Bloodhound.MalPE and Trojan.Gen [Closed]


#1
Matasovsky
Member, 128 posts
Workstation had adware pop up saying the hard drive was failing or infected, asking to use/purchase bogus software to scan and fix it.

Tried to restart under multiple logins. It gets near the end of the login process, then quits and goes back to the login window.

Had to restart in Safe Mode (with Networking) to get booted up.

Will attach the OTL.txt, Extras.txt and also the Symantec Endpoint Protection Risk Log.

OTL logfile created on: 10/13/2011 4:32:18 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.13 Mb Total Physical Memory | 603.34 Mb Available Physical Memory | 59.09% Memory free
2.40 Gb Paging File | 2.07 Gb Available in Paging File | 85.97% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 9.86 Gb Free Space | 26.47% Space Free | Partition Type: NTFS
Drive G: | 599.99 Gb Total Space | 131.98 Gb Free Space | 22.00% Space Free | Partition Type: NTFS
Drive I: | 12.00 Gb Total Space | 4.09 Gb Free Space | 34.06% Space Free | Partition Type: NTFS
Drive J: | 49.99 Gb Total Space | 1.01 Gb Free Space | 2.01% Space Free | Partition Type: NTFS
Drive P: | 39.07 Gb Total Space | 7.66 Gb Free Space | 19.62% Space Free | Partition Type: NTFS
Drive Q: | 399.99 Gb Total Space | 41.62 Gb Free Space | 10.41% Space Free | Partition Type: NTFS
Drive U: | 19.99 Gb Total Space | 9.20 Gb Free Space | 45.99% Space Free | Partition Type: NTFS
Drive W: | 4.88 Gb Total Space | 1.75 Gb Free Space | 35.85% Space Free | Partition Type: NTFS
Drive Y: | 399.99 Gb Total Space | 41.62 Gb Free Space | 10.41% Space Free | Partition Type: NTFS
Drive Z: | 399.99 Gb Total Space | 41.62 Gb Free Space | 10.41% Space Free | Partition Type: NTFS

Computer Name: IN012 | User Name: dwagner | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/13 16:30:48 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\OTL.exe
PRC - [2011/08/18 19:21:22 | 000,204,800 | ---- | M] (N-able Technologies) -- C:\Program Files\N-able Technologies\Windows Agent\bin\agent.exe
PRC - [2011/08/18 19:21:20 | 000,028,672 | ---- | M] (N-able Technologies) -- C:\Program Files\N-able Technologies\Windows Agent\bin\AgentMaint.exe
PRC - [2009/03/03 11:50:56 | 001,795,400 | -H-- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2009/03/03 11:50:56 | 001,443,144 | -H-- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2009/03/03 11:50:53 | 002,440,120 | -H-- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2008/09/11 19:47:40 | 000,108,392 | -H-- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/09 01:33:57 | 000,998,400 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\6e563a58e6fc0117070d5b8fd59e4e1b\System.Management.ni.dll
MOD - [2011/10/09 01:28:59 | 001,840,640 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\a2392c995b1bb6b63079091259222357\System.Web.Services.ni.dll
MOD - [2011/10/09 01:28:40 | 000,771,584 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b7e0214a811f81e09041864081139641\System.Runtime.Remoting.ni.dll
MOD - [2011/10/09 01:21:21 | 000,679,936 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\de9cd25ccb24bcf8a0316756e766721f\System.Security.ni.dll
MOD - [2011/10/09 01:21:12 | 005,450,752 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\10154dcad2d62f226af2fd4211460a4b\System.Xml.ni.dll
MOD - [2011/10/09 01:21:04 | 000,971,264 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\77df2cd21a5b85a1605b335aa9ad9d44\System.Configuration.ni.dll
MOD - [2011/10/09 01:21:02 | 000,212,992 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\70a1400affdc775d7c7398e036359286\System.ServiceProcess.ni.dll
MOD - [2011/10/09 01:20:44 | 007,950,848 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e6c79e1d71b0c9000afd7e5e439b5c54\System.ni.dll
MOD - [2011/10/09 01:02:21 | 011,490,816 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
MOD - [2011/04/19 15:19:40 | 000,065,536 | ---- | M] () -- C:\Program Files\N-able Technologies\Windows Agent\bin\SISRepository.dll
MOD - [2011/04/19 15:19:40 | 000,036,864 | ---- | M] () -- C:\Program Files\N-able Technologies\Windows Agent\bin\SISRepositoryCommon.dll
MOD - [2006/06/23 11:10:58 | 000,466,944 | -H-- | M] () -- C:\WINDOWS\system32\nvshell.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (Smcinst)
SRV - [2011/09/16 11:28:42 | 000,019,968 | ---- | M] () [Auto | Stopped] -- C:\Program Files\N-able Technologies\NRM\RSMWinService.exe -- (RSMWebServer)
SRV - [2011/08/18 19:21:22 | 000,204,800 | ---- | M] (N-able Technologies) [Auto | Running] -- C:\Program Files\N-able Technologies\Windows Agent\bin\agent.exe -- (Windows Agent Service)
SRV - [2011/08/18 19:21:20 | 000,028,672 | ---- | M] (N-able Technologies) [Auto | Running] -- C:\Program Files\N-able Technologies\Windows Agent\bin\AgentMaint.exe -- (Windows Agent Maintenance Service)
SRV - [2011/07/13 12:29:52 | 001,642,496 | ---- | M] (WCCS) [On_Demand | Stopped] -- C:\Program Files\N-able Technologies\NRM\UltraVNCServer\winrdp.exe -- (winrdp_service)
SRV - [2009/07/09 21:43:40 | 001,830,856 | -H-- | M] (UltraVNC) [Auto | Stopped] -- C:\Program Files\UltraVNC\WinVNC.exe -- (uvnc_service)
SRV - [2009/03/03 11:50:56 | 001,795,400 | -H-- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/03/03 11:50:55 | 000,320,840 | -H-- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2009/03/03 11:50:53 | 002,440,120 | -H-- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2008/09/11 19:47:40 | 000,108,392 | -H-- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2008/09/11 19:47:40 | 000,108,392 | -H-- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2008/08/13 16:12:08 | 000,213,504 | -H-- | M] (Numara Software, Inc.) [Auto | Stopped] -- C:\WINDOWS\TIREMOTE\TIRemoteService.exe -- (TIRmtSvc)
SRV - [2008/06/30 16:36:35 | 003,093,872 | -H-- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/01/04 18:03:34 | 000,079,360 | -H-- | M] (Autodesk) [Auto | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2007/11/14 20:49:10 | 000,660,872 | -H-- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec\Ghost\ngctw32.exe -- (NGCLIENT)
SRV - [2007/04/03 17:18:08 | 001,516,584 | -H-- | M] (Cisco Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2006/08/12 01:51:40 | 000,902,760 | -H-- | M] (Autodesk, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe -- (Autodesk Network Licensing Service)
SRV - [2006/06/23 13:39:27 | 000,172,032 | -H-- | M] (New Boundary Technologies, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2006/03/03 21:03:10 | 000,069,632 | -H-- | M] (HP) [Unknown | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2011/07/28 07:01:02 | 000,105,592 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/03/03 11:54:58 | 000,123,952 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/03/03 11:51:05 | 000,043,824 | -H-- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/03/03 11:51:04 | 000,319,664 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2009/03/03 11:51:04 | 000,279,600 | -H-- | M] (Symantec Corporation) [File_System | System | Stopped] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2008/09/11 19:47:32 | 000,420,400 | -H-- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2008/09/11 19:47:32 | 000,191,536 | -H-- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2008/09/11 19:47:32 | 000,027,696 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2008/02/29 03:13:46 | 000,028,944 | -H-- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2008/02/29 03:13:36 | 000,079,120 | -H-- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2008/02/29 03:13:24 | 000,036,880 | -H-- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/02/29 03:13:16 | 000,035,344 | -H-- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/02/29 03:12:56 | 000,063,120 | -H-- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2008/02/29 03:12:48 | 000,020,240 | -H-- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2007/08/15 08:27:18 | 000,009,600 | -H-- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\n558.sys -- (n558)
DRV - [2007/04/03 17:17:08 | 000,306,295 | -H-- | M] (Cisco Systems, Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2007/01/24 01:23:16 | 000,127,376 | -H-- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/18 15:28:02 | 000,005,275 | -H-- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/08/23 09:39:00 | 000,240,896 | -H-- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/07/20 14:37:22 | 000,035,712 | -H-- | M] (Sonic Focus, Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sfng32.sys -- (sfng32)
DRV - [2005/07/18 19:40:40 | 001,019,064 | -H-- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/04/05 12:38:32 | 000,132,352 | RH-- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/09/28 09:33:58 | 002,241,280 | -H-- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2004/08/12 18:45:52 | 000,113,664 | -H-- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2004/07/18 00:11:26 | 000,768,512 | -H-- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/01/13 00:31:37 | 001,576,312 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20111009.009\NAVEX15.SYS -- (NAVEX15)
DRV - [2004/01/13 00:31:37 | 000,374,392 | -H-- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2004/01/13 00:31:37 | 000,086,136 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20111009.009\NAVENG.SYS -- (NAVENG)
DRV - [2001/08/17 13:11:02 | 000,153,631 | -H-- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el90xnd5.sys -- (EL90X)
DRV - [2001/08/17 08:11:06 | 000,066,591 | -H-- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet:82
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://intranet:82
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)



O1 HOSTS File: ([2001/08/23 08:00:00 | 000,000,734 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [CHotkey] C:\WINDOWS\zHotkey.exe ()
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\Hdaudpropshortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [IntelAudioStudio] C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe (Intel Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [NGTray] C:\Program Files\Symantec\Ghost\ngtray.exe (Symantec Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [ShowWnd] C:\WINDOWS\ShowWnd.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] sttray.exe File not found
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe (Numara Software, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNTSecurity = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 2600 = C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\c0f3f978.com (EasyPHP)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetworkConnections = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 1 = msmsgsin.exe
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 2 = msnmsgr.exe
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O15 - HKLM\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ontent/opuc.cab (Office Update Installation Engine)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.4.1.cab (DLM Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1233852403215 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1151414561311 (MUWebControl Class)
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} http://radaol-prod-w...agi3.0.84.2.cab (UnagiAx Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupd...8044.2415393519 (Reg Error: Key error.)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn...ro.cab53083.cab (ZoneIntro Class)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_08)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.10.10.11 10.10.10.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gibraltardesign.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9B6615CE-0961-46B0-9959-37AFF6EBB151}: DhcpNameServer = 10.10.10.6 10.10.10.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C148A023-9056-47F0-898E-A633A66AC711}: DhcpNameServer = 10.10.10.11 10.10.10.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C148A023-9056-47F0-898E-A633A66AC711}: Domain = gibraltardesign.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {9EF34FF2-3396-4527-9D27-04C8C1C67806} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/12 12:17:00 | 000,000,000 | -H-D | M] - C:\Autodesk VIZ 2006 -- [ NTFS ]
O32 - AutoRun File - [2004/02/03 15:55:46 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/05/10 15:57:54 | 000,001,870 | ---- | M] () - U:\AutoCAD MEP 2010 - ARCH.lnk -- [ NTFS ]
O32 - AutoRun File - [2010/05/06 10:44:20 | 000,001,870 | ---- | M] () - U:\AutoCAD MEP 2010-ELEC.lnk -- [ NTFS ]
O32 - AutoRun File - [2010/05/06 10:47:12 | 000,001,870 | ---- | M] () - U:\AutoCAD MEP 2010-MECH.lnk -- [ NTFS ]
O32 - AutoRun File - [2010/05/06 10:48:44 | 000,001,870 | ---- | M] () - U:\AutoCAD MEP 2010-PLUM.lnk -- [ NTFS ]
O32 - AutoRun File - [2010/05/19 13:37:56 | 000,001,870 | ---- | M] () - U:\AutoCAD MEP 2010-STRC.lnk -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/13 16:30:45 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\OTL.exe
[2011/10/13 16:05:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Macromedia
[2011/10/13 16:04:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Adobe
[2011/10/13 16:04:41 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\TEMP\PrivacIE
[2011/10/13 16:04:29 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\TEMP\IETldCache
[2011/10/13 16:03:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\Symantec
[2011/10/13 16:02:55 | 000,000,000 | --SD | C] -- C:\Documents and Settings\TEMP\Application Data\Microsoft
[2011/10/13 16:02:55 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\TEMP\Start Menu\Programs\Startup
[2011/10/13 16:02:55 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\TEMP\Start Menu
[2011/10/13 16:02:55 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\TEMP\SendTo
[2011/10/13 16:02:55 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\TEMP\Recent
[2011/10/13 16:02:55 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\TEMP\My Documents\My Pictures
[2011/10/13 16:02:55 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\TEMP\My Documents\My Music
[2011/10/13 16:02:55 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\TEMP\My Documents
[2011/10/13 16:02:55 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\TEMP\Favorites
[2011/10/13 16:02:55 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\TEMP\Application Data
[2011/10/13 16:02:55 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\TEMP\Start Menu\Programs\Accessories
[2011/10/13 16:02:55 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\TEMP\Cookies
[2011/10/13 16:02:55 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\TEMP\Templates
[2011/10/13 16:02:55 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\TEMP\PrintHood
[2011/10/13 16:02:55 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\TEMP\NetHood
[2011/10/13 16:02:55 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\TEMP\My Documents\My Received Files
[2011/10/13 16:02:55 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft
[2011/10/13 16:02:55 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\TEMP\Local Settings
[2011/10/13 16:02:55 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\TEMP\Application Data\Identities
[2011/10/13 16:02:55 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\TEMP\Desktop
[2011/10/13 14:27:38 | 000,496,640 | -HS- | C] ( ) -- C:\Documents and Settings\All Users\Application Data\DNQjcPtFlY.exe
[2011/10/13 14:18:02 | 000,000,000 | ---D | C] -- C:\Program Files\IIS Express
[2011/10/11 05:55:06 | 000,460,288 | -HS- | C] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\dEaYgfJuMxVqq.exe
[2011/10/10 12:30:57 | 000,458,240 | -HS- | C] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\ojjxXPniykJvb.exe
[2011/10/10 07:53:24 | 000,345,600 | -H-- | C] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
[2011/10/10 07:49:55 | 000,453,120 | -HS- | C] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\nTEtPClXirMXi.exe
[2011/10/10 07:48:48 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Local Settings
[2011/10/07 08:28:15 | 000,000,000 | -H-D | C] -- C:\Program Files\UltraVNC
[2011/10/05 09:29:23 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/10/05 09:29:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/10/05 09:29:19 | 000,022,216 | -H-- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/10/05 09:29:18 | 000,000,000 | -H-D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2004/07/18 01:55:20 | 000,135,168 | -H-- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/13 16:30:48 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\OTL.exe
[2011/10/13 16:02:58 | 000,013,420 | RHS- | M] () -- C:\Documents and Settings\TEMP\ntuser.pol
[2011/10/13 15:08:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/13 14:27:08 | 000,496,640 | -HS- | M] ( ) -- C:\Documents and Settings\All Users\Application Data\DNQjcPtFlY.exe
[2011/10/13 14:25:47 | 000,014,874 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2011/10/13 14:15:26 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/13 14:14:35 | 000,000,012 | ---- | M] () -- C:\WINDOWS\bthservsdp.dat
[2011/10/12 15:25:48 | 000,001,643 | -H-- | M] () -- C:\WINDOWS\System32\InstallUtil.InstallLog
[2011/10/11 05:54:20 | 000,460,288 | -HS- | M] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\dEaYgfJuMxVqq.exe
[2011/10/11 00:57:16 | 000,458,240 | -HS- | M] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\ojjxXPniykJvb.exe
[2011/10/10 08:02:17 | 000,000,296 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
[2011/10/10 08:02:17 | 000,000,200 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
[2011/10/10 08:02:09 | 000,000,336 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
[2011/10/10 08:00:00 | 000,043,805 | -H-- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/10/10 07:53:24 | 000,345,600 | -H-- | M] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
[2011/10/10 07:49:10 | 000,453,120 | -HS- | M] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\nTEtPClXirMXi.exe
[2011/10/10 07:39:23 | 000,534,538 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/10/10 07:39:23 | 000,099,988 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/10/09 01:15:54 | 000,001,374 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[2011/10/08 03:00:00 | 000,000,278 | -H-- | M] () -- C:\WINDOWS\tasks\defrag.job
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/13 16:02:57 | 000,013,420 | RHS- | C] () -- C:\Documents and Settings\TEMP\ntuser.pol
[2011/10/13 16:02:56 | 000,002,605 | -H-- | C] () -- C:\Documents and Settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook 2003.lnk
[2011/10/13 16:02:56 | 000,002,587 | -H-- | C] () -- C:\Documents and Settings\TEMP\Desktop\Microsoft Office Outlook 2003.lnk
[2011/10/13 16:02:56 | 000,000,804 | -H-- | C] () -- C:\Documents and Settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/10/13 16:02:56 | 000,000,779 | -H-- | C] () -- C:\Documents and Settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/10/13 16:02:56 | 000,000,079 | -H-- | C] () -- C:\Documents and Settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/10/13 16:02:55 | 000,001,599 | -H-- | C] () -- C:\Documents and Settings\TEMP\Start Menu\Programs\Remote Assistance.lnk
[2011/10/13 16:02:55 | 000,000,767 | -H-- | C] () -- C:\Documents and Settings\TEMP\Start Menu\Programs\Internet Explorer.lnk
[2011/10/13 16:02:55 | 000,000,738 | -H-- | C] () -- C:\Documents and Settings\TEMP\Start Menu\Programs\Outlook Express.lnk
[2011/10/10 08:02:17 | 000,000,296 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
[2011/10/10 08:02:17 | 000,000,200 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
[2011/10/10 08:02:09 | 000,000,336 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
[2011/10/10 07:59:50 | 000,000,718 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\ATT.exe.lnk
[2009/04/24 12:13:58 | 000,110,413 | -H-- | C] () -- C:\WINDOWS\hpoins11.dat
[2009/04/24 12:13:24 | 000,077,824 | -H-- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2009/04/24 12:13:10 | 000,006,947 | -H-- | C] () -- C:\WINDOWS\hpomdl11.dat
[2009/03/03 10:04:37 | 000,029,744 | -H-- | C] () -- C:\WINDOWS\System32\InstHelper.dll
[2009/03/03 10:03:45 | 000,197,672 | -H-- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2009/03/03 10:03:44 | 000,193,576 | -H-- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2009/03/02 18:21:54 | 000,000,012 | ---- | C] () -- C:\WINDOWS\bthservsdp.dat
[2008/04/30 10:50:09 | 000,094,208 | -H-- | C] () -- C:\WINDOWS\TIRHService.exe
[2008/04/12 11:30:51 | 000,000,028 | -H-- | C] () -- C:\WINDOWS\pdf995.ini
[2008/04/09 09:32:23 | 000,045,056 | -H-- | C] () -- C:\WINDOWS\System32\KmRemove.exe
[2008/04/07 07:29:55 | 000,051,716 | -H-- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2008/04/07 07:29:55 | 000,000,059 | -H-- | C] () -- C:\WINDOWS\wpd99.drv
[2008/03/05 17:06:54 | 000,000,768 | -H-- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2008/01/04 18:03:05 | 000,000,231 | -H-- | C] () -- C:\WINDOWS\System32\3dsviz.ini
[2008/01/04 18:03:04 | 000,000,043 | -H-- | C] () -- C:\WINDOWS\System32\InstallSettings.ini
[2007/08/15 08:27:18 | 000,009,600 | -H-- | C] () -- C:\WINDOWS\System32\drivers\n558.sys
[2007/01/22 07:24:38 | 000,001,324 | -H-- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2006/08/10 12:46:37 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\mtstack16.INI
[2006/07/07 06:58:45 | 000,000,044 | -H-- | C] () -- C:\WINDOWS\STRATIS.INI
[2006/06/28 11:07:11 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/06/23 13:39:28 | 000,543,232 | -H-- | C] () -- C:\WINDOWS\zHotkey.exe
[2006/06/23 13:39:28 | 000,532,544 | -H-- | C] () -- C:\WINDOWS\PIC.dll
[2006/06/23 13:39:28 | 000,036,864 | -H-- | C] () -- C:\WINDOWS\ShowWnd.exe
[2006/06/23 13:39:28 | 000,024,576 | -H-- | C] () -- C:\WINDOWS\HKNTDLL.dll
[2006/06/23 11:10:58 | 001,662,976 | -H-- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/06/23 11:10:58 | 001,519,616 | -H-- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/06/23 11:10:58 | 001,466,368 | -H-- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/06/23 11:10:58 | 001,339,392 | -H-- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/06/23 11:10:58 | 001,019,904 | -H-- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/06/23 11:10:58 | 000,466,944 | -H-- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/06/23 11:10:58 | 000,442,368 | -H-- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/06/23 11:10:58 | 000,110,592 | -H-- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/09/14 14:47:41 | 000,192,512 | -H-- | C] () -- C:\WINDOWS\System32\RTCOMDLL.dll
[2005/09/14 14:47:40 | 000,156,160 | -H-- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2004/08/04 03:56:57 | 000,538,624 | ---- | C] () -- C:\WINDOWS\System32\spider.exe
[2004/07/18 00:07:42 | 000,086,016 | -H-- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2004/07/18 00:06:20 | 000,389,120 | -H-- | C] () -- C:\WINDOWS\System32\ati2evxx.exe
[2004/02/27 10:01:14 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/02/05 11:04:43 | 000,000,061 | -H-- | C] () -- C:\WINDOWS\smscfg.ini
[2004/02/04 14:49:48 | 000,000,376 | -H-- | C] () -- C:\WINDOWS\ODBC.INI
[2004/02/03 15:57:53 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/02/03 15:52:33 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/02/03 15:51:24 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\sol.exe
[2004/02/03 15:51:23 | 000,119,808 | ---- | C] () -- C:\WINDOWS\System32\winmine.exe
[2004/02/03 15:51:23 | 000,055,296 | ---- | C] () -- C:\WINDOWS\System32\freecell.exe
[2004/02/03 10:36:40 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/02/03 10:35:43 | 000,304,416 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/01/07 16:05:08 | 000,002,695 | -H-- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 08:00:00 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 08:00:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 08:00:00 | 000,534,538 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 08:00:00 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 08:00:00 | 000,099,988 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 08:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,004,463 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 08:00:00 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2009/02/12 12:22:32 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2007/06/27 09:26:38 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
[2009/02/05 11:19:16 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2009/03/04 10:51:41 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2011/10/08 03:00:00 | 000,000,278 | -H-- | M] () -- C:\WINDOWS\Tasks\defrag.job

========== Purity Check ==========



< End of report >
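
What a helper reads out of the listing above by eye, as an added example in Python that is neither part of this post nor OTL's own code: the three hidden files with random names created in All Users\Application Data on 10 October, the ATT.exe.lnk placed on the shared desktop, and, in the second OTL run later in the thread, the autoruns that point into a profile root or Temp and the policy that disables Task Manager. The script parses the two OTL line shapes involved (file entries and O4/O6/O7 autorun or policy entries) and flags those patterns. The 30-day window, the list of user-writable folders, the policy names and the random-name heuristic are this example's assumptions; the sample lines are copied from the logs in this thread, with benign entries added as controls.

```python
"""Triage helper for the OTL line shapes quoted in this thread. Added example, not
OTL's own code; the thresholds and path heuristics below are assumptions."""
import re
from datetime import datetime, timedelta

FILE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2}) \d{2}:\d{2}:\d{2} \| [\d,]+ \| ([-A-Z]{4}) \| [CM]\]"
    r"(?: \([^)]*\))? -- (.+?)(?: -- \[ NTFS \])?$")
AUTORUN_RE = re.compile(r"^O[467] - (.+?): (?:\[([^\]]+)\] |(\S+) = )(.+)$")
DATA_DIRS = ("\\application data\\", "\\temp\\", "\\locals~1\\", "\\all users\\desktop\\")
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions", "NoNTSecurity"}


def looks_random(filename):
    """Names like 6DSS92c31Apgjk or c0f3f978: alphanumeric stem of 8+ chars in
    which letters and digits alternate at least three times (heuristic)."""
    stem = filename.lstrip("~").rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalnum():
        return False
    return sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:])) >= 3


def in_profile_root(path):
    """File sitting directly in C:\\Documents and Settings\\<user>\\ (XP layout)."""
    parts = path.lower().split("\\")
    return len(parts) == 4 and parts[1] == "documents and settings"


def triage_file(line, scan_date, window_days=30):
    """Classify one OTL file entry; None for any other line."""
    m = FILE_RE.match(line)
    if not m:
        return None
    date, attrs, path = m.groups()
    low, reasons = path.lower(), []
    if scan_date - datetime.strptime(date, "%Y/%m/%d") <= timedelta(days=window_days):
        reasons.append("recent")
    if any(d in low for d in DATA_DIRS):
        reasons.append("data-dir")
    if looks_random(path.rsplit("\\", 1)[-1]):
        reasons.append("random-name")
    if low.endswith(".lnk") and "\\all users\\desktop\\" in low:
        reasons.append("shared-desktop-shortcut")
    bad = {"recent", "data-dir"} <= set(reasons) and (
        "random-name" in reasons or "shared-desktop-shortcut" in reasons)
    return {"kind": "file", "target": path, "hidden": "H" in attrs,
            "reasons": reasons, "severity": "high" if bad else "none"}


def triage_autorun(line):
    """Classify one O4/O6/O7 entry; None for any other line."""
    m = AUTORUN_RE.match(line)
    if not m:
        return None
    key, bracket_name, eq_name, value = m.groups()
    name, reasons, target = bracket_name or eq_name, [], value
    if key.rsplit("\\", 1)[-1] in ("Run", "RunOnce"):
        # Strip OTL's trailing "(Company)" or "File not found" annotation.
        target = re.sub(r"\s+(?:File not found|\([^()]*\))$", "", value)
        low = target.lower()
        if value.endswith("File not found"):
            reasons.append("orphaned")
        if any(d in low for d in DATA_DIRS) or in_profile_root(target):
            reasons.append("runs-from-user-writable-dir")
        if looks_random(target.rsplit("\\", 1)[-1]):
            reasons.append("random-name")
    elif name in LOCKOUT_POLICIES and value.strip() == "1":
        reasons.append("lockout-policy")  # verify against GPO on a domain member
    severity = ("high" if "runs-from-user-writable-dir" in reasons
                else "review" if reasons else "none")
    return {"kind": "autorun", "name": name, "target": target,
            "reasons": reasons, "severity": severity}


def triage_log(lines, scan_date, window_days=30):
    """Returns (findings, share of file entries carrying the H attribute)."""
    findings, hidden, total = [], 0, 0
    for raw in lines:
        f = triage_file(raw.strip(), scan_date, window_days) or triage_autorun(raw.strip())
        if f and f["kind"] == "file":
            total += 1
            hidden += f["hidden"]
        if f and f["severity"] != "none":
            findings.append(f)
    return findings, (hidden / total if total else 0.0)


SCAN_DATE = datetime(2011, 10, 13)  # date of the first OTL run in this thread
# Constructed input: lines copied from the OTL logs in this thread plus benign controls.
SAMPLE = r"""
[2011/10/10 08:02:17 | 000,000,296 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
[2011/10/10 07:59:50 | 000,000,718 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\ATT.exe.lnk
[2004/08/04 03:56:57 | 000,538,624 | ---- | C] () -- C:\WINDOWS\System32\spider.exe
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] sttray.exe File not found
O4 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111..\Run: [wuaucldt] c:\documents and settings\dwagner\wuaucldt.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 2600 = C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\c0f3f978.com (EasyPHP)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
""".strip().splitlines()
```

Run it over a saved OTL.txt with triage_log(open("OTL.txt").read().splitlines(), SCAN_DATE) and the date of that scan. Besides the findings it returns the share of file entries carrying the H attribute; in the listing above that share is close to 1.0 even for files in C:\WINDOWS\System32 that carry no Hidden attribute on a stock install, which is the mass +H these rogues apply and the reason the helper's first instruction is UnHide.exe. Check a policy hit against what Group Policy pushes on a domain member like this one (Domain = gibraltardesign.local in the second log) before blaming the rogue, and treat every finding as a prompt for a human look rather than a verdict.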

#2 SweetTech (Retired Staff)

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short); it's a pleasure to meet you.

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs, which, paired with the never-ending shortage of helpers, has resulted in the delayed response to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is that these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Please download UnHide.exe by Grinler.

It will unhide folders/files that were set to be hidden by the infection you had.

NEXT:

Re-Running OTL

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

NEXT:

What issues are you currently experiencing with your computer?

#3 Matasovsky (Topic Starter)

Replying to keep topic open. Just got back from vacation after being gone 4 days.

#4 Matasovsky (Topic Starter)

Will review and follow instructions and respond today.

#5 Matasovsky (Topic Starter)

Post deleted. :)

Edited by Matasovsky, 24 October 2011 - 09:56 AM.


#6 SweetTech (Retired Staff)

Okay, I'll await your next reply with the results of the scans.

#7 Matasovsky (Topic Starter)

OTL logfile created on: 10/24/2011 1:45:05 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\dwagner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.13 Mb Total Physical Memory | 365.10 Mb Available Physical Memory | 35.75% Memory free
2.40 Gb Paging File | 1.91 Gb Available in Paging File | 79.64% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 9.62 Gb Free Space | 25.80% Space Free | Partition Type: NTFS
Drive G: | 599.99 Gb Total Space | 131.98 Gb Free Space | 22.00% Space Free | Partition Type: NTFS
Drive I: | 12.00 Gb Total Space | 4.09 Gb Free Space | 34.06% Space Free | Partition Type: NTFS
Drive J: | 49.99 Gb Total Space | 0.15 Gb Free Space | 0.30% Space Free | Partition Type: NTFS
Drive P: | 39.07 Gb Total Space | 7.63 Gb Free Space | 19.54% Space Free | Partition Type: NTFS
Drive Q: | 399.99 Gb Total Space | 35.80 Gb Free Space | 8.95% Space Free | Partition Type: NTFS
Drive U: | 19.99 Gb Total Space | 9.20 Gb Free Space | 45.99% Space Free | Partition Type: NTFS
Drive W: | 4.88 Gb Total Space | 1.75 Gb Free Space | 35.85% Space Free | Partition Type: NTFS
Drive Y: | 399.99 Gb Total Space | 35.80 Gb Free Space | 8.95% Space Free | Partition Type: NTFS
Drive Z: | 399.99 Gb Total Space | 35.80 Gb Free Space | 8.95% Space Free | Partition Type: NTFS

Computer Name: IN012 | User Name: dwagner | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/24 13:44:11 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\dwagner\Desktop\OTL.exe
PRC - [2011/08/18 19:21:22 | 000,204,800 | ---- | M] (N-able Technologies) -- C:\Program Files\N-able Technologies\Windows Agent\bin\agent.exe
PRC - [2011/08/18 19:21:20 | 000,028,672 | ---- | M] (N-able Technologies) -- C:\Program Files\N-able Technologies\Windows Agent\bin\AgentMaint.exe
PRC - [2009/03/03 11:50:56 | 001,795,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2009/03/03 11:50:56 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2009/03/03 11:50:53 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2008/09/11 19:47:40 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/09 01:33:57 | 000,998,400 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\6e563a58e6fc0117070d5b8fd59e4e1b\System.Management.ni.dll
MOD - [2011/10/09 01:28:59 | 001,840,640 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\a2392c995b1bb6b63079091259222357\System.Web.Services.ni.dll
MOD - [2011/10/09 01:28:40 | 000,771,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b7e0214a811f81e09041864081139641\System.Runtime.Remoting.ni.dll
MOD - [2011/10/09 01:21:21 | 000,679,936 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\de9cd25ccb24bcf8a0316756e766721f\System.Security.ni.dll
MOD - [2011/10/09 01:21:12 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\10154dcad2d62f226af2fd4211460a4b\System.Xml.ni.dll
MOD - [2011/10/09 01:21:04 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\77df2cd21a5b85a1605b335aa9ad9d44\System.Configuration.ni.dll
MOD - [2011/10/09 01:21:02 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\70a1400affdc775d7c7398e036359286\System.ServiceProcess.ni.dll
MOD - [2011/10/09 01:20:44 | 007,950,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e6c79e1d71b0c9000afd7e5e439b5c54\System.ni.dll
MOD - [2011/10/09 01:02:21 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
MOD - [2011/04/19 15:19:40 | 000,065,536 | ---- | M] () -- C:\Program Files\N-able Technologies\Windows Agent\bin\SISRepository.dll
MOD - [2011/04/19 15:19:40 | 000,036,864 | ---- | M] () -- C:\Program Files\N-able Technologies\Windows Agent\bin\SISRepositoryCommon.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (Smcinst)
SRV - [2011/09/16 11:28:42 | 000,019,968 | ---- | M] () [Auto | Stopped] -- C:\Program Files\N-able Technologies\NRM\RSMWinService.exe -- (RSMWebServer)
SRV - [2011/08/18 19:21:22 | 000,204,800 | ---- | M] (N-able Technologies) [Auto | Running] -- C:\Program Files\N-able Technologies\Windows Agent\bin\agent.exe -- (Windows Agent Service)
SRV - [2011/08/18 19:21:20 | 000,028,672 | ---- | M] (N-able Technologies) [Auto | Running] -- C:\Program Files\N-able Technologies\Windows Agent\bin\AgentMaint.exe -- (Windows Agent Maintenance Service)
SRV - [2011/07/13 12:29:52 | 001,642,496 | ---- | M] (WCCS) [On_Demand | Stopped] -- C:\Program Files\N-able Technologies\NRM\UltraVNCServer\winrdp.exe -- (winrdp_service)
SRV - [2009/07/09 21:43:40 | 001,830,856 | ---- | M] (UltraVNC) [Auto | Stopped] -- C:\Program Files\UltraVNC\WinVNC.exe -- (uvnc_service)
SRV - [2009/03/03 11:50:56 | 001,795,400 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/03/03 11:50:55 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2009/03/03 11:50:53 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2008/09/11 19:47:40 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2008/09/11 19:47:40 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2008/08/13 16:12:08 | 000,213,504 | ---- | M] (Numara Software, Inc.) [Auto | Stopped] -- C:\WINDOWS\TIREMOTE\TIRemoteService.exe -- (TIRmtSvc)
SRV - [2008/06/30 16:36:35 | 003,093,872 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/01/04 18:03:34 | 000,079,360 | ---- | M] (Autodesk) [Auto | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2007/11/14 20:49:10 | 000,660,872 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec\Ghost\ngctw32.exe -- (NGCLIENT)
SRV - [2007/04/03 17:18:08 | 001,516,584 | ---- | M] (Cisco Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2006/08/12 01:51:40 | 000,902,760 | ---- | M] (Autodesk, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe -- (Autodesk Network Licensing Service)
SRV - [2006/06/23 13:39:27 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2011/10/24 11:59:05 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20111023.005\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/10/24 11:59:05 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/10/24 11:59:05 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20111023.005\NAVENG.SYS -- (NAVENG)
DRV - [2011/07/28 07:01:02 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/03/03 11:54:58 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/03/03 11:51:05 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/03/03 11:51:04 | 000,319,664 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2009/03/03 11:51:04 | 000,279,600 | ---- | M] (Symantec Corporation) [File_System | System | Stopped] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2008/09/11 19:47:32 | 000,420,400 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2008/09/11 19:47:32 | 000,191,536 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2008/09/11 19:47:32 | 000,027,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2008/02/29 03:13:46 | 000,028,944 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2008/02/29 03:13:36 | 000,079,120 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2008/02/29 03:13:24 | 000,036,880 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/02/29 03:13:16 | 000,035,344 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/02/29 03:12:56 | 000,063,120 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2008/02/29 03:12:48 | 000,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2007/08/15 08:27:18 | 000,009,600 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\n558.sys -- (n558)
DRV - [2007/04/03 17:17:08 | 000,306,295 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2007/01/24 01:23:16 | 000,127,376 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/18 15:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/08/23 09:39:00 | 000,240,896 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/07/20 14:37:22 | 000,035,712 | ---- | M] (Sonic Focus, Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sfng32.sys -- (sfng32)
DRV - [2005/07/18 19:40:40 | 001,019,064 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/04/05 12:38:32 | 000,132,352 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/09/28 09:33:58 | 002,241,280 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2004/08/12 18:45:52 | 000,113,664 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2004/07/18 00:11:26 | 000,768,512 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2001/08/17 13:11:02 | 000,153,631 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el90xnd5.sys -- (EL90X)
DRV - [2001/08/17 08:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.10.10.5:8080

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.10.10.5:8080

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet:82
IE - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://intranet:82
IE - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.10.10.5:8080

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll File not found
FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.9.8: C:\Documents and Settings\dwagner\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll File not found



O1 HOSTS File: ([2001/08/23 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\Hdaudpropshortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [IntelAudioStudio] C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe (Intel Corporation)
O4 - HKLM..\Run: [NGTray] C:\Program Files\Symantec\Ghost\ngtray.exe (Symantec Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [ShowWnd] C:\WINDOWS\ShowWnd.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] sttray.exe File not found
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe (Numara Software, Inc.)
O4 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe File not found
O4 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111..\Run: [wuaucldt] c:\documents and settings\dwagner\wuaucldt.exe File not found
O4 - HKU\.DEFAULT..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNTSecurity = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 2600 = C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\c0f3f978.com (EasyPHP)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetworkConnections = 1
O7 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1
O7 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 1 = msmsgsin.exe
O7 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 2 = msnmsgr.exe
O7 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O15 - HKLM\..Trusted Domains: aol.com ([free] http in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: aol.com ([free] http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: aol.com ([free] http in Trusted sites)
O15 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ontent/opuc.cab (Office Update Installation Engine)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.4.1.cab (DLM Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1233852403215 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1151414561311 (MUWebControl Class)
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} http://radaol-prod-w...agi3.0.84.2.cab (UnagiAx Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupd...8044.2415393519 (Reg Error: Key error.)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn...ro.cab53083.cab (ZoneIntro Class)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_08)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.10.10.11 10.10.10.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gibraltardesign.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9B6615CE-0961-46B0-9959-37AFF6EBB151}: DhcpNameServer = 10.10.10.6 10.10.10.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C148A023-9056-47F0-898E-A633A66AC711}: DhcpNameServer = 10.10.10.11 10.10.10.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C148A023-9056-47F0-898E-A633A66AC711}: Domain = gibraltardesign.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\dwagner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\dwagner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {9EF34FF2-3396-4527-9D27-04C8C1C67806} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/12 12:17:00 | 000,000,000 | ---D | M] - C:\Autodesk VIZ 2006 -- [ NTFS ]
O32 - AutoRun File - [2004/02/03 15:55:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/05/10 15:57:54 | 000,001,870 | ---- | M] () - U:\AutoCAD MEP 2010 - ARCH.lnk -- [ NTFS ]
O32 - AutoRun File - [2010/05/06 10:44:20 | 000,001,870 | ---- | M] () - U:\AutoCAD MEP 2010-ELEC.lnk -- [ NTFS ]
O32 - AutoRun File - [2010/05/06 10:47:12 | 000,001,870 | ---- | M] () - U:\AutoCAD MEP 2010-MECH.lnk -- [ NTFS ]
O32 - AutoRun File - [2010/05/06 10:48:44 | 000,001,870 | ---- | M] () - U:\AutoCAD MEP 2010-PLUM.lnk -- [ NTFS ]
O32 - AutoRun File - [2010/05/19 13:37:56 | 000,001,870 | ---- | M] () - U:\AutoCAD MEP 2010-STRC.lnk -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/24 13:44:02 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\dwagner\Desktop\OTL.exe
[2011/10/18 11:57:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Temp
[2011/10/18 11:57:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2011/10/18 11:51:50 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/10/18 11:51:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/10/18 11:50:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2011/10/13 14:27:38 | 000,496,640 | -HS- | C] ( ) -- C:\Documents and Settings\All Users\Application Data\DNQjcPtFlY.exe
[2011/10/13 14:19:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\dwagner\Recent
[2011/10/13 14:18:02 | 000,000,000 | ---D | C] -- C:\Program Files\IIS Express
[2011/10/11 08:00:14 | 000,025,088 | ---- | C] (EasyPHP) -- C:\Documents and Settings\dwagner\Application Data\KB634133.exe
[2011/10/11 05:55:06 | 000,460,288 | -HS- | C] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\dEaYgfJuMxVqq.exe
[2011/10/10 12:30:57 | 000,458,240 | -HS- | C] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\ojjxXPniykJvb.exe
[2011/10/10 08:02:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dwagner\Start Menu\Programs\System Restore
[2011/10/10 07:53:24 | 000,345,600 | ---- | C] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
[2011/10/10 07:49:55 | 000,453,120 | -HS- | C] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\nTEtPClXirMXi.exe
[2011/10/10 07:48:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Local Settings
[2011/10/10 07:48:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dwagner\Application Data\Sun
[2011/10/07 08:28:15 | 000,000,000 | ---D | C] -- C:\Program Files\UltraVNC
[2011/10/05 09:29:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dwagner\Application Data\Malwarebytes
[2011/10/05 09:29:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/10/05 09:29:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/10/05 09:29:19 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/10/05 09:29:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/10/04 17:46:24 | 000,139,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpwd.sys
[2011/10/04 17:46:08 | 000,010,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndistapi.sys
[2004/07/18 01:55:20 | 000,135,168 | ---- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Documents and Settings\dwagner\My Documents\*.tmp files -> C:\Documents and Settings\dwagner\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/24 13:44:11 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\dwagner\Desktop\OTL.exe
[2011/10/24 11:56:43 | 000,684,297 | ---- | M] () -- C:\Documents and Settings\dwagner\Desktop\unhide.exe
[2011/10/19 15:33:15 | 000,013,420 | RHS- | M] () -- C:\Documents and Settings\dwagner\ntuser.pol
[2011/10/19 15:10:01 | 000,014,700 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2011/10/19 15:09:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/19 15:08:33 | 000,000,012 | ---- | M] () -- C:\WINDOWS\bthservsdp.dat
[2011/10/19 15:06:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/10/19 12:06:01 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/10/19 06:56:50 | 000,002,622 | ---- | M] () -- C:\Documents and Settings\dwagner\Desktop\Microsoft Outlook 2003.lnk
[2011/10/18 12:42:22 | 1090,995,200 | ---- | M] () -- C:\Documents and Settings\dwagner\My Documents\archive.pst
[2011/10/18 11:57:19 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/18 11:51:50 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/10/15 11:21:20 | 000,000,506 | ---- | M] () -- C:\Documents and Settings\dwagner\Desktop\Shortcut to 11-417 VU Morris Hall Renovation.lnk
[2011/10/14 09:07:36 | 1090,995,200 | ---- | M] () -- C:\Documents and Settings\dwagner\My Documents\archive_mm.pst
[2011/10/13 14:27:08 | 000,496,640 | -HS- | M] ( ) -- C:\Documents and Settings\All Users\Application Data\DNQjcPtFlY.exe
[2011/10/12 15:25:48 | 000,001,643 | ---- | M] () -- C:\WINDOWS\System32\InstallUtil.InstallLog
[2011/10/11 08:47:55 | 000,025,088 | ---- | M] (EasyPHP) -- C:\Documents and Settings\dwagner\Application Data\KB634133.exe
[2011/10/11 05:54:20 | 000,460,288 | -HS- | M] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\dEaYgfJuMxVqq.exe
[2011/10/11 00:57:16 | 000,458,240 | -HS- | M] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\ojjxXPniykJvb.exe
[2011/10/10 08:02:17 | 000,000,857 | ---- | M] () -- C:\Documents and Settings\dwagner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Restore.lnk
[2011/10/10 08:02:17 | 000,000,296 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
[2011/10/10 08:02:17 | 000,000,200 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
[2011/10/10 08:02:16 | 000,000,839 | ---- | M] () -- C:\Documents and Settings\dwagner\Desktop\System Restore.lnk
[2011/10/10 08:02:09 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
[2011/10/10 08:00:00 | 000,043,805 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/10/10 07:53:24 | 000,345,600 | ---- | M] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
[2011/10/10 07:49:10 | 000,453,120 | -HS- | M] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\nTEtPClXirMXi.exe
[2011/10/10 07:39:26 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\dwagner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/10/10 07:39:23 | 000,534,538 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/10/10 07:39:23 | 000,099,988 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/10/08 03:00:00 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\defrag.job
[2011/10/05 09:29:23 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/10/05 08:13:27 | 003,433,472 | ---- | M] () -- C:\Documents and Settings\dwagner\Desktop\FW meet the class of 2015 Research.msg
[2011/10/03 08:05:06 | 000,000,762 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ATT.exe.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Documents and Settings\dwagner\My Documents\*.tmp files -> C:\Documents and Settings\dwagner\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/24 12:12:31 | 000,002,497 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office Word 2003.lnk
[2011/10/24 12:12:31 | 000,002,483 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office PowerPoint 2003.lnk
[2011/10/24 12:12:31 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/10/24 12:12:31 | 000,000,972 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Excel.lnk
[2011/10/24 12:12:31 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/10/24 12:12:31 | 000,000,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
[2011/10/24 12:12:24 | 000,001,762 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
[2011/10/24 12:12:24 | 000,001,518 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2011/10/24 12:12:23 | 000,002,209 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft ActiveSync.lnk
[2011/10/24 12:12:23 | 000,001,844 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN Explorer.lnk
[2011/10/24 12:12:23 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2011/10/24 12:12:23 | 000,000,769 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2011/10/24 11:55:00 | 000,684,297 | ---- | C] () -- C:\Documents and Settings\dwagner\Desktop\unhide.exe
[2011/10/18 12:01:52 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/10/18 11:59:33 | 000,000,506 | ---- | C] () -- C:\Documents and Settings\dwagner\Desktop\Shortcut to 11-417 VU Morris Hall Renovation.lnk
[2011/10/18 11:51:50 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/10/18 11:51:30 | 000,000,884 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/10/14 11:08:29 | 1090,995,200 | ---- | C] () -- C:\Documents and Settings\dwagner\My Documents\archive_mm.pst
[2011/10/10 08:02:17 | 000,000,857 | ---- | C] () -- C:\Documents and Settings\dwagner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Restore.lnk
[2011/10/10 08:02:17 | 000,000,296 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
[2011/10/10 08:02:17 | 000,000,200 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
[2011/10/10 08:02:16 | 000,000,839 | ---- | C] () -- C:\Documents and Settings\dwagner\Desktop\System Restore.lnk
[2011/10/10 08:02:09 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
[2011/10/10 07:59:50 | 000,000,762 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ATT.exe.lnk
[2011/10/10 07:58:42 | 000,002,209 | R--- | C] () -- C:\Documents and Settings\dwagner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Outlook Express.lnk
[2011/10/10 07:58:42 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\dwagner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/10/10 07:58:42 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\dwagner\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/10/10 07:58:42 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\dwagner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/10/10 07:58:42 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\dwagner\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/10/05 08:13:27 | 003,433,472 | ---- | C] () -- C:\Documents and Settings\dwagner\Desktop\FW meet the class of 2015 Research.msg
[2011/09/27 13:49:59 | 000,000,531 | ---- | C] () -- C:\Documents and Settings\dwagner\Desktop\Shortcut to 09-452 Gary Locke ES Renov & Rel Work.lnk
[2011/05/30 11:46:13 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\dwagner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/27 08:48:30 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\dwagner\Application Data\$_hpcst$.hpc
[2009/04/24 12:13:58 | 000,110,413 | ---- | C] () -- C:\WINDOWS\hpoins11.dat
[2009/04/24 12:13:24 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2009/04/24 12:13:10 | 000,006,947 | ---- | C] () -- C:\WINDOWS\hpomdl11.dat
[2009/03/03 10:04:37 | 000,029,744 | ---- | C] () -- C:\WINDOWS\System32\InstHelper.dll
[2009/03/03 10:03:45 | 000,197,672 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2009/03/03 10:03:44 | 000,193,576 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2009/03/02 18:21:54 | 000,000,012 | ---- | C] () -- C:\WINDOWS\bthservsdp.dat
[2008/04/30 10:50:09 | 000,094,208 | ---- | C] () -- C:\WINDOWS\TIRHService.exe
[2008/04/12 11:30:51 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2008/04/09 09:32:23 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\KmRemove.exe
[2008/04/07 07:29:55 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2008/04/07 07:29:55 | 000,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2008/03/05 17:06:54 | 000,000,768 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2008/01/04 18:03:05 | 000,000,231 | ---- | C] () -- C:\WINDOWS\System32\3dsviz.ini
[2008/01/04 18:03:04 | 000,000,043 | ---- | C] () -- C:\WINDOWS\System32\InstallSettings.ini
[2007/08/15 08:27:18 | 000,009,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\n558.sys
[2007/01/22 07:24:38 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2006/08/10 12:46:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mtstack16.INI
[2006/07/07 06:58:45 | 000,000,044 | ---- | C] () -- C:\WINDOWS\STRATIS.INI
[2006/06/28 11:07:11 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/06/23 13:39:28 | 000,543,232 | ---- | C] () -- C:\WINDOWS\zHotkey.exe
[2006/06/23 13:39:28 | 000,532,544 | ---- | C] () -- C:\WINDOWS\PIC.dll
[2006/06/23 13:39:28 | 000,036,864 | ---- | C] () -- C:\WINDOWS\ShowWnd.exe
[2006/06/23 13:39:28 | 000,024,576 | ---- | C] () -- C:\WINDOWS\HKNTDLL.dll
[2006/06/23 11:10:58 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/06/23 11:10:58 | 001,519,616 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/06/23 11:10:58 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/06/23 11:10:58 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/06/23 11:10:58 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/06/23 11:10:58 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/06/23 11:10:58 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/06/23 11:10:58 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/09/14 14:47:41 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\RTCOMDLL.dll
[2005/09/14 14:47:40 | 000,156,160 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2004/08/04 03:56:57 | 000,538,624 | ---- | C] () -- C:\WINDOWS\System32\spider.exe
[2004/07/18 00:07:42 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2004/07/18 00:06:20 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe
[2004/02/27 10:01:14 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/02/05 11:04:43 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/02/04 14:49:48 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/02/03 15:57:53 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/02/03 15:52:33 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/02/03 15:51:24 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\sol.exe
[2004/02/03 15:51:23 | 000,119,808 | ---- | C] () -- C:\WINDOWS\System32\winmine.exe
[2004/02/03 15:51:23 | 000,055,296 | ---- | C] () -- C:\WINDOWS\System32\freecell.exe
[2004/02/03 10:36:40 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/02/03 10:35:43 | 000,304,416 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 08:00:00 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2001/08/23 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 08:00:00 | 000,534,538 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2001/08/23 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 08:00:00 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2001/08/23 08:00:00 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2001/08/23 08:00:00 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
[2001/08/23 08:00:00 | 000,099,988 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 60 bytes -> C:\Library:AFP_AfpInfo

< End of report >
#8
Matasovsky (Topic Starter)

OTL Extras logfile created on: 10/24/2011 1:45:05 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\dwagner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.13 Mb Total Physical Memory | 365.10 Mb Available Physical Memory | 35.75% Memory free
2.40 Gb Paging File | 1.91 Gb Available in Paging File | 79.64% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 9.62 Gb Free Space | 25.80% Space Free | Partition Type: NTFS
Drive G: | 599.99 Gb Total Space | 131.98 Gb Free Space | 22.00% Space Free | Partition Type: NTFS
Drive I: | 12.00 Gb Total Space | 4.09 Gb Free Space | 34.06% Space Free | Partition Type: NTFS
Drive J: | 49.99 Gb Total Space | 0.15 Gb Free Space | 0.30% Space Free | Partition Type: NTFS
Drive P: | 39.07 Gb Total Space | 7.63 Gb Free Space | 19.54% Space Free | Partition Type: NTFS
Drive Q: | 399.99 Gb Total Space | 35.80 Gb Free Space | 8.95% Space Free | Partition Type: NTFS
Drive U: | 19.99 Gb Total Space | 9.20 Gb Free Space | 45.99% Space Free | Partition Type: NTFS
Drive W: | 4.88 Gb Total Space | 1.75 Gb Free Space | 35.85% Space Free | Partition Type: NTFS
Drive Y: | 399.99 Gb Total Space | 35.80 Gb Free Space | 8.95% Space Free | Partition Type: NTFS
Drive Z: | 399.99 Gb Total Space | 35.80 Gb Free Space | 8.95% Space Free | Partition Type: NTFS

Computer Name: IN012 | User Name: dwagner | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 1
"DisableConfig" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3753:TCP" = 3753:TCP:*:Enabled:SETS
"3751:TCP" = 3751:TCP:*:Enabled:SETS
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\CA\eTrust Antivirus\InoRpc.exe" = C:\Program Files\CA\eTrust Antivirus\InoRpc.exe:*:Enabled:eTrust Antivirus - RPC Server
"C:\Program Files\CA\eTrust Antivirus\InocIT.exe" = C:\Program Files\CA\eTrust Antivirus\InocIT.exe:*:Enabled:eTrust Antivirus - Local Scanner
"C:\Program Files\CA\eTrust Antivirus\Realmon.exe" = C:\Program Files\CA\eTrust Antivirus\Realmon.exe:*:Enabled:eTrust Antivirus - Realtime monitor
"C:\Program Files\CA\eTrust Antivirus\InoNmSrv.exe" = C:\Program Files\CA\eTrust Antivirus\InoNmSrv.exe:*:Enabled:eTrust Antivirus - Admin Server -- (Computer Associates International, Inc.)
"C:\Autodesk VIZ 2006\3dsviz.exe" = C:\Autodesk VIZ 2006\3dsviz.exe:*:Enabled:Autodesk VIZ 2006
"C:\Program Files\backburner 2\monitor.exe" = C:\Program Files\backburner 2\monitor.exe:*:Enabled:backburner 2.3 monitor
"C:\Program Files\backburner 2\manager.exe" = C:\Program Files\backburner 2\manager.exe:*:Enabled:backburner 2.3 manager
"C:\Program Files\backburner 2\server.exe" = C:\Program Files\backburner 2\server.exe:*:Enabled:backburner 2.3 server
"C:\Program Files\Autodesk\Backburner\monitor.exe" = C:\Program Files\Autodesk\Backburner\monitor.exe:*:Enabled:backburner 2.3 monitor
"C:\Program Files\Autodesk\Backburner\manager.exe" = C:\Program Files\Autodesk\Backburner\manager.exe:*:Enabled:backburner 2.3 manager
"C:\Program Files\Autodesk\Backburner\server.exe" = C:\Program Files\Autodesk\Backburner\server.exe:*:Enabled:backburner 2.3 server
"C:\Program Files\Autodesk\VIZ2008\3dsviz.exe" = C:\Program Files\Autodesk\VIZ2008\3dsviz.exe:*:Enabled:Autodesk VIZ 2008
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)
"C:\Program Files\Symantec\Ghost\ngctw32.exe" = C:\Program Files\Symantec\Ghost\ngctw32.exe:*:Enabled:Symantec Ghost Client Agent -- (Symantec Corporation)
"C:\WINDOWS\TIREMOTE\TIRemoteService.exe" = C:\WINDOWS\TIREMOTE\TIRemoteService.exe:*:Enabled:Track-It! Workstation Manager -- (Numara Software, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec\Ghost\ngctw32.exe" = C:\Program Files\Symantec\Ghost\ngctw32.exe:*:Enabled:Symantec Ghost Client Agent -- (Symantec Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{0E4BC542-9CFD-4E97-B586-9F1E5516E7B9}" = Microsoft IntelliPoint 6.1
"{22025051-1991-48EB-8BE8-7A3329DAE7ED}" = IIS 7.5 Express
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{29622F4A-245C-4126-8764-897E21E888D1}" = Google Earth Pro
"{3248F0A8-6813-11D6-A77B-00B0D0150080}" = J2SE Runtime Environment 5.0 Update 8
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A316611-45D1-429C-AA26-B71259C44689}" = HP Photosmart, Officejet and Deskjet 7.0.A
"{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}" = Symantec Endpoint Protection
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D008E41-F84D-4CC1-A8CF-B8419E51ACDF}" = Intel Audio Studio
"{3D1B20A6-E31D-4BB5-BC5C-DDD3B0D91728}" = Intel Audio Studio
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}" = VPN Client
"{5783F2D7-0204-0409-0000-0060B0CE6BBA}" = Autodesk Architectural Desktop 2004
"{5783F2D7-0211-0409-0000-0060B0CE6BBA}" = AutoCAD Express Tools Volumes 1-9
"{5783F2D7-4006-0409-0002-0060B0CE6BBA}" = Autodesk Building Systems 2006
"{5783F2D7-5106-0409-0002-0060B0CE6BBA}" = Autodesk Building Systems 2007.1
"{62548E48-942A-44E3-9FBF-6CB8EDB7F4C8}" = DocuTrac Workstation Component
"{67897379-D83F-11D4-A541-005004881E56}" = Powerprint Request 5.0.48 Request (Windows 95/98/ME/NT/2000/XP)
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}" = Multimedia Keyboard Driver
"{7148F0A8-6813-11D6-A77B-00B0D0142000}" = Java 2 Runtime Environment, SE v1.4.2
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{935AF2EE-C825-4EF5-AF4E-67C29E55299F}" = Spitfire Trust 2006
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{9A346205-EA92-4406-B1AB-50379DA3F057}" = Autodesk DWF Viewer 7
"{A2A73632-BBAA-43EB-A337-ADF43F905A1C}" = Gateway Download Assistant
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A4D1304D-DE5F-4554-9273-8F2F2C497CDF}" = RPC Plugin for Autodesk VIZ 2006
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AE560836-8AED-4140-98C0-BFEA348A5952}" = Windows Agent
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BF38CB00-71E2-4F63-0A45-36CB5C633080}" = Symantec Ghost Console Client
"{C0333997-7B38-416D-B69B-206CC24A9F7C}" = KIP Request 6
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{ECD94AA1-D865-4EF4-8F7C-5AA68D37ABE9}" = Autodesk MapGuide® Viewer ActiveX Control Release 6.3
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{FACF203E-0F4D-489A-B80C-D185253C8FCB}" = Autodesk Design Review 2008
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Ajera" = Ajera
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner
"DocBar 2.0 for AutoCAD 2000-2007_is1" = DocBar 2.0 for AutoCAD 2000-2007
"Gateway Drivers and Applications Recovery" = Gateway Drivers and Applications Recovery
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"OmniFormat" = OmniFormat
"Pdf995" = Pdf995
"PdfEdit995" = PdfEdit995
"Signature995" = Signature995
"Ultravnc2_is1" = UltraVNC 1.0.6.4
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"COMcheck 3.8.0 " = COMcheck 3.8.0
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/24/2011 9:49:39 AM | Computer Name = IN012 | Source = Userenv | ID = 1085
Description = The Group Policy client-side extension Software Installation failed
to execute. Please look for any errors reported earlier by that extension.

Error - 10/24/2011 10:20:39 AM | Computer Name = IN012 | Source = Userenv | ID = 1085
Description = The Group Policy client-side extension Software Installation failed
to execute. Please look for any errors reported earlier by that extension.

Error - 10/24/2011 10:44:39 AM | Computer Name = IN012 | Source = Userenv | ID = 1085
Description = The Group Policy client-side extension Software Installation failed
to execute. Please look for any errors reported earlier by that extension.

Error - 10/24/2011 11:15:40 AM | Computer Name = IN012 | Source = Userenv | ID = 1085
Description = The Group Policy client-side extension Software Installation failed
to execute. Please look for any errors reported earlier by that extension.

Error - 10/24/2011 11:38:40 AM | Computer Name = IN012 | Source = Userenv | ID = 1085
Description = The Group Policy client-side extension Software Installation failed
to execute. Please look for any errors reported earlier by that extension.

Error - 10/24/2011 12:04:43 PM | Computer Name = IN012 | Source = Userenv | ID = 1085
Description = The Group Policy client-side extension Software Installation failed
to execute. Please look for any errors reported earlier by that extension.

Error - 10/24/2011 12:28:44 PM | Computer Name = IN012 | Source = Userenv | ID = 1085
Description = The Group Policy client-side extension Software Installation failed
to execute. Please look for any errors reported earlier by that extension.

Error - 10/24/2011 12:50:44 PM | Computer Name = IN012 | Source = Userenv | ID = 1085
Description = The Group Policy client-side extension Software Installation failed
to execute. Please look for any errors reported earlier by that extension.

Error - 10/24/2011 1:05:44 PM | Computer Name = IN012 | Source = Userenv | ID = 1085
Description = The Group Policy client-side extension Software Installation failed
to execute. Please look for any errors reported earlier by that extension.

Error - 10/24/2011 1:43:45 PM | Computer Name = IN012 | Source = Userenv | ID = 1085
Description = The Group Policy client-side extension Software Installation failed
to execute. Please look for any errors reported earlier by that extension.

[ System Events ]
Error - 10/24/2011 12:01:40 PM | Computer Name = IN012 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service LiveUpdate
with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}

Error - 10/24/2011 12:01:41 PM | Computer Name = IN012 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service LiveUpdate
with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}

Error - 10/24/2011 12:01:42 PM | Computer Name = IN012 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service LiveUpdate
with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}

Error - 10/24/2011 12:01:43 PM | Computer Name = IN012 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service LiveUpdate
with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}

Error - 10/24/2011 12:01:44 PM | Computer Name = IN012 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service LiveUpdate
with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}

Error - 10/24/2011 12:01:45 PM | Computer Name = IN012 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service LiveUpdate
with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}

Error - 10/24/2011 12:01:46 PM | Computer Name = IN012 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service LiveUpdate
with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}

Error - 10/24/2011 12:01:47 PM | Computer Name = IN012 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service LiveUpdate
with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}

Error - 10/24/2011 12:01:48 PM | Computer Name = IN012 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service LiveUpdate
with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}

Error - 10/24/2011 12:01:49 PM | Computer Name = IN012 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service LiveUpdate
with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}


< End of report >

#9 Matasovsky (Member, Topic Starter, 128 posts)
Re: Other issues.

None that I'm aware of.

User said they had e-mail archived from September. The archive file I found only goes to late August.

Believe this could be an ID 10 T situation. :)

#10 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hi!

Did you set up these proxies in Internet Explorer?

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.10.10.5:8080
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.10.10.5:8080
IE - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet:82
IE - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://intranet:82
IE - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.10.10.5:8080

Did you open these ports?

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3753:TCP" = 3753:TCP:*:Enabled:SETS
"3751:TCP" = 3751:TCP:*:Enabled:SETS

OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    O4 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe File not found
    O4 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111..\Run: [wuaucldt] c:\documents and settings\dwagner\wuaucldt.exe File not found
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 2600 = C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\c0f3f978.com (EasyPHP)
    O7 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 1 = msmsgsin.exe
    O7 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 2 = msnmsgr.exe
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupd...8044.2415393519 (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2)
    O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_08)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
    [2011/10/13 14:27:38 | 000,496,640 | -HS- | C] ( ) -- C:\Documents and Settings\All Users\Application Data\DNQjcPtFlY.exe
    [2011/10/11 08:00:14 | 000,025,088 | ---- | C] (EasyPHP) -- C:\Documents and Settings\dwagner\Application Data\KB634133.exe
    [2011/10/11 05:55:06 | 000,460,288 | -HS- | C] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\dEaYgfJuMxVqq.exe
    [2011/10/10 12:30:57 | 000,458,240 | -HS- | C] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\ojjxXPniykJvb.exe
    [2011/10/10 07:53:24 | 000,345,600 | ---- | C] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
    [2011/10/10 07:49:55 | 000,453,120 | -HS- | C] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\nTEtPClXirMXi.exe
    [2011/10/13 14:27:08 | 000,496,640 | -HS- | M] ( ) -- C:\Documents and Settings\All Users\Application Data\DNQjcPtFlY.exe
    [2011/10/11 08:47:55 | 000,025,088 | ---- | M] (EasyPHP) -- C:\Documents and Settings\dwagner\Application Data\KB634133.exe
    [2011/10/11 05:54:20 | 000,460,288 | -HS- | M] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\dEaYgfJuMxVqq.exe
    [2011/10/11 00:57:16 | 000,458,240 | -HS- | M] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\ojjxXPniykJvb.exe
    [2011/10/10 08:02:17 | 000,000,296 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
    [2011/10/10 08:02:17 | 000,000,200 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
    [2011/10/10 08:02:09 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
    [2011/10/10 07:53:24 | 000,345,600 | ---- | M] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
    [2011/10/10 07:49:10 | 000,453,120 | -HS- | M] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\nTEtPClXirMXi.exe
    [2011/10/10 08:02:17 | 000,000,296 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
    [2011/10/10 08:02:17 | 000,000,200 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
    [2011/10/10 08:02:09 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
    @Alternate Data Stream - 60 bytes -> C:\Library:AFP_AfpInfo
    
    :Reg
    
    :Files
    dir /s /a "C:\Documents and Settings\dwagner\Start Menu\Programs\System Restore" /c
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptyjava]
    [EMPTYFLASH]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Remove Program
We need to remove a program. To do this please do the following:
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
  • J2SE Runtime Environment 5.0 Update 8
  • Java™ SE Runtime Environment 6 Update 1
  • Java™ 6 Update 2
  • Java™ 6 Update 5
  • Java 2 Runtime Environment, SE v1.4.2
  • Google Toolbar for Internet Explorer <== If you don't use it, then I suggest removing it.


NEXT:



Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Edited by SweetTech, 24 October 2011 - 12:52 PM.

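The triage SweetTech applies above (proxy and open-port entries to confirm with whoever set them, orphaned Run entries with Windows-sounding names, hidden+system executables with random names dropped into All Users\Application Data) can be written down as a script so it is applied the same way to the next log. What follows is an added example, not part of this thread and not OTL's own code: it parses the line formats OTL writes (the IE proxy lines, O4/O6 autoruns, the [date | size | attr | op] file entries and the GloballyOpenPorts values) and scores them against those heuristics. The heuristics, the LOOKALIKE name list, the 0.8 similarity threshold and the constructed sample (including two made-up benign control lines, ccApp and AcroRd32) are this example's own assumptions.

```python
# Added example (not OTL's code): triage heuristics for the line formats OTL writes.
# The heuristics, the LOOKALIKE list and the benign control lines are assumptions.
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Constructed sample in OTL's formats; ccApp and AcroRd32 are made-up benign controls.
SAMPLE = r"""
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.10.10.5:8080
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe File not found
O4 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111..\Run: [wuaucldt] c:\documents and settings\dwagner\wuaucldt.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 2600 = C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\c0f3f978.com (EasyPHP)
[2011/10/13 14:27:38 | 000,496,640 | -HS- | C] ( ) -- C:\Documents and Settings\All Users\Application Data\DNQjcPtFlY.exe
[2011/10/11 08:00:14 | 000,025,088 | ---- | C] (EasyPHP) -- C:\Documents and Settings\dwagner\Application Data\KB634133.exe
[2011/10/10 07:53:24 | 000,345,600 | ---- | C] (RapidEE.com) -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
[2011/10/12 09:00:00 | 000,120,832 | ---- | C] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
"3753:TCP" = 3753:TCP:*:Enabled:SETS
"""

FILE_RE = re.compile(r'^\[[^|]+\|\s*[\d,]+\s*\|\s*(?P<attr>[-A-Z]{4})\s*\|\s*[CM]\]\s*\((?P<pub>[^)]*)\)\s*--\s*(?P<path>.+)$')
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|com|dll|scr|bat)', re.IGNORECASE)
PROXY_RE = re.compile(r'^IE - (?P<hive>HKU\\[^\\]+)\\.*"ProxyServer" = (?P<proxy>\S+)')
PORT_RE = re.compile(r'^"[^"]+" = (?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$')
LOOKALIKE = ("wuauclt", "regedit", "svchost", "lsass", "csrss", "explorer", "winlogon")  # names droppers imitate (assumed list)


@dataclass
class Finding:
    kind: str
    subject: str
    reasons: list = field(default_factory=list)


def suspicious_location(path: str) -> bool:
    """Temp, a file directly in an Application Data root, or directly in a profile root."""
    p = path.lower()
    return ("\\temp\\" in p or re.search(r'\\application data\\[^\\]+$', p) is not None
            or re.search(r'\\documents and settings\\[^\\]+\\[^\\]+$', p) is not None)


def looks_random(stem: str) -> bool:
    """Count upper/lower flips between consecutive letters; real product names rarely flip 4+ times."""
    letters = [c for c in stem if c.isalpha()]
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:])) >= 4


def mimics_component(name: str) -> str:
    """Return the Windows name this entry nearly spells (wuaucldt -> wuauclt), else ''."""
    n = name.lower()
    for known in LOOKALIKE:
        if n != known and SequenceMatcher(None, n, known).ratio() >= 0.8:
            return known
    return ""


def triage(text: str, known_proxies: frozenset = frozenset()) -> list:
    """Return one Finding per line that trips at least one heuristic, in log order."""
    findings = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("IE - ") and (m := PROXY_RE.match(line)):
            if m["proxy"] not in known_proxies:
                findings.append(Finding("proxy", f'{m["hive"]} -> {m["proxy"]}',
                                        ["proxy not on the known list; confirm with whoever runs the network"]))
        elif line.startswith(("O4 - ", "O6 - ")):
            name_m = re.search(r'\[([^\]]+)\]', line) or re.search(r': (\S+) = ', line)
            name = name_m.group(1) if name_m else "?"
            path_m = PATH_RE.search(line)
            target = path_m.group(0) if path_m else line
            reasons = []
            if line.endswith("File not found"):
                reasons.append("orphaned autorun: target file is missing")
            if suspicious_location(target):
                reasons.append("target lives in Temp, a profile root or an AppData root")
            if (k := mimics_component(name)):
                reasons.append(f"entry name imitates Windows component '{k}'")
            if reasons:
                findings.append(Finding("autorun", f"[{name}] {target}", reasons))
        elif (m := FILE_RE.match(line)):
            path, attr, is_exe = m["path"], m["attr"], m["path"].lower().endswith(".exe")
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            reasons = []
            if is_exe and "H" in attr and "S" in attr:
                reasons.append("hidden+system executable")
            if suspicious_location(path):
                reasons.append("dropped in Temp, a profile root or an AppData root")
            if looks_random(stem):
                reasons.append("random-looking file name")
            if is_exe and not m["pub"].strip():
                reasons.append("no publisher/version info")
            if reasons:
                findings.append(Finding("file", path, reasons))
        elif (m := PORT_RE.match(line)) and m["state"] == "Enabled":
            findings.append(Finding("firewall", f'{m["port"]}/{m["proto"]} ({m["name"]})',
                                    [f'inbound {m["proto"]} open to scope {m["scope"]}; confirm which program needs it']))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.kind:8} {f.subject}  <- " + "; ".join(f.reasons))
```

Run it as-is to see the sample scored; to use it on a real log, pass the OTL.txt contents to triage() and put the corporate proxy in known_proxies so a legitimate 10.10.10.5:8080 stops being reported. The output is a list of reasons, not verdicts, for the same reason SweetTech asks before removing the DisallowRun and ProxyServer entries: a hidden executable in All Users\Application Data with no version information is almost never legitimate, but a proxy or an open port often is, and only the person who manages the network can say which.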



#11 Matasovsky (Member, Topic Starter, 128 posts)
IE - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet:82
IE - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://intranet:82

These above I recognize.

As for others, I'd have to ask previous IT person responsible.

Are there things in the OTL run that affect what you are asking about?

Will wait for your response.

#12 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hi!

Thanks for the information on those two entries.

The only thing that's in the OTL fix that I have a question about is this:

O7 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 1 = msmsgsin.exe
O7 - HKU\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 2 = msnmsgr.exe

Do you know if this was something that was set on purpose? If it wasn't then you can proceed with the OTL fix, if not, post back here for a revised fix.

Edited by SweetTech, 24 October 2011 - 03:40 PM.


#13 Matasovsky (Member, Topic Starter, 128 posts)
I have no idea whether it was done intentionally. Since we have it identified, I will proceed w/ the OTL fix and continue to do a little background on this issue. If I find we in fact need it we can put it back in at that time.

#14 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Okay. Sounds good.

#15 Matasovsky (Member, Topic Starter, 128 posts)
========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
All processes killed
========== OTL ==========
Registry key HKEY_USERS\S-1-5-21-368597260-1834286960-2103163636-4111\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\S-1-5-21-368597260-1834286960-2103163636-4111\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\2600 deleted successfully.
File C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\c0f3f978.com not found.
Registry key HKEY_USERS\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun not found.
Registry key HKEY_USERS\S-1-5-21-368597260-1834286960-2103163636-4111\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {9F1C11AA-197B-4942-BA54-47A8489BB47F}
C:\WINDOWS\Downloaded Program Files\iuctl.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
C:\Documents and Settings\All Users\Application Data\DNQjcPtFlY.exe moved successfully.
File C:\Documents and Settings\dwagner\Application Data\KB634133.exe not found.
File C:\Documents and Settings\All Users\Application Data\dEaYgfJuMxVqq.exe not found.
File C:\Documents and Settings\All Users\Application Data\ojjxXPniykJvb.exe not found.
File C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe not found.
File C:\Documents and Settings\All Users\Application Data\nTEtPClXirMXi.exe not found.
File C:\Documents and Settings\All Users\Application Data\DNQjcPtFlY.exe not found.
File C:\Documents and Settings\dwagner\Application Data\KB634133.exe not found.
File C:\Documents and Settings\All Users\Application Data\dEaYgfJuMxVqq.exe not found.
File C:\Documents and Settings\All Users\Application Data\ojjxXPniykJvb.exe not found.
C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk moved successfully.
C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr moved successfully.
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk moved successfully.
File C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe not found.
File C:\Documents and Settings\All Users\Application Data\nTEtPClXirMXi.exe not found.
File C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk not found.
File C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr not found.
File C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk not found.
ADS C:\Library:AFP_AfpInfo deleted successfully.
========== REGISTRY ==========
========== FILES ==========
< dir /s /a "C:\Documents and Settings\dwagner\Start Menu\Programs\System Restore" /c >
Volume in drive C has no label.
Volume Serial Number is 8830-5179
Directory of C:\Documents and Settings\dwagner\Start Menu\Programs\System Restore
10/10/2011 08:02 AM <DIR> .
10/10/2011 08:02 AM <DIR> ..
10/10/2011 08:02 AM 851 System Restore.lnk
10/10/2011 08:02 AM 923 Uninstall System Restore.lnk
2 File(s) 1,774 bytes
Total Files Listed:
2 File(s) 1,774 bytes
2 Dir(s) 10,323,296,256 bytes free
C:\Documents and Settings\administrator.GIBRALTARDESIGN\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\administrator.GIBRALTARDESIGN\Desktop\cmd.txt deleted successfully.
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?processed file: C:\WINDOWS\system32\drivers\etc\hosts
C:\Documents and Settings\administrator.GIBRALTARDESIGN\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\administrator.GIBRALTARDESIGN\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\administrator.GIBRALTARDESIGN\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\administrator.GIBRALTARDESIGN\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Unable to start service SrService!

[EMPTYJAVA]

User: Administrator

User: administrator.GIBRALTARDESIGN

User: ADMINI~1~GIB

User: All Users

User: Default User

User: dodle

User: dodle.GIBRALTARDESIGN
->Java cache emptied: 83961 bytes

User: dwagner
->Java cache emptied: 3818 bytes

User: hheaddy
->Java cache emptied: 56107 bytes

User: hheaddy.IN012

User: LocalService

User: mmatasovsky
->Java cache emptied: 61236782 bytes

User: MWService

User: n2ntech

User: NetworkService

Total Java Files Cleaned = 59.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 405 bytes

User: administrator.GIBRALTARDESIGN
->Flash cache emptied: 3202 bytes

User: ADMINI~1~GIB

User: All Users

User: Default User

User: dodle
->Flash cache emptied: 39971 bytes

User: dodle.GIBRALTARDESIGN
->Flash cache emptied: 1061 bytes

User: dwagner
->Flash cache emptied: 2083014 bytes

User: hheaddy
->Flash cache emptied: 0 bytes

User: hheaddy.IN012
->Flash cache emptied: 2235 bytes

User: LocalService

User: mmatasovsky
->Flash cache emptied: 74674 bytes

User: MWService

User: n2ntech

User: NetworkService

Total Flash Files Cleaned = 2.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 10262011_112104