Help with Malware removal [Solved]


  • This topic is locked This topic is locked

#1
lanceberry
Hello and thanks for the help in advance. Here is what has happened, and all the logs requested before posting, in the order in which I did them. The first will be the logs I did from S/D and MB before logging in here; this way you can see how it started.

I was surfing the net yesterday and all of a sudden 2-3 IE windows started opening, and then a malware software program that I have never heard of opened and started running. It found some items and asked if I wanted to repair.

I stopped the program and closed all windows. I found traces of the program and deleted them.

I tried to run Malwarebytes and S/D but neither would run. I could update S/D using the update icon, but the program would not run. I also could not access websites; it seems it kept putting DNS entries into my TCP/IP settings.

I booted in safe mode and ran MB, S/D and Symantec Endpoint. They found various things and the logs are below.

I was finally able to get MB updated and running, and now it is running and not finding anything in normal mode. Log below.

I purchased MB and the active protection is running; it has stopped a program, but can't delete it. Log below.


FIRST EVENT:
Filename Risk Action Risk Type Original Location Computer User Status Current Location Primary Action Secondary Action Logged By Action Description Date and Time
net.net Trojan.Adclicker Cleaned by deletion File C:\WINDOWS\system32\ USHOU03-1LB01 LBerry Deleted Deleted Clean security risk Quarantine Auto-Protect scan The file was deleted successfully. 7/9/2010 14:47



20 7/9/2010 2:37:34 PM Intrusion Prevention Critical Outgoing TCP 173.208.157.203 00-00-00-00-00-00 10.248.4.156 00-1C-23-95-38-D8 C:\DOCUME~1\LBerry\LOCALS~1\Temp\sracoemxnw.tmp LBerry EMRSN Internal 13 7/9/2010 2:37:23 PM 7/9/2010 2:37:23 PM [SID: 23378] HTTP Zbot Malicious File Download detected.

21 7/9/2010 2:37:34 PM Intrusion Prevention Critical Outgoing TCP 68.178.232.100 00-00-00-00-00-00 10.248.4.156 00-1C-23-95-38-D8 C:\DOCUME~1\LBerry\LOCALS~1\Temp\sracoemxnw.tmp LBerry EMRSN Internal 13 7/9/2010 2:37:23 PM 7/9/2010 2:37:23 PM [SID: 23378] HTTP Zbot Malicious File Download detected.

22 7/9/2010 2:38:42 PM Intrusion Prevention Critical Incoming TCP 193.104.34.41 00-00-00-00-00-00 10.248.4.156 00-1C-23-95-38-D8 C:\Program Files\Java\jre6\bin\java.exe LBerry EMRSN Internal 1 7/9/2010 2:38:28 PM 7/9/2010 2:38:28 PM [SID: 23752] HTTP Phoenix Toolkit Java Class Activity detected.

23 7/9/2010 2:38:42 PM Active Response Major Incoming None 193.104.34.41 00-00-00-00-00-00 10.248.4.156 00-1C-23-95-38-D8 LBerry EMRSN Internal 1 7/9/2010 2:38:28 PM 7/9/2010 2:38:28 PM Traffic from IP address 193.104.34.41 is blocked from 7/9/2010 2:38:28 PM to 7/9/2010 2:48:28 PM.

24 7/9/2010 2:40:21 PM Intrusion Prevention Critical Incoming TCP 91.212.226.7 00-00-00-00-00-00 10.248.4.156 00-1C-23-95-38-D8 C:\WINDOWS\system32\svchost.exe LBerry EMRSN Internal 1 7/9/2010 2:40:10 PM 7/9/2010 2:40:10 PM [SID: 23615] HTTPS Tidserv Request 2 detected.

25 7/9/2010 2:40:26 PM Active Response Major Incoming None 91.212.226.7 00-00-00-00-00-00 10.248.4.156 00-1C-23-95-38-D8 LBerry EMRSN Internal 1 7/9/2010 2:40:11 PM 7/9/2010 2:40:11 PM Traffic from IP address 91.212.226.7 is blocked from 7/9/2010 2:40:11 PM to 7/9/2010 2:50:11 PM.

26 7/9/2010 2:48:42 PM Active Response Disengaged Information None None 193.104.34.41 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 LBerry EMRSN Internal 1 7/9/2010 2:48:28 PM 7/9/2010 2:48:28 PM Active Response that started at 07/09/2010 14:38:28 is disengaged. The traffic from IP address 193.104.34.41 was blocked for 600 second(s).

27 7/9/2010 2:50:25 PM Active Response Disengaged Information None None 91.212.226.7 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 LBerry EMRSN Internal 1 7/9/2010 2:50:11 PM 7/9/2010 2:50:11 PM Active Response that started at 07/09/2010 14:40:11 is disengaged. The traffic from IP address 91.212.226.7 was blocked for 600 second(s).

28 7/9/2010 4:16:41 PM Port Scan Minor Incoming UDP 192.168.1.1 00-0F-66-52-C4-BD 239.255.255.250 01-00-5E-7F-FF-FA LBerry EMRSN External 1 7/9/2010 4:15:40 PM 7/9/2010 4:15:40 PM Somebody is scanning your computer.

29 7/9/2010 4:16:46 PM Active Response Major Incoming None 192.168.1.1 00-0F-66-52-C4-BD 239.255.255.250 01-00-5E-7F-FF-FA LBerry EMRSN External 1 7/9/2010 4:15:41 PM 7/9/2010 4:15:41 PM Traffic from IP address 192.168.1.1 is blocked from 7/9/2010 4:15:41 PM to 7/9/2010 4:25:41 PM.

30 7/9/2010 4:26:46 PM Active Response Disengaged Information None None 192.168.1.1 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 LBerry EMRSN External 1 7/9/2010 4:25:41 PM 7/9/2010 4:25:41 PM Active Response that started at 07/09/2010 16:15:41 is disengaged. The traffic from IP address 192.168.1.1 was blocked for 600 second(s).

31 7/9/2010 4:28:44 PM Port Scan Minor Incoming UDP 192.168.1.1 00-0F-66-52-C4-BD 192.168.1.105 00-1C-26-58-B4-98 LBerry EMRSN External 1 7/9/2010 4:27:41 PM 7/9/2010 4:27:41 PM Somebody is scanning your computer.

32 7/9/2010 4:28:44 PM Active Response Major Incoming None 192.168.1.1 00-0F-66-52-C4-BD 192.168.1.105 00-1C-26-58-B4-98 LBerry EMRSN External 1 7/9/2010 4:27:41 PM 7/9/2010 4:27:41 PM Traffic from IP address 192.168.1.1 is blocked from 7/9/2010 4:27:41 PM to 7/9/2010 4:37:41 PM.

33 7/9/2010 4:38:44 PM Active Response Disengaged Information None None 192.168.1.1 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 LBerry EMRSN External 1 7/9/2010 4:37:42 PM 7/9/2010 4:37:42 PM Active Response that started at 07/09/2010 16:27:41 is disengaged. The traffic from IP address 192.168.1.1 was blocked for 600 second(s).


S/D runs


09.07.2010 16:50:06 - ##### check started #####
09.07.2010 16:50:06 - ### Version: 1.6.2
09.07.2010 16:50:06 - ### Date: 7/9/2010 4:50:06 PM
09.07.2010 16:50:13 - ##### checking bots #####
09.07.2010 16:58:05 - found: Win32.FraudLoad Data
09.07.2010 16:58:05 - found: Win32.FraudLoad TCP/IP Settings #1 Undefined
09.07.2010 16:58:05 - found: Win32.FraudLoad TCP/IP Settings #2 Undefined
09.07.2010 17:32:12 - ##### check finished #####


--- Report generated: 2010-07-09 17:32 ---

Win32.FraudLoad: [SBI $962E4FE5] Data (File, nothing done)
C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
Properties.size=286
Properties.md5=84A5A90AB9CD4A9174FE06D10AD77CB0
Properties.filedate=1278710045
Properties.filedatetext=2010-07-09 16:14:05

Win32.FraudLoad: [SBI $9696C990] TCP/IP Settings #1 (Undefined) (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer=208.67.220.220,208.67.222.222

Win32.FraudLoad: [SBI $9696C990] TCP/IP Settings #2 (Undefined) (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6DB7FD84-B23E-40A6-BD2A-9172C3533548}\DhcpNameServer=208.67.220.220,208.67.222.222


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-09-09 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-06-29 Includes\Adware.sbi (*)
2010-07-06 Includes\AdwareC.sbi (*)
2010-01-25 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-07-06 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-07-06 Includes\HijackersC.sbi (*)
2010-06-29 Includes\iPhone.sbi (*)
2010-01-20 Includes\Keyloggers.sbi (*)
2010-07-06 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-06-01 Includes\Malware.sbi (*)
2010-07-06 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-07-06 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-07-06 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-06-29 Includes\Spyware.sbi (*)
2010-07-06 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-06-29 Includes\Trojans.sbi (*)
2010-07-06 Includes\TrojansC-02.sbi (*)
2010-07-06 Includes\TrojansC-03.sbi (*)
2010-07-06 Includes\TrojansC-04.sbi (*)
2010-07-06 Includes\TrojansC-05.sbi (*)
2010-07-06 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

--- Report generated: 2010-07-09 17:32 ---

Win32.FraudLoad: [SBI $962E4FE5] Data (File, fixed)
C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Win32.FraudLoad: [SBI $9696C990] TCP/IP Settings #1 (Undefined) (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer=208.67.220.220,208.67.222.222

Win32.FraudLoad: [SBI $9696C990] TCP/IP Settings #2 (Undefined) (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6DB7FD84-B23E-40A6-BD2A-9172C3533548}\DhcpNameServer=208.67.220.220,208.67.222.222



7/9/2010 4:29:42 PM Downloaded update info file. (http://www.safer-net...es/spybotsd.ini)
7/9/2010 4:29:55 PM downloaded update Detection rules: iPhone
7/9/2010 4:29:55 PM - URL: http://imp.betanews....udes.iPhone.zip
7/9/2010 4:29:55 PM - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.iPhone.zip
7/9/2010 4:30:02 PM downloaded update Detection rules: Malware
7/9/2010 4:30:02 PM - URL: http://imp.betanews....des.malware.zip
7/9/2010 4:30:02 PM - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.malware.zip
7/9/2010 4:30:06 PM downloaded update Detection rules: PUPS
7/9/2010 4:30:06 PM - URL: http://imp.betanews....cludes.pups.zip
7/9/2010 4:30:06 PM - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.pups.zip
7/9/2010 4:31:38 PM downloaded update Detection rules: Spybots
7/9/2010 4:31:38 PM - URL: http://imp.betanews....des.spybots.zip
7/9/2010 4:31:38 PM - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.spybots.zip
7/9/2010 4:31:38 PM - FILE REJECTED because of bad checksum
7/9/2010 4:32:46 PM downloaded update Detection rules: Supplemental
7/9/2010 4:32:46 PM - URL: http://imp.betanews....upplemental.zip
7/9/2010 4:32:46 PM - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\supplemental.zip
7/9/2010 4:33:04 PM downloaded update Detection rules: Trojans
7/9/2010 4:33:04 PM - URL: http://imp.betanews....des.trojans.zip
7/9/2010 4:33:04 PM - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.trojans.zip
7/9/2010 4:33:47 PM downloaded update Detection rules: Update
7/9/2010 4:33:47 PM - URL: http://imp.betanews....es/includes.zip
7/9/2010 4:33:47 PM - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.zip
7/9/2010 4:38:49 PM Downloaded update info file. (http://www.safer-net...es/spybotsd.ini)
7/9/2010 4:38:58 PM downloaded update Detection rules: Spybots
7/9/2010 4:38:58 PM - URL: http://fastspeedtest...des.spybots.zip
7/9/2010 4:38:58 PM - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.spybots.zip
7/9/2010 4:39:16 PM Downloaded update info file. (http://www.safer-net...es/spybotsd.ini)
7/10/2010 9:30:17 AM Downloaded update info file. (http://www.safer-net...es/spybotsd.ini)

NOW FROM MB

Malwarebytes' Anti-Malware 1.44
Database version: 3888
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

7/9/2010 4:08:13 PM
mbam-log-2010-07-09 (16-08-13).txt

Scan type: Quick Scan
Objects scanned: 165079
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{14ac7248-18df-4808-826d-6a524db38b6a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{14ac7248-18df-4808-826d-6a524db38b6a}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6db7fd84-b23e-40a6-bd2a-9172c3533548}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6db7fd84-b23e-40a6-bd2a-9172c3533548}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8af9d725-7192-4c4c-b535-965a3f2a18f5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8af9d725-7192-4c4c-b535-965a3f2a18f5}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

7/10/2010 9:49:11 AM
mbam-log-2010-07-10 (09-49-11).txt

Scan type: Quick scan
Objects scanned: 15992
Time elapsed: 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

7/10/2010 10:23:19 AM
mbam-log-2010-07-10 (10-23-19).txt

Scan type: Quick scan
Objects scanned: 165873
Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe (Trojan.Chifrax) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6db7fd84-b23e-40a6-bd2a-9172c3533548}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6db7fd84-b23e-40a6-bd2a-9172c3533548}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8af9d725-7192-4c4c-b535-965a3f2a18f5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8af9d725-7192-4c4c-b535-965a3f2a18f5}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LBerry\Local Settings\Temp\Setup.exe (Trojan.Chifrax) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4300

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/10/2010 11:31:21 AM
mbam-log-2010-07-10 (11-31-21).txt

Scan type: Quick scan
Objects scanned: 182967
Time elapsed: 14 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6db7fd84-b23e-40a6-bd2a-9172c3533548}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6db7fd84-b23e-40a6-bd2a-9172c3533548}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8af9d725-7192-4c4c-b535-965a3f2a18f5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8af9d725-7192-4c4c-b535-965a3f2a18f5}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.224,93.188.166.204 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LBerry\Application Data\b941a5a4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ernel32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\spool\prtprocs\w32x86\K93g79a.dll (Trojan.Agent) -> Delete on reboot.



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4300

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/10/2010 11:56:03 AM
mbam-log-2010-07-10 (11-56-03).txt

Scan type: Flash scan
Objects scanned: 134216
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4300

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/10/2010 1:51:40 PM
mbam-log-2010-07-10 (13-51-40).txt

Scan type: Quick scan
Objects scanned: 182108
Time elapsed: 24 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


AND THEN THE ACTIVE PROTECTION KEEPS FINDING THIS AFTER EACH REBOOT... (I THINK??)

11:45:07 LBerry MESSAGE Protection started successfully
11:45:11 LBerry MESSAGE IP Protection started successfully
11:47:20 LBerry MESSAGE IP Protection stopped
11:47:21 LBerry MESSAGE IP Protection started successfully
11:57:55 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent QUARANTINE
11:57:56 LBerry ERROR Quarantine failed: UtilityReadFile failed with error code 2
11:58:01 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
11:58:02 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
12:06:36 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
13:24:31 LBerry MESSAGE Protection started successfully
13:24:48 LBerry MESSAGE IP Protection started successfully
13:25:16 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
13:25:16 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
13:25:16 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent QUARANTINE
13:25:16 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
13:25:17 LBerry ERROR Quarantine failed: UtilityReadFile failed with error code 2
13:25:24 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
13:25:25 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
13:25:31 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
13:25:44 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
13:41:08 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
13:41:23 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
13:41:27 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
13:50:09 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY

OTL.TXT
OTL logfile created on: 7/10/2010 1:54:01 PM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Sync Data\LBerry's Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.70 Gb Total Space | 28.62 Gb Free Space | 25.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USHOU03-1LB01
Current User Name: LBerry
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/10 12:07:11 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Sync Data\LBerry's Documents\Downloads\OTL.exe
PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/04/29 15:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2010/04/01 12:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/02/14 21:33:22 | 001,864,888 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2010/02/14 21:33:22 | 001,455,432 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2010/02/14 21:33:22 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2010/02/14 21:33:22 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2010/02/14 21:33:20 | 002,477,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2009/10/01 10:53:04 | 000,403,015 | ---- | M] (Plaxo, Inc.) -- C:\Program Files\Plaxo\3.23.0.11\PlaxoHelper_en.exe
PRC - [2009/06/09 17:30:44 | 000,068,888 | ---- | M] (AT&T) -- C:\Program Files\AT&T Global Network Client\NetLogSvc.exe
PRC - [2009/06/09 17:30:42 | 000,437,528 | ---- | M] (AT&T) -- C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
PRC - [2009/06/09 17:30:38 | 000,336,152 | ---- | M] (AT&T) -- C:\Program Files\AT&T Global Network Client\NetClientSvc.exe
PRC - [2009/06/05 07:40:40 | 000,372,736 | ---- | M] (LANDesk Software, Ltd.) -- C:\Program Files\LANDesk\LDClient\softmon.exe
PRC - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
PRC - [2009/03/30 16:28:36 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
PRC - [2008/10/24 09:14:36 | 000,206,112 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2008/06/02 10:42:32 | 000,155,648 | ---- | M] (LANDesk Software, Ltd.) -- C:\Program Files\LANDesk\Shared Files\residentAgent.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/24 07:05:26 | 000,406,528 | ---- | M] (LANDesk Software, Ltd.) -- C:\Program Files\LANDesk\LDClient\issuser.exe
PRC - [2008/03/11 06:45:00 | 000,118,784 | ---- | M] (LANDesk Software, Ltd.) -- C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
PRC - [2008/03/04 09:57:28 | 000,258,048 | ---- | M] (LANDesk Software, Ltd.) -- C:\Program Files\LANDesk\LDClient\rcgui.exe
PRC - [2008/02/22 12:43:38 | 001,245,184 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2008/02/22 12:40:20 | 000,475,136 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2008/02/12 12:01:48 | 000,666,176 | ---- | M] (Check Point Software Tech Ltd) -- C:\Program Files\Pointsec\Pointsec for PC\P95tray.exe
PRC - [2008/02/12 12:01:40 | 000,367,168 | ---- | M] () -- C:\WINDOWS\system32\Prot_srv.exe
PRC - [2008/02/12 12:01:40 | 000,145,984 | ---- | M] () -- C:\WINDOWS\system32\pstartSr.exe
PRC - [2007/12/06 15:16:56 | 000,225,280 | ---- | M] () -- C:\Program Files\LANDesk\LDClient\LDRegWatch.exe
PRC - [2007/11/30 05:25:18 | 000,192,512 | ---- | M] (LANDesk Software, Ltd.) -- C:\Program Files\LANDesk\LDClient\tmcsvc.exe
PRC - [2007/11/30 05:22:44 | 000,196,608 | ---- | M] (LANDesk Software, Ltd.) -- C:\Program Files\LANDesk\LDClient\LocalSch.EXE
PRC - [2007/11/30 05:09:10 | 000,262,144 | ---- | M] (LANDesk Software, Ltd.) -- C:\Program Files\LANDesk\LDClient\collector.exe
PRC - [2007/10/23 09:45:40 | 001,336,632 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\U3\U3Launcher\LaunchU3.exe
PRC - [2007/08/31 07:13:00 | 000,032,819 | ---- | M] (LANDesk Software Ltd.) -- C:\WINDOWS\system32\cba\pds.exe
PRC - [2007/07/31 22:10:04 | 000,065,536 | ---- | M] ( TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
PRC - [2007/07/30 22:54:38 | 002,158,592 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
PRC - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2007/07/20 16:48:00 | 002,170,880 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
PRC - [2007/07/20 16:30:28 | 000,311,296 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
PRC - [2007/07/10 12:00:24 | 000,045,056 | R--- | M] (BVM Limited) -- C:\WINDOWS\system32\pclnksvc.exe
PRC - [2007/05/10 10:23:50 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\stacsv.exe
PRC - [2007/05/10 10:22:32 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
PRC - [2006/12/18 15:22:14 | 000,278,528 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
PRC - [2006/10/27 20:13:48 | 000,270,336 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
PRC - [2006/09/28 21:08:46 | 000,270,336 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
PRC - [2006/08/23 13:11:38 | 000,069,632 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
PRC - [2006/01/23 23:14:10 | 000,069,632 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
PRC - [2001/12/06 02:13:50 | 000,110,592 | ---- | M] (Captaris, Inc.) -- C:\Program Files\RightFax\FaxCtrl.exe


========== Modules (SafeList) ==========

MOD - [2010/07/10 12:07:11 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Sync Data\LBerry's Documents\Downloads\OTL.exe
MOD - [2009/10/01 10:49:26 | 000,043,585 | ---- | M] (Plaxo, Inc.) -- C:\Program Files\Plaxo\3.23.0.11\plx_hook.dll
MOD - [2008/04/14 05:42:02 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/03/18 16:47:22 | 000,035,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe -- (aspnet_state)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2010/02/14 21:33:22 | 001,864,888 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2010/02/14 21:33:22 | 000,341,320 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2010/02/14 21:33:22 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2010/02/14 21:33:22 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2010/02/14 21:33:20 | 002,477,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/12/29 16:21:20 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/10/09 18:59:22 | 000,121,416 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe -- (ATTRcAppSvc)
SRV - [2009/07/13 12:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2009/06/09 17:30:44 | 000,068,888 | ---- | M] (AT&T) [On_Demand | Running] -- C:\Program Files\AT&T Global Network Client\NetLogSvc.exe -- (NetLogSvc)
SRV - [2009/06/09 17:30:42 | 000,437,528 | ---- | M] (AT&T) [Auto | Running] -- C:\Program Files\AT&T Global Network Client\netcfgsvr.exe -- (netcfgsvr)
SRV - [2009/06/09 17:30:38 | 000,336,152 | ---- | M] (AT&T) [Auto | Running] -- C:\Program Files\AT&T Global Network Client\NetClientSvc.exe -- (NetClientSvc)
SRV - [2009/06/05 07:40:40 | 000,372,736 | ---- | M] (LANDesk Software, Ltd.) [Auto | Running] -- C:\Program Files\LANDesk\LDCLient\softmon.exe -- (Softmon) LANDesk®
SRV - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2008/06/02 10:42:32 | 000,155,648 | ---- | M] (LANDesk Software, Ltd.) [Auto | Running] -- C:\Program Files\LANDesk\Shared Files\residentagent.exe -- (CBA8) LANDesk®
SRV - [2008/03/24 07:05:26 | 000,406,528 | ---- | M] (LANDesk Software, Ltd.) [Auto | Running] -- C:\Program Files\LANDesk\LDClient\issuser.exe -- (ISSUSER)
SRV - [2008/03/11 06:45:00 | 000,118,784 | ---- | M] (LANDesk Software, Ltd.) [Auto | Running] -- C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe -- (LANDesk Policy Invoker)
SRV - [2008/02/22 12:40:20 | 000,475,136 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2008/02/12 12:01:40 | 000,367,168 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\Prot_srv.exe -- (Pointsec)
SRV - [2008/02/12 12:01:40 | 000,145,984 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\pstartSr.exe -- (Pointsec_start)
SRV - [2007/11/30 05:25:18 | 000,192,512 | ---- | M] (LANDesk Software, Ltd.) [Auto | Running] -- C:\Program Files\LANDesk\LDClient\tmcsvc.exe -- (Intel Targeted Multicast)
SRV - [2007/11/30 05:22:44 | 000,196,608 | ---- | M] (LANDesk Software, Ltd.) [Auto | Running] -- C:\Program Files\LANDesk\LDClient\LocalSch.EXE -- (Intel Local Scheduler Service)
SRV - [2007/09/06 16:47:59 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/08/31 07:13:00 | 000,032,819 | ---- | M] (LANDesk Software Ltd.) [Auto | Running] -- C:\WINDOWS\system32\cba\pds.exe -- (Intel PDS)
SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/07/10 12:00:24 | 000,045,056 | R--- | M] (BVM Limited) [Auto | Running] -- C:\WINDOWS\system32\pclnksvc.exe -- (PCLink for Windows)
SRV - [2007/05/10 10:23:50 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS -- (UIUSys)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\HSFHWAZL.sys -- (HSFHWAZL)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys -- (HSF_DPV)
DRV - [2010/06/17 08:56:42 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100710.004\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/06/17 08:56:42 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\eeCtrl.sys -- (eeCtrl)
DRV - [2010/06/17 08:56:42 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100710.004\NAVENG.SYS -- (NAVENG)
DRV - [2010/06/02 19:59:06 | 000,161,920 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WpsHelper.sys -- (WpsHelper)
DRV - [2010/05/26 03:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/04/01 09:23:21 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/02/14 21:33:26 | 000,042,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\WPSDRVnt.sys -- (WPS)
DRV - [2010/02/14 21:33:24 | 000,320,560 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2010/02/14 21:33:24 | 000,281,648 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2010/02/14 21:33:24 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2010/02/14 21:33:22 | 000,092,488 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys -- (SysPlant)
DRV - [2010/02/14 21:33:22 | 000,050,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Teefer2.sys -- (Teefer2)
DRV - [2010/02/14 21:33:18 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2010/02/14 21:33:18 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/02/14 21:33:18 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2009/10/09 18:47:40 | 000,024,064 | ---- | M] (Bytemobile, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\tcpipBM.sys -- (tcpipBM)
DRV - [2009/10/09 18:44:10 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2009/06/23 12:03:16 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COH_Mon.sys -- (COH_Mon)
DRV - [2009/06/09 17:32:56 | 000,019,328 | R--- | M] (AT&T) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\agnwifi.sys -- (agnwifi)
DRV - [2009/06/09 17:32:38 | 000,011,392 | R--- | M] (AT&T) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avpnnic.sys -- (avpnnic)
DRV - [2009/06/09 17:11:16 | 000,219,648 | ---- | M] (AT&T) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\agnfilt.sys -- (agnfilt)
DRV - [2009/05/04 16:57:18 | 000,148,096 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swumxa3.sys -- (SWUMXA3) Sierra Wireless USB MUX Driver (UMTSA3)
DRV - [2009/04/30 14:51:28 | 001,952,512 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2009/03/31 15:45:42 | 000,190,080 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swnc8ua3.sys -- (SWNC8UA3) Sierra Wireless MUX NDIS Driver (UMTSA3)
DRV - [2008/09/04 14:03:54 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2008/08/22 10:05:42 | 000,026,760 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\swmsflt.sys -- (swmsflt)
DRV - [2008/04/13 22:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/21 07:42:00 | 000,088,896 | ---- | M] (SafeNet, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel)
DRV - [2008/02/12 12:00:38 | 000,220,096 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\prot_2k.sys -- (prot_2k)
DRV - [2007/11/09 14:04:28 | 000,105,216 | R--- | M] (Option NV) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Gt51Ip.sys -- (GT72NDISIPXP)
DRV - [2007/11/09 14:04:28 | 000,059,264 | R--- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gt72ubus.sys -- (GT72UBUS)
DRV - [2007/08/31 11:58:20 | 000,018,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2007/06/11 14:25:00 | 000,041,856 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2007/05/31 15:50:20 | 006,727,136 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/05/30 16:23:04 | 000,011,904 | ---- | M] (LANDesk Software, Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ldblank.sys -- (ldblank)
DRV - [2007/05/30 16:23:04 | 000,003,712 | ---- | M] (LANDesk Software, Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mirrorflt.sys -- (mirrorflt)
DRV - [2007/05/30 16:23:04 | 000,003,328 | ---- | M] (LANDesk Software, Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ldmirror.sys -- (ldmirror)
DRV - [2007/05/24 14:27:00 | 000,064,000 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2007/05/10 10:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/04/27 07:40:00 | 000,035,328 | ---- | M] (SafeNet, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS -- (SNTNLUSB)
DRV - [2007/04/24 13:20:00 | 000,113,920 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfbd.sys -- (tosrfbd)
DRV - [2007/04/24 11:33:46 | 000,100,488 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s125mgmt.sys -- (s125mgmt) Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/24 11:33:46 | 000,098,696 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s125obex.sys -- (s125obex)
DRV - [2007/04/24 11:33:44 | 000,108,680 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s125mdm.sys -- (s125mdm)
DRV - [2007/04/24 11:33:42 | 000,015,112 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s125mdfl.sys -- (s125mdfl)
DRV - [2007/04/24 11:33:34 | 000,083,336 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s125bus.sys -- (s125bus) Sony Ericsson Device 125 driver (WDM)
DRV - [2007/04/15 22:03:04 | 000,056,576 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
DRV - [2007/04/15 21:49:08 | 000,132,608 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/03/30 12:38:14 | 000,008,064 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gtptser.sys -- (GTPTSER)
DRV - [2007/03/18 15:44:38 | 000,160,256 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2007/03/01 16:53:00 | 000,073,728 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tosrfhid.sys -- (Tosrfhid)
DRV - [2006/11/20 17:55:00 | 000,036,480 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (tosrfbnp)
DRV - [2006/10/10 19:33:00 | 000,041,600 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 11:05:58 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2006/07/21 11:21:26 | 000,099,176 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/08/12 16:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/07/11 18:58:00 | 000,003,712 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Toshidpt.sys -- (toshidpt)
DRV - [2005/01/06 13:42:00 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2004/08/04 05:00:00 | 000,008,832 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\rasacd.sys -- (RasAcd)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://dial.sbc.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/27 12:28:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/03 08:34:44 | 000,000,000 | ---D | M]

[2010/02/07 20:54:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\Mozilla\Extensions
[2010/07/10 09:30:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\Mozilla\Firefox\Profiles\s1hh9hel.default\extensions
[2010/07/09 16:07:40 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\LBerry\Application Data\Mozilla\Firefox\Profiles\s1hh9hel.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/09/09 22:25:30 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/08/07 02:37:06 | 000,053,355 | ---- | M] (Oracle Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPJinit13129.dll

O1 HOSTS File: ([2009/12/29 12:40:14 | 000,370,657 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 12778 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95tray.exe (Check Point Software Tech Ltd)
O4 - HKLM..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\FaxCtrl.exe (Captaris, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKCU..\Run: [PlaxoSysTray] C:\Program Files\Plaxo\3.23.0.11\plaxosystray.exe (Plaxo, Inc.)
O4 - HKCU..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.23.0.11\PlaxoHelper_en.exe (Plaxo, Inc.)
O4 - HKCU..\Run: [Second Copy] C:\Program Files\SecCopy\SecCopy.exe (Centered Systems)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\LaunchU3.exe.lnk = C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe ()
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O15 - HKCU\..Trusted Domains: emersonprocess.com ([sp] http in Local intranet)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell....iler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.5.4.cab (DLM Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1252554721213 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1252554793761 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFECAFE-0013-0001-0029-ABCDEFABCDEF} Reg Error: Value error. (JInitiator 1.3.1.29)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://join-test.we...bex/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emrsn.org
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (pssogina.dll) - C:\WINDOWS\System32\PssoGina.dll (Check Point Software Tech Ltd)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\LBerry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\LBerry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{3082e500-02e0-11df-9738-001c239538d8}\Shell - "" = AutoRun
O33 - MountPoints2\{3082e500-02e0-11df-9738-001c239538d8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3082e500-02e0-11df-9738-001c239538d8}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -- File not found
O33 - MountPoints2\{78c1be41-e675-11de-a2e8-001a6b8b8b1b}\Shell\AutoRun\command - "" = D:\TMCD.exe -- File not found
O33 - MountPoints2\{78c1be41-e675-11de-a2e8-001a6b8b8b1b}\Shell\OpenCD\Command - "" = D:\TMCD.exe -- File not found
O33 - MountPoints2\{c9947340-9e38-11de-9350-001a6b8b8b1b}\Shell - "" = AutoRun
O33 - MountPoints2\{c9947340-9e38-11de-9350-001a6b8b8b1b}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c9947340-9e38-11de-9350-001a6b8b8b1b}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{fae38138-9db7-11de-9343-001c239538d8}\Shell - "" = AutoRun
O33 - MountPoints2\{fae38138-9db7-11de-9343-001c239538d8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{fae38138-9db7-11de-9343-001c239538d8}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 90 Days ==========

[2010/07/10 11:04:09 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/10 11:04:07 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/10 11:04:07 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/10 11:00:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/10 11:00:01 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/07/09 16:23:41 | 000,000,000 | ---D | C] -- C:\Sync Data\LBerry's Documents\Downloads
[2010/07/09 15:31:51 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\LBerry\Recent
[2010/07/09 14:37:26 | 000,206,336 | ---- | C] (ApexDC++ Development Team) -- C:\WINDOWS\Sraxaa.exe
[2010/07/08 19:28:04 | 000,000,000 | ---D | C] -- C:\Program Files\FCU Configuration
[2010/06/28 14:54:28 | 000,000,000 | R--D | C] -- C:\Sync Data\LBerry's Documents\My Videos
[2010/06/21 16:12:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bg-bg
[2010/06/21 16:12:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-cn
[2010/06/21 16:12:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\cs-cz
[2010/06/21 16:11:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\et-ee
[2010/06/21 16:11:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\hu-hu
[2010/06/21 16:11:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\hr-hr
[2010/06/21 16:11:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ja-jp
[2010/06/21 16:11:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\lv-lv
[2010/06/21 16:11:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\lt-lt
[2010/06/21 16:11:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pl-pl
[2010/06/21 16:11:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-pt
[2010/06/21 16:11:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ru-ru
[2010/06/21 16:11:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ro-ro
[2010/06/21 16:11:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sk-sk
[2010/06/21 16:11:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sl-si
[2010/06/21 16:11:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\th-th
[2010/06/18 10:55:28 | 000,000,000 | ---D | C] -- C:\Sync Data\LBerry's Documents\Trade Shows and Meetings
[2010/06/15 16:59:14 | 000,000,000 | ---D | C] -- C:\Sync Data\LBerry's Documents\Customers
[2010/06/15 15:08:42 | 000,588,969 | ---- | C] (Macromedia, Inc.) -- C:\WINDOWS\Pink Floyd.exe
[2010/06/15 15:08:42 | 000,407,240 | ---- | C] (MacSourcery) -- C:\WINDOWS\Pink Floyd.scr
[2010/06/15 15:08:42 | 000,040,960 | ---- | C] (MacSourcery) -- C:\WINDOWS\Pink Floyd.dll
[2010/05/13 10:34:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LBerry\Application Data\Xerox
[2010/05/08 13:04:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\U3
[2010/04/27 12:26:17 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/27 12:26:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer

========== Files - Modified Within 90 Days ==========

[2010/07/10 14:06:00 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{ABC8ADFD-81D4-42F3-A9C6-265B25C4C745}.job
[2010/07/10 13:26:17 | 000,168,250 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/07/10 13:24:24 | 000,002,575 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\LaunchU3.exe.lnk
[2010/07/10 13:23:17 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/10 13:22:53 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\tasks\b941a5a4.job
[2010/07/10 13:17:59 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/10 13:17:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/10 12:11:56 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\LBerry\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007.lnk
[2010/07/10 11:33:38 | 009,175,040 | -H-- | M] () -- C:\Documents and Settings\LBerry\NTUSER.DAT
[2010/07/10 11:33:08 | 000,000,268 | -HS- | M] () -- C:\Documents and Settings\LBerry\ntuser.ini
[2010/07/10 11:04:13 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/10 11:00:02 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\LBerry\Desktop\NTREGOPT.lnk
[2010/07/10 11:00:02 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\LBerry\Desktop\ERUNT.lnk
[2010/07/09 15:32:51 | 000,030,060 | ---- | M] () -- C:\Sync Data\LBerry's Documents\cc_20100709_153239.reg
[2010/07/09 15:14:50 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/09 15:14:50 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/09 15:14:50 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/07/09 14:37:19 | 000,206,336 | ---- | M] (ApexDC++ Development Team) -- C:\WINDOWS\Sraxaa.exe
[2010/07/09 11:05:59 | 000,002,491 | ---- | M] () -- C:\Documents and Settings\LBerry\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2007.lnk
[2010/07/08 19:28:12 | 000,000,762 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\FCU Configuration.lnk
[2010/07/08 19:28:11 | 000,000,191 | ---- | M] () -- C:\WINDOWS\{0E2FEC12-96B8-465A-82E6-85011A52CC6F}_WiseFW.ini
[2010/07/08 13:07:27 | 000,168,250 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010/07/08 12:01:00 | 000,000,268 | ---- | M] () -- C:\WINDOWS\tasks\defrag.job
[2010/07/03 12:23:24 | 000,000,857 | ---- | M] () -- C:\Documents and Settings\LBerry\Application Data\Microsoft\Internet Explorer\Quick Launch\MyScribe.lnk
[2010/07/02 08:57:27 | 000,002,501 | ---- | M] () -- C:\Documents and Settings\LBerry\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office PowerPoint 2007.lnk
[2010/06/28 23:34:26 | 000,016,896 | ---- | M] () -- C:\Documents and Settings\LBerry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/24 06:44:35 | 000,005,817 | ---- | M] () -- C:\Sync Data\LBerry's Documents\Lance.Theme
[2010/06/23 12:32:24 | 000,614,884 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/23 12:32:24 | 000,525,898 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/23 12:32:24 | 000,095,588 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/22 08:29:24 | 000,005,817 | ---- | M] () -- C:\Sync Data\LBerry's Documents\My Favorite Theme.theme
[2010/06/18 09:18:21 | 000,028,160 | ---- | M] () -- C:\Sync Data\LBerry's Documents\Copy of Copy of RTG-HOU Discounts - Under Construction.xls
[2010/06/18 08:44:13 | 000,010,722 | ---- | M] () -- C:\Sync Data\LBerry's Documents\Bookings Forecast - United States - World Areas.xlsx
[2010/06/17 08:58:14 | 000,002,280 | RHS- | M] () -- C:\Documents and Settings\LBerry\ntuser.pol
[2010/06/16 13:48:30 | 000,357,355 | ---- | M] () -- C:\Sync Data\LBerry's Documents\FHR_MN_PROPANE_QTE300556.pdf
[2010/06/16 09:00:55 | 000,345,919 | ---- | M] () -- C:\Sync Data\LBerry's Documents\453703-TOPSCAR061010GM.pdf
[2010/06/15 15:08:43 | 000,588,969 | ---- | M] (Macromedia, Inc.) -- C:\WINDOWS\Pink Floyd.exe
[2010/06/15 15:08:42 | 000,407,240 | ---- | M] (MacSourcery) -- C:\WINDOWS\Pink Floyd.scr
[2010/06/15 15:08:42 | 000,040,960 | ---- | M] (MacSourcery) -- C:\WINDOWS\Pink Floyd.dll
[2010/06/14 15:38:33 | 000,094,208 | ---- | M] () -- C:\Documents and Settings\LBerry\Desktop\blank-letter-head-RTG-EPM.doc
[2010/06/11 09:32:36 | 000,416,287 | ---- | M] () -- C:\Sync Data\LBerry's Documents\PDS_OPC_Mirror.pdf
[2010/06/10 18:48:34 | 000,400,736 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/10 10:36:18 | 000,018,104 | RHS- | M] () -- C:\Documents and Settings\All Users.WINDOWS\ntuser.pol
[2010/06/07 14:53:45 | 000,006,566 | ---- | M] () -- C:\Sync Data\LBerry's Documents\1424 US-77, Denton, TX 76201 to Fredericksburg Inn and Suites.htm
[2010/06/07 14:53:13 | 000,013,577 | ---- | M] () -- C:\Sync Data\LBerry's Documents\Fredericksburg Inn and Suites to 1424 US-77, Denton, TX 76201.pdf
[2010/06/02 19:59:06 | 000,161,920 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\WpsHelper.sys
[2010/06/02 09:25:03 | 000,041,325 | ---- | M] () -- C:\Sync Data\LBerry's Documents\Think customer.docx
[2010/05/28 14:09:34 | 000,017,408 | ---- | M] () -- C:\Sync Data\LBerry's Documents\Copy of CTRL_Saab_Level_08.xls
[2010/05/27 15:13:27 | 000,000,173 | ---- | M] () -- C:\WINDOWS\contain.INI
[2010/05/18 19:04:13 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\LBerry\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2010/05/13 18:18:34 | 000,002,317 | ---- | M] () -- C:\Documents and Settings\LBerry\Application Data\Microsoft\Internet Explorer\Quick Launch\AT&T Global Network Client.lnk
[2010/05/05 16:26:57 | 000,016,212 | ---- | M] () -- C:\Sync Data\LBerry's Documents\sunoco.docx
[2010/05/05 14:40:41 | 000,002,393 | ---- | M] () -- C:\Documents and Settings\LBerry\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Visio 2003.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/27 10:03:18 | 000,017,961 | ---- | M] () -- C:\Sync Data\LBerry's Documents\Astoria Generating Company LP Terms and Conditions.doc
[2010/04/26 14:52:10 | 000,025,633 | ---- | M] () -- C:\Sync Data\LBerry's Documents\Astoria Generating Company, LP Terms and Conditions.pdf
[2010/04/24 10:47:43 | 000,000,000 | ---- | M] () -- C:\settings.mmp
[2010/04/24 10:00:45 | 000,000,088 | ---- | M] () -- C:\Documents and Settings\LBerry\Application Data\usb.inf
[2010/04/23 13:45:58 | 000,085,504 | ---- | M] () -- C:\Sync Data\LBerry's Documents\Rosemount Tank Gauging BLANK Representative Agreement.doc
[2010/04/21 10:10:15 | 000,194,767 | ---- | M] () -- C:\Sync Data\LBerry's Documents\AGC REVISED T&C'S.pdf
[2010/04/21 09:08:21 | 000,473,664 | ---- | M] () -- C:\Sync Data\LBerry's Documents\P300494_Cert.pdf
[2010/04/20 12:45:03 | 000,028,160 | ---- | M] () -- C:\Sync Data\LBerry's Documents\Copy of Delayed orders.xls
[2010/04/19 16:11:53 | 000,048,299 | ---- | M] () -- C:\Sync Data\LBerry's Documents\Sunoco Nederland.QTE300447.pdf
[2010/04/19 11:10:01 | 000,010,599 | ---- | M] () -- C:\Sync Data\LBerry's Documents\RTG-HOU Disscounts.xlsx
[2010/04/19 07:22:56 | 000,058,880 | ---- | M] () -- C:\Sync Data\LBerry's Documents\AGC Supplier Qualification Form 12Aug08.xls
[2010/04/15 17:14:54 | 000,017,408 | ---- | M] () -- C:\Sync Data\LBerry's Documents\LanceCFS repdist list.xls

========== Files Created - No Company Name ==========

[2010/07/10 11:04:13 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/10 11:00:02 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\LBerry\Desktop\NTREGOPT.lnk
[2010/07/10 11:00:02 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\LBerry\Desktop\ERUNT.lnk
[2010/07/09 15:32:45 | 000,030,060 | ---- | C] () -- C:\Sync Data\LBerry's Documents\cc_20100709_153239.reg
[2010/07/09 14:37:17 | 000,000,282 | -H-- | C] () -- C:\WINDOWS\tasks\b941a5a4.job
[2010/07/08 19:28:12 | 000,000,762 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\FCU Configuration.lnk
[2010/07/08 19:27:50 | 000,000,191 | ---- | C] () -- C:\WINDOWS\{0E2FEC12-96B8-465A-82E6-85011A52CC6F}_WiseFW.ini
[2010/07/03 12:23:24 | 000,000,857 | ---- | C] () -- C:\Documents and Settings\LBerry\Application Data\Microsoft\Internet Explorer\Quick Launch\MyScribe.lnk
[2010/06/24 06:44:35 | 000,005,817 | ---- | C] () -- C:\Sync Data\LBerry's Documents\Lance.Theme
[2010/06/22 08:29:24 | 000,005,817 | ---- | C] () -- C:\Sync Data\LBerry's Documents\My Favorite Theme.theme
[2010/06/18 09:18:20 | 000,028,160 | ---- | C] () -- C:\Sync Data\LBerry's Documents\Copy of Copy of RTG-HOU Discounts - Under Construction.xls
[2010/06/18 08:44:13 | 000,010,722 | ---- | C] () -- C:\Sync Data\LBerry's Documents\Bookings Forecast - United States - World Areas.xlsx
[2010/06/16 13:47:03 | 000,357,355 | ---- | C] () -- C:\Sync Data\LBerry's Documents\FHR_MN_PROPANE_QTE300556.pdf
[2010/06/16 09:00:55 | 000,345,919 | ---- | C] () -- C:\Sync Data\LBerry's Documents\453703-TOPSCAR061010GM.pdf
[2010/06/11 09:32:36 | 000,416,287 | ---- | C] () -- C:\Sync Data\LBerry's Documents\PDS_OPC_Mirror.pdf
[2010/06/07 14:53:45 | 000,006,566 | ---- | C] () -- C:\Sync Data\LBerry's Documents\1424 US-77, Denton, TX 76201 to Fredericksburg Inn and Suites.htm
[2010/06/07 14:53:13 | 000,013,577 | ---- | C] () -- C:\Sync Data\LBerry's Documents\Fredericksburg Inn and Suites to 1424 US-77, Denton, TX 76201.pdf
[2010/06/02 09:24:10 | 000,041,325 | ---- | C] () -- C:\Sync Data\LBerry's Documents\Think customer.docx
[2010/05/28 14:09:34 | 000,017,408 | ---- | C] () -- C:\Sync Data\LBerry's Documents\Copy of CTRL_Saab_Level_08.xls
[2010/05/24 08:45:43 | 000,000,461 | ---- | C] () -- C:\Documents and Settings\LBerry\Application Data\Microsoft\Internet Explorer\Quick Launch\Drivers & Downloads - Public Sector.url
[2010/05/08 13:04:35 | 000,002,575 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\LaunchU3.exe.lnk
[2010/05/05 16:26:30 | 000,016,212 | ---- | C] () -- C:\Sync Data\LBerry's Documents\sunoco.docx
[2010/04/27 10:03:12 | 000,017,961 | ---- | C] () -- C:\Sync Data\LBerry's Documents\Astoria Generating Company LP Terms and Conditions.doc
[2010/04/24 10:47:43 | 000,000,000 | ---- | C] () -- C:\settings.mmp
[2010/04/24 10:00:45 | 000,000,088 | ---- | C] () -- C:\Documents and Settings\LBerry\Application Data\usb.inf
[2010/04/23 16:26:32 | 000,473,664 | ---- | C] () -- C:\Sync Data\LBerry's Documents\P300494_Cert.pdf
[2010/04/23 13:47:47 | 000,085,504 | ---- | C] () -- C:\Sync Data\LBerry's Documents\Rosemount Tank Gauging BLANK Representative Agreement.doc
[2010/04/21 10:10:15 | 000,194,767 | ---- | C] () -- C:\Sync Data\LBerry's Documents\AGC REVISED T&C'S.pdf
[2010/04/20 12:45:03 | 000,028,160 | ---- | C] () -- C:\Sync Data\LBerry's Documents\Copy of Delayed orders.xls
[2010/04/19 14:54:56 | 000,048,299 | ---- | C] () -- C:\Sync Data\LBerry's Documents\Sunoco Nederland.QTE300447.pdf
[2010/04/19 11:10:00 | 000,010,599 | ---- | C] () -- C:\Sync Data\LBerry's Documents\RTG-HOU Disscounts.xlsx
[2010/04/19 07:22:56 | 000,058,880 | ---- | C] () -- C:\Sync Data\LBerry's Documents\AGC Supplier Qualification Form 12Aug08.xls
[2010/04/15 17:14:53 | 000,017,408 | ---- | C] () -- C:\Sync Data\LBerry's Documents\LanceCFS repdist list.xls
[2010/04/15 07:07:49 | 000,025,633 | ---- | C] () -- C:\Sync Data\LBerry's Documents\Astoria Generating Company, LP Terms and Conditions.pdf
[2010/02/23 14:45:03 | 000,000,173 | ---- | C] () -- C:\WINDOWS\contain.INI
[2010/01/19 18:34:39 | 000,036,962 | ---- | C] () -- C:\WINDOWS\System32\ActPanel.dll
[2009/09/28 11:13:50 | 000,354,304 | ---- | C] () -- C:\WINDOWS\System32\WCT32DX.DLL
[2009/09/28 11:13:50 | 000,300,544 | ---- | C] () -- C:\WINDOWS\System32\WRT32DX.DLL
[2009/09/28 11:13:50 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\strbatch_ps.dll
[2009/09/28 11:13:50 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\strSrvCalc_ps.dll
[2009/09/28 11:13:50 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\strsrv_ps.dll
[2009/09/10 12:28:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2009/09/10 11:58:45 | 000,026,760 | R--- | C] () -- C:\WINDOWS\System32\drivers\swmsflt.sys
[2009/09/10 11:00:47 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/09/10 11:00:40 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/09/09 23:54:05 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2009/09/09 18:52:55 | 000,000,500 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/09/09 18:25:48 | 000,000,473 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/02/12 12:01:44 | 000,141,888 | ---- | C] () -- C:\WINDOWS\System32\NovPwd32.dll
[2008/02/12 12:00:38 | 000,220,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\prot_2k.sys
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/08/30 18:33:07 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/08/30 18:33:07 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/08/30 18:33:07 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/08/30 18:33:06 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/11/09 16:07:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/16 23:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2005/09/02 14:44:08 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/07/22 21:30:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/08/04 05:00:00 | 000,008,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\rasacd.sys
[2004/07/20 17:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 14:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll

========== LOP Check ==========

[2009/09/09 20:17:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AGNS
[2009/09/24 09:45:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Applications
[2010/02/03 18:40:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AT&T
[2009/09/09 19:25:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Autodesk
[2009/11/19 11:03:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\CardScan
[2009/12/29 16:21:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Citrix
[2009/10/04 13:09:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\GARMIN
[2009/09/10 09:49:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\GroupPolicy
[2009/09/23 09:11:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\LANDesk
[2009/09/25 13:47:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Pointsec
[2009/10/31 09:37:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Research In Motion
[2009/11/19 09:58:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft
[2009/09/20 13:24:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Teleca
[2010/07/09 07:41:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2010/07/10 13:19:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\vulScan
[2010/02/07 20:54:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\AT&T
[2010/02/07 20:54:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\Bytemobile
[2010/02/07 20:54:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\CardScan
[2010/02/07 20:54:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\Corex
[2010/02/07 20:54:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\DBUpdater
[2010/02/07 20:54:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\GARMIN
[2010/02/07 20:54:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\MyScribe
[2010/02/07 20:54:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\Research In Motion
[2010/02/07 20:54:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\Sierra Wireless
[2010/02/07 20:54:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\Teleca
[2010/02/10 21:01:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\webex
[2010/02/07 20:54:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\Windows Desktop Search
[2010/02/07 20:54:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\Windows Search
[2010/05/13 10:34:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LBerry\Application Data\Xerox
[2010/07/10 13:22:53 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\Tasks\b941a5a4.job
[2010/07/08 12:01:00 | 000,000,268 | ---- | M] () -- C:\WINDOWS\Tasks\defrag.job
[2010/07/10 14:06:00 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{ABC8ADFD-81D4-42F3-A9C6-265B25C4C745}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2005/12/13 14:50:30 | 000,049,140 | ---- | M] () -- C:\access-bridge.jar
[2005/12/13 14:50:30 | 000,000,153 | ---- | M] () -- C:\accessibility.properties
[2004/08/11 17:15:00 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/07/09 15:14:50 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2009/09/25 13:47:16 | 000,000,512 | ---- | M] () -- C:\BOOT_SAV.BOT
[2006/07/27 10:32:38 | 000,026,860 | ---- | M] () -- C:\certdb.txt
[2004/08/11 17:15:00 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/08/30 18:35:16 | 000,006,513 | RH-- | M] () -- C:\dell.sdr
[2010/02/04 00:20:37 | 001,038,872 | ---- | M] () -- C:\drivers.log
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
[2007/11/07 09:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
[2007/11/07 09:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
[2007/11/07 09:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
[2009/09/09 14:26:39 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2007/09/07 10:05:07 | 000,000,164 | ---- | M] () -- C:\install.dat
[2007/11/07 09:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
[2010/01/19 18:34:54 | 000,000,191 | ---- | M] () -- C:\Install.LOG
[2007/11/07 09:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
[2007/11/07 09:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
[2007/11/07 09:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
[2007/11/07 09:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
[2007/11/07 09:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
[2007/11/07 09:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
[2007/11/07 09:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
[2007/11/07 09:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
[2007/11/07 09:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
[2004/08/11 17:15:00 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2005/12/13 14:50:30 | 000,043,901 | ---- | M] () -- C:\jaccess-1_3.jar
[2005/12/13 14:50:30 | 000,167,936 | ---- | M] (Sun Microsystems©) -- C:\JavaAccessBridge.DLL
[2007/08/30 18:59:30 | 000,000,000 | ---- | M] () -- C:\Log.txt
[2004/08/11 17:15:00 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2004/08/04 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/06/08 20:38:31 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/07/10 13:17:18 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2009/09/25 13:47:34 | 002,097,152 | RHS- | M] () -- C:\PROT_INS.SYS
[2010/04/24 10:47:43 | 000,000,000 | ---- | M] () -- C:\settings.mmp
[2006/12/05 19:52:06 | 000,000,505 | ---- | M] () -- C:\unPDVDDX.iss
[2009/09/10 00:01:17 | 000,000,086 | ---- | M] () -- C:\unPDVDDX.log
[2007/11/07 09:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
[2009/09/25 13:47:15 | 000,000,006 | ---- | M] () -- C:\VOL_CHAR.DAT
[2005/12/13 14:50:30 | 000,090,112 | ---- | M] (Sun Microsystems©) -- C:\WindowsAccessBridge.DLL

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/09/09 15:41:00 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\system32\spool\prtprocs\w32x86\*.tmp >

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2009/08/14 21:49:20 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2008/02/01 11:13:12 | 000,241,664 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5mc.DLL
[2010/03/17 08:51:42 | 000,082,184 | ---- | M] (Microsoft Corporation.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lmdippr8.dll
[2006/10/26 19:58:12 | 000,030,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2001/11/27 08:27:00 | 000,024,967 | ---- | M] (Captaris, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\RFPrint.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.scr >
[2010/06/15 15:08:42 | 000,407,240 | ---- | M] (MacSourcery) -- C:\WINDOWS\Pink Floyd.scr

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.dat >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/02/14 21:33:26 | 000,087,368 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\FwsVpn.dll
[2010/02/14 21:33:26 | 000,107,848 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\SymVPN.dll
[2010/02/14 21:33:26 | 000,357,704 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\sysfer.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/09/09 10:22:41 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/09/09 10:22:41 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/09/09 10:22:41 | 000,917,504 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\user32.dll /md5 >
[2008/04/14 05:42:10 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll

< %systemroot%\system32\ws2_32.dll /md5 >
[2008/04/14 05:42:12 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll

< %systemroot%\system32\ws2help.dll /md5 >
[2008/04/14 05:42:12 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=9789E95E1D88EEB4B922BF3EA7779C28 -- C:\WINDOWS\system32\ws2help.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
"NoAutoRebootWithLoggedOnUsers" = 1
"NoAutoUpdate" = 0
"AUOptions" = 4
"ScheduledInstallDay" = 0
"ScheduledInstallTime" = 12
"DetectionFrequencyEnabled" = 1
"DetectionFrequency" = 22
"AutoInstallMinorUpdates" = 1
"UseWUServer" = 1

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-06-23 17:33:52

========== Alternate Data Streams ==========

@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EA029835
< End of report >

EXTRAS.TXT
OTL Extras logfile created on: 7/10/2010 1:54:06 PM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Sync Data\LBerry's Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.70 Gb Total Space | 28.62 Gb Free Space | 25.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USHOU03-1LB01
Current User Name: LBerry
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with Corel Paint Shop Pro Photo X2] -- "C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\Corel Paint Shop Pro Photo.exe" "%L" (Corel, Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"67:TCP" = 67:TCP:*:enabled:LANDesk® PXE TCP Port
"67:UDP" = 67:UDP:*:enabled:LANDesk® PXE UDP Port
"9535:TCP" = 9535:TCP:*:enabled:LANDesk® Remote Control Agent TCP Port
"9535:UDP" = 9535:UDP:*:enabled:LANDesk® Remote Control Agent UDP Port
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"137:UDP" = 137:UDP:*:enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:enabled:@xpsp2res.dll,-22002
"139:TCP" = 139:TCP:*:enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:enabled:@xpsp2res.dll,-22005
"67:TCP" = 67:TCP:*:enabled:LANDesk® PXE TCP Port
"67:UDP" = 67:UDP:*:enabled:LANDesk® PXE UDP Port
"9535:TCP" = 9535:TCP:*:enabled:LANDesk® Remote Control Agent TCP Port
"9535:UDP" = 9535:UDP:*:enabled:LANDesk® Remote Control Agent UDP Port
"18248:UDP" = 18248:UDP:*:Enabled:PC Link

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\AT&T Global Network Client\NetClient.exe" = C:\Program Files\AT&T Global Network Client\NetClient.exe:*:Enabled:AT&T Global Network Client -- (AT&T)
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)
"C:\Program Files\LANDesk\LDCLient\AdvanceAgent.exe" = C:\Program Files\LANDesk\LDCLient\AdvanceAgent.exe:*:Enabled:LANDesk Advance Agent -- File not found
"C:\WINDOWS\system32\cba\pds.exe" = C:\WINDOWS\system32\CBA\pds.exe:*:enabled:LANDesk® Ping Discovery Service -- (LANDesk Software Ltd.)
"C:\WINDOWS\system32\msgsys.exe" = C:\WINDOWS\system32\msgsys.exe:*:Enabled:LANDesk Message Service -- (LANDesk Software Ltd.)
"C:\Program Files\LANDesk\LDClient\issuser.exe" = C:\Program Files\LANDesk\LDClient\issuser.exe:*:Enabled:LANDesk Remote Control Agent -- (LANDesk Software, Ltd.)
"C:\Program Files\LANDesk\LDClient\tmcsvc.exe" = C:\Program Files\LANDesk\LDCLient\tmcsvc.exe:*:enabled:LANDesk® Targeted Multicast Client -- (LANDesk Software, Ltd.)
"%windir%\system32\msgsys.exe" = %windir%\system32\msgsys.exe:*:enabled:LANDesk® CBA Message System -- (LANDesk Software Ltd.)
"C:\Program Files\LANDesk\LDCLient\wuser32.exe" = C:\Program Files\LANDesk\LDCLient\wuser32.exe:*:enabled:Remote Control Agent -- File not found
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe" = C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007 -- (Microsoft Corporation)
"C:\Program Files\LANDesk\Shared Files\residentagent.exe" = C:\Program Files\LANDesk\Shared Files\residentagent.exe:*:Enabled:LANDesk® Management Agent -- (LANDesk Software, Ltd.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)
"C:\WINDOWS\system32\CBA\pds.exe" = C:\WINDOWS\system32\CBA\pds.exe:*:enabled:LANDesk® Ping Discovery Service -- (LANDesk Software Ltd.)
"C:\Program Files\LANDesk\LDCLient\tmcsvc.exe" = C:\Program Files\LANDesk\LDCLient\tmcsvc.exe:*:enabled:LANDesk® Targeted Multicast Client -- (LANDesk Software, Ltd.)
"%windir%\system32\msgsys.exe" = %windir%\system32\msgsys.exe:*:enabled:LANDesk® CBA Message System -- (LANDesk Software Ltd.)
"C:\Program Files\LANDesk\LDCLient\wuser32.exe" = C:\Program Files\LANDesk\LDCLient\wuser32.exe:*:enabled:Remote Control Agent -- File not found
"C:\Program Files\AT&T\Communication Manager\SwiApiMux.exe" = C:\Program Files\AT&T\Communication Manager\SwiApiMux.exe:*:Enabled:SwiApiMux -- (Sierra Wireless, Inc.)
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe" = C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007 -- (Microsoft Corporation)
"C:\Program Files\LANDesk\Shared Files\residentagent.exe" = C:\Program Files\LANDesk\Shared Files\residentagent.exe:*:Enabled:LANDesk® Management Agent -- (LANDesk Software, Ltd.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0E2FEC12-96B8-465A-82E6-85011A52CC6F}" = Configuration Tool
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{25BEC3AB-5CD4-481D-9143-215C1BBB189E}" = Sony Ericsson PC Suite
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{26E76762-7F20-4694-AD06-CC3A9B547A71}" = Microsoft Office Live Meeting 2007
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2E56775F-12A6-44CB-A969-3C2CEB371313}" = Dexterity Shared Components 10.0
"{2EFCC193-D915-4CCB-9201-31773A27BC06}" = Symantec Endpoint Protection
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{31B33270-24D7-4307-84F2-A3288636B83A}" = Pointsec PC
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{433657FC-710A-4A06-85FD-709C3F98D3DB}" = AT&T Global Network Client Managed VPN Edition
"{45734758-4041-4EA8-8E62-DE661FC3879C}" = LANDesk® Common Base Agent 8
"{4CB47111-82EB-4796-83AE-99B27A602BA6}" = CardScan 8.0.5
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5783F2D6-7028-0409-0000-0060B0CE6BBA}" = DWG TrueView 2009
"{5B7CF62F-D339-4FAA-A610-372ED5A2787F}" = BlackBerry Desktop Software 5.0.1
"{5DB161C0-7C9C-41D7-8DA1-CB112F60946B}" = Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{64E72FB1-2343-4977-B4A8-262CD53D0BD3}" = Corel Paint Shop Pro Photo X2
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{66A9D30D-1464-4C7F-B2F3-507DADAF2595}" = Microsoft IntelliPoint 6.3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{689E0AB3-50B2-4E5A-9DCE-6DA9F5BE1314}" = BlackBerry® Media Sync
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A69D94E-C569-4154-9643-72E94D1DDFDA}" = XPS Essentials Pack
"{7304D7E6-765C-4981-82DD-656DE1CB46DB}" = RFClient8.01
"{753D852A-D86D-42C9-9978-40AE66FB8985}" = Driver Installer
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7E8833A1-AF24-4CAE-82DF-CFE14C14B94D}" = LANDesk Advance Agent
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{896DCCC7-9749-4DD6-BAEF-49F9A9CEE295}" = Microsoft Dynamics GP 10.0
"{896DCCC7-9749-4DD6-BAEF-49F9A9CEE295}_Ex" = Microsoft Dynamics GP 10.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_SMALLBUSINESSR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_SMALLBUSINESSR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A4-0409-0000-0000000FF1CE}" = Microsoft Office 2003 Web Components
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-00CA-0000-0000-0000000FF1CE}" = Microsoft Office Small Business 2007
"{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91530409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Standard 2003
"{91710409-8000-11D3-8CFE-0150048383C9}" = Microsoft Application Error Reporting
"{94824ADD-8F26-43D2-84DB-22E11F377E5E}" = Microsoft English TTS Engine
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9579E862-5FC7-4337-B1CC-5E37451524C5}" = Motorola Driver Installation
"{96172E04-BB14-45F6-A77B-8EE7A421B903}" = SAPI Wrapper
"{97D0C0A1-7E64-4B05-A2EE-61D2CE23F154}" = TTS Wrapper
"{9DE3F260-B88E-42CE-90E7-73C78C37D95E}" = 32 Bit HP BiDi Channel Components Installer
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A58F2B4A-ABAC-479E-83CE-F3AF284C9737}" = Sentinel System Driver Installer 7.4.2
"{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb" = Internet Explorer (Enable DEP)
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-0000-BA7E-000000000003}" = Adobe Acrobat 8 Standard
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B98BE95C-E76F-4246-B8E6-BEB8EE791D06}" = Roxio Media Manager
"{C084BC61-E537-11DE-8616-005056806466}" = Google Earth
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2E8B236-7554-45FE-92C0-94EF76E4D182}" = Garmin City Navigator North America NT 2010.20
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C60BA916-9E44-4DA4-B11A-9E27B7624EF5}" = Sony Ericsson Drivers
"{C63E7C60-25EB-11D3-8EDA-00A0C911E8E5}" = Microsoft Outlook Personal Folders Backup
"{C82185E8-C27B-4EF4-2008-4444BC2C2B6D}" = Microsoft Streets & Trips 2008
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{C92E7DF1-624A-4D95-A4C4-18CB491B44A4}" = Sony Ericsson Device Data
"{CAFECAFE-0013-0001-0129-ABCDEFABCDEF}" = Oracle JInitiator 1.3.1.29
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D4B6D71F-3DDC-48AF-8275-D1FE81AA1CFE}" = LANDesk Advance Agent
"{D689B418-235A-4290-A0A5-A75E490E0351}" = Symantec Endpoint Protection
"{D6BF6477-8369-489F-8DE6-3731F4B88560}" = Sony Ericsson PC Suite
"{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}" = U3Launcher
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E3C3831A-079A-4105-96BE-A74169D62087}" = Rosemount TankMaster
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{E52E5DD7-58CD-439E-8941-5C8EA370C44D}" = AMS Wireless SNAP-ON
"{E9EB1566-BA9E-458D-9EF3-5776FE58FC69}" = AT&T Communication Manager
"{EFF87108-C9D0-43F1-BEE1-28DA87778F1A}" = Garmin Communicator Plugin
"{F1BA3CD5-89DC-4273-8603-A75F33E9B335}" = Nokia Connectivity Adapter Cable DKU-5
"{F804CAE5-50B2-4646-803A-A428325237CA}" = Driver Installer
"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"ActiveTouchMeetingClient" = WebEx
"Adobe Acrobat 8 Standard" = Adobe Acrobat 8.2.3 Standard
"Adobe Acrobat 8 Standard_823" = Adobe Acrobat 8.2.3 - CPSID_83708
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Algebrator_is1" = Algebrator 4.0
"BlackBerry_{5B7CF62F-D339-4FAA-A610-372ED5A2787F}" = BlackBerry Desktop Software 5.0.1
"Broadcom 802.11 Application" = Dell Wireless WLAN Card Utility
"CCleaner" = CCleaner
"DWG TrueView 2009" = DWG TrueView 2009
"ERUNT_is1" = ERUNT 1.1j
"FLV Player" = FLV Player 2.0 (build 25)
"GoToAssist" = GoToAssist 8.0.0.514
"ie8" = Windows Internet Explorer 8
"InstallShield_{E52E5DD7-58CD-439E-8941-5C8EA370C44D}" = AMS Wireless SNAP-ON
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack" = Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyDefrag_is1" = MyDefrag v4.1.2
"MyScribe" = MyScribe
"NVIDIA Drivers" = NVIDIA Drivers
"Outlook Attachment Remover_is1" = Outlook Attachment Remover 2.0
"Plaxo" = Plaxo Toolbar for Windows
"Second Copy 7" = Second Copy 7
"SMALLBUSINESSR" = Microsoft Office Small Business 2007
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEP" = XPS Essentials Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"309a46b1dc89b774" = Dell Driver Download Manager
"f031ef6ac137efc5" = Dell Driver Download Manager - 1

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/10/2010 1:47:50 PM | Computer Name = USHOU03-1LB01 | Source = ESENT | ID = 455
Description = wuaueng.dll (4008) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 7/10/2010 2:12:10 PM | Computer Name = USHOU03-1LB01 | Source = ESENT | ID = 489
Description = wuauclt (3548) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 7/10/2010 2:12:10 PM | Computer Name = USHOU03-1LB01 | Source = ESENT | ID = 455
Description = wuaueng.dll (3548) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 7/10/2010 2:12:20 PM | Computer Name = USHOU03-1LB01 | Source = ESENT | ID = 489
Description = wuauclt (3548) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 7/10/2010 2:12:20 PM | Computer Name = USHOU03-1LB01 | Source = ESENT | ID = 455
Description = wuaueng.dll (3548) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 7/10/2010 2:18:04 PM | Computer Name = USHOU03-1LB01 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 7/10/2010 2:18:05 PM | Computer Name = USHOU03-1LB01 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 7/10/2010 2:22:48 PM | Computer Name = USHOU03-1LB01 | Source = Userenv | ID = 1521
Description = Windows cannot locate the server copy of your roaming profile and
is attempting to log you on with your local profile. Changes to the profile will
not be copied to the server when you logoff. Possible causes of this error include
network problems or insufficient security rights. If this problem persists, contact
your network administrator. DETAIL - The network location cannot be reached.
For information about network troubleshooting, see Windows Help.

Error - 7/10/2010 2:22:51 PM | Computer Name = USHOU03-1LB01 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 7/10/2010 2:24:03 PM | Computer Name = USHOU03-1LB01 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for EMRSN\LBerry failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

[ OSession Events ]
Error - 10/11/2009 3:38:16 PM | Computer Name = USHOU03-1LB01 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6504.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 0
seconds with 0 seconds of active time. This session ended with a crash.

Error - 2/15/2010 6:31:23 PM | Computer Name = USHOU03-1LB01 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6514.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 9775
seconds with 4200 seconds of active time. This session ended with a crash.

Error - 4/12/2010 2:13:43 PM | Computer Name = USHOU03-1LB01 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 15171
seconds with 1740 seconds of active time. This session ended with a crash.

Error - 4/21/2010 10:51:52 PM | Computer Name = USHOU03-1LB01 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 408
seconds with 300 seconds of active time. This session ended with a crash.

Error - 5/11/2010 3:24:33 PM | Computer Name = USHOU03-1LB01 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 231
seconds with 60 seconds of active time. This session ended with a crash.

Error - 6/8/2010 10:28:05 AM | Computer Name = USHOU03-1LB01 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6524.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 1
seconds with 0 seconds of active time. This session ended with a crash.

Error - 6/23/2010 12:57:50 PM | Computer Name = USHOU03-1LB01 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2129
seconds with 720 seconds of active time. This session ended with a crash.

[ Pointsec Events ]
Error - 12/12/2009 1:16:44 PM | Computer Name = USHOU03-1LB01 | Source = prot_srv | ID = 462754
Description = The recovery file could not be created: path not found.

Error - 12/13/2009 3:01:44 AM | Computer Name = USHOU03-1LB01 | Source = prot_srv | ID = 462754
Description = The recovery file could not be created: path not found.

Error - 12/14/2009 2:10:14 AM | Computer Name = USHOU03-1LB01 | Source = prot_srv | ID = 462754
Description = The recovery file could not be created: path not found.

[ System Events ]
Error - 7/10/2010 1:09:43 PM | Computer Name = USHOU03-1LB01 | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 7/10/2010 1:09:43 PM | Computer Name = USHOU03-1LB01 | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

Error - 7/10/2010 1:58:01 PM | Computer Name = USHOU03-1LB01 | Source = USBSTOR | ID = 458758
Description =

Error - 7/10/2010 2:18:04 PM | Computer Name = USHOU03-1LB01 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain EMRSN due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 7/10/2010 2:18:58 PM | Computer Name = USHOU03-1LB01 | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 7/10/2010 2:20:36 PM | Computer Name = USHOU03-1LB01 | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 7/10/2010 2:20:36 PM | Computer Name = USHOU03-1LB01 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher
9 service to connect.

Error - 7/10/2010 2:20:36 PM | Computer Name = USHOU03-1LB01 | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

Error - 7/10/2010 2:21:41 PM | Computer Name = USHOU03-1LB01 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
RasAcd

Error - 7/10/2010 2:55:44 PM | Computer Name = USHOU03-1LB01 | Source = SRService | ID = 104
Description = The System Restore initialization process failed.


< End of report >

GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-10 12:05:59
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\LBerry\LOCALS~1\Temp\kxliyuog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
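Two things a responder checks first in an OTL Extras log like the one above are the Shell Spawning section (rogue anti-virus families commonly rewrite the exefile/batfile/comfile "open" command so their binary runs in front of every program) and the firewall policy (which profiles are switched off and which ports are open to any source). The script below is an added example, not code from this thread or from OTL: it parses those two sections and returns the deviations. The function and constant names are mine; EXPECTED_OPEN holds the stock Windows XP handler strings exactly as OTL prints them. The first sample is an excerpt of the Extras log posted above; the second is a constructed line, not from this machine, showing what a hijacked exefile handler looks like so the check can be seen to fire.

```python
"""Triage checks over an OTL "Extras" log (added example, not from the thread)."""
import re

SECTION_RE = re.compile(r'^========== (.+?) ==========$')
KEY_RE = re.compile(r'^\[(HKEY_.*)\]$')
SHELL_RE = re.compile(r'^(\w+) \[(\w+)\] -- (.*)$')
VALUE_RE = re.compile(r'^"(\w+)" = (\d+)$')
# e.g.  "3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
PORT_RE = re.compile(r'^"\d+:(?:TCP|UDP)" = (\d+):(TCP|UDP):([^:]+):(\w+):(.*)$')

# Stock XP "open" commands for the handlers malware most often hijacks.
EXPECTED_OPEN = {
    "exefile": '"%1" %*', "batfile": '"%1" %*', "cmdfile": '"%1" %*',
    "comfile": '"%1" %*', "piffile": '"%1" %*', "scrfile": '"%1" /S',
}


def triage_otl_extras(text):
    """Return hijacked shell handlers, firewall profiles that are switched off,
    and enabled globally-open ports whose scope is '*' (reachable from anywhere)."""
    findings = {"hijacked_handlers": {}, "firewall_off": [], "wide_open_ports": []}
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if section == "Shell Spawning":
            m = SHELL_RE.match(line)
            if m and m.group(2) == "open" and m.group(1) in EXPECTED_OPEN:
                if m.group(3) != EXPECTED_OPEN[m.group(1)]:
                    findings["hijacked_handlers"][m.group(1)] = m.group(3)
        elif section == "Security Center Settings" and key and "\\FirewallPolicy\\" in key:
            parts = key.split("\\")
            profile = parts[parts.index("FirewallPolicy") + 1]  # DomainProfile / StandardProfile
            m = VALUE_RE.match(line)
            if m and m.group(1) == "EnableFirewall" and m.group(2) == "0":
                findings["firewall_off"].append(profile)
                continue
            m = PORT_RE.match(line)
            if m and m.group(3) == "*" and m.group(4).lower() == "enabled":
                findings["wide_open_ports"].append(
                    (profile, int(m.group(1)), m.group(2), m.group(5)))
    return findings


# Excerpt of the OTL Extras log posted in this thread.
SAMPLE_FROM_LOG = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
scrfile [open] -- "%1" /S

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"445:TCP" = 445:TCP:*:enabled:@xpsp2res.dll,-22005
"9535:TCP" = 9535:TCP:*:enabled:LANDesk Remote Control Agent TCP Port
"""

# Constructed input (not from this machine): the shape of a hijacked exefile handler.
SAMPLE_HIJACKED = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
exefile [open] -- "C:\Documents and Settings\user\Local Settings\Application Data\rogue.exe" "%1" %*
"""

if __name__ == "__main__":
    for name, value in triage_otl_extras(SAMPLE_FROM_LOG).items():
        print(name, value)
```

Run against the log above, the handlers come back stock and the only findings are the Windows Firewall being off on the Standard profile plus RDP, NetBIOS/SMB and LANDesk ports open to any source. On this machine those are corporate-image settings rather than evidence of compromise: the firewall in use is Symantec Endpoint Protection's (the ComboFix header later in the thread reports "FW: Symantec Endpoint Protection *enabled*"), and the LANDesk agents and PXE entries are the remote-management stack of the EMRSN domain named in the event log errors. The value of the check is that anything not on that list stands out immediately.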
#2
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Download ComboFix here:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3
lanceberry (Topic Starter)
Thanks again for your help; here is the log file.


ComboFix 10-07-10.01 - LBerry 07/11/2010 1:44.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1263 [GMT -5:00]
Running from: c:\sync data\LBerry's Documents\Downloads\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\LBerry\GoToAssistDownloadHelper.exe
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\system32\st325602.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-11 to 2010-07-11 )))))))))))))))))))))))))))))))
.

2010-07-10 16:04 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 16:04 . 2010-07-10 16:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 16:04 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 16:00 . 2010-07-10 16:00 -------- d-----w- c:\program files\ERUNT
2010-07-09 22:44 . 2010-07-09 22:44 -------- d-----w- c:\documents and settings\SuperSTC.USHOU03-1LB01\Application Data\Malwarebytes
2010-07-09 21:45 . 2010-07-09 21:46 -------- d-----w- c:\documents and settings\SuperSTC.USHOU03-1LB01
2010-07-09 19:37 . 2010-07-09 19:37 206336 ----a-w- c:\windows\Sraxaa.exe
2010-07-09 00:28 . 2010-07-09 12:42 -------- d-----w- c:\program files\FCU Configuration
2010-06-21 21:12 . 2010-06-21 21:12 -------- d-----w- c:\windows\system32\bg-bg
2010-06-21 21:12 . 2010-06-21 21:12 -------- d-----w- c:\windows\system32\zh-cn
2010-06-21 21:12 . 2010-06-21 21:12 -------- d-----w- c:\windows\system32\cs-cz
2010-06-15 20:08 . 2010-06-15 20:08 588969 ------w- c:\windows\Pink Floyd.exe
2010-06-15 20:08 . 2010-06-15 20:08 40960 ------w- c:\windows\Pink Floyd.dll
2010-06-15 20:08 . 2010-06-15 20:08 407240 ------w- c:\windows\Pink Floyd.scr
2010-06-15 20:08 . 2010-06-15 20:08 18192 ------w- c:\windows\Pink Floyd.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-11 06:27 . 2009-10-22 19:01 -------- d-----w- c:\program files\Plaxo
2010-07-11 06:22 . 2009-09-23 13:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\vulScan
2010-07-10 15:57 . 2009-09-10 03:14 -------- dc----w- c:\documents and settings\LBerry\Application Data\U3
2010-07-09 21:02 . 2009-09-10 00:18 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-07-09 12:41 . 2009-09-10 14:01 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-07-08 18:07 . 2009-09-09 20:53 168250 ----a-w- c:\windows\system32\nvModes.dat
2010-06-28 04:32 . 2009-12-29 17:35 -------- d-----w- c:\program files\MyDefrag v4.1.2
2010-06-23 17:02 . 2007-08-31 00:13 -------- d-----w- c:\program files\Microsoft.NET
2010-06-21 21:15 . 2009-09-09 23:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-06-03 00:59 . 2009-06-23 17:03 161920 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2010-05-13 15:34 . 2010-05-13 15:34 -------- dc----w- c:\documents and settings\LBerry\Application Data\Xerox
2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-11_06.11.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-11 06:21 . 2010-07-11 06:21 16384 c:\windows\Temp\Perflib_Perfdata_8e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Second Copy"="c:\progra~1\SecCopy\SecCopy.exe" [2009-08-01 891680]
"PlaxoUpdate"="c:\program files\Plaxo\3.23.0.11\PlaxoHelper_en.exe" [2009-10-01 403015]
"PlaxoSysTray"="c:\program files\Plaxo\3.23.0.11\PlaxoSysTray.exe" [2009-10-01 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\faxctrl.exe" [2001-12-06 110592]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-02-15 115560]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-04-30 2396160]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-08-01 65536]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2008-02-12 666176]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-7-30 2158592]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2010-5-8 22486]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-12-29 21:21 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-06-16 22:20 624056 ------w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
2009-10-09 23:58 883272 ------w- c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-08-31 16:03 623960 ------w- c:\program files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CardScanAgent]
2008-08-28 00:30 152824 ------w- c:\program files\CardScan\CardScan\CardScanAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2008-08-08 22:30 16712 ------r- c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 14:14 206112 ------w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2008-04-14 10:42 169984 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetSP - restore settings on power failure]
2009-06-09 22:30 53528 ------w- c:\program files\AT&T Global Network Client\NetSP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-05-31 20:50 8429568 ------w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2007-05-31 20:50 67584 ------w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-05-31 20:50 81920 ------w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-05-31 20:50 1626112 ------w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-06-08 23:40 128560 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ------w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ------w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ------w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 15:22 405504 ------w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2007-06-13 13:16 528384 ------r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-10 03:16 149280 ------w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 00:20 866584 ------w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"gupdate"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\WINDOWS\\system32\\CBA\\pds.exe"=
"c:\\Program Files\\LANDesk\\LDCLient\\tmcsvc.exe"=
"%windir%\\system32\\msgsys.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"67:TCP"= 67:TCP:LANDesk® PXE TCP Port
"67:UDP"= 67:UDP:LANDesk® PXE UDP Port
"9535:TCP"= 9535:TCP:LANDesk® Remote Control Agent TCP Port
"9535:UDP"= 9535:UDP:LANDesk® Remote Control Agent UDP Port
"18248:UDP"= 18248:UDP:PC Link

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2/12/2008 12:00 PM 220096]
R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [6/2/2008 10:42 AM 155648]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [9/23/2009 8:57 AM 118784]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/10/2010 11:04 AM 304464]
R2 NetClientSvc;AT&T Global Network Client Service;c:\program files\AT&T Global Network Client\NetClientSvc.exe [6/9/2009 5:30 PM 336152]
R2 PCLink for Windows;PC Link for Windows;c:\windows\system32\pclnksvc.exe [7/10/2007 12:00 PM 45056]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2/12/2008 12:01 PM 367168]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2/12/2008 12:01 PM 145984]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\softmon.exe [9/23/2009 8:57 AM 372736]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [10/9/2009 6:59 PM 121416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [5/27/2010 4:13 AM 102448]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [9/23/2009 8:57 AM 3328]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/10/2010 11:04 AM 20952]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [9/23/2009 8:57 AM 3712]
R3 NetLogSvc;NetLogSvc;c:\progra~1\AT&TGL~1\NETLOG~1.EXE [6/9/2009 5:30 PM 68888]
R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [3/31/2009 3:45 PM 190080]
R3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [5/4/2009 4:57 PM 148096]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [6/23/2009 12:03 PM 23888]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2/18/2008 4:14 PM 105216]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2/8/2008 12:00 PM 59264]
S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [9/23/2009 8:57 AM 11904]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/11/2009 12:50 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-07-08 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2004-08-04 10:42]

2009-09-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 19:56]

2010-07-11 c:\windows\Tasks\User_Feed_Synchronization-{ABC8ADFD-81D4-42F3-A9C6-265B25C4C745}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://dial.sbc.yahoo.com/
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: bmnet.dll
DPF: {CAFECAFE-0013-0001-0029-ABCDEFABCDEF}
FF - ProfilePath - c:\documents and settings\LBerry\Application Data\Mozilla\Firefox\Profiles\s1hh9hel.default\
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13129.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-11 02:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1164)
c:\windows\system32\pssogina.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1220)
c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(284)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Plaxo\3.23.0.11\plx_hook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\dfshim.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-11 02:09:52
ComboFix-quarantined-files.txt 2010-07-11 07:09

Pre-Run: 30,642,872,320 bytes free
Post-Run: 30,625,837,056 bytes free

- - End Of File - - 20C56B45F4FFF9BE66A41E7101928065
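For a reader learning to triage a ComboFix log like the one above, here is an added helper (not part of the thread, and not ComboFix's own code) that parses the "Files Created" section and flags loose executables dropped directly into the Windows directory, plus anything created close to the incident time, which is exactly what makes Sraxaa.exe stand out. The sample entries are excerpted from the log above; the incident time passed in is an assumption for the demo.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Entries excerpted from the "Files Created" section of the ComboFix log
# above. Timestamps in that section are UTC: the Malwarebytes driver shows
# 16:04 here but 11:04 AM in the GMT-5 services list further down the log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-06-11 to 2010-07-11 )))))))))))))))))))))))))))))))
.

2010-07-10 16:04 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 16:04 . 2010-07-10 16:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 16:04 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 16:00 . 2010-07-10 16:00 -------- d-----w- c:\program files\ERUNT
2010-07-09 19:37 . 2010-07-09 19:37 206336 ----a-w- c:\windows\Sraxaa.exe
2010-07-09 00:28 . 2010-07-09 12:42 -------- d-----w- c:\program files\FCU Configuration
2010-06-15 20:08 . 2010-06-15 20:08 588969 ------w- c:\windows\Pink Floyd.exe
2010-06-15 20:08 . 2010-06-15 20:08 40960 ------w- c:\windows\Pink Floyd.dll
2010-06-15 20:08 . 2010-06-15 20:08 407240 ------w- c:\windows\Pink Floyd.scr
2010-06-15 20:08 . 2010-06-15 20:08 18192 ------w- c:\windows\Pink Floyd.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-11 06:27 . 2009-10-22 19:01 -------- d-----w- c:\program files\Plaxo
"""

# Entry layout: created . modified size attrs path  (size is 8 dashes for dirs)
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# File types a dropper typically writes; one sitting loose (not in a
# subfolder) directly in these directories deserves a second look.
EXEC_EXT = {".exe", ".dll", ".scr", ".sys", ".com", ".pif"}
WATCHED_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]      # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_files_created(log_text: str) -> List[Entry]:
    """Return the entries of the 'Files Created' section, in log order."""
    entries: List[Entry] = []
    in_section = False
    for line in log_text.splitlines():
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section and "Find3M Report" in line:
            break                                   # next section starts
        m = ENTRY_RE.match(line.strip()) if in_section else None
        if not m:
            continue                                # blank, '.', or header lines
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                             datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                             size, m["attrs"], m["path"]))
    return entries


def flag(entries: List[Entry], incident_utc: datetime,
         window: timedelta = timedelta(hours=2)) -> List[Tuple[Entry, List[str]]]:
    """Pair each suspicious file with its reasons, most reasons first."""
    findings: List[Tuple[Entry, List[str]]] = []
    for e in entries:
        if e.is_dir:
            continue
        parent, _, name = e.path.lower().rpartition("\\")
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        reasons = []
        if parent in WATCHED_DIRS and ext in EXEC_EXT:
            reasons.append("loose executable in Windows directory")
        if abs(e.created - incident_utc) <= window:
            reasons.append("created within incident window")
        if reasons:
            findings.append((e, reasons))
    findings.sort(key=lambda f: -len(f[1]))         # stable: log order within ties
    return findings


def triage(log_text: str, incident_utc: str) -> List[Tuple[str, List[str]]]:
    """Convenience wrapper: (path, reasons) with the incident time as 'YYYY-MM-DD HH:MM' UTC."""
    when = datetime.strptime(incident_utc, "%Y-%m-%d %H:%M")
    return [(e.path, r) for e, r in flag(parse_files_created(log_text), when)]


if __name__ == "__main__":
    # Assumed incident time (UTC) for this demo; it is not stated in the log itself.
    for path, reasons in triage(SAMPLE_LOG, "2010-07-09 19:47"):
        print(f"{path:45s} <- {'; '.join(reasons)}")
```

Only Sraxaa.exe earns both reasons; the Pink Floyd screensaver set is loose in c:\windows but weeks older, and the Malwarebytes drivers are new but live in a proper subfolder.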

#4
Rorschach112 (Retired Staff)
Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, so make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#5
lanceberry (Topic Starter)
Here is my MWB log file.

I forgot to mention, but you most likely could see that I am on a corporate-managed laptop and cannot turn off the Symantec Endpoint Protection virus program. I am doing the online scan now.

THANKS

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4302

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/11/2010 9:02:03 AM
mbam-log-2010-07-11 (09-02-03).txt

Scan type: Quick scan
Objects scanned: 180736
Time elapsed: 13 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6
lanceberry (Topic Starter)
The online scanner is still running: 6.15 hours in and only 53% done; up to now no threats found.

#7
lanceberry (Topic Starter)
THANKS.

Here is the Kaspersky report:

KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, July 12, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, July 11, 2010 11:06:18
Records in database: 4233535


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Objects scanned 151569
Threats found 1
Infected objects found 1
Suspicious objects found 0
Scan duration 12:24:39

File name Threat Threats count
C:\WINDOWS\Sraxaa.exe Infected: Trojan.Win32.Monder.djab 1

Selected area has been scanned.

#8
Rorschach112 (Retired Staff)
Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo.com/forum/Help-Malware-removal-t281772.html

Collect::
C:\WINDOWS\Sraxaa.exe

Suspect::

Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


#9
lanceberry (Topic Starter)
Sorry for the delays in my post, but I am traveling for work and do not have an internet connection during the day. Thanks for your help, and here is the log. As stated before and shown in the log, Symantec Endpoint is running and I can't shut it off before running ComboFix.

ComboFix 10-07-10.01 - LBerry 07/12/2010 23:43:26.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1202 [GMT -5:00]
Running from: c:\sync data\LBerry's Documents\Downloads\ComboFix.exe
Command switches used :: c:\sync data\LBerry's Documents\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

file zipped: c:\windows\Sraxaa.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Sraxaa.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))
.

2010-07-10 16:04 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 16:04 . 2010-07-10 16:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 16:04 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 16:00 . 2010-07-10 16:00 -------- d-----w- c:\program files\ERUNT
2010-07-09 22:44 . 2010-07-09 22:44 -------- d-----w- c:\documents and settings\SuperSTC.USHOU03-1LB01\Application Data\Malwarebytes
2010-07-09 21:45 . 2010-07-09 21:46 -------- d-----w- c:\documents and settings\SuperSTC.USHOU03-1LB01
2010-07-09 00:28 . 2010-07-12 23:59 -------- d-----w- c:\program files\FCU Configuration
2010-06-21 21:12 . 2010-06-21 21:12 -------- d-----w- c:\windows\system32\bg-bg
2010-06-21 21:12 . 2010-06-21 21:12 -------- d-----w- c:\windows\system32\zh-cn
2010-06-21 21:12 . 2010-06-21 21:12 -------- d-----w- c:\windows\system32\cs-cz
2010-06-15 20:08 . 2010-06-15 20:08 588969 ------w- c:\windows\Pink Floyd.exe
2010-06-15 20:08 . 2010-06-15 20:08 40960 ------w- c:\windows\Pink Floyd.dll
2010-06-15 20:08 . 2010-06-15 20:08 407240 ------w- c:\windows\Pink Floyd.scr
2010-06-15 20:08 . 2010-06-15 20:08 18192 ------w- c:\windows\Pink Floyd.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-13 04:28 . 2009-10-22 19:01 -------- d-----w- c:\program files\Plaxo
2010-07-13 04:17 . 2009-09-23 13:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\vulScan
2010-07-12 11:19 . 2009-09-10 14:01 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-07-10 15:57 . 2009-09-10 03:14 -------- dc----w- c:\documents and settings\LBerry\Application Data\U3
2010-07-09 21:02 . 2009-09-10 00:18 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-07-08 18:07 . 2009-09-09 20:53 168250 ----a-w- c:\windows\system32\nvModes.dat
2010-06-28 04:32 . 2009-12-29 17:35 -------- d-----w- c:\program files\MyDefrag v4.1.2
2010-06-23 17:02 . 2007-08-31 00:13 -------- d-----w- c:\program files\Microsoft.NET
2010-06-21 21:15 . 2009-09-09 23:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-06-03 00:59 . 2009-06-23 17:03 161920 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-11_06.11.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-13 04:16 . 2010-07-13 04:16 16384 c:\windows\Temp\Perflib_Perfdata_120.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Second Copy"="c:\progra~1\SecCopy\SecCopy.exe" [2009-08-01 891680]
"PlaxoUpdate"="c:\program files\Plaxo\3.23.0.11\PlaxoHelper_en.exe" [2009-10-01 403015]
"PlaxoSysTray"="c:\program files\Plaxo\3.23.0.11\PlaxoSysTray.exe" [2009-10-01 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\faxctrl.exe" [2001-12-06 110592]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-02-15 115560]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-04-30 2396160]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-08-01 65536]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2008-02-12 666176]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-7-30 2158592]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2010-5-8 22486]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-12-29 21:21 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-06-16 22:20 624056 ------w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
2009-10-09 23:58 883272 ------w- c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-08-31 16:03 623960 ------w- c:\program files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CardScanAgent]
2008-08-28 00:30 152824 ------w- c:\program files\CardScan\CardScan\CardScanAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2008-08-08 22:30 16712 ------r- c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 14:14 206112 ------w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2008-04-14 10:42 169984 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetSP - restore settings on power failure]
2009-06-09 22:30 53528 ------w- c:\program files\AT&T Global Network Client\NetSP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-05-31 20:50 8429568 ------w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2007-05-31 20:50 67584 ------w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-05-31 20:50 81920 ------w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-05-31 20:50 1626112 ------w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-06-08 23:40 128560 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ------w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ------w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ------w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 15:22 405504 ------w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2007-06-13 13:16 528384 ------r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-10 03:16 149280 ------w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 00:20 866584 ------w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"gupdate"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\WINDOWS\\system32\\CBA\\pds.exe"=
"c:\\Program Files\\LANDesk\\LDCLient\\tmcsvc.exe"=
"%windir%\\system32\\msgsys.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"67:TCP"= 67:TCP:LANDesk® PXE TCP Port
"67:UDP"= 67:UDP:LANDesk® PXE UDP Port
"9535:TCP"= 9535:TCP:LANDesk® Remote Control Agent TCP Port
"9535:UDP"= 9535:UDP:LANDesk® Remote Control Agent UDP Port
"18248:UDP"= 18248:UDP:PC Link

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2/12/2008 12:00 PM 220096]
R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [6/2/2008 10:42 AM 155648]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [9/23/2009 8:57 AM 118784]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/10/2010 11:04 AM 304464]
R2 NetClientSvc;AT&T Global Network Client Service;c:\program files\AT&T Global Network Client\NetClientSvc.exe [6/9/2009 5:30 PM 336152]
R2 PCLink for Windows;PC Link for Windows;c:\windows\system32\pclnksvc.exe [7/10/2007 12:00 PM 45056]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2/12/2008 12:01 PM 367168]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2/12/2008 12:01 PM 145984]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\softmon.exe [9/23/2009 8:57 AM 372736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [5/27/2010 4:13 AM 102448]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [9/23/2009 8:57 AM 3328]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/10/2010 11:04 AM 20952]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [9/23/2009 8:57 AM 3712]
R3 NetLogSvc;NetLogSvc;c:\progra~1\AT&TGL~1\NETLOG~1.EXE [6/9/2009 5:30 PM 68888]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [10/9/2009 6:59 PM 121416]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [6/23/2009 12:03 PM 23888]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2/18/2008 4:14 PM 105216]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2/8/2008 12:00 PM 59264]
S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [9/23/2009 8:57 AM 11904]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [3/31/2009 3:45 PM 190080]
S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [5/4/2009 4:57 PM 148096]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/11/2009 12:50 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-07-08 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2004-08-04 10:42]

2009-09-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 19:56]

2010-07-13 c:\windows\Tasks\User_Feed_Synchronization-{ABC8ADFD-81D4-42F3-A9C6-265B25C4C745}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://dial.sbc.yahoo.com/
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: bmnet.dll
DPF: {CAFECAFE-0013-0001-0029-ABCDEFABCDEF}
FF - ProfilePath - c:\documents and settings\LBerry\Application Data\Mozilla\Firefox\Profiles\s1hh9hel.default\
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13129.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-12 23:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\pssogina.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(692)
c:\windows\system32\bmnet.dll
.
Completion time: 2010-07-13 00:06:08
ComboFix-quarantined-files.txt 2010-07-13 05:05
ComboFix2.txt 2010-07-11 07:09

Pre-Run: 30,879,563,776 bytes free
Post-Run: 30,965,161,984 bytes free

- - End Of File - - F970E54D549FA2E067029C5B5B96C0B3
Upload was successful

#10 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Your logs are clean.

Follow these steps to uninstall Combofix and tools used in the removal of malware.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

  • Open OTL
  • Under the Custom Scans/Fixes box at the bottom, paste the following:
    :Commands
    [clearallrestorepoints]
  • Click the Run Fix button at the top
  • It might ask you to reboot; if so, click YES

  • Open OTL to run it. (Vista users, right click on OTL and "Run as administrator")
  • Click on the CleanUp button.
  • Click Yes to begin the cleanup process and remove tools, including this application
  • You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes

  • Please read my guide on how to prevent malware and about safe computing here

Thank you for your patience, and for performing all of the procedures requested.

#11 lanceberry (Member, Topic Starter, 15 posts)
Thanks again for your help. Can you please send me the link to make a donation to support the site and your efforts?

#12 lanceberry (Member, Topic Starter, 15 posts)
I see the link for the donate in your signature, missed it before.

I accidentally opened IE and got a message from the active Malwarebytes scan program; here is the log. I cannot find the file in that directory.

00:57:07 LBerry MESSAGE Protection started successfully
00:57:16 LBerry MESSAGE IP Protection started successfully
02:08:11 LBerry MESSAGE IP Protection stopped
02:08:39 LBerry MESSAGE Database updated successfully
02:08:44 LBerry MESSAGE IP Protection started successfully
02:09:30 LBerry MESSAGE IP Protection stopped
02:09:35 LBerry MESSAGE IP Protection started successfully
09:43:21 LBerry MESSAGE Protection started successfully
09:43:30 LBerry MESSAGE IP Protection started successfully
10:55:06 LBerry MESSAGE Protection started successfully
10:55:11 LBerry MESSAGE IP Protection started successfully
11:33:46 LBerry DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent QUARANTINE
11:33:47 LBerry ERROR Quarantine failed: UtilityReadFile failed with error code 2

#13 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Update MBAM, run a quick scan, and post that log here.

The site doesn't take donations any more since it's self-sufficient; that is why a lot of the staff have donation links themselves.

#14 lanceberry (Member, Topic Starter, 15 posts)
Here is what came up. I have left the window open and not removed it yet, to wait for instructions.

Thanks

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4311

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/13/2010 11:52:14 PM
mbam-log-2010-07-13 (23-52-14).txt

Scan type: Quick scan
Objects scanned: 181430
Time elapsed: 27 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\JDK5SWFMZY (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Remove that.

Let's do another scan to be safe.

  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.