoteCSvc.exe [3/14/2008 3:12 PM 102400]
S4 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
S4 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [5/9/2008 4:23 PM 262360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Aventail10]
2010-09-30 10:34 2913758 ----a-w- c:\windows\EYINST\Aventail_Connect\10.0.4.35\Aventail_10.0.4.35_Build2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\BrandingZone]
2008-03-11 19:57 177106 ----a-w- c:\windows\EYINST\The_Branding_Zone\Branding_Zone_USER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\EY_Leads_Branding]
2008-02-15 17:58 177221 ----a-w- c:\windows\EYINST\ACS_Offline_Course_Manager\EY_Leads.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Lotus_Notes]
2008-09-03 22:06 126874 ----a-w- c:\windows\EYINST\Lotus_Notes\8.0.2\Shortcuts.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\OdyCertUpd]
2010-06-09 06:28 1324400 ----a-w- c:\program files\Juniper Networks\Odyssey Access Client\odClientAdministrator.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\pdfFP_Up]
2009-02-23 20:56 125354 ----a-w- c:\windows\EYINST\pdfFactory_Pro_Update\2.50\pdfFP_Up.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PPTXD07]
2008-05-18 20:27 95744 ----a-w- c:\windows\system32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2D41D8AE-F122-413E-A7C5-B6D86F22F5CA}]
2009-09-10 05:06 136701 ----a-w- c:\windows\EYINST\Visual_Identity_Templates_2009\1.0\EYIT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2011-12-19 08:13 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 12:27]
.
2012-03-24 c:\windows\Tasks\User_Feed_Synchronization-{96A33348-B7F8-4E8E-A7FA-06035588176D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 22:36]
.
2012-03-24 c:\windows\Tasks\User_Feed_Synchronization-{EA494441-F69A-43C3-A686-5D1D09A796E0}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gss.iweb.ey.com/
uInternet Settings,ProxyServer = ftp=FPROXY1:80;http=FPROXY1:80;https=FPROXY1:80
uInternet Settings,ProxyOverride = blrscr3.egs-seg.gc.ca;142.221.160.*;*.gamx.ey.net;myvpn.eycan.com;cda.eyo.ca;*.taxnavigator.ca;ey.venngo.com;ogs.ey.com;*.kontiki.com;globaltracker.ey.com;199.52.42.94;199.50.15.252;199.50.15.251;199.50.14.59;199.50.14.91;199.50.15.220;199.50.15.219;eyonline-er*.ey.com;eroomdestage.ey.com;eroomusstage.ey.com;*.eyqa.net;*.eyua.net;*.gamx.ey.com;erniedomino.ey.com;eyo-iis-pd.ey.com;eyonline.ey.com;sdc.ey.com;deqp001.quickplace.ey.com;gbqp001.quickplace.ey.com;qp002.quickplace.ey.com;qp001.quickplace.ey.com;*.gofileroom.com;199.50.20.187;*.eylink.com;199.50.20.186;*.adc.ey.com;gosystemrs.fasttax.com;169.254.*.*;riatraining.com;www.riahelp.com;iweb.eycan.com;txrn.ey.com;txsn.ey.com;txadmin.ey.com;*.eyntc.com;eformrs.com;*.ltdcenter.ey.com;198.134.44.*;199.49.190.*;*.ey.net;*.iweb.ey.com;<local>
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: com.mx\www.tuproteccion
Trusted Zone: eformRS.com
Trusted Zone: elementk.com\contentserver
Trusted Zone: ey.com
Trusted Zone: ey.net
Trusted Zone: eygtt.com
Trusted Zone: eyleads.com
Trusted Zone: eylink.com
Trusted Zone: eyqa.net
Trusted Zone: eyua.net
Trusted Zone: fasttax.com\gosystemrs
Trusted Zone: fincad.com\ey
Trusted Zone: intellinex-asp.com
Trusted Zone: intellinex.com
Trusted Zone: lexis.com\web
Trusted Zone: raindance.com\intellinex
Trusted Zone: riahome.com\insourcers
Trusted Zone: riahome.com\support2
Trusted Zone: smarttrainer4.com
Trusted Zone: surveymonkey.com
Trusted Zone: taleo.net\ey
Trusted Zone: thomson.com\gosystem
Trusted Zone: thomsonib.com
Trusted Zone: xtremelearning.com\cserver
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DC2DAE3B-F1CA-4899-A95A-DA660028792B}: NameServer = 10.146.162.34 10.149.64.32
DPF: {0DE70C1A-5136-45F6-95DA-B81CCF0DA5B3} - hxxps://gosystemrs.fasttax.com/OCX/RIARSDocumentum.cab
DPF: {2EC07293-4DF5-11D5-992B-0001020FC1FC} - hxxps://gosystemrs.fasttax.com/OCX/comconv.cab
DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} - hxxps://edocs.us.na.ey.net/edocs/wdk/native/WdkPluginCab.CAB
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
ShellExecuteHooks-{0cab0400-7395-11d0-a5e5-0020afe2fdd9} - (no file)
HKLM_ActiveSetup-MSO07QuickLaunch - c:\windows\EYINST\Office_2007\12.0\ASQLSC.EXE
HKLM_ActiveSetup-ZZZ_2009-08-12_AutoComplete - start
HKLM_ActiveSetup-ZZZ_2009-08-17_Excel97SubTotals - reg add HKCU\Software\Microsoft\Office\12.0\Excel\Options
HKLM_ActiveSetup-ZZZ_2009-08-17_RemoveDuplicateFavorites - start
HKLM_ActiveSetup-ZZZ_2009-11-19_EnableBalloonTips - reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKLM_ActiveSetup-{050569C7-DA4C-49C7-B672-C435B7BCFFBC} - msiexec
HKLM_ActiveSetup-{2518F0A1-EAF9-4DD4-BFE9-ECFB8D7772F0} - msiexec
HKLM_ActiveSetup-{32B47B57-F395-4C16-86C9-C9D54DF60B06} - msiexec
HKLM_ActiveSetup-{49F12AB6-48B3-430F-A3A7-41A0C2CCE640} - msiexec
HKLM_ActiveSetup-{D381DABD-07ED-484B-8682-72857D67576B} - Msiexec
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-24 16:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1472)
c:\windows\system32\cahooknt.dll
c:\windows\system32\pssogina.dll
c:\windows\system32\LogonAgentAPI.dll
c:\windows\system32\msi.dll
c:\windows\system32\odyEvent.dll
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'lsass.exe'(1528)
c:\windows\system32\cahooknt.dll
.
Completion time: 2012-03-24 16:57:10
ComboFix-quarantined-files.txt 2012-03-24 11:26
.
Pre-Run: 29,008,105,472 bytes free
Post-Run: 29,077,852,160 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - 5550301475EF37037D8FEC119634BEBA

#4 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:54 PM

Posted 24 March 2012 - 10:05 AM

Greetings

There are other things that need to be taken care of but first I want to check for any rootkits.

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
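The procedure above ends with the user pasting the TDSSKiller report back into the thread. As an added example (not a BleepingComputer or Kaspersky tool), the Python below pre-triages such a report: it parses the `<time> <pid> <message>` records TDSSKiller writes, counts objects reported `ok`, collects anything flagged otherwise, and pulls out the MBR and boot-sector hashes so a responder can compare them between scans. The function names and the embedded sample log are constructed; its `warning` record is invented to exercise the flagged path.

```python
"""Pre-triage a pasted TDSSKiller log (added example; not a BleepingComputer or Kaspersky tool)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Every TDSSKiller record is "<hh:mm:ss.ffff> <pid> <message>".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*)$")
# Inside a scan section each checked object is reported as "<name> - <status>".
ENTRY_RE = re.compile(r"^(?P<name>.+?)\s+-\s+(?P<status>.+)$")
# Boot-sector checksums: "MBR (0x1B8) (<md5>) \Device\..." and "Boot (0x1200) (<md5>) ...".
HASH_RE = re.compile(r"^(MBR|Boot)\s+\((0x[0-9A-Fa-f]+)\)\s+\(([0-9a-f]{32})\)\s+(\S+)$")
COUNT_RE = re.compile(r"^(Detected object count|Actual detected object count):\s+(\d+)$")
VERSION_RE = re.compile(r"TDSS rootkit removing tool\s+(\S+)")


@dataclass
class TdssSummary:
    version: Optional[str] = None
    scans: int = 0
    detected: Optional[int] = None         # last "Detected object count" seen
    actual_detected: Optional[int] = None  # last "Actual detected object count" seen
    ok_entries: int = 0
    flagged: List[Tuple[str, str]] = field(default_factory=list)  # (name, status) where status != ok
    sector_hashes: Dict[str, str] = field(default_factory=dict)   # "MBR" / "Boot" -> md5


def parse_tdsskiller_log(text: str) -> TdssSummary:
    """Walk the log once, keeping scan-section state so header lines are not mistaken for objects."""
    summary = TdssSummary()
    in_scan = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, separators pasted by the user, or records without a message
        msg = m.group(3).strip()
        if summary.version is None:
            v = VERSION_RE.search(msg)
            if v:
                summary.version = v.group(1)
        if msg == "Scan started":
            in_scan = True
            summary.scans += 1
            continue
        if msg == "Scan finished":
            in_scan = False
            continue
        c = COUNT_RE.match(msg)
        if c:
            n = int(c.group(2))
            if c.group(1).startswith("Actual"):
                summary.actual_detected = n
            else:
                summary.detected = n
            continue
        h = HASH_RE.match(msg)
        if h:
            summary.sector_hashes[h.group(1)] = h.group(3)
            continue
        # "name - status" records only count while a scan is running; the drive
        # header ("Drive \Device\... - Size: ...") also contains " - " but is not an object.
        if not in_scan:
            continue
        e = ENTRY_RE.match(msg)
        if not e:
            continue
        name, status = e.group("name"), e.group("status").strip()
        if status == "ok":
            summary.ok_entries += 1
        elif (name, status) not in summary.flagged:
            summary.flagged.append((name, status))
    return summary


def triage(summary: TdssSummary) -> str:
    """One-line verdict a responder can act on: clean, or which objects to look at."""
    if not summary.flagged and summary.detected in (None, 0):
        return f"clean: {summary.ok_entries} objects ok, MBR {summary.sector_hashes.get('MBR', '?')}"
    items = "; ".join(f"{name} -> {status}" for name, status in summary.flagged)
    return f"review: {summary.detected} detected ({items})"


# Constructed sample modelled on the report pasted later in this thread (the MBR and
# boot hashes are the thread's own); the "warning" record is invented for the test.
SAMPLE_LOG = r"""
09:48:37.0125 4100 TDSS rootkit removing tool 2.7.22.0 Mar 21 2012 17:40:00
09:48:37.0734 4100 ============================================================
09:48:37.0734 4100 OS Version: 5.1.2600 ServicePack: 3.0
09:48:37.0734 4100
09:48:38.0453 4100 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200
09:48:38.0453 4100 MBR used
09:48:41.0546 2400 Scan started
09:48:41.0546 2400 Mode: Manual;
09:48:41.0718 2400 Abiosdsk - ok
09:48:41.0734 2400 ACPI - ok
09:48:42.0500 2400 exampledrv ( UnsignedFile.Multi.Generic ) - warning
09:48:43.0312 2400 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
09:48:43.0328 2400 \Device\Harddisk0\DR0 - ok
09:48:43.0328 2400 Boot (0x1200) (ff0c9ec0a31d3167f6e4d1ab2ad2b96b) \Device\Harddisk0\DR0\Partition0
09:48:43.0328 2400 \Device\Harddisk0\DR0\Partition0 - ok
09:48:43.0328 2400 Scan finished
09:48:43.0343 2272 Detected object count: 1
09:48:43.0343 2272 Actual detected object count: 1
"""

if __name__ == "__main__":
    print(triage(parse_tdsskiller_log(SAMPLE_LOG)))
```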

#5 sk2012

  • Topic Starter

  • Members
  • 16 posts
  • Local time:11:24 PM

Posted 24 March 2012 - 11:42 PM

Hi, I did run TDSSKiller and aswMBR. Nothing detected.

=============================================================================

09:48:37.0125 4100 TDSS rootkit removing tool 2.7.22.0 Mar 21 2012 17:40:00
09:48:37.0734 4100 ============================================================
09:48:37.0734 4100 Current date / time: 2012/03/25 09:48:37.0734
09:48:37.0734 4100 SystemInfo:
09:48:37.0734 4100
09:48:37.0734 4100 OS Version: 5.1.2600 ServicePack: 3.0
09:48:37.0734 4100 Product type: Workstation
09:48:37.0734 4100 ComputerName: IN010M00022-02
09:48:37.0734 4100 UserName: Sahil.Katchi
09:48:37.0734 4100 Windows directory: C:\WINDOWS
09:48:37.0734 4100 System windows directory: C:\WINDOWS
09:48:37.0734 4100 Processor architecture: Intel x86
09:48:37.0734 4100 Number of processors: 2
09:48:37.0734 4100 Page size: 0x1000
09:48:37.0734 4100 Boot type: Normal boot
09:48:37.0734 4100 ============================================================
09:48:38.0453 4100 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
09:48:38.0453 4100 \Device\Harddisk0\DR0:
09:48:38.0453 4100 MBR used
09:48:38.0453 4100 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3EC1, BlocksNum 0x12A14C00
09:48:38.0578 4100 Initialize success
09:48:38.0578 4100 ============================================================
09:48:41.0546 2400 ============================================================
09:48:41.0546 2400 Scan started
09:48:41.0546 2400 Mode: Manual;
09:48:41.0546 2400 ============================================================
09:48:43.0312 2400 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
09:48:43.0328 2400 \Device\Harddisk0\DR0 - ok
09:48:43.0328 2400 Boot (0x1200) (ff0c9ec0a31d3167f6e4d1ab2ad2b96b) \Device\Harddisk0\DR0\Partition0
09:48:43.0328 2400 \Device\Harddisk0\DR0\Partition0 - ok
09:48:43.0328 2400 ============================================================
09:48:43.0328 2400 Scan finished
09:48:43.0328 2400 ============================================================
09:48:43.0343 2272 Detected object count: 0
09:48:43.0343 2272 Actual detected object count: 0
09:49:31.0953 2132 ============================================================
09:49:31.0953 2132 Scan started
09:49:31.0953 2132 Mode: Manual;
09:49:31.0953 2132 ============================================================
09:49:32.0640 2132 NgWfp - ok
09:49:32.0656 2132 NIC1394 - ok
09:49:32.0656 2132 Nla - ok
09:49:32.0656 2132 Npfs - ok
09:49:32.0656 2132 Ntfs - ok
09:49:32.0671 2132 NtLmSsp - ok
09:49:32.0671 2132 NtmsSvc - ok
09:49:32.0671 2132 Null - ok
09:49:32.0671 2132 NwlnkFlt - ok
09:49:32.0671 2132 NwlnkFwd - ok
09:49:32.0687 2132 odClientService - ok
09:49:32.0687 2132 odFips - ok
09:49:32.0687 2132 odFips2 - ok
09:49:32.0687 2132 odserv - ok
09:49:32.0703 2132 odysseyIM4 - ok
09:49:32.0703 2132 ohci1394 - ok
09:49:32.0703 2132 ose - ok
09:49:32.0703 2132 Parport - ok
09:49:32.0703 2132 PartMgr - ok
09:49:32.0718 2132 ParVdm - ok
09:49:32.0718 2132 PCI - ok
09:49:32.0718 2132 PCIDump - ok
09:49:32.0718 2132 PCIIde - ok
09:49:32.0718 2132 Pcmcia - ok
09:49:32.0734 2132 PDCOMP - ok
09:49:32.0734 2132 PDFRAME - ok
09:49:32.0734 2132 PDRELI - ok
09:49:32.0734 2132 PDRFRAME - ok
09:49:32.0734 2132 perc2 - ok
09:49:32.0750 2132 perc2hib - ok
09:49:32.0750 2132 PlugPlay - ok
09:49:32.0765 2132 Pml Driver HPZ12 - ok
09:49:32.0765 2132 Pointsec - ok
09:49:32.0765 2132 Pointsec_start - ok
09:49:32.0765 2132 PolicyAgent - ok
09:49:32.0765 2132 PptpMiniport - ok
09:49:32.0781 2132 prepdrvr - ok
09:49:32.0781 2132 ProtectedStorage - ok
09:49:32.0781 2132 prot_2k - ok
09:49:32.0781 2132 PSched - ok
09:49:32.0796 2132 Ptilink - ok
09:49:32.0796 2132 ql1080 - ok
09:49:32.0796 2132 Ql10wnt - ok
09:49:32.0796 2132 ql12160 - ok
09:49:32.0812 2132 ql1240 - ok
09:49:32.0812 2132 ql1280 - ok
09:49:32.0812 2132 RasAcd - ok
09:49:32.0812 2132 RasAuto - ok
09:49:32.0828 2132 Rasl2tp - ok
09:49:32.0828 2132 RasMan - ok
09:49:32.0828 2132 RasPppoe - ok
09:49:32.0828 2132 Raspti - ok
09:49:32.0843 2132 Rdbss - ok
09:49:32.0843 2132 RDPCDD - ok
09:49:32.0843 2132 rdpdr - ok
09:49:32.0843 2132 RDPWD - ok
09:49:32.0859 2132 RDSessMgr - ok
09:49:32.0859 2132 redbook - ok
09:49:32.0859 2132 RemoteAccess - ok
09:49:32.0859 2132 RemoteRegistry - ok
09:49:32.0875 2132 rimmptsk - ok
09:49:32.0875 2132 RpcLocator - ok
09:49:32.0875 2132 RpcSs - ok
09:49:32.0875 2132 RSVP - ok
09:49:32.0890 2132 s716bus - ok
09:49:32.0890 2132 s716mdfl - ok
09:49:32.0890 2132 s716mdm - ok
09:49:32.0890 2132 s716mgmt - ok
09:49:32.0890 2132 s716nd5 - ok
09:49:32.0906 2132 s716obex - ok
09:49:32.0906 2132 s716unic - ok
09:49:32.0906 2132 SamSs - ok
09:49:32.0906 2132 SavRoam - ok
09:49:32.0921 2132 SAVRT - ok
09:49:32.0921 2132 SAVRTPEL - ok
09:49:32.0921 2132 SCardSvr - ok
09:49:32.0921 2132 Schedule - ok
09:49:32.0937 2132 sdbus - ok
09:49:32.0937 2132 Secdrv - ok
09:49:32.0937 2132 seclogon - ok
09:49:32.0937 2132 SENS - ok
09:49:32.0953 2132 serenum - ok
09:49:32.0953 2132 Serial - ok
09:49:32.0968 2132 sffdisk - ok
09:49:32.0968 2132 sffp_sd - ok
09:49:32.0968 2132 Sfloppy - ok
09:49:32.0984 2132 SharedAccess - ok
09:49:32.0984 2132 ShellHWDetection - ok
09:49:32.0984 2132 Simbad - ok
09:49:32.0984 2132 sisagp - ok
09:49:33.0000 2132 SLIP - ok
09:49:33.0000 2132 SNDSrvc - ok
09:49:33.0000 2132 Sparrow - ok
09:49:33.0015 2132 SPBBCDrv - ok
09:49:33.0015 2132 SPBBCSvc - ok
09:49:33.0015 2132 splitter - ok
09:49:33.0015 2132 Spooler - ok
09:49:33.0031 2132 sr - ok
09:49:33.0031 2132 srservice - ok
09:49:33.0031 2132 Srv - ok
09:49:33.0031 2132 SSDPSRV - ok
09:49:33.0046 2132 STacSV - ok
09:49:33.0046 2132 STHDA - ok
09:49:33.0046 2132 stisvc - ok
09:49:33.0046 2132 streamip - ok
09:49:33.0062 2132 swenum - ok
09:49:33.0062 2132 swmidi - ok
09:49:33.0062 2132 SwPrv - ok
09:49:33.0062 2132 Symantec AntiVirus - ok
09:49:33.0078 2132 symc810 - ok
09:49:33.0078 2132 symc8xx - ok
09:49:33.0078 2132 SymEvent - ok
09:49:33.0078 2132 SYMREDRV - ok
09:49:33.0093 2132 SYMTDI - ok
09:49:33.0093 2132 sym_hi - ok
09:49:33.0093 2132 sym_u3 - ok
09:49:33.0093 2132 sysaudio - ok
09:49:33.0109 2132 SysmonLog - ok
09:49:33.0109 2132 TapiSrv - ok
09:49:33.0109 2132 Tb2Device - ok
09:49:33.0109 2132 Tb2Launch - ok
09:49:33.0125 2132 Tb2MirrorSys - ok
09:49:33.0125 2132 Tcpip - ok
09:49:33.0125 2132 TDPIPE - ok
09:49:33.0125 2132 TDTCP - ok
09:49:33.0140 2132 TermDD - ok
09:49:33.0140 2132 TermService - ok
09:49:33.0140 2132 Themes - ok
09:49:33.0140 2132 TlntSvr - ok
09:49:33.0156 2132 TosIde - ok
09:49:33.0156 2132 TrkWks - ok
09:49:33.0156 2132 Udfs - ok
09:49:33.0171 2132 ultra - ok
09:49:33.0171 2132 Update - ok
09:49:33.0171 2132 upnphost - ok
09:49:33.0171 2132 UPS - ok
09:49:33.0187 2132 USBAAPL - ok
09:49:33.0187 2132 usbaudio - ok
09:49:33.0187 2132 usbccgp - ok
09:49:33.0203 2132 USBCCID - ok
09:49:33.0203 2132 usbehci - ok
09:49:33.0203 2132 usbhub - ok
09:49:33.0203 2132 usbprint - ok
09:49:33.0218 2132 usbscan - ok
09:49:33.0218 2132 USBSTOR - ok
09:49:33.0218 2132 usbuhci - ok
09:49:33.0218 2132 usbvideo - ok
09:49:33.0234 2132 VgaSave - ok
09:49:33.0234 2132 viaagp - ok
09:49:33.0234 2132 ViaIde - ok
09:49:33.0234 2132 Viexca2k - ok
09:49:33.0250 2132 Viexpf2k - ok
09:49:33.0250 2132 vmscsi - ok
09:49:33.0250 2132 vmxnet - ok
09:49:33.0250 2132 vmx_svga - ok
09:49:33.0265 2132 VolSnap - ok
09:49:33.0265 2132 VSS - ok
09:49:33.0265 2132 W32Time - ok
09:49:33.0281 2132 Wanarp - ok
09:49:33.0281 2132 Wdf01000 - ok
09:49:33.0281 2132 WDICA - ok
09:49:33.0296 2132 wdmaud - ok
09:49:33.0296 2132 WebClient - ok
09:49:33.0296 2132 WebUpdate4 - ok
09:49:33.0312 2132 winachsf - ok
09:49:33.0312 2132 winmgmt - ok
09:49:33.0328 2132 WmdmPmSN - ok
09:49:33.0328 2132 Wmi - ok
09:49:33.0328 2132 WmiAcpi - ok
09:49:33.0343 2132 WmiApSrv - ok
09:49:33.0343 2132 WMPNetworkSvc - ok
09:49:33.0343 2132 WpdUsb - ok
09:49:33.0359 2132 WPFFontCache_v0400 - ok
09:49:33.0359 2132 WS2IFSL - ok
09:49:33.0359 2132 wscsvc - ok
09:49:33.0375 2132 WSTCODEC - ok
09:49:33.0375 2132 wuauserv - ok
09:49:33.0375 2132 WudfPf - ok
09:49:33.0375 2132 WudfRd - ok
09:49:33.0390 2132 WudfSvc - ok
09:49:33.0390 2132 WZCSVC - ok
09:49:33.0390 2132 xmlprov - ok
09:49:33.0406 2132 ztemtusbser - ok
09:49:33.0421 2132 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
09:49:33.0468 2132 \Device\Harddisk0\DR0 - ok
09:49:33.0468 2132 Boot (0x1200) (ff0c9ec0a31d3167f6e4d1ab2ad2b96b) \Device\Harddisk0\DR0\Partition0
09:49:33.0468 2132 \Device\Harddisk0\DR0\Partition0 - ok
09:49:33.0468 2132 ============================================================
09:49:33.0468 2132 Scan finished
09:49:33.0468 2132 ============================================================
09:49:33.0468 5016 Detected object count: 0
09:49:33.0468 5016 Actual detected object count: 0


===================================================================================================================

Here is the aswMBR log


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-25 09:53:24
-----------------------------
09:53:24.078 OS Version: Windows 5.1.2600 Service Pack 3
09:53:24.078 Number of processors: 2 586 0x170A
09:53:24.078 ComputerName: IN010M00022-02 UserName: Sahil.Katchi
09:53:24.609 Initialize success
10:08:24.265 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
10:08:24.281 Disk 0 Vendor: ST916041 0004 Size: 152627MB BusType: 8
10:08:24.312 Disk 0 MBR read successfully
10:08:24.328 Disk 0 MBR scan
10:08:24.328 Disk 0 Windows VISTA default MBR code
10:08:24.359 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 16065
10:08:24.375 Disk 0 scanning sectors +312576705
10:08:24.421 Disk 0 scanning C:\WINDOWS\system32\drivers
10:08:24.453 Service scanning
10:08:47.703 Modules scanning
10:08:47.875 Disk 0 trace - called modules:
10:08:47.875 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
10:08:47.875 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a617448]
10:08:47.875 3 CLASSPNP.SYS[b9978fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x89be5028]
10:08:47.875 Scan finished successfully
10:10:26.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Sahil.Katchi\Desktop\MBR.dat"
10:10:26.203 The log file has been saved successfully to "C:\Documents and Settings\Sahil.Katchi\Desktop\aswMBR.txt"

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:54 PM

Posted 25 March 2012 - 12:07 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\documents and settings\All Users\Application Data\Premium
c:\documents and settings\All Users\Application Data\Codec-C
C:\codec-info
c:\documents and settings\All Users\Application Data\InstallMate

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[Image: CFScript.txt being dragged onto ComboFix.exe]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 sk2012

sk2012
  • Topic Starter

  • Members
  • 16 posts
  • Local time:11:24 PM

Posted 25 March 2012 - 12:50 AM

Hi Gringo, I ran ComboFix with the above script. I do not see any difference. Attached is the log. Do let me know of further steps.
Thanks

ComboFix 12-03-22.01 - Sahil.Katchi 03/25/2012 11:08:17.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.941 [GMT 5.5:30]
Running from: c:\documents and settings\Sahil.Katchi\Desktop\Combofix.exe
Command switches used :: c:\documents and settings\Sahil.Katchi\Desktop\CFscript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: CyberArmor Client *Enabled* {E503B27E-6391-4e17-B2CA-F910AF011E23}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\codec-info
c:\codec-info\codec_info.html
c:\documents and settings\All Users\Application Data\Codec-C
c:\documents and settings\All Users\Application Data\Codec-C\background.html
c:\documents and settings\All Users\Application Data\Codec-C\bccldkoinakjmmgebambiaggjobhikfg.crx
c:\documents and settings\All Users\Application Data\Codec-C\bhoclass.dll
c:\documents and settings\All Users\Application Data\Codec-C\content.js
c:\documents and settings\All Users\Application Data\Codec-C\settings.ini
c:\documents and settings\All Users\Application Data\Codec-C\uninstall.exe
c:\documents and settings\All Users\Application Data\InstallMate
c:\documents and settings\All Users\Application Data\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\_Setup.dll
c:\documents and settings\All Users\Application Data\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\_Setupx.dll
c:\documents and settings\All Users\Application Data\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\0.ini
c:\documents and settings\All Users\Application Data\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\20120321192522.log
c:\documents and settings\All Users\Application Data\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\Setup.dat
c:\documents and settings\All Users\Application Data\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\Setup.exe
c:\documents and settings\All Users\Application Data\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\Setup.ico
c:\documents and settings\All Users\Application Data\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\TsuDll.dll
c:\documents and settings\All Users\Application Data\Premium
.
.
((((((((((((((((((((((((( Files Created from 2012-02-25 to 2012-03-25 )))))))))))))))))))))))))))))))
.
.
2012-03-24 12:58 . 2012-03-24 12:58 -------- d-----w- c:\documents and settings\Sahil.Katchi\Application Data\Malwarebytes
2012-03-24 12:58 . 2012-03-24 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-24 12:58 . 2012-03-24 12:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-24 12:58 . 2011-12-10 09:54 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-24 05:00 . 2012-03-24 05:57 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-02 09:27 . 2012-03-02 09:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Form11
2012-02-28 03:51 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-28 03:51 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-20 05:12 . 2011-03-22 10:30 14088 ----a-w- c:\windows\system32\drivers\PROCEXP141.SYS
2012-02-20 09:01 . 2012-02-20 09:01 58776 ----a-r- c:\documents and settings\Sahil.Katchi\Application Data\Microsoft\Installer\{13972BDB-D717-4D71-9F22-DD0FC3B518B4}\ARPPRODUCTICON.exe
2012-02-03 09:26 . 2008-10-22 13:08 1869184 ----a-w- c:\windows\system32\win32k.sys
2012-01-29 06:36 . 2012-01-29 06:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-29 06:36 . 2010-12-11 04:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-09 16:20 . 2008-10-22 04:39 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-12-31 14:58 . 2011-05-28 15:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-29 10:59 . 2011-12-29 10:59 34304 ----a-w- c:\windows\system32\PushnPullClient.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-24_11.25.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-25 05:31 . 2012-03-25 05:31 16384 c:\windows\Temp\Perflib_Perfdata_814.dat
+ 2012-03-25 05:32 . 2012-03-25 05:32 16384 c:\windows\Temp\Perflib_Perfdata_728.dat
+ 2012-03-25 05:30 . 2012-03-25 05:30 16384 c:\windows\Temp\Perflib_Perfdata_54c.dat
+ 2012-03-25 05:32 . 2012-03-25 05:32 16384 c:\windows\Temp\Perflib_Perfdata_2a8.dat
- 2012-03-24 11:25 . 2012-03-24 11:25 53248 c:\windows\Temp\catchme.dll
+ 2012-03-25 05:44 . 2012-03-25 05:44 53248 c:\windows\Temp\catchme.dll
+ 2008-10-22 13:08 . 2012-03-24 14:20 89308 c:\windows\system32\perfc009.dat
- 2008-10-22 13:08 . 2012-02-28 04:02 89308 c:\windows\system32\perfc009.dat
- 2008-10-22 13:08 . 2012-02-28 04:02 505096 c:\windows\system32\perfh009.dat
+ 2008-10-22 13:08 . 2012-03-24 14:20 505096 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2006-01-25 495616]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-01-10 491520]
"TLogonPath"="c:\program files\Timbuktu Pro\Tb2Logon.exe" [2004-03-19 151552]
"CyberArmorHelper"="c:\progra~1\CYBERA~1\pcshelp.exe" [2010-04-15 81920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-07-07 737280]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-08-03 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-09-01 125368]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"ZEYViewer"="c:\program files\eyutils\SMSTOOLS\EYSelectTrayApp.exe" [2008-09-22 65536]
"ey_kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-23 1607208]
"Recycle Bin Manager"="c:\program files\RBManager\\RBManager.exe" [2008-11-25 114688]
"AppConnectorLocaleMgr"="c:\program files\Documentum\AppConnector\Documentum.AppConnector.LocaleManager.exe" [2011-05-17 45056]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2011-03-08 858792]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2010-06-09 931184]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-03-10 495708]
"AppConnectorCredentialMgr"="c:\program files\Documentum\AppConnector\Documentum.AppConnector.CredentialManager.exe" [2011-05-17 45056]
"Check Point Endpoint Tray Application"="c:\program files\Common Files\Check Point\UIFramework\cptray.exe" [2010-06-02 70144]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Odyssey520FixDel"="reg delete HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\Juniper_Odyssey_520_Fix" [X]
.
c:\documents and settings\Sahil.Katchi\Start Menu\Programs\Startup\
Monitor My eRooms (V7).lnk - c:\program files\eRoom 7\ERClient7.exe [2010-10-5 153096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2010-12-15 04:41 218480 ----a-w- c:\windows\system32\odyEvent.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2004-03-19 08:29 81973 ----a-w- c:\program files\Timbuktu Pro\HOOK32.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\cahooknt.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Documentum\\AppConnector\\Documentum.AppConnector.CredentialManager.exe"=
"c:\\Lotus\\Notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.j2se.win32.x86_1.6.0.20090219c-200908151410\\jre\\bin\\notes2w.exe"=
"c:\\Program Files\\eRoom 7\\ERClient7.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [6/9/2010 11:10 AM 9856]
R0 odFips2;odFips2;c:\windows\system32\drivers\odFIPS2.sys [6/9/2010 11:10 AM 282496]
R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [3/8/2011 3:09 PM 221736]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [9/24/2009 12:48 AM 10880]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 CyberArmorRunService;CyberArmor Run Service;c:\program files\CyberArmor\casvc.exe [9/23/2009 10:48 PM 77824]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [5/21/2010 11:35 AM 198000]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/24/2012 6:28 PM 652360]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [7/12/2010 1:50 PM 240816]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [3/8/2011 3:10 PM 658088]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [3/8/2011 3:10 PM 232104]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/1/2009 1:15 PM 116664]
R2 Viexca2k;CyberArmor Registry Driver;c:\windows\system32\drivers\viexca2k.sys [9/23/2009 10:48 PM 21504]
R2 Viexpf2k;CyberArmor W2KDriver;c:\windows\system32\drivers\viexpf2k.sys [9/23/2009 10:48 PM 424527]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [11/30/2010 4:49 AM 113664]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [11/30/2010 4:50 AM 33832]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [11/30/2010 4:50 AM 240344]
R3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [6/9/2010 11:28 AM 152944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/5/2012 2:24 PM 106104]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [11/30/2010 4:50 AM 116224]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [12/15/2010 10:10 AM 420336]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [12/15/2010 10:11 AM 29312]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/24/2012 6:28 PM 20464]
R3 NETwNx32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [11/30/2010 4:51 AM 6650752]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [7/12/2010 1:47 PM 27208]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [7/12/2010 1:49 PM 79944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 EY Tune Up Service;EY Tune Up Service;c:\program files\Ernst & Young\EY Tune Up\EYTuneUpService.exe [8/18/2010 9:34 AM 73728]
S3 jnprva;Juniper Networks Virtual Adapter Service;c:\windows\system32\drivers\jnprva.sys [12/15/2010 10:11 AM 12288]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [7/12/2010 1:49 PM 22600]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [7/12/2010 1:49 PM 25160]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [9/24/2009 12:47 AM 15744]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [9/24/2009 12:47 AM 28288]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys --> c:\windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [?]
S4 CSI Socket Listener;CSI Socket Listener;c:\windows\ECM4\INSTAL~1\CFC\2.0\bin\CsiWin32SocketListener.exe [2/1/2011 9:36 AM 32768]
S4 CSIRemoteC;Configuresoft ECM Remote Client;c:\program files\Configuresoft\CSI Remote Client\CSIRemoteCSvc.exe [3/14/2008 3:12 PM 102400]
S4 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
S4 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [5/9/2008 4:23 PM 262360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Aventail10]
2010-09-30 10:34 2913758 ----a-w- c:\windows\EYINST\Aventail_Connect\10.0.4.35\Aventail_10.0.4.35_Build2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\BrandingZone]
2008-03-11 19:57 177106 ----a-w- c:\windows\EYINST\The_Branding_Zone\Branding_Zone_USER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\EY_Leads_Branding]
2008-02-15 17:58 177221 ----a-w- c:\windows\EYINST\ACS_Offline_Course_Manager\EY_Leads.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Lotus_Notes]
2008-09-03 22:06 126874 ----a-w- c:\windows\EYINST\Lotus_Notes\8.0.2\Shortcuts.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\OdyCertUpd]
2010-06-09 06:28 1324400 ----a-w- c:\program files\Juniper Networks\Odyssey Access Client\odClientAdministrator.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\pdfFP_Up]
2009-02-23 20:56 125354 ----a-w- c:\windows\EYINST\pdfFactory_Pro_Update\2.50\pdfFP_Up.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PPTXD07]
2008-05-18 20:27 95744 ----a-w- c:\windows\system32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2D41D8AE-F122-413E-A7C5-B6D86F22F5CA}]
2009-09-10 05:06 136701 ----a-w- c:\windows\EYINST\Visual_Identity_Templates_2009\1.0\EYIT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2011-12-19 08:13 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 12:27]
.
2012-03-25 c:\windows\Tasks\User_Feed_Synchronization-{96A33348-B7F8-4E8E-A7FA-06035588176D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 22:36]
.
2012-03-25 c:\windows\Tasks\User_Feed_Synchronization-{EA494441-F69A-43C3-A686-5D1D09A796E0}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gss.iweb.ey.com/
uInternet Settings,ProxyServer = ingssweb.ey.net:8080
uInternet Settings,ProxyOverride = *.corptax.com;blrscr3.egs-seg.gc.ca;142.221.160.*;*.gamx.ey.net;myvpn.eycan.com;cda.eyo.ca;*.taxnavigator.ca;ey.venngo.com;ogs*.com;*.kontiki.com;globaltracker.ey.com;199.52.42.94;199.50.15.252;199.50.15.251;199.50.14.59;199.50.14.91;199.50.15.220;199.50.15.219;eyonline-er*.ey.com;eroomdestage.ey.com;eroomusstage.ey.com;*.eyqa.net;*.eyua.net;*.gamx.ey.com;erniedomino.ey.com;eyo-iis-pd.ey.com;eyonline.ey.com;sdc.ey.com;deqp001.quickplace.ey.com;gbqp001.quickplace.ey.com;qp002.quickplace.ey.com;qp001.quickplace.ey.com;*.ey.net;*.gofileroom.com;*.iweb.ey.com;199.50.20.187;*.eylink.com;199.50.20.186;*.adc.ey.com;gosystemrs.fasttax.com;169.254.*.*;riatraining.com;www.riahelp.com;iweb.eycan.com;txrn.ey.com;txsn.ey.com;txadmin.ey.com;*.eyntc.com;eformrs.com;*.ltdcenter.ey.com;198.134.44.*;199.49.190.*;10.165.4.25;10.1.137.10;eyocmsstage.ey.com;wisdom.iweb.eyuk.com;127.0.0.1;<local>
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: com.mx\www.tuproteccion
Trusted Zone: eformRS.com
Trusted Zone: elementk.com\contentserver
Trusted Zone: ey.com
Trusted Zone: ey.net
Trusted Zone: eygtt.com
Trusted Zone: eyleads.com
Trusted Zone: eylink.com
Trusted Zone: eyqa.net
Trusted Zone: eyua.net
Trusted Zone: fasttax.com\gosystemrs
Trusted Zone: fincad.com\ey
Trusted Zone: intellinex-asp.com
Trusted Zone: intellinex.com
Trusted Zone: lexis.com\web
Trusted Zone: raindance.com\intellinex
Trusted Zone: riahome.com\insourcers
Trusted Zone: riahome.com\support2
Trusted Zone: smarttrainer4.com
Trusted Zone: surveymonkey.com
Trusted Zone: taleo.net\ey
Trusted Zone: thomson.com\gosystem
Trusted Zone: thomsonib.com
Trusted Zone: xtremelearning.com\cserver
TCP: DhcpNameServer = 192.168.1.1
DPF: {0DE70C1A-5136-45F6-95DA-B81CCF0DA5B3} - hxxps://gosystemrs.fasttax.com/OCX/RIARSDocumentum.cab
DPF: {2EC07293-4DF5-11D5-992B-0001020FC1FC} - hxxps://gosystemrs.fasttax.com/OCX/comconv.cab
DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} - hxxps://edocs.us.na.ey.net/edocs/wdk/native/WdkPluginCab.CAB
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{133A9360-2364-4977-BBD8-5AB2FF7F48A8} - c:\documents and settings\All Users\Application Data\Codec-C\bhoclass.dll
AddRemove-{2EF17083-57D4-4D64-AE4F-55F32A2C4571} - c:\documents and settings\All Users\Application Data\Codec-C\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-25 11:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1472)
c:\windows\system32\pssogina.dll
c:\windows\system32\LogonAgentAPI.dll
c:\windows\system32\msi.dll
c:\windows\system32\odyEvent.dll
.
Completion time: 2012-03-25 11:15:51
ComboFix-quarantined-files.txt 2012-03-25 05:45
ComboFix2.txt 2012-03-24 11:27
.
Pre-Run: 28,883,136,512 bytes free
Post-Run: 28,972,318,720 bytes free
.
- - End Of File - - 564EF42C1F51D42A1B0A44B3880FB8E6

#8 sk2012

sk2012
  • Topic Starter

  • Members
  • 16 posts
  • Local time:11:24 PM

Posted 25 March 2012 - 01:05 AM

Hi Gringo,

After running this, I noticed that I am not able to connect to my office network using VPN. It says the system does not conform to the firm's security standards. What could be the issue?

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:54 PM

Posted 25 March 2012 - 01:12 AM

Hello

About the VPN: I don't know, this is the first I have heard of this. Try restarting the computer and see if it helps, or it may need to be reconfigured.

When you say you don't see any difference, what do you mean?

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




#10 sk2012

Posted 25 March 2012 - 01:29 AM

Thanks Gringo. By no difference I mean I still don't see all programs under the start menu. Also I forgot to mention that when I ran ComboFix using CFScript, it deleted Codec C files, so I thought it would all be fine now, but it is not. Below is the OTL log.

OTL logfile created on: 3/25/2012 11:47:52 AM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Sahil.Katchi\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.95 Gb Total Physical Memory | 0.99 Gb Available Physical Memory | 50.70% Memory free
3.80 Gb Paging File | 3.05 Gb Available in Paging File | 80.38% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 26.95 Gb Free Space | 18.08% Space Free | Partition Type: NTFS

Computer Name: IN010M00022-02 | User Name: Sahil.Katchi | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Sahil.Katchi\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Documentum\AppConnector\Documentum.AppConnector.LocaleManager.exe (Documentum, a division of EMC Corporation)
PRC - C:\Program Files\Documentum\AppConnector\Documentum.AppConnector.CredentialManager.exe (Documentum, a division of EMC Corporation)
PRC - C:\Program Files\Pointsec\Pointsec for PC\P95tray.exe (Check Point Software Tech Ltd)
PRC - C:\WINDOWS\system32\Prot_srv.exe (Check Point Software Tech Ltd)
PRC - C:\WINDOWS\system32\pstartSr.exe (Check Point Software Tech Ltd)
PRC - C:\Program Files\Pointsec\Pointsec for PC\fde_da_ew.exe ()
PRC - C:\Program Files\eRoom 7\ERClient7.exe (EMC)
PRC - C:\WINDOWS\system32\ngmonitor.exe (Aventail Corporation)
PRC - C:\WINDOWS\system32\ngvpnmgr.exe (Aventail Corporation)
PRC - C:\Program Files\Juniper Networks\Odyssey Access Client\odTray.exe (Juniper Networks, Inc.)
PRC - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe (Juniper Networks, Inc.)
PRC - C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe (Juniper Networks)
PRC - C:\Program Files\Common Files\Juniper Networks\Endpoint Defense\dsEES.exe (Juniper Networks)
PRC - C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe (Check Point Software Technologies LTD)
PRC - C:\Program Files\DellTPad\hidfind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe (Juniper Networks)
PRC - C:\Program Files\CyberArmor\pcshelp.exe (InfoExpress)
PRC - C:\Program Files\CyberArmor\pcs.exe (InfoExpress)
PRC - C:\Program Files\CyberArmor\casvc.exe (InfoExpress)
PRC - C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
PRC - c:\I386\drivers\Audio\A_IDT_High_Def_Audio_5.10.0.6274\Driver\stacsv.exe (IDT, Inc.)
PRC - C:\Program Files\DellTPad\ApMsgFwd.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\AESTFltr.exe (Andrea Electronics Corporation)
PRC - C:\Program Files\RBManager\RBManager.exe (Ernst & Young)
PRC - C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
PRC - C:\Program Files\Kontiki\KService.exe (Kontiki Inc.)
PRC - C:\Program Files\eyutils\SMSTOOLS\EYSelectTrayApp.exe (Ernst & Young)
PRC - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe (iPass, Inc.)
PRC - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe (iPass, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\CCM\CcmExec.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\fppdis2a.exe (FinePrint Software, LLC)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\fpdisp5a.exe (FinePrint Software, LLC)
PRC - C:\Program Files\Timbuktu Pro\tb2logon.exe (Netopia, Inc.)
PRC - C:\Program Files\Timbuktu Pro\tb2launch.exe (Netopia, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\707a05a7d5a8d99dd56d1d50311a60d2\System.Deployment.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\96e485c02ad346a2bd26a635e7fcb023\Microsoft.VisualBasic.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\94a40f415bfa947e251888bbe88bb973\System.Configuration.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\77e1279cbf4eecfb0284b63316fe43fe\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ad99ac6b5666edb8ee742dd64f9578af\System.Windows.Forms.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\9351cf29bb1ba951e45a9b3b0edab937\System.Drawing.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\9e3803cd2a11f056291862e306a8e2b2\System.ni.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_653a1e77\mscorlib.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_10aba04b\system.xml.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_bd0141a0\system.windows.forms.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_c98c1f1d\system.dll ()
MOD - c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll ()
MOD - c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Pointsec\Pointsec for PC\fde_da_ew.exe ()
MOD - C:\WINDOWS\system32\LogonAgentAPI.dll ()
MOD - C:\Program Files\eRoom 7\Res\ResAddin7409.dll ()
MOD - C:\WINDOWS\system32\vsctool.dll ()
MOD - c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll ()
MOD - c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll ()
MOD - C:\Program Files\iPass\iPassConnect\libeay32.dll ()


========== Win32 Services (SafeList) ==========

SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (Pointsec) -- C:\WINDOWS\system32\Prot_srv.exe (Check Point Software Tech Ltd)
SRV - (Pointsec_start) -- C:\WINDOWS\system32\pstartSr.exe (Check Point Software Tech Ltd)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (EY Tune Up Service) -- C:\Program Files\Ernst & Young\EY Tune Up\EYTuneUpService.exe (Ernst & Young)
SRV - (NgVpnMgr) -- C:\WINDOWS\system32\ngvpnmgr.exe (Aventail Corporation)
SRV - (odClientService) -- C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe (Juniper Networks, Inc.)
SRV - (EacService) -- C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe (Juniper Networks)
SRV - (JuniperAccessService) -- C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe (Juniper Networks)
SRV - (CyberArmorRunService) -- C:\Program Files\CyberArmor\casvc.exe (InfoExpress)
SRV - (STacSV) -- c:\I386\drivers\Audio\A_IDT_High_Def_Audio_5.10.0.6274\Driver\stacsv.exe (IDT, Inc.)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (SavRoam) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (DefWatch) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
SRV - (SNDSrvc) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)
SRV - (KService) -- C:\Program Files\Kontiki\KService.exe (Kontiki Inc.)
SRV - (Lotus Notes Single Logon) -- C:\Lotus\Notes\nslsvice.exe (IBM Corp)
SRV - (iPassConnectEngine) -- C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe (iPass, Inc.)
SRV - (WebUpdate4) -- C:\WINDOWS\system32\WebUpdateSvc4.exe (Data Perceptions / PowerProgrammer)
SRV - (iPassPeriodicUpdateService) -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe (iPass, Inc.)
SRV - (iPassPeriodicUpdateApp) -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe (iPass, Inc.)
SRV - (CSIRemoteC) -- C:\Program Files\Configuresoft\CSI Remote Client\CSIRemoteCSvc.exe (Configuresoft, Inc.)
SRV - (CSI Socket Listener) -- C:\WINDOWS\ECM4\Installer\CFC\2.0\bin\CsiWin32SocketListener.exe (Configuresoft, Inc)
SRV - (SPBBCSvc) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
SRV - (CcmExec) -- C:\WINDOWS\system32\CCM\CcmExec.exe (Microsoft Corporation)
SRV - (Tb2Launch) -- C:\Program Files\Timbuktu Pro\tb2launch.exe (Netopia, Inc.)


========== Driver Services (SafeList) ==========

DRV - (ztemtusbser) -- system32\DRIVERS\CT_ZTEMT_U_USBSER.sys File not found
DRV - (WDICA) -- File not found
DRV - (Tb2MirrorSys) -- NetopiaRC\Tb2MirrorSys.sys File not found
DRV - (Tb2Device) -- NetopiaRC\Tb2Device.sys File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\WINDOWS\TEMP\catchme.sys File not found
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120324.019\navex15.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120324.019\naveng.sys (Symantec Corporation)
DRV - (prot_2k) -- C:\WINDOWS\System32\drivers\prot_2k.sys (Check Point Software Tech Ltd)
DRV - (iPassP) iPass Protocol (IEEE 802.1x) -- C:\WINDOWS\system32\drivers\iPassP.sys (Cisco Systems, Inc.)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (NETwNx32) ___ Intel® -- C:\WINDOWS\system32\drivers\NETwNx32.sys (Intel Corporation)
DRV - (NgWfp) -- C:\WINDOWS\system32\drivers\ngwfp.sys (Aventail Corporation)
DRV - (NgFilter) -- C:\WINDOWS\system32\drivers\ngfilter.sys (Aventail Corporation)
DRV - (NgVpn) -- C:\WINDOWS\system32\drivers\ngvpn.sys (Aventail Corporation)
DRV - (NgLog) -- C:\WINDOWS\system32\drivers\nglog.sys (Aventail Corporation)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (odFips2) -- C:\WINDOWS\system32\drivers\odFIPS2.sys (Juniper Networks, Inc.)
DRV - (odFips) -- C:\WINDOWS\system32\drivers\odFIPS.sys (Juniper Networks, Inc.)
DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
DRV - (jnprna) -- C:\WINDOWS\system32\drivers\jnprna.sys (Juniper Networks, Inc.)
DRV - (JnprVaMgr) -- C:\WINDOWS\system32\drivers\jnprvamgr.sys (Juniper Networks, Inc.)
DRV - (jnprva) -- C:\WINDOWS\system32\drivers\jnprva.sys (Juniper Networks, Inc.)
DRV - (Viexpf2k) -- C:\WINDOWS\system32\drivers\viexpf2k.sys ()
DRV - (cvusbdrv) -- C:\WINDOWS\system32\drivers\cvusbdrv.sys (Broadcom Corporation)
DRV - (USBCCID) -- C:\WINDOWS\system32\drivers\usbccid.sys (Microsoft Corporation)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (Viexca2k) -- C:\WINDOWS\system32\drivers\viexca2k.sys (InfoExpress)
DRV - (e1yexpress) Intel® -- C:\WINDOWS\system32\drivers\e1y5132.sys (Intel Corporation)
DRV - (SAVRTPEL) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (SAVRT) -- C:\Program Files\Symantec AntiVirus\savrt.sys (Symantec Corporation)
DRV - (AESTAud) -- C:\WINDOWS\system32\drivers\AESTAud.sys (Andrea Electronics Corporation)
DRV - (IntcHdmiAddService) Intel® -- C:\WINDOWS\system32\drivers\IntcHdmi.sys (Intel® Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\symtdi.sys (Symantec Corporation)
DRV - (SYMREDRV) -- C:\WINDOWS\system32\drivers\symredrv.sys (Symantec Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (vmx_svga) -- C:\WINDOWS\system32\drivers\vmx_svga.sys (VMware, Inc.)
DRV - (vmxnet) -- C:\WINDOWS\system32\drivers\vmxnet.sys (VMware, Inc.)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (prepdrvr) -- C:\WINDOWS\system32\CCM\PrepDrv.sys (Microsoft Corporation)
DRV - (s716unic) Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (WDM) -- C:\WINDOWS\system32\drivers\s716unic.sys (MCCI Corporation)
DRV - (s716obex) -- C:\WINDOWS\system32\drivers\s716obex.sys (MCCI Corporation)
DRV - (s716nd5) Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (NDIS) -- C:\WINDOWS\system32\drivers\s716nd5.sys (MCCI Corporation)
DRV - (s716mdm) -- C:\WINDOWS\system32\drivers\s716mdm.sys (MCCI Corporation)
DRV - (s716mgmt) Sony Ericsson Device 716 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\s716mgmt.sys (MCCI Corporation)
DRV - (s716mdfl) -- C:\WINDOWS\system32\drivers\s716mdfl.sys (MCCI Corporation)
DRV - (s716bus) Sony Ericsson Device 716 driver (WDM) -- C:\WINDOWS\system32\drivers\s716bus.sys (MCCI Corporation)
DRV - (odysseyIM4) -- C:\WINDOWS\system32\drivers\odysseyIM4.sys (Funk Software, Inc.)
DRV - (vmscsi) -- C:\WINDOWS\system32\drivers\vmscsi.sys (VMware, Inc.)
DRV - (es1371) Creative AudioPCI (ES1371,ES1373) (WDM) -- C:\WINDOWS\system32\drivers\es1371mp.sys (Creative Technology Ltd.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://gss.iweb.ey.com/
IE - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = [String data over 1000 bytes]
IE - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = ftp=FPROXY1:80;http=FPROXY1:80;https=FPROXY1:80


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\WINDOWS\system32\TVUAx\npTVUAx.dll (TVU networks)
FF - HKCU\Software\MozillaPlugins\@emc.com/NpDmDataTransfer: C:\Program Files\eRoom 7\npeRoom7.dll (Documentum, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\webcomponent@globalenglish.com: C:\Program Files\GlobalEnglish\Firefox\Version3\webcomponent@globalenglish.com [2011/01/15 19:42:09 | 000,000,000 | ---D | M]

[2010/11/30 12:01:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sahil.Katchi\Application Data\Mozilla\eclipse\extensions

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\Application\17.0.963.83\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\Application\17.0.963.83\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\Application\17.0.963.83\pdf.dll
CHR - plugin: Google Talk Plugin (Enabled) = C:\Documents and Settings\Sahil.Katchi\Application Data\Mozilla\plugins\npgoogletalk.dll
CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Documents and Settings\Sahil.Katchi\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
CHR - plugin: ActiveTouch General Plugin Container (Enabled) = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\Application\plugins\npatgpc.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
CHR - plugin: Microsoft Lync 2010 Meeting Join Plug-in (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: eRoom (Enabled) = C:\Program Files\eRoom 7\npeRoom7.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: TVU Web Player for FireFox (Enabled) = C:\WINDOWS\system32\TVUAx\npTVUAx.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Codec-C = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bccldkoinakjmmgebambiaggjobhikfg\1.0_0\
CHR - Extension: 1-ClickWeather for Chrome = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fgmbighdoomjmebfbgplfmhcdbomjkoa\1.1.0.3_0\
CHR - Extension: AdBlock = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.22_0\
CHR - Extension: Chrome Live Football = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\oamjbefinnglappklpabmhpbcdiephoo\2.0_0\

O1 HOSTS File: ([2012/03/25 11:14:23 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Lync Browser Helper) - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx ()
O3 - HKLM\..\Toolbar: (LexLink IE ToolBar) - {CBAA6F21-985C-11D4-A02B-00B0D073E889} - C:\Program Files\LexisNexis\CHCKCITE\llieobj.dll (LexisNexis)
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AppConnectorCredentialMgr] C:\Program Files\Documentum\AppConnector\Documentum.AppConnector.CredentialManager.exe (Documentum, a division of EMC Corporation)
O4 - HKLM..\Run: [AppConnectorLocaleMgr] C:\Program Files\Documentum\AppConnector\Documentum.AppConnector.LocaleManager.exe (Documentum, a division of EMC Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Check Point Endpoint Tray Application] C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe (Check Point Software Technologies LTD)
O4 - HKLM..\Run: [CyberArmorHelper] C:\Program Files\CyberArmor\pcshelp.exe (InfoExpress)
O4 - HKLM..\Run: [ey_kdx] C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
O4 - HKLM..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe (FinePrint Software, LLC)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [OdTray.exe] C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe (Juniper Networks, Inc.)
O4 - HKLM..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe (FinePrint Software, LLC)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95tray.exe (Check Point Software Tech Ltd)
O4 - HKLM..\Run: [Recycle Bin Manager] C:\Program Files\RBManager\RBManager.exe (Ernst & Young)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [TLogonPath] C:\Program Files\Timbuktu Pro\Tb2Logon.exe (Netopia, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [ZEYViewer] C:\Program Files\eyutils\SMSTOOLS\EYSelectTrayApp.exe (Ernst & Young)
O4 - HKU\.DEFAULT..\RunOnce: [Odyssey520FixDel] reg delete "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\Juniper_Odyssey_520_Fix" /f File not found
O4 - HKU\S-1-5-18..\RunOnce: [Odyssey520FixDel] reg delete "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\Juniper_Odyssey_520_Fix" /f File not found
O4 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499..\RunOnce: [ProxyOn] C:\Program Files\ConnWiz\ProxyOn.exe ()
O4 - Startup: C:\Documents and Settings\Sahil.Katchi\Start Menu\Programs\Startup\Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe (EMC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Download present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMSAppLogo5ChannelNotify = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Download present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Persistence present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Download present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Persistence present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Download present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Persistence present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Download present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Persistence present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\Software\Policies\Microsoft\Internet Explorer\Download present
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\Software\Policies\Microsoft\Internet Explorer\Persistence present
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Home = 0
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Fullscreen = 0
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Tools = 0
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Print = 0
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Edit = 0
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Cut = 0
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Copy = 0
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Paste = 0
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Encoding = 0
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1644491937-1275210071-1417001333-199499\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: com.mx ([www.tuproteccion] https in Trusted sites)
O15 - HKLM\..Trusted Domains: eformRS.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: elementk.com ([contentserver] http in Trusted sites)
O15 - HKLM\..Trusted Domains: ey.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: ey.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: ey.net ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: ey.net ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: eygtt.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: eyleads.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: eylink.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: eyqa.net ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: eyqa.net ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: eyua.net ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: eyua.net ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: fasttax.com ([gosystemrs] https in Trusted sites)
O15 - HKLM\..Trusted Domains: fincad.com ([ey] http in Trusted sites)
O15 - HKLM\..Trusted Domains: intellinex.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: intellinex.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: intellinex-asp.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: lexis.com ([web] http in Trusted sites)
O15 - HKLM\..Trusted Domains: raindance.com ([intellinex] http in Trusted sites)
O15 - HKLM\..Trusted Domains: riahome.com ([insourcers] https in Trusted sites)
O15 - HKLM\..Trusted Domains: riahome.com ([support2] https in Trusted sites)
O15 - HKLM\..Trusted Domains: smarttrainer4.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: surveymonkey.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: taleo.net ([ey] http in Trusted sites)
O15 - HKLM\..Trusted Domains: thomson.com ([gosystem] https in Trusted sites)
O15 - HKLM\..Trusted Domains: thomsonib.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: xtremelearning.com ([cserver] http in Trusted sites)
O16 - DPF: {0DE70C1A-5136-45F6-95DA-B81CCF0DA5B3} https://gosystemrs.fasttax.com/OCX/RIARSDocumentum.cab (RIARSDocumentum.DocumentumIntegration)
O16 - DPF: {13F71666-05F2-11D2-B2F6-00A0C9A08B64} https://gosystemrs.fasttax.com/OCX/comconv.cab (CommonBridge Class)
O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} https://gosystemrs.fasttax.com/OCX/RSLoginModule.cab (CLRMachineInfoCtl Class)
O16 - DPF: {2EC07293-4DF5-11D5-992B-0001020FC1FC} https://gosystemrs.fasttax.com/OCX/comconv.cab (RSCompConvClient Class)
O16 - DPF: {455182EE-8F93-11D2-BA3C-00C04F7F6533} https://gosystemrs.fasttax.com/OCX/RSTabbedList.cab (CLRTabbedList Class)
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} https://eyonline-er01i.ey.com/eRoomSetup/client.cab (Reg Error: Key error.)
O16 - DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} https://edocs.us.na.ey.net/edocs/wdk/native/WdkPluginCab.CAB (DmDragDrop Class)
O16 - DPF: {7B640A40-EEC1-11D2-B526-00C04F8DEE99} https://gosystemrs.fasttax.com/OCX/WebAttachments.cab (WebAttachObj Class)
O16 - DPF: {82BFFC8C-B4BD-11D4-9908-000102053AFB} https://gosystemrs.fasttax.com/OCX/webnotifier.cab (GRSNotifierCtrl Class)
O16 - DPF: {86B092BC-7ABA-11D4-98E7-000102053AFB} https://gosystemrs.fasttax.com/OCX/Downloader.cab (MultiDownload Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {973EA5BE-9ED6-11D3-AB1D-00C04F7468E4} https://gosystemrs.fasttax.com/OCX/DCParse.cab (IParseCSV Class)
O16 - DPF: {97A90946-2984-11D3-AAE7-00C04F7468E4} https://gosystemrs.fasttax.com/OCX/frmsrc.cab (FrmSrcCt Control)
O16 - DPF: {C945E31A-102E-4A0D-8854-D599D7AED5FA} https://gosystemrs.fasttax.com/OCX/vsflex8.cab (ComponentOne FlexGrid 8.0 (OLEDB))
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D76D712E-4A96-11D3-BD95-D296DC2DD072} https://gosystemrs.fasttax.com/OCX/vsflex7.cab (:-) VideoSoft FlexGrid 7.0 (OLEDB))
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ey.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{590EC419-F9BD-48A0-95E9-E323218D3CFB}: Domain = mea.ey.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9F900E19-B522-4765-A5C4-9F4C5B3209D9}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9F900E19-B522-4765-A5C4-9F4C5B3209D9}: Domain = mea.ey.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DC2DAE3B-F1CA-4899-A95A-DA660028792B}: NameServer = 10.146.162.34 10.149.64.32
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FC140415-A6C3-4C35-A686-EED073DE1881}: Domain = mea.ey.net
O20 - AppInit_DLLs: (C:\WINDOWS\system32\cahooknt.dll) - C:\WINDOWS\system32\cahooknt.dll (InfoExpress)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (pssogina.dll) - C:\WINDOWS\System32\PssoGina.dll (Check Point Software Tech Ltd)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\OdysseyClient: DllName - (odyEvent.dll) - C:\WINDOWS\System32\odyEvent.dll (Juniper Networks, Inc.)
O20 - Winlogon\Notify\Timbuktu Pro: DllName - (C:\Program Files\Timbuktu Pro\Hook32.dll) - C:\Program Files\Timbuktu Pro\HOOK32.DLL (Netopia, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/22 10:12:15 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/25 11:46:13 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sahil.Katchi\Desktop\OTL.exe
[2012/03/25 11:43:54 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/03/25 11:06:59 | 000,000,000 | ---D | C] -- C:\Combofix
[2012/03/24 18:28:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sahil.Katchi\Application Data\Malwarebytes
[2012/03/24 18:28:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/03/24 18:28:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/03/24 18:28:49 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/03/24 18:28:49 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/03/24 16:37:49 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/03/24 16:30:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/24 16:30:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/24 16:30:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/24 16:30:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/24 16:29:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/03/24 16:27:06 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/24 12:21:28 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
[2012/03/24 12:21:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2012/03/22 18:38:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sahil.Katchi\My Documents\eRoom Files For Offline Editing
[2012/03/03 10:22:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sahil.Katchi\Desktop\IBM
[2012/03/02 14:57:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Form11
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/25 11:55:00 | 000,000,400 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{EA494441-F69A-43C3-A686-5D1D09A796E0}.job
[2012/03/25 11:55:00 | 000,000,398 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{96A33348-B7F8-4E8E-A7FA-06035588176D}.job
[2012/03/25 11:46:38 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sahil.Katchi\Desktop\OTL.exe
[2012/03/25 11:42:38 | 000,000,456 | ---- | M] () -- C:\WINDOWS\smscfg.ini
[2012/03/25 11:40:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/25 11:40:16 | 2097,000,448 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/25 11:14:23 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/03/25 10:10:26 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\MBR.dat
[2012/03/24 19:50:42 | 000,505,096 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/24 19:50:42 | 000,089,308 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/24 18:28:51 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/24 18:28:48 | 000,000,837 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\IBM Auth List - 2011.lnk
[2012/03/24 16:37:54 | 000,000,310 | RHS- | M] () -- C:\boot.ini
[2012/03/24 11:51:29 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\defogger_reenable
[2012/03/23 22:36:37 | 000,000,821 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/03/23 14:35:32 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/23 12:32:16 | 000,069,632 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/23 12:04:45 | 000,000,995 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2012/03/23 11:44:20 | 000,000,896 | ---- | M] () -- C:\WINDOWS\SymmTime.ini
[2012/03/23 11:08:21 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/23 11:07:53 | 000,356,952 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/22 10:45:14 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/21 10:34:13 | 000,007,023 | ---- | M] () -- C:\WINDOWS\System32\OEMINFO.INI
[2012/03/20 10:42:11 | 000,014,088 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\drivers\PROCEXP141.SYS
[2012/03/19 21:44:27 | 000,311,258 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/03/19 09:41:05 | 000,058,394 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\PrintReport.pdf
[2012/03/16 11:03:41 | 000,000,648 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Start Menu\Programs\Startup\Monitor My eRooms (V7).lnk
[2012/03/07 17:20:38 | 000,000,481 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\HC Self Help .lnk
[2012/03/02 09:40:48 | 000,000,073 | ---- | M] () -- C:\WINDOWS\ZoneLib-DisplayNames.ini
[2012/03/01 14:33:44 | 000,000,609 | ---- | M] () -- C:\WINDOWS\WTXI.INI
[2012/02/27 18:28:51 | 000,000,801 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\Shortcut to vlc.exe.lnk
[2012/02/24 14:28:54 | 000,052,857 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\My Documents\State Mandatory efiling.pdf
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/25 10:10:26 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\MBR.dat
[2012/03/24 18:28:51 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/24 18:28:13 | 000,000,837 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\IBM Auth List - 2011.lnk
[2012/03/24 16:37:54 | 000,000,193 | ---- | C] () -- C:\Boot.bak
[2012/03/24 16:37:52 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/03/24 16:30:41 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/24 16:30:41 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/24 16:30:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/24 16:30:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/24 16:30:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/24 11:51:29 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\defogger_reenable
[2012/03/23 22:36:37 | 000,000,821 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/03/19 09:41:05 | 000,058,394 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\PrintReport.pdf
[2012/03/16 11:03:41 | 000,000,648 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Start Menu\Programs\Startup\Monitor My eRooms (V7).lnk
[2012/02/28 09:21:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/28 09:21:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/27 18:28:51 | 000,000,801 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\Shortcut to vlc.exe.lnk
[2012/02/24 14:28:50 | 000,052,857 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\My Documents\State Mandatory efiling.pdf
[2011/12/26 11:27:56 | 000,001,067 | ---- | C] () -- C:\WINDOWS\System32\PushnPullClient.exe.config
[2011/11/23 10:08:25 | 000,204,880 | ---- | C] () -- C:\WINDOWS\Rem_EY_eDocs40.EXE
[2011/10/02 09:57:50 | 000,058,880 | ---- | C] () -- C:\WINDOWS\System32\TALPDF32.dll
[2011/10/02 09:57:50 | 000,034,304 | ---- | C] () -- C:\WINDOWS\System32\TALC3932.DLL
[2011/09/24 10:07:50 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2011/09/18 19:05:59 | 000,381,120 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/08/12 19:23:48 | 000,000,073 | ---- | C] () -- C:\WINDOWS\ZoneLib-DisplayNames.ini
[2011/08/12 19:22:56 | 000,000,896 | ---- | C] () -- C:\WINDOWS\SymmTime.ini
[2011/08/10 11:33:01 | 000,102,455 | ---- | C] () -- C:\WINDOWS\System32\Ctree04.dll
[2011/08/09 19:56:32 | 000,102,455 | ---- | C] () -- C:\WINDOWS\System32\ctree03.dll
[2011/08/09 15:23:53 | 000,000,609 | ---- | C] () -- C:\WINDOWS\WTXI.INI
[2011/08/03 09:48:20 | 000,087,984 | ---- | C] () -- C:\WINDOWS\System32\rscncl.dll
[2011/05/28 20:30:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/03/08 15:10:38 | 000,141,992 | ---- | C] () -- C:\WINDOWS\System32\NovPwd32.dll
[2011/03/08 14:26:38 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\LogonAgentAPI.dll
[2011/02/28 09:51:50 | 000,004,096 | -H-- | C] () -- C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\keyfile3.drm
[2011/01/09 16:45:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2010/12/11 14:13:51 | 000,075,136 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/12/06 08:16:43 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/05 15:56:08 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/12/04 22:10:23 | 000,069,632 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/02 17:56:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Txfim082.INI
[2010/12/02 17:40:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Txfim072.INI
[2010/12/02 17:22:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Txfim062.INI
[2010/12/01 11:17:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tb2pro.INI
[2010/11/30 04:50:42 | 000,982,240 | ---- | C] () -- C:\WINDOWS\System32\igkrng500.bin
[2010/11/30 04:50:39 | 000,439,308 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin
[2010/11/30 04:50:39 | 000,004,096 | ---- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
[2010/11/30 04:50:38 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
[2010/11/29 21:02:37 | 000,000,070 | ---- | C] () -- C:\WINDOWS\init.ini
[2010/11/29 20:54:04 | 000,547,164 | ---- | C] () -- C:\WINDOWS\RemCFIT1137.EXE
[2010/11/29 20:50:46 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\fusioncache.dat
[2010/11/29 20:46:20 | 000,154,152 | ---- | C] () -- C:\WINDOWS\RemRBMgr.EXE
[2010/11/29 20:44:07 | 000,356,352 | ---- | C] () -- C:\WINDOWS\System32\iPassI5Installer.exe
[2010/11/29 20:30:47 | 000,065,536 | ---- | C] () -- C:\WINDOWS\eyprobe.exe
[2010/08/24 08:04:54 | 000,083,976 | ---- | C] () -- C:\WINDOWS\System32\wbnotify.dll
[2010/08/24 08:02:34 | 000,239,536 | ---- | C] () -- C:\WINDOWS\System32\rscn06cl.dll
[2010/08/24 08:01:36 | 000,280,496 | ---- | C] () -- C:\WINDOWS\System32\RSCBRGCL.DLL
[2010/08/24 08:00:24 | 000,100,360 | ---- | C] () -- C:\WINDOWS\System32\MultiDownloadCtrl.dll
[2010/08/24 07:57:50 | 000,096,176 | ---- | C] () -- C:\WINDOWS\System32\DCParse.dll
[2010/07/12 13:53:48 | 000,127,664 | ---- | C] () -- C:\WINDOWS\ngmsi.dll
[2010/07/12 13:52:20 | 000,015,024 | ---- | C] () -- C:\WINDOWS\ngutil.exe
[2010/06/09 11:10:12 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\odFIPS2.sys.icv

< End of report >
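The listings above are OTL's "Files/Folders - Created", "Files - Modified" and "Files Created - No Company Name" sections: one file per line with its timestamp, size, attribute flags, a created/modified marker, the company name taken from the file's version information (empty parentheses when there is none) and the path. As an added example, not part of this thread and not OTL's own code, the Python below parses that line format and reimplements the filter behind the "No Company Name" section (files touched inside the report's 30-day window that carry no company name), additionally flagging entries with hidden or system attributes so a responder can sort the listing instead of reading it top to bottom. The sample lines are copied from the report above; the report time, the function names, the 30-day default and the hidden_or_system flag are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# One OTL file-listing line, as printed in the "Files/Folders - Created" and
# "Files - Modified" sections, e.g.
#   [2012/03/25 11:46:13 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\...\OTL.exe
#   [2012/03/25 11:43:54 | 000,000,000 | -HSD | C] -- C:\RECYCLER
# Fields: timestamp | size | attribute flags (R/H/S/D or '-') | C(reated)/M(odified),
# then an optional "(company)" and the path after " -- ".
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

# Sample input: a constructed subset of lines copied from the report above.
SAMPLE_LINES = [
    r"[2012/03/25 11:46:13 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sahil.Katchi\Desktop\OTL.exe",
    r"[2012/03/25 11:43:54 | 000,000,000 | -HSD | C] -- C:\RECYCLER",
    r"[2012/03/24 16:30:41 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe",
    r"[2012/03/25 11:14:23 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts",
    r"[2010/11/30 04:50:39 | 000,004,096 | ---- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll",
    r"[2012/03/20 10:42:11 | 000,014,088 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\drivers\PROCEXP141.SYS",
    "========== Files Created - No Company Name ==========",
    r"[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]",
]

# Assumed report time (the header of the log above is not in this post); the newest
# entries in the listing are from the morning of 2012-03-25.
REPORT_DATE = datetime(2012, 3, 25, 12, 0, 0)


def parse_otl_file_line(line):
    """Return a dict for one OTL file-listing line, or None for any other line."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    return {
        "timestamp": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        "size": int(m.group("size").replace(",", "")),
        "attrs": attrs,
        "kind": m.group("kind"),                      # "C" created, "M" modified
        "company": (m.group("company") or "").strip(),  # "" for "()", "( )" or absent
        "path": m.group("path"),
        "hidden_or_system": "H" in attrs or "S" in attrs,
    }


def triage(lines, report_date, days=30):
    """Entries with no company name whose timestamp falls within `days` of report_date.

    This is the same filter OTL applies for its 'No Company Name' section, written out
    so the heuristic is visible; newest entries first. Absence of a company name is a
    prompt to look, not a verdict.
    """
    cutoff = report_date - timedelta(days=days)
    hits = []
    for line in lines:
        entry = parse_otl_file_line(line)
        if entry is None or entry["company"]:
            continue
        if entry["timestamp"] < cutoff:
            continue
        hits.append(entry)
    hits.sort(key=lambda e: e["timestamp"], reverse=True)
    return hits


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES, REPORT_DATE):
        flag = "HIDDEN/SYSTEM" if e["hidden_or_system"] else ""
        print(f"{e['timestamp']:%Y-%m-%d %H:%M:%S} {e['kind']} {e['size']:>10} {flag:14} {e['path']}")
```

On the sample, three entries survive the filter: C:\RECYCLER (hidden, system), the hosts file and C:\WINDOWS\MBR.exe. Review the result by hand: files dropped by the cleanup tools themselves (the MBR.exe, sed.exe and grep.exe entries created in the same minute as the SteelWerX binaries in the listing above) pass the same filter as anything the malware wrote.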

#11 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:54 PM

Posted 25 March 2012 - 01:43 AM

Hello

I still don't see all programs under the start menu.

A little more info:

When you click on the start button,

what is missing - the things on the left?

The things on the right? Things like
My Computer
My Documents

Or when you go to All Programs - the program folders are empty?

Maybe show me a screenshot.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#12 sk2012
  • Topic Starter

  • Members
  • 16 posts
  • Local time:11:24 PM

Posted 25 March 2012 - 01:52 AM

Hi Gringo, when I go to Start > All Programs, I see that most of the programs have disappeared from this list. Under All Programs I see only main folders like Accessories and Startup. And when I navigate to the System Tools folder through the Accessories folder, I see nothing under there (usually we see items like Disk Defrag, System Cleanup etc.). Also, the Entertainment folder (Accessories) is empty. Overall I see only 12 folders under All Programs versus 30 to 40 folders before the Codec C download.

#13 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:54 PM

Posted 25 March 2012 - 02:12 AM

The next thing I would like you to do is run this for me - http://download.bleepingcomputer.com/grinler/unhide.exe - after it is complete, restart the computer and continue with these steps:


Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in

    %TEMP%\smtmp\*.* /s

  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.


Information and logs:

  • In your next post I need the following:

  • logs from OTL
  • let me know of any problems you may have had

Gringo


#14 sk2012
  • Topic Starter

  • Members
  • 16 posts
  • Local time:11:24 PM

Posted 25 March 2012 - 02:23 AM

Hi Gringo, below are the results of OTL scan.

OTL logfile created on: 3/25/2012 12:46:01 PM - Run 2
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Sahil.Katchi\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.95 Gb Total Physical Memory | 0.92 Gb Available Physical Memory | 47.08% Memory free
3.80 Gb Paging File | 2.98 Gb Available in Paging File | 78.50% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 26.95 Gb Free Space | 18.08% Space Free | Partition Type: NTFS

Computer Name: IN010M00022-02 | User Name: Sahil.Katchi | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Sahil.Katchi\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Documentum\AppConnector\Documentum.AppConnector.LocaleManager.exe (Documentum, a division of EMC Corporation)
PRC - C:\Program Files\Documentum\AppConnector\Documentum.AppConnector.CredentialManager.exe (Documentum, a division of EMC Corporation)
PRC - C:\Program Files\Pointsec\Pointsec for PC\P95tray.exe (Check Point Software Tech Ltd)
PRC - C:\WINDOWS\system32\Prot_srv.exe (Check Point Software Tech Ltd)
PRC - C:\WINDOWS\system32\pstartSr.exe (Check Point Software Tech Ltd)
PRC - C:\Program Files\eRoom 7\ERClient7.exe (EMC)
PRC - C:\WINDOWS\system32\ngmonitor.exe (Aventail Corporation)
PRC - C:\WINDOWS\system32\ngvpnmgr.exe (Aventail Corporation)
PRC - C:\Program Files\Juniper Networks\Odyssey Access Client\odTray.exe (Juniper Networks, Inc.)
PRC - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe (Juniper Networks, Inc.)
PRC - C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe (Juniper Networks)
PRC - C:\Program Files\Common Files\Juniper Networks\Endpoint Defense\dsEES.exe (Juniper Networks)
PRC - C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe (Check Point Software Technologies LTD)
PRC - C:\Program Files\DellTPad\hidfind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe (Juniper Networks)
PRC - C:\Program Files\CyberArmor\pcshelp.exe (InfoExpress)
PRC - C:\Program Files\CyberArmor\pcs.exe (InfoExpress)
PRC - C:\Program Files\CyberArmor\casvc.exe (InfoExpress)
PRC - C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
PRC - c:\I386\drivers\Audio\A_IDT_High_Def_Audio_5.10.0.6274\Driver\stacsv.exe (IDT, Inc.)
PRC - C:\Program Files\DellTPad\ApMsgFwd.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\AESTFltr.exe (Andrea Electronics Corporation)
PRC - C:\Program Files\RBManager\RBManager.exe (Ernst & Young)
PRC - C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
PRC - C:\Program Files\Kontiki\KService.exe (Kontiki Inc.)
PRC - C:\Program Files\eyutils\SMSTOOLS\EYSelectTrayApp.exe (Ernst & Young)
PRC - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe (iPass, Inc.)
PRC - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe (iPass, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\CCM\CcmExec.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\fppdis2a.exe (FinePrint Software, LLC)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\fpdisp5a.exe (FinePrint Software, LLC)
PRC - C:\Program Files\Timbuktu Pro\tb2logon.exe (Netopia, Inc.)
PRC - C:\Program Files\Timbuktu Pro\tb2launch.exe (Netopia, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\707a05a7d5a8d99dd56d1d50311a60d2\System.Deployment.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\96e485c02ad346a2bd26a635e7fcb023\Microsoft.VisualBasic.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\94a40f415bfa947e251888bbe88bb973\System.Configuration.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\77e1279cbf4eecfb0284b63316fe43fe\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ad99ac6b5666edb8ee742dd64f9578af\System.Windows.Forms.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\9351cf29bb1ba951e45a9b3b0edab937\System.Drawing.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\9e3803cd2a11f056291862e306a8e2b2\System.ni.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_653a1e77\mscorlib.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_10aba04b\system.xml.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_bd0141a0\system.windows.forms.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_c98c1f1d\system.dll ()
MOD - c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll ()
MOD - c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\WINDOWS\system32\LogonAgentAPI.dll ()
MOD - C:\Program Files\eRoom 7\Res\ResAddin7409.dll ()
MOD - C:\WINDOWS\system32\vsctool.dll ()
MOD - c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll ()
MOD - c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll ()
MOD - C:\Program Files\iPass\iPassConnect\libeay32.dll ()


========== Win32 Services (SafeList) ==========

SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (Pointsec) -- C:\WINDOWS\system32\Prot_srv.exe (Check Point Software Tech Ltd)
SRV - (Pointsec_start) -- C:\WINDOWS\system32\pstartSr.exe (Check Point Software Tech Ltd)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (EY Tune Up Service) -- C:\Program Files\Ernst & Young\EY Tune Up\EYTuneUpService.exe (Ernst & Young)
SRV - (NgVpnMgr) -- C:\WINDOWS\system32\ngvpnmgr.exe (Aventail Corporation)
SRV - (odClientService) -- C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe (Juniper Networks, Inc.)
SRV - (EacService) -- C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe (Juniper Networks)
SRV - (JuniperAccessService) -- C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe (Juniper Networks)
SRV - (CyberArmorRunService) -- C:\Program Files\CyberArmor\casvc.exe (InfoExpress)
SRV - (STacSV) -- c:\I386\drivers\Audio\A_IDT_High_Def_Audio_5.10.0.6274\Driver\stacsv.exe (IDT, Inc.)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (SavRoam) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (DefWatch) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
SRV - (SNDSrvc) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)
SRV - (KService) -- C:\Program Files\Kontiki\KService.exe (Kontiki Inc.)
SRV - (Lotus Notes Single Logon) -- C:\Lotus\Notes\nslsvice.exe (IBM Corp)
SRV - (iPassConnectEngine) -- C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe (iPass, Inc.)
SRV - (WebUpdate4) -- C:\WINDOWS\system32\WebUpdateSvc4.exe (Data Perceptions / PowerProgrammer)
SRV - (iPassPeriodicUpdateService) -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe (iPass, Inc.)
SRV - (iPassPeriodicUpdateApp) -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe (iPass, Inc.)
SRV - (CSIRemoteC) -- C:\Program Files\Configuresoft\CSI Remote Client\CSIRemoteCSvc.exe (Configuresoft, Inc.)
SRV - (CSI Socket Listener) -- C:\WINDOWS\ECM4\Installer\CFC\2.0\bin\CsiWin32SocketListener.exe (Configuresoft, Inc)
SRV - (SPBBCSvc) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
SRV - (CcmExec) -- C:\WINDOWS\system32\CCM\CcmExec.exe (Microsoft Corporation)
SRV - (Tb2Launch) -- C:\Program Files\Timbuktu Pro\tb2launch.exe (Netopia, Inc.)


========== Driver Services (SafeList) ==========

DRV - (ztemtusbser) -- system32\DRIVERS\CT_ZTEMT_U_USBSER.sys File not found
DRV - (WDICA) -- File not found
DRV - (Tb2MirrorSys) -- NetopiaRC\Tb2MirrorSys.sys File not found
DRV - (Tb2Device) -- NetopiaRC\Tb2Device.sys File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\WINDOWS\TEMP\catchme.sys File not found
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120324.019\navex15.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120324.019\naveng.sys (Symantec Corporation)
DRV - (prot_2k) -- C:\WINDOWS\System32\drivers\prot_2k.sys (Check Point Software Tech Ltd)
DRV - (iPassP) iPass Protocol (IEEE 802.1x) -- C:\WINDOWS\system32\drivers\iPassP.sys (Cisco Systems, Inc.)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (NETwNx32) ___ Intel® -- C:\WINDOWS\system32\drivers\NETwNx32.sys (Intel Corporation)
DRV - (NgWfp) -- C:\WINDOWS\system32\drivers\ngwfp.sys (Aventail Corporation)
DRV - (NgFilter) -- C:\WINDOWS\system32\drivers\ngfilter.sys (Aventail Corporation)
DRV - (NgVpn) -- C:\WINDOWS\system32\drivers\ngvpn.sys (Aventail Corporation)
DRV - (NgLog) -- C:\WINDOWS\system32\drivers\nglog.sys (Aventail Corporation)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (odFips2) -- C:\WINDOWS\system32\drivers\odFIPS2.sys (Juniper Networks, Inc.)
DRV - (odFips) -- C:\WINDOWS\system32\drivers\odFIPS.sys (Juniper Networks, Inc.)
DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
DRV - (jnprna) -- C:\WINDOWS\system32\drivers\jnprna.sys (Juniper Networks, Inc.)
DRV - (JnprVaMgr) -- C:\WINDOWS\system32\drivers\jnprvamgr.sys (Juniper Networks, Inc.)
DRV - (jnprva) -- C:\WINDOWS\system32\drivers\jnprva.sys (Juniper Networks, Inc.)
DRV - (Viexpf2k) -- C:\WINDOWS\system32\drivers\viexpf2k.sys ()
DRV - (cvusbdrv) -- C:\WINDOWS\system32\drivers\cvusbdrv.sys (Broadcom Corporation)
DRV - (USBCCID) -- C:\WINDOWS\system32\drivers\usbccid.sys (Microsoft Corporation)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (Viexca2k) -- C:\WINDOWS\system32\drivers\viexca2k.sys (InfoExpress)
DRV - (e1yexpress) Intel® -- C:\WINDOWS\system32\drivers\e1y5132.sys (Intel Corporation)
DRV - (SAVRTPEL) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (SAVRT) -- C:\Program Files\Symantec AntiVirus\savrt.sys (Symantec Corporation)
DRV - (AESTAud) -- C:\WINDOWS\system32\drivers\AESTAud.sys (Andrea Electronics Corporation)
DRV - (IntcHdmiAddService) Intel® -- C:\WINDOWS\system32\drivers\IntcHdmi.sys (Intel® Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\symtdi.sys (Symantec Corporation)
DRV - (SYMREDRV) -- C:\WINDOWS\system32\drivers\symredrv.sys (Symantec Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (vmx_svga) -- C:\WINDOWS\system32\drivers\vmx_svga.sys (VMware, Inc.)
DRV - (vmxnet) -- C:\WINDOWS\system32\drivers\vmxnet.sys (VMware, Inc.)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (prepdrvr) -- C:\WINDOWS\system32\CCM\PrepDrv.sys (Microsoft Corporation)
DRV - (s716unic) Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (WDM) -- C:\WINDOWS\system32\drivers\s716unic.sys (MCCI Corporation)
DRV - (s716obex) -- C:\WINDOWS\system32\drivers\s716obex.sys (MCCI Corporation)
DRV - (s716nd5) Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (NDIS) -- C:\WINDOWS\system32\drivers\s716nd5.sys (MCCI Corporation)
DRV - (s716mdm) -- C:\WINDOWS\system32\drivers\s716mdm.sys (MCCI Corporation)
DRV - (s716mgmt) Sony Ericsson Device 716 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\s716mgmt.sys (MCCI Corporation)
DRV - (s716mdfl) -- C:\WINDOWS\system32\drivers\s716mdfl.sys (MCCI Corporation)
DRV - (s716bus) Sony Ericsson Device 716 driver (WDM) -- C:\WINDOWS\system32\drivers\s716bus.sys (MCCI Corporation)
DRV - (odysseyIM4) -- C:\WINDOWS\system32\drivers\odysseyIM4.sys (Funk Software, Inc.)
DRV - (vmscsi) -- C:\WINDOWS\system32\drivers\vmscsi.sys (VMware, Inc.)
DRV - (es1371) Creative AudioPCI (ES1371,ES1373) (WDM) -- C:\WINDOWS\system32\drivers\es1371mp.sys (Creative Technology Ltd.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://gss.iweb.ey.com/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = [String data over 1000 bytes]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = ftp=FPROXY1:80;http=FPROXY1:80;https=FPROXY1:80


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\WINDOWS\system32\TVUAx\npTVUAx.dll (TVU networks)
FF - HKCU\Software\MozillaPlugins\@emc.com/NpDmDataTransfer: C:\Program Files\eRoom 7\npeRoom7.dll (Documentum, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\webcomponent@globalenglish.com: C:\Program Files\GlobalEnglish\Firefox\Version3\webcomponent@globalenglish.com [2011/01/15 19:42:09 | 000,000,000 | ---D | M]

[2010/11/30 12:01:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sahil.Katchi\Application Data\Mozilla\eclipse\extensions

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\Application\17.0.963.83\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\Application\17.0.963.83\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\Application\17.0.963.83\pdf.dll
CHR - plugin: Google Talk Plugin (Enabled) = C:\Documents and Settings\Sahil.Katchi\Application Data\Mozilla\plugins\npgoogletalk.dll
CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Documents and Settings\Sahil.Katchi\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
CHR - plugin: ActiveTouch General Plugin Container (Enabled) = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\Application\plugins\npatgpc.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
CHR - plugin: Microsoft Lync 2010 Meeting Join Plug-in (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: eRoom (Enabled) = C:\Program Files\eRoom 7\npeRoom7.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: TVU Web Player for FireFox (Enabled) = C:\WINDOWS\system32\TVUAx\npTVUAx.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Codec-C = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bccldkoinakjmmgebambiaggjobhikfg\1.0_0\
CHR - Extension: 1-ClickWeather for Chrome = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fgmbighdoomjmebfbgplfmhcdbomjkoa\1.1.0.3_0\
CHR - Extension: AdBlock = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.22_0\
CHR - Extension: Chrome Live Football = C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\oamjbefinnglappklpabmhpbcdiephoo\2.0_0\

O1 HOSTS File: ([2012/03/25 11:14:23 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Lync Browser Helper) - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx ()
O3 - HKLM\..\Toolbar: (LexLink IE ToolBar) - {CBAA6F21-985C-11D4-A02B-00B0D073E889} - C:\Program Files\LexisNexis\CHCKCITE\llieobj.dll (LexisNexis)
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AppConnectorCredentialMgr] C:\Program Files\Documentum\AppConnector\Documentum.AppConnector.CredentialManager.exe (Documentum, a division of EMC Corporation)
O4 - HKLM..\Run: [AppConnectorLocaleMgr] C:\Program Files\Documentum\AppConnector\Documentum.AppConnector.LocaleManager.exe (Documentum, a division of EMC Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Check Point Endpoint Tray Application] C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe (Check Point Software Technologies LTD)
O4 - HKLM..\Run: [CyberArmorHelper] C:\Program Files\CyberArmor\pcshelp.exe (InfoExpress)
O4 - HKLM..\Run: [ey_kdx] C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
O4 - HKLM..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe (FinePrint Software, LLC)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [OdTray.exe] C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe (Juniper Networks, Inc.)
O4 - HKLM..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe (FinePrint Software, LLC)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95tray.exe (Check Point Software Tech Ltd)
O4 - HKLM..\Run: [Recycle Bin Manager] C:\Program Files\RBManager\RBManager.exe (Ernst & Young)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [TLogonPath] C:\Program Files\Timbuktu Pro\Tb2Logon.exe (Netopia, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [ZEYViewer] C:\Program Files\eyutils\SMSTOOLS\EYSelectTrayApp.exe (Ernst & Young)
O4 - HKCU..\RunOnce: [ProxyOn] C:\Program Files\ConnWiz\ProxyOn.exe ()
O4 - Startup: C:\Documents and Settings\Sahil.Katchi\Start Menu\Programs\Startup\Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe (EMC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Download present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMSAppLogo5ChannelNotify = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Download present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Persistence present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Home = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Fullscreen = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Tools = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Print = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Edit = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Cut = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Copy = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Paste = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Encoding = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: com.mx ([www.tuproteccion] https in Trusted sites)
O15 - HKLM\..Trusted Domains: eformRS.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: elementk.com ([contentserver] http in Trusted sites)
O15 - HKLM\..Trusted Domains: ey.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: ey.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: ey.net ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: ey.net ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: eygtt.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: eyleads.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: eylink.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: eyqa.net ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: eyqa.net ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: eyua.net ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: eyua.net ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: fasttax.com ([gosystemrs] https in Trusted sites)
O15 - HKLM\..Trusted Domains: fincad.com ([ey] http in Trusted sites)
O15 - HKLM\..Trusted Domains: intellinex.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: intellinex.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: intellinex-asp.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: lexis.com ([web] http in Trusted sites)
O15 - HKLM\..Trusted Domains: raindance.com ([intellinex] http in Trusted sites)
O15 - HKLM\..Trusted Domains: riahome.com ([insourcers] https in Trusted sites)
O15 - HKLM\..Trusted Domains: riahome.com ([support2] https in Trusted sites)
O15 - HKLM\..Trusted Domains: smarttrainer4.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: surveymonkey.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: taleo.net ([ey] http in Trusted sites)
O15 - HKLM\..Trusted Domains: thomson.com ([gosystem] https in Trusted sites)
O15 - HKLM\..Trusted Domains: thomsonib.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: xtremelearning.com ([cserver] http in Trusted sites)
O16 - DPF: {0DE70C1A-5136-45F6-95DA-B81CCF0DA5B3} https://gosystemrs.fasttax.com/OCX/RIARSDocumentum.cab (RIARSDocumentum.DocumentumIntegration)
O16 - DPF: {13F71666-05F2-11D2-B2F6-00A0C9A08B64} https://gosystemrs.fasttax.com/OCX/comconv.cab (CommonBridge Class)
O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} https://gosystemrs.fasttax.com/OCX/RSLoginModule.cab (CLRMachineInfoCtl Class)
O16 - DPF: {2EC07293-4DF5-11D5-992B-0001020FC1FC} https://gosystemrs.fasttax.com/OCX/comconv.cab (RSCompConvClient Class)
O16 - DPF: {455182EE-8F93-11D2-BA3C-00C04F7F6533} https://gosystemrs.fasttax.com/OCX/RSTabbedList.cab (CLRTabbedList Class)
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} https://eyonline-er01i.ey.com/eRoomSetup/client.cab (Reg Error: Key error.)
O16 - DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} https://edocs.us.na.ey.net/edocs/wdk/native/WdkPluginCab.CAB (DmDragDrop Class)
O16 - DPF: {7B640A40-EEC1-11D2-B526-00C04F8DEE99} https://gosystemrs.fasttax.com/OCX/WebAttachments.cab (WebAttachObj Class)
O16 - DPF: {82BFFC8C-B4BD-11D4-9908-000102053AFB} https://gosystemrs.fasttax.com/OCX/webnotifier.cab (GRSNotifierCtrl Class)
O16 - DPF: {86B092BC-7ABA-11D4-98E7-000102053AFB} https://gosystemrs.fasttax.com/OCX/Downloader.cab (MultiDownload Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {973EA5BE-9ED6-11D3-AB1D-00C04F7468E4} https://gosystemrs.fasttax.com/OCX/DCParse.cab (IParseCSV Class)
O16 - DPF: {97A90946-2984-11D3-AAE7-00C04F7468E4} https://gosystemrs.fasttax.com/OCX/frmsrc.cab (FrmSrcCt Control)
O16 - DPF: {C945E31A-102E-4A0D-8854-D599D7AED5FA} https://gosystemrs.fasttax.com/OCX/vsflex8.cab (ComponentOne FlexGrid 8.0 (OLEDB))
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D76D712E-4A96-11D3-BD95-D296DC2DD072} https://gosystemrs.fasttax.com/OCX/vsflex7.cab (:-) VideoSoft FlexGrid 7.0 (OLEDB))
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ey.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{590EC419-F9BD-48A0-95E9-E323218D3CFB}: Domain = mea.ey.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9F900E19-B522-4765-A5C4-9F4C5B3209D9}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9F900E19-B522-4765-A5C4-9F4C5B3209D9}: Domain = mea.ey.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DC2DAE3B-F1CA-4899-A95A-DA660028792B}: NameServer = 10.146.162.34 10.149.64.32
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FC140415-A6C3-4C35-A686-EED073DE1881}: Domain = mea.ey.net
O20 - AppInit_DLLs: (C:\WINDOWS\system32\cahooknt.dll) - C:\WINDOWS\system32\cahooknt.dll (InfoExpress)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (pssogina.dll) - C:\WINDOWS\System32\PssoGina.dll (Check Point Software Tech Ltd)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\OdysseyClient: DllName - (odyEvent.dll) - C:\WINDOWS\System32\odyEvent.dll (Juniper Networks, Inc.)
O20 - Winlogon\Notify\Timbuktu Pro: DllName - (C:\Program Files\Timbuktu Pro\Hook32.dll) - C:\Program Files\Timbuktu Pro\HOOK32.DLL (Netopia, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/22 10:12:15 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/25 11:46:13 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sahil.Katchi\Desktop\OTL.exe
[2012/03/25 11:43:54 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/03/25 11:06:59 | 000,000,000 | ---D | C] -- C:\Combofix
[2012/03/24 18:28:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sahil.Katchi\Application Data\Malwarebytes
[2012/03/24 18:28:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/03/24 18:28:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/03/24 18:28:49 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/03/24 18:28:49 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/03/24 16:37:49 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/03/24 16:30:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/24 16:30:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/24 16:30:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/24 16:30:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/24 16:29:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/03/24 16:27:06 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/24 12:21:28 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
[2012/03/24 12:21:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2012/03/22 18:38:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sahil.Katchi\My Documents\eRoom Files For Offline Editing
[2012/03/03 10:22:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sahil.Katchi\Desktop\IBM
[2012/03/02 14:57:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Form11
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/25 12:50:00 | 000,000,400 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{EA494441-F69A-43C3-A686-5D1D09A796E0}.job
[2012/03/25 12:50:00 | 000,000,398 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{96A33348-B7F8-4E8E-A7FA-06035588176D}.job
[2012/03/25 11:46:38 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sahil.Katchi\Desktop\OTL.exe
[2012/03/25 11:42:38 | 000,000,456 | ---- | M] () -- C:\WINDOWS\smscfg.ini
[2012/03/25 11:40:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/25 11:40:16 | 2097,000,448 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/25 11:14:23 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/03/25 10:10:26 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\MBR.dat
[2012/03/24 19:50:42 | 000,505,096 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/24 19:50:42 | 000,089,308 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/24 18:28:51 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/24 18:28:48 | 000,000,837 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\IBM Auth List - 2011.lnk
[2012/03/24 16:37:54 | 000,000,310 | RHS- | M] () -- C:\boot.ini
[2012/03/24 11:51:29 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\defogger_reenable
[2012/03/23 22:36:37 | 000,000,821 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/03/23 14:35:32 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/23 12:32:16 | 000,069,632 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/23 12:04:45 | 000,000,995 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2012/03/23 11:44:20 | 000,000,896 | ---- | M] () -- C:\WINDOWS\SymmTime.ini
[2012/03/23 11:08:21 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/23 11:07:53 | 000,356,952 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/22 10:45:14 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/21 10:34:13 | 000,007,023 | ---- | M] () -- C:\WINDOWS\System32\OEMINFO.INI
[2012/03/20 10:42:11 | 000,014,088 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\drivers\PROCEXP141.SYS
[2012/03/19 21:44:27 | 000,311,258 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/03/19 09:41:05 | 000,058,394 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\PrintReport.pdf
[2012/03/16 11:03:41 | 000,000,648 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Start Menu\Programs\Startup\Monitor My eRooms (V7).lnk
[2012/03/07 17:20:38 | 000,000,481 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\HC Self Help .lnk
[2012/03/02 09:40:48 | 000,000,073 | ---- | M] () -- C:\WINDOWS\ZoneLib-DisplayNames.ini
[2012/03/01 14:33:44 | 000,000,609 | ---- | M] () -- C:\WINDOWS\WTXI.INI
[2012/02/27 18:28:51 | 000,000,801 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\Shortcut to vlc.exe.lnk
[2012/02/24 14:28:54 | 000,052,857 | ---- | M] () -- C:\Documents and Settings\Sahil.Katchi\My Documents\State Mandatory efiling.pdf
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/25 10:10:26 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\MBR.dat
[2012/03/24 18:28:51 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/24 18:28:13 | 000,000,837 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\IBM Auth List - 2011.lnk
[2012/03/24 16:37:54 | 000,000,193 | ---- | C] () -- C:\Boot.bak
[2012/03/24 16:37:52 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/03/24 16:30:41 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/24 16:30:41 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/24 16:30:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/24 16:30:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/24 16:30:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/24 11:51:29 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\defogger_reenable
[2012/03/23 22:36:37 | 000,000,821 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/03/19 09:41:05 | 000,058,394 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\PrintReport.pdf
[2012/03/16 11:03:41 | 000,000,648 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Start Menu\Programs\Startup\Monitor My eRooms (V7).lnk
[2012/02/28 09:21:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/28 09:21:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/27 18:28:51 | 000,000,801 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Desktop\Shortcut to vlc.exe.lnk
[2012/02/24 14:28:50 | 000,052,857 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\My Documents\State Mandatory efiling.pdf
[2011/12/26 11:27:56 | 000,001,067 | ---- | C] () -- C:\WINDOWS\System32\PushnPullClient.exe.config
[2011/11/23 10:08:25 | 000,204,880 | ---- | C] () -- C:\WINDOWS\Rem_EY_eDocs40.EXE
[2011/10/02 09:57:50 | 000,058,880 | ---- | C] () -- C:\WINDOWS\System32\TALPDF32.dll
[2011/10/02 09:57:50 | 000,034,304 | ---- | C] () -- C:\WINDOWS\System32\TALC3932.DLL
[2011/09/24 10:07:50 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2011/09/18 19:05:59 | 000,381,120 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/08/12 19:23:48 | 000,000,073 | ---- | C] () -- C:\WINDOWS\ZoneLib-DisplayNames.ini
[2011/08/12 19:22:56 | 000,000,896 | ---- | C] () -- C:\WINDOWS\SymmTime.ini
[2011/08/10 11:33:01 | 000,102,455 | ---- | C] () -- C:\WINDOWS\System32\Ctree04.dll
[2011/08/09 19:56:32 | 000,102,455 | ---- | C] () -- C:\WINDOWS\System32\ctree03.dll
[2011/08/09 15:23:53 | 000,000,609 | ---- | C] () -- C:\WINDOWS\WTXI.INI
[2011/08/03 09:48:20 | 000,087,984 | ---- | C] () -- C:\WINDOWS\System32\rscncl.dll
[2011/05/28 20:30:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/03/08 15:10:38 | 000,141,992 | ---- | C] () -- C:\WINDOWS\System32\NovPwd32.dll
[2011/03/08 14:26:38 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\LogonAgentAPI.dll
[2011/02/28 09:51:50 | 000,004,096 | -H-- | C] () -- C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\keyfile3.drm
[2011/01/09 16:45:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2010/12/11 14:13:51 | 000,075,136 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/12/06 08:16:43 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/05 15:56:08 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/12/04 22:10:23 | 000,069,632 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/02 17:56:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Txfim082.INI
[2010/12/02 17:40:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Txfim072.INI
[2010/12/02 17:22:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Txfim062.INI
[2010/12/01 11:17:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tb2pro.INI
[2010/11/30 04:50:42 | 000,982,240 | ---- | C] () -- C:\WINDOWS\System32\igkrng500.bin
[2010/11/30 04:50:39 | 000,439,308 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin
[2010/11/30 04:50:39 | 000,004,096 | ---- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
[2010/11/30 04:50:38 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
[2010/11/29 21:02:37 | 000,000,070 | ---- | C] () -- C:\WINDOWS\init.ini
[2010/11/29 20:54:04 | 000,547,164 | ---- | C] () -- C:\WINDOWS\RemCFIT1137.EXE
[2010/11/29 20:50:46 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Sahil.Katchi\Local Settings\Application Data\fusioncache.dat
[2010/11/29 20:46:20 | 000,154,152 | ---- | C] () -- C:\WINDOWS\RemRBMgr.EXE
[2010/11/29 20:44:07 | 000,356,352 | ---- | C] () -- C:\WINDOWS\System32\iPassI5Installer.exe
[2010/11/29 20:30:47 | 000,065,536 | ---- | C] () -- C:\WINDOWS\eyprobe.exe
[2010/08/24 08:04:54 | 000,083,976 | ---- | C] () -- C:\WINDOWS\System32\wbnotify.dll
[2010/08/24 08:02:34 | 000,239,536 | ---- | C] () -- C:\WINDOWS\System32\rscn06cl.dll
[2010/08/24 08:01:36 | 000,280,496 | ---- | C] () -- C:\WINDOWS\System32\RSCBRGCL.DLL
[2010/08/24 08:00:24 | 000,100,360 | ---- | C] () -- C:\WINDOWS\System32\MultiDownloadCtrl.dll
[2010/08/24 07:57:50 | 000,096,176 | ---- | C] () -- C:\WINDOWS\System32\DCParse.dll
[2010/07/12 13:53:48 | 000,127,664 | ---- | C] () -- C:\WINDOWS\ngmsi.dll
[2010/07/12 13:52:20 | 000,015,024 | ---- | C] () -- C:\WINDOWS\ngutil.exe
[2010/06/09 11:10:12 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\odFIPS2.sys.icv

========== Custom Scans ==========

< %TEMP%\smtmp\*.* /s >

< End of report >

#15 sk2012

sk2012
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:24 PM

Posted 25 March 2012 - 02:25 AM

This was done using the custom scan as instructed by you.



