OTL logfile created on: 7/9/2011 11:44:35 AM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\(Replace_MyName)\Desktop\Malware Tools
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
4.00 Gb Total Physical Memory | 3.26 Gb Available Physical Memory | 81.64% Memory free
5.83 Gb Paging File | 5.38 Gb Available in Paging File | 92.21% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 20.47 Gb Total Space | 11.84 Gb Free Space | 57.82% Space Free | Partition Type: NTFS
Drive E: | 116.22 Gb Total Space | 100.31 Gb Free Space | 86.31% Space Free | Partition Type: NTFS
Computer Name: (Computer_Name) | User Name: (Replace_MyName) | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ========== PRC - C:\Documents and Settings\(Replace_MyName)\Desktop\Malware Tools\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe (LSI Logic Corporation)
PRC - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe ()
PRC - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe (Dell Inc.)
PRC - C:\WINDOWS\system32\logon.scr (Microsoft Corporation)
PRC - C:\WINDOWS\system32\rdpclip.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\ServerAppliance\appmgr.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\ServerAppliance\elementmgr.exe (Microsoft Corporation)
PRC - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe (Dell Inc.)
PRC - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe (Dell Inc.)
PRC - C:\WINDOWS\system32\ServerAppliance\srvcsurg.exe (Microsoft Corporation)
========== Modules (SafeList) ========== MOD - C:\Documents and Settings\(Replace_MyName)\Desktop\Malware Tools\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\winsta.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ========== SRV - (WinHttpAutoProxySvc) -- File not found
SRV - (SmcService) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe (Symantec Corporation)
SRV - (SNAC) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe (Symantec Corporation)
SRV - (SepMasterService) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe (Symantec Corporation)
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies, Inc.)
SRV - (mr2kserv) -- C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe (LSI Logic Corporation)
SRV - (Server Administrator) -- C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe ()
SRV - (omsad) -- C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe (Dell Inc.)
SRV - (Tssdis) -- C:\WINDOWS\system32\tssdis.exe (Microsoft Corporation)
SRV - (RSoPProv) -- C:\WINDOWS\system32\rsopprov.exe (Microsoft Corporation)
SRV - (Pop3Svc) -- C:\WINDOWS\system32\pop3server\POP3Svc.exe (Microsoft Corporation)
SRV - (NtFrs) -- C:\WINDOWS\system32\ntfrs.exe (Microsoft Corporation)
SRV - (LicenseService) -- C:\WINDOWS\system32\llssrv.exe (Microsoft Corporation)
SRV - (IsmServ) -- C:\WINDOWS\system32\ismserv.exe (Microsoft Corporation)
SRV - (SMTPSVC) Simple Mail Transfer Protocol (SMTP) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (IISADMIN) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (Dfs) -- C:\WINDOWS\system32\dfssvc.exe (Microsoft Corporation)
SRV - (W3SVC) -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (appmgr) -- C:\WINDOWS\system32\ServerAppliance\appmgr.exe (Microsoft Corporation)
SRV - (elementmgr) -- C:\WINDOWS\system32\ServerAppliance\elementmgr.exe (Microsoft Corporation)
SRV - (dcevt32) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe (Dell Inc.)
SRV - (dcstor32) -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe (Dell Inc.)
SRV - (TrkSvr) -- C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
SRV - (sacsvr) -- C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
SRV - (srvcsurg) -- C:\WINDOWS\system32\ServerAppliance\srvcsurg.exe (Microsoft Corporation)
========== Driver Services (SafeList) ========== DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtsp.sys (Symantec Corporation)
DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtspx.sys (Symantec Corporation)
DRV - (SymEFA) -- C:\WINDOWS\system32\Drivers\SEP\0C01029F\136B.105\x86\SYMEFA.SYS (Symantec Corporation)
DRV - (NAVEX15) -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20110516.040\NAVEX15.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20110516.040\NAVENG.SYS (Symantec Corporation)
DRV - (BHDrvx86) -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20110514.001\BHDrvx86.sys (Symantec Corporation)
DRV - (IDSxpx86) -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20110514.005\IDSXpx86.sys (Symantec Corporation)
DRV - (SymIRON) -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys (Symantec Corporation)
DRV - (SymDS) -- C:\WINDOWS\system32\Drivers\SEP\0C01029F\136B.105\x86\SYMDS.SYS (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\symtdi.sys (Symantec Corporation)
DRV - (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (l2nd) -- C:\WINDOWS\system32\drivers\bxnd52x.sys (Broadcom Corporation)
DRV - (dcdbas) -- C:\WINDOWS\system32\drivers\dcdbas32.sys (Dell Inc.)
DRV - (WLBS) -- C:\WINDOWS\system32\drivers\wlbs.sys (Microsoft Corporation)
DRV - (ClusDisk) -- C:\WINDOWS\system32\drivers\clusdisk.sys (Microsoft Corporation)
DRV - (DfsDriver) -- C:\WINDOWS\system32\drivers\Dfs.sys (Microsoft Corporation)
DRV - (BASFND) -- C:\Program Files\Broadcom\SNMP\BASFND.sys (Broadcom Corporation)
========== Standard Registry (All) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft....k/?LinkId=69157IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://ie.search.msn...st/srchcust.htmIE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
http://ie.search.msn...st/srchasst.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ========== FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\IPSFFPlgn\ [2011/07/08 23:54:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/07/08 22:33:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
[2011/07/09 10:46:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\(Replace_MyName)\Application Data\Mozilla\Extensions
[2011/07/08 22:33:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/07/08 22:33:36 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
File not found (No name found) --
[2011/06/15 21:17:34 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 01:00:00 | 000,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2010/01/01 01:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/01/01 01:00:00 | 000,001,131 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2010/01/01 01:00:00 | 000,002,364 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2010/01/01 01:00:00 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2010/01/01 01:00:00 | 000,001,096 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml
O1 HOSTS File: ([2011/07/09 11:34:10 | 000,000,723 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts:
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\IPS\IPSBHO.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
http://www.update.mi...b?1191627984843 (MUWebControl Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (%SystemRoot%\system32\logonui.exe) - C:\WINDOWS\system32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - File not found
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - dimsntfy.dll - C:\WINDOWS\System32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SEP: DllName - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll - File not found
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/10/05 14:24:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ========== [2011/07/09 11:11:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\(Replace_MyName)\Desktop\Malware Tools
[2011/07/09 10:46:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\(Replace_MyName)\Local Settings\Application Data\Mozilla
[2011/07/09 10:46:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\(Replace_MyName)\Application Data\Mozilla
[2011/07/09 10:41:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\(Replace_MyName)\Local Settings\Application Data\Symantec
[2011/07/09 10:41:09 | 000,000,000 | --SD | C] -- C:\Documents and Settings\(Replace_MyName)\Local Settings\Application Data\Microsoft
[2011/07/09 10:41:09 | 000,000,000 | --SD | C] -- C:\Documents and Settings\(Replace_MyName)\Application Data\Microsoft
[2011/07/09 10:41:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\(Replace_MyName)\SendTo
[2011/07/09 10:41:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\(Replace_MyName)\Recent
[2011/07/09 10:41:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\(Replace_MyName)\Application Data
[2011/07/09 10:41:09 | 000,000,000 | R--D | C] -- C:\Documents and Settings\(Replace_MyName)\My Documents
[2011/07/09 10:41:09 | 000,000,000 | R--D | C] -- C:\Documents and Settings\(Replace_MyName)\Favorites
[2011/07/09 10:41:09 | 000,000,000 | R--D | C] -- C:\Documents and Settings\(Replace_MyName)\Start Menu\Programs\Accessories
[2011/07/09 10:41:09 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\(Replace_MyName)\Cookies
[2011/07/09 10:41:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\(Replace_MyName)\PrintHood
[2011/07/09 10:41:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\(Replace_MyName)\NetHood
[2011/07/09 10:41:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\(Replace_MyName)\Local Settings
[2011/07/09 10:41:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\(Replace_MyName)\Application Data\Identities
[2011/07/09 10:41:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\(Replace_MyName)\Desktop
[2011/07/09 10:41:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\(Replace_MyName)\Start Menu\Programs\Startup
[2011/07/09 10:41:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\(Replace_MyName)\Start Menu
[2011/07/09 10:41:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\(Replace_MyName)\Templates
[2011/07/08 23:53:50 | 000,127,096 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2011/07/08 23:53:50 | 000,060,872 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2011/07/08 23:53:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2011/07/08 23:53:34 | 000,240,048 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\SymVPN.dll
[2011/07/08 23:53:34 | 000,094,128 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\FwsVpn.dll
[2011/07/08 23:53:34 | 000,032,208 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\WGX.SYS
[2011/07/08 23:52:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\SEP\0C01029F\136B.105\x86
[2011/07/08 23:52:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection
[2011/07/08 23:52:50 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2011/07/08 23:52:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\SEP
[2011/07/08 23:52:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\SEP\0C01029F\136B.105
[2011/07/08 23:52:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\SEP\0C01029F
[2011/07/08 23:52:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2011/07/08 22:51:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinPcap
[2011/07/08 22:51:39 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2011/07/08 22:51:17 | 000,000,000 | ---D | C] -- C:\Program Files\Wireshark
[2011/07/08 22:50:39 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/07/08 22:48:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/07/08 22:33:36 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/06/15 11:14:27 | 000,103,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mup.sys
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ========== [2011/07/09 11:34:10 | 000,000,723 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/07/09 11:09:56 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/09 10:41:26 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\(Replace_MyName)\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/07/09 10:06:18 | 183,403,263 | ---- | M] () -- C:\7-8-2-2011.pcap
[2011/07/09 05:24:26 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B8C74696-51D7-4108-AB56-0B755088C999}.job
[2011/07/08 23:53:56 | 000,605,496 | ---- | M] () -- C:\WINDOWS\System32\drivers\SEP\0C01029F\136B.105\x86\Cat.DB
[2011/07/08 23:53:50 | 000,127,096 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2011/07/08 23:53:50 | 000,060,872 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2011/07/08 23:53:50 | 000,007,510 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2011/07/08 23:53:50 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2011/07/08 23:53:34 | 000,240,048 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\SymVPN.dll
[2011/07/08 23:53:34 | 000,094,128 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\FwsVpn.dll
[2011/07/08 23:53:34 | 000,032,208 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\WGX.SYS
[2011/07/08 23:53:34 | 000,000,114 | ---- | M] () -- C:\WINDOWS\System32\drivers\SEP\0C01029F\136B.105\x86\isolate.ini
[2011/07/08 22:51:23 | 000,001,491 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Wireshark.lnk
[2011/07/08 22:44:41 | 000,489,644 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/07/08 22:44:41 | 000,086,694 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/07/08 22:33:44 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2011/07/08 22:33:38 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/07/08 22:22:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/08 22:14:16 | 000,004,087 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/07/08 21:40:13 | 000,093,480 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ========== [2011/07/09 10:41:26 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\(Replace_MyName)\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/07/09 10:41:26 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\(Replace_MyName)\Start Menu\Programs\Internet Explorer.lnk
[2011/07/09 10:41:20 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\(Replace_MyName)\Start Menu\Programs\Outlook Express.lnk
[2011/07/09 10:41:09 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\(Replace_MyName)\Start Menu\Programs\Remote Assistance.lnk
[2011/07/09 10:05:57 | 183,403,263 | ---- | C] () -- C:\7-8-2-2011.pcap
[2011/07/08 23:53:51 | 000,605,496 | ---- | C] () -- C:\WINDOWS\System32\drivers\SEP\0C01029F\136B.105\x86\Cat.DB
[2011/07/08 23:53:50 | 000,007,510 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2011/07/08 23:53:50 | 000,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2011/07/08 23:53:34 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\drivers\SEP\0C01029F\136B.105\x86\isolate.ini
[2011/07/08 22:51:23 | 000,001,497 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Wireshark.lnk
[2011/07/08 22:51:23 | 000,001,491 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Wireshark.lnk
[2011/07/08 22:33:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/07/08 22:33:38 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/07/08 22:33:38 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/07/08 12:58:31 | 000,000,438 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B8C74696-51D7-4108-AB56-0B755088C999}.job
[2010/06/25 10:03:12 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2007/11/17 18:28:09 | 000,000,015 | ---- | C] () -- C:\WINDOWS\System32\drivers\dcesmwdm.sys
[2007/10/08 20:51:56 | 000,021,792 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2007/10/08 20:51:56 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2007/10/08 20:51:53 | 000,050,666 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2007/10/08 20:51:51 | 000,010,793 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2007/10/08 20:51:49 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2007/10/08 19:39:52 | 000,061,080 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2007/10/05 14:27:49 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/10/05 14:20:59 | 000,021,160 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/10/05 06:26:58 | 000,121,995 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2007/10/05 06:24:53 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/10/05 06:24:11 | 000,093,480 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/10/05 05:56:54 | 000,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2007/10/05 05:56:54 | 000,004,725 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2007/10/05 05:56:46 | 000,489,644 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2007/10/05 05:56:46 | 000,275,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2007/10/05 05:56:46 | 000,086,694 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2007/10/05 05:56:46 | 000,029,710 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2007/10/05 05:56:44 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2007/10/05 05:56:44 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2007/10/05 05:56:34 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2007/10/05 05:56:34 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2007/10/05 05:56:34 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2007/10/05 05:56:32 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2007/10/05 05:56:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2007/10/05 05:56:12 | 000,046,907 | ---- | C] () -- C:\WINDOWS\mib.bin
[2007/10/05 05:55:40 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2007/10/05 05:55:34 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2007/10/05 05:55:10 | 000,216,006 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2007/10/05 05:54:36 | 000,005,644 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2007/10/05 05:54:24 | 000,000,041 | ---- | C] () -- C:\WINDOWS\System32\mqtgsvc.exe.cfg
========== LOP Check ========== [2011/07/08 22:50:39 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/07/08 22:50:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/07/08 22:20:51 | 000,011,612 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt
[2011/07/09 05:24:26 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{B8C74696-51D7-4108-AB56-0B755088C999}.job
========== Purity Check ========== < End of report >