Jump to content

Free help from tech experts
Welcome to Geeks to Go forums. Create a FREE account now to gain access to all our features. Once registered and logged in, you will be able to create topics, post replies to existing topics, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. Best of all, registration and all assistance is 100% free! This message, and all ads will be removed once you sign in.
Create an Account Login to Account

Arestocrat White Screen Submit Button [Closed]


  • This topic is locked This topic is locked

#1
Bill2244

Bill2244

    New Member

  • Member
  • Pip
  • 2 posts
I was watching some youtube videos and click on a ad and the next thing I know my screen is all white with a Submit button and when I clicked on the click button it stated I would have to send money to get this fixed. At that time I could not control alt delete and shut the machine down. I had to cold boot the laptop. I booted the laptop in Safe Mode and did some research. I was able to find a couple of suggested fixes by removing files from the registry. After I implemented the fixes I was able to alt tab and that is when I discovered that the virus was Arestocrat. I need you help. I am running XP and I need the laptop for travel.

OTL logfile created on: 4/10/2013 11:29:40 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = \\GAXGPFS14\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.92 Gb Total Physical Memory | 2.32 Gb Available Physical Memory | 79.48% Memory free
3.77 Gb Paging File | 3.45 Gb Available in Paging File | 91.61% Paging File free
Paging file location(s): C:\pagefile.sys 1024 4096

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 202.76 Gb Free Space | 87.07% Space Free | Partition Type: NTFS
Drive H: | 232.88 Gb Total Space | 202.76 Gb Free Space | 87.07% Space Free | Partition Type: *NT5CSC

Computer Name: RCSELF08 | User Name: TWMCALIS | NOT logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/04/10 23:28:48 | 000,602,112 | ---- | M] (OldTimer Tools) -- \\GAXGPFS14\\OTL.com
PRC - [2012/10/16 17:00:58 | 000,137,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV - File not found [Auto | Unknown] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
SRV - [2013/03/12 21:39:41 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Unknown] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/10/16 17:01:06 | 001,671,424 | ---- | M] (Symantec Corporation) [On_Demand | Unknown] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\Smc.exe -- (SmcService)
SRV - [2012/10/16 17:01:06 | 000,282,032 | ---- | M] (Symantec Corporation) [On_Demand | Unknown] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\snac.exe -- (SNAC)
SRV - [2012/10/16 17:00:58 | 000,137,208 | ---- | M] (Symantec Corporation) [Auto | Unknown] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe -- (SepMasterService)
SRV - [2011/11/10 09:14:31 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Unknown] -- C:\Program Files\Java\jre1.6.0_20\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2011/03/14 16:43:06 | 000,232,120 | ---- | M] () [Auto | Unknown] -- C:\Program Files\Symantec DLP\Endpoint Agent\wdp.exe -- (WDP)
SRV - [2011/03/14 16:43:00 | 000,255,672 | ---- | M] () [Auto | Unknown] -- C:\Program Files\Symantec DLP\Endpoint Agent\edpa.exe -- (EDPA)
SRV - [2010/07/01 16:47:58 | 000,902,568 | ---- | M] (CREDANT Technologies, Inc.) [Auto | Unknown] -- C:\WINDOWS\System32\EmsService.exe -- (EMS)
SRV - [2010/07/01 16:39:44 | 002,696,616 | ---- | M] (CREDANT Technologies, Inc.) [Auto | Unknown] -- C:\WINDOWS\system32\CmgShieldSvc.exe -- (CMGShield)
SRV - [2009/11/18 07:19:46 | 000,229,458 | ---- | M] (IDT, Inc.) [Auto | Unknown] -- c:\Drivers\Audio\stacsv.exe -- (STacSV)
SRV - [2009/09/18 04:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) [Auto | Unknown] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2009/09/18 04:00:00 | 000,246,624 | ---- | M] () [On_Demand | Unknown] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)
SRV - [2009/07/27 10:52:04 | 000,014,336 | ---- | M] (LSI Corporation) [Auto | Unknown] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2008/04/14 08:00:00 | 000,088,576 | ---- | M] (Microsoft Corporation) [Unknown (-1) | Unknown] -- C:\WINDOWS\system32\wbem\wmiaprpl.dll -- (WmiApRpl)
SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Unknown] -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/01/04 19:48:50 | 000,112,152 | ---- | M] (InterVideo) [Auto | Unknown] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/01/20 20:15:32 | 000,118,784 | ---- | M] (Gemplus) [Auto | Unknown] -- C:\Program Files\Gemplus\GemSafe Libraries\BIN\GCardSrvNT.exe -- (GemSAFE Card Server)
SRV - [2005/04/27 16:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Unknown] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)
SRV - [2004/07/20 17:29:06 | 000,081,920 | ---- | M] (Southern Company Services) [Auto | Unknown] -- C:\Program Files\Southern Company\Windows Maintenance\WinMaint.exe -- (WinMaint)
SRV - [2002/06/27 12:42:22 | 000,036,864 | ---- | M] (Southern Company) [Auto | Unknown] -- C:\WINDOWS\system32\SESWISrv.exe -- (SES WebIcons Installer Service)
SRV - [2001/12/03 17:24:50 | 000,091,648 | ---- | M] () [On_Demand | Unknown] -- C:\Program Files\SmartLine\Remote Task Manager\rtmservice.exe -- (RTM)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Unknown] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Unknown] -- -- (PCIDump)
DRV - File not found [Kernel | System | Unknown] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Unknown] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\Drivers\COH_Mon.sys -- (COH_Mon)
DRV - File not found [Kernel | System | Unknown] -- -- (Changer)
DRV - [2013/02/27 11:26:50 | 001,603,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\VirusDefs\20130327.038\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/02/27 11:26:50 | 000,093,296 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\VirusDefs\20130327.038\NAVENG.SYS -- (NAVENG)
DRV - [2013/01/30 09:55:02 | 000,997,464 | ---- | M] (Symantec Corporation) [Kernel | System | Unknown] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\BASHDefs\20130301.011\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/12/18 09:25:51 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/12/13 09:57:46 | 000,092,080 | ---- | M] (Symantec Corporation) [Kernel | System | Unknown] -- C:\WINDOWS\system32\drivers\SysPlant.sys -- (SysPlant)
DRV - [2012/12/11 10:03:42 | 000,141,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2012/11/26 09:59:27 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Unknown] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/11/03 07:38:10 | 000,373,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\20130327.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2012/10/16 17:01:08 | 000,759,416 | ---- | M] (Symantec Corporation) [File_System | Boot | Unknown] -- C:\WINDOWS\system32\drivers\SEP\0C01044D\0191.105\x86\SymEFA.sys -- (SymEFA)
DRV - [2012/10/16 17:01:08 | 000,522,872 | ---- | M] (Symantec Corporation) [File_System | System | Unknown] -- C:\WINDOWS\system32\drivers\SEP\0C01044D\0191.105\x86\srtsp.sys -- (SRTSP)
DRV - [2012/10/16 17:01:08 | 000,370,552 | ---- | M] (Symantec Corporation) [Kernel | System | Unknown] -- C:\WINDOWS\system32\drivers\SEP\0C01044D\0191.105\x86\symtdi.sys -- (SYMTDI)
DRV - [2012/10/16 17:01:08 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Unknown] -- C:\WINDOWS\system32\drivers\SEP\0C01044D\0191.105\x86\SymDS.sys -- (SymDS)
DRV - [2012/10/16 17:01:08 | 000,137,336 | ---- | M] (Symantec Corporation) [Kernel | System | Unknown] -- C:\WINDOWS\system32\drivers\SEP\0C01044D\0191.105\x86\Ironx86.sys -- (SymIRON)
DRV - [2012/10/16 17:01:08 | 000,031,864 | ---- | M] (Symantec Corporation) [Kernel | System | Unknown] -- C:\WINDOWS\system32\drivers\SEP\0C01044D\0191.105\x86\srtspx.sys -- (SRTSPX)
DRV - [2012/10/16 17:01:06 | 000,121,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\teefer.sys -- (Teefer2)
DRV - [2012/10/16 17:01:06 | 000,023,984 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\SyDvCtrl32.sys -- (SyDvCtrl)
DRV - [2011/03/14 16:43:52 | 000,019,256 | ---- | M] () [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\vrtam.sys -- (vrtam)
DRV - [2011/03/14 16:43:50 | 000,045,624 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\tdifd111.sys -- (tdifd111)
DRV - [2011/03/14 16:43:48 | 000,048,824 | ---- | M] () [File_System | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\vfsmfd.sys -- (vfsmfd)
DRV - [2011/03/14 16:43:48 | 000,048,824 | ---- | M] () [File_System | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\SFsCtrx111.sys -- (SFsCtrx111)
DRV - [2010/09/27 12:55:32 | 000,054,656 | ---- | M] (LSI Corporation) [Kernel | Boot | Unknown] -- C:\WINDOWS\system32\drivers\LSI_GEN2.sys -- (Lsi_gen2)
DRV - [2010/06/30 17:22:58 | 000,299,624 | ---- | M] (CREDANT Technologies, Inc.) [File_System | Boot | Unknown] -- C:\WINDOWS\system32\drivers\CMGShCEF.sys -- (CmgShieldCEF)
DRV - [2010/06/30 17:22:58 | 000,101,992 | ---- | M] (CREDANT Technologies, Inc.) [Kernel | Boot | Unknown] -- C:\WINDOWS\system32\drivers\CmgHiber.sys -- (CmgHiber)
DRV - [2010/06/30 17:22:58 | 000,022,632 | ---- | M] (CREDANT Technologies, Inc.) [Kernel | Boot | Unknown] -- C:\WINDOWS\system32\drivers\CmgShREG.sys -- (CMGShieldReg)
DRV - [2009/11/18 07:19:46 | 001,654,723 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2009/11/05 21:32:54 | 000,166,568 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\e1k5132.sys -- (e1kexpress)
DRV - [2009/10/16 08:16:04 | 000,205,824 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\IntcDAud.sys -- (IntcDAud)
DRV - [2009/10/02 23:23:52 | 005,977,216 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32)
DRV - [2009/09/18 04:00:00 | 000,020,848 | ---- | M] () [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2009/09/17 15:54:14 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI)
DRV - [2009/08/24 16:02:18 | 000,045,984 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2009/08/24 16:01:58 | 000,991,264 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2009/07/27 10:52:04 | 001,161,664 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2009/07/20 18:05:16 | 000,049,152 | ---- | M] (RICOH Company, Ltd.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\rismc32.sys -- (rismc32)
DRV - [2009/06/25 19:58:10 | 000,048,128 | ---- | M] (REDC) [Kernel | Auto | Unknown] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2009/04/22 01:13:34 | 000,113,664 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2008/12/10 13:56:18 | 000,187,392 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2008/10/20 20:08:06 | 000,012,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\smsmdm.sys -- (smsmdd)
DRV - [2008/07/23 14:31:38 | 000,044,800 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2008/06/13 12:42:56 | 000,243,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress)
DRV - [2008/05/23 16:51:02 | 000,024,624 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Unknown] -- C:\WINDOWS\system32\drivers\hpdskflt.sys -- (hpdskflt)
DRV - [2008/05/23 16:50:16 | 000,028,592 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\Accelerometer.sys -- (Accelerometer)
DRV - [2008/04/14 08:00:00 | 000,088,576 | ---- | M] (Microsoft Corporation) [Unknown (-1) | Unknown (-1) | Unknown] -- C:\WINDOWS\system32\wbem\wmiaprpl.dll -- (WmiApRpl)
DRV - [2007/06/18 16:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/04/17 20:09:28 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Unknown] -- C:\WINDOWS\system32\drivers\regi.sys -- (regi)
DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Unknown] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Unknown] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Unknown] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Unknown] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Unknown] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Unknown] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Unknown] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Unknown] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Unknown] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Unknown] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2004/06/15 12:06:20 | 000,251,578 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Unknown] -- C:\WINDOWS\system32\drivers\a320raid.sys -- (a320raid)
DRV - [2002/10/01 22:16:00 | 000,033,808 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Unknown] -- C:\WINDOWS\system32\drivers\aac.sys -- (aac)
DRV - [2002/08/29 15:29:12 | 000,036,096 | ---- | M] (LSI Logic) [Kernel | Boot | Unknown] -- C:\WINDOWS\system32\drivers\symmpi_2.sys -- (Symmpi)
DRV - [2001/08/17 13:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = Reg Error: Value error.
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = Reg Error: Value error.
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://sotoday.southernco.com
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?...=OIE8HP&PC=UP62
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...1I7ADFA_enUS455
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = evxapeapr04.com;alxapar04;evxapeapr05..com;alxapar05;evxgpeapr02.com;gaxgpar02;evxgpeapr03.com;gaxgpar03;<local>


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre1.6.0_20\lib\deploy\jqs\ff [2011/11/10 09:14:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\IPSFFPlgn\ [2013/04/10 23:12:03 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2008/04/14 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\IPS\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.6.0_20\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre1.6.0_20\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {30421E54-3B57-4E5B-947C-9B6BEEA57683} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [CmgShieldUI] C:\WINDOWS\system32\CmgShieldUI.exe (CREDANT Technologies, Inc.)
O4 - HKLM..\Run: [EmsService] C:\WINDOWS\System32\EmsServiceHelper.exe (CREDANT Technologies, Inc.)
O4 - HKLM..\Run: [gemstrmw] C:\WINDOWS\System32\gemstrmw.exe (Gemplus)
O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [SHDash] C:\program Files\Southern Company\SHDash\COMPONENTS\BIN\ScHrShDashWin.exe (Southern Company)
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u File not found
O4 - HKLM..\Run: [WatchDog] C:\Program Files\InterVideo\DVD8SESD\DVDCheck.exe (InterVideo Inc.)
O4 - HKLM..\Run: [WebIconsSubscription] C:\Southern\WebIcons\Subscription Management\WI_Subscriptions.exe File not found
O4 - HKLM..\Run: [WebIconUser] C:\Program Files\Southern Company\WebIcons\WicRun.exe (Southern Company)
O4 - HKCU..\Run: [] File not found
O4 - HKCU..\Run: [DisplaySwitch] C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe (Корпорация Майкрософт)
O4 - HKCU..\Run: [IWOAIsrv] "C:\Program Files\ATT Connect\OutlookAddin\Server\IWOAISRV.exe" File not found
O4 - HKCU..\Run: [Push Client] C:\Documents and Settings\twmcalis\Local Settings\Application Data\ATT Connect\Participant\pull.exe File not found
O4 - HKCU..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" File not found
O4 - HKCU..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_0_7 File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\TWMCALIS\Start Menu\Programs\Startup\Billminder.lnk = File not found
O4 - Startup: C:\Documents and Settings\TWMCALIS\Start Menu\Programs\Startup\Monitor My eRooms.lnk = File not found
O4 - Startup: C:\Documents and Settings\TWMCALIS\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = File not found
O4 - Startup: C:\Documents and Settings\Start Menu\Programs\Startup\SetAutoProxy.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMSAppLogo5ChannelNotify = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Persistence present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Back = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Forward = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Stop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Refresh = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Home = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Search = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_History = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Favorites = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Media = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Folders = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Fullscreen = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Tools = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_MailNews = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Size = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Print = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Edit = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Discussions = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Cut = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Copy = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Paste = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Encoding = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_PrintPreview = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetIcon = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeStartMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetTaskbar = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayContextMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewContextMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EnforceShellExtensionSecurity = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetConnectDisconnect = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDeletePrinter = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAddPrinter = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPrinterTabs = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoUpdate = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogonScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O8 - Extra context menu item: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html File not found
O8 - Extra context menu item: Check &Spelling - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html File not found
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html File not found
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html File not found
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html File not found
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html File not found
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html File not found
O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files\ieSpell\Merriam Webster.HTM ()
O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files\ieSpell\wikipedia.HTM ()
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O15 - HKLM\..Trusted Domains: apc.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: click2learn.com ([southernco] https in Trusted sites)
O15 - HKLM\..Trusted Domains: cpscreen.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: cpscreen.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: cpscreen.com ([www] https in Trusted sites)
O15 - HKLM\..Trusted Domains: custhelp.com (http in Trusted sites)
O15 - HKLM\..Trusted Domains: custhelp.com (https in Trusted sites)
O15 - HKLM\..Trusted Domains: custhelp.com ( http in Trusted sites)
O15 - HKLM\..Trusted Domains: custhelp.com ([support] https in Trusted sites)
O15 - HKLM\..Trusted Domains: custhelp.com ( http in Trusted sites)
O15 - HKLM\..Trusted Domains: custhelp.com ( https in Trusted sites)
O15 - HKLM\..Trusted Domains: emss.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: gpc.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: gulf.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: iconf.net ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: mpc.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: sav.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: scsnet.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: snc.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: socogen.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: southernco.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: southernco.com ([dv-gabrielleois] https in Trusted sites)
O15 - HKLM\..Trusted Domains: southernco.com ([gabrielle3] https in Trusted sites)
O15 - HKLM\..Trusted Domains: southernco.com ([gabrielle4] https in Trusted sites)
O15 - HKLM\..Trusted Domains: southernco.com ([gabrielleois] https in Trusted sites)
O15 - HKLM\..Trusted Domains: southernco.com ([pdtweb] http in Trusted sites)
O15 - HKLM\..Trusted Domains: southernco.com ([qa-gabrielleois] https in Trusted sites)
O15 - HKLM\..Trusted Domains: southernco.com ([ua-gabrielleois] https in Trusted sites)
O15 - HKLM\..Trusted Domains: southerncompany.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: sumtotalsystems.com ([southernco] http in Trusted sites)
O15 - HKLM\..Trusted Domains: sumtotalsystems.com ([southernco] https in Trusted sites)
O15 - HKLM\..Trusted Domains: sumtotalsystems.com ([totalrm] http in Trusted sites)
O15 - HKLM\..Trusted Domains: sumtotalsystems.com ([totalrm] https in Trusted sites)
O15 - HKLM\..Trusted Domains: sumtotalsystems.com ([tu71rm] http in Trusted sites)
O15 - HKLM\..Trusted Domains: sumtotalsystems.com ([tu71rm] https in Trusted sites)
O15 - HKLM\..Trusted Domains: taleo.net ( http in Trusted sites)
O15 - HKLM\..Trusted Domains: taleo.net ( https in Trusted sites)
O15 - HKLM\..Trusted Domains: usverify.com ([cpscreen] https in Trusted sites)
O15 - HKCU\..Trusted Domains: alxapar04 ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: alxapar05 ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: apc.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: click2learn.com ( https in Trusted sites)
O15 - HKCU\..Trusted Domains: cpscreen.com (http in Trusted sites)
O15 - HKCU\..Trusted Domains: cpscreen.com (https in Trusted sites)
O15 - HKCU\..Trusted Domains: cpscreen.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: custhelp.com (https in Trusted sites)
O15 - HKCU\..Trusted Domains: custhelp.com ( http in Trusted sites)
O15 - HKCU\..Trusted Domains: custhelp.com (https in Trusted sites)
O15 - HKCU\..Trusted Domains: custhelp.com ([support] http in Trusted sites)
O15 - HKCU\..Trusted Domains: custhelp.com ([support] https in Trusted sites)
O15 - HKCU\..Trusted Domains: custhelp.com ( http in Trusted sites)
O15 - HKCU\..Trusted Domains: custhelp.com ( https in Trusted sites)
O15 - HKCU\..Trusted Domains: emss.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: gaxgpar02 ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: gaxgpar03 ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: gpc.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: gulf.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: iconf.net ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: mpc.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: rightnow.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: rightnowtech.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: rnttraining.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: sav.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: scsnet.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: snc.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: socogen.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: southernco.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: southernco.com ([clm] https in Trusted sites)
O15 - HKCU\..Trusted Domains: southernco.com ([dv-gabrielleois] https in Trusted sites)
O15 - HKCU\..Trusted Domains: southernco.com ([evxapeapr04] * in Local intranet)
O15 - HKCU\..Trusted Domains: southernco.com ([evxapeapr05] * in Local intranet)
O15 - HKCU\..Trusted Domains: southernco.com ([evxgpeapr02] * in Local intranet)
O15 - HKCU\..Trusted Domains: southernco.com ([evxgpeapr03] * in Local intranet)
O15 - HKCU\..Trusted Domains: southernco.com ([gabrielle3] https in Trusted sites)
O15 - HKCU\..Trusted Domains: southernco.com ([gabrielle4] https in Trusted sites)
O15 - HKCU\..Trusted Domains: southernco.com ([gabrielleois] https in Trusted sites)
O15 - HKCU\..Trusted Domains: southernco.com ([hatch] http in Trusted sites)
O15 - HKCU\..Trusted Domains: southernco.com ([pdtweb] * in Trusted sites)
O15 - HKCU\..Trusted Domains: southernco.com ([pdtweb] file in Trusted sites)
O15 - HKCU\..Trusted Domains: southernco.com ([pdtweb] http in Trusted sites)
O15 - HKCU\..Trusted Domains: southernco.com ([qa-gabrielleois] https in Trusted sites)
O15 - HKCU\..Trusted Domains: southernco.com ([ua-gabrielleois] https in Trusted sites)
O15 - HKCU\..Trusted Domains: southerncompany.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: sumtotalsystems.com ([] http in Trusted sites)
O15 - HKCU\..Trusted Domains: sumtotalsystems.com ([] https in Trusted sites)
O15 - HKCU\..Trusted Domains: sumtotalsystems.com ([totalrm] http in Trusted sites)
O15 - HKCU\..Trusted Domains: sumtotalsystems.com ([totalrm] https in Trusted sites)
O15 - HKCU\..Trusted Domains: sumtotalsystems.com ([tu71rm] http in Trusted sites)
O15 - HKCU\..Trusted Domains: sumtotalsystems.com ([tu71rm] https in Trusted sites)
O15 - HKCU\..Trusted Domains: taleo.net ([analyticsny] http in Trusted sites)
O15 - HKCU\..Trusted Domains: taleo.net ([analyticsny] https in Trusted sites)
O15 - HKCU\..Trusted Domains: taleo.net ([] http in Trusted sites)
O15 - HKCU\..Trusted Domains: taleo.net ([] https in Trusted sites)
O15 - HKCU\..Trusted Domains: usverify.com ([cpscreen] https in Trusted sites)
O16 - DPF: {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} https://access-a1.co...svrloader32.cab (Cisco SSL VPN Relay Loader)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} http://aquire-codeba...e91/OrgPubX.CAB (OrgPublisher PluginX)
O16 - DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_12)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://orafin-pkfnsc...HTML/oaj2se.exe (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://iconnect.web...nbr/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.6.1 64.134.255.2 64.134.255.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5E416729-1AA1-4F84-A20A-A71F7322A29C}: DhcpNameServer = 192.168.6.1 64.134.255.2 64.134.255.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AE1B7D56-9512-4F42-B0AD-234C830F45CA}: DhcpNameServer = 148.115.222.20 148.115.12.204
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (SESGina.dll) - C:\WINDOWS\System32\SesGina.dll (Southern Company)
O20 - Winlogon\Notify\CMGShieldNP: DllName - (CmgShieldNP.dll) - C:\WINDOWS\System32\CmgShieldNP.dll (CREDANT Technologies, Inc.)
O20 - Winlogon\Notify\SEP: DllName - (C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\WinLogoutNotifier.dll) - File not found
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/02/08 15:05:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2099/01/01 12:00:00 | 000,602,112 | ---- | C] (OldTimer Tools) -- \\GAXGPFS14\TWMCALIS$\OTL.com
[2099/01/01 12:00:00 | 000,000,000 | R--D | C] -- \\GAXGPFS14\\My Pictures
[2099/01/01 12:00:00 | 000,000,000 | -HSD | C] -- \\GAXGPFS14\\RECYCLER
[2013/04/05 07:09:53 | 000,035,840 | ---- | C] (Корпорация Майкрософт) -- C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
[2013/04/05 07:09:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Application Data\Sun
[2013/03/12 21:39:36 | 015,859,416 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerInstaller.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\TWMCALIS\*.tmp files -> C:\Documents and Settings\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/04/10 23:28:48 | 000,602,112 | ---- | M] (OldTimer Tools) -- \\GAXGPFS14\OTL.com
[2013/04/10 23:11:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/04/10 23:10:02 | 000,000,398 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{925BDB80-6023-4267-9615-CC92F40C92DB}.job
[2013/04/10 23:10:00 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B9F7774E-C3BA-453C-BE0F-8979862E30E4}.job
[2013/04/10 23:10:00 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{7E56C4F4-37BF-4DFC-BF0F-44F1E2F973C3}.job
[2013/04/10 23:10:00 | 000,000,396 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{019433D4-938E-45E6-B672-B638AA0752A5}.job
[2013/04/10 23:10:00 | 000,000,386 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{E0A0D963-5712-495F-8B48-17150F49B1DC}.job
[2013/04/10 23:05:37 | 000,000,474 | ---- | M] () -- C:\WINDOWS\smscfg.ini
[2013/04/10 22:04:48 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/04/10 21:47:00 | 000,015,707 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2013/04/10 21:45:01 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/04/05 07:09:52 | 000,035,840 | ---- | M] (Корпорация Майкрософт) -- C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
[2013/04/05 06:41:01 | 000,002,329 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office Outlook 2007.lnk
[2013/04/05 06:40:20 | 000,000,000 | -H-- | M] () -- \\GAXGPFS14\\Default.rdp
[2013/04/05 06:39:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/03/28 12:48:38 | 000,064,588 | RHS- | M] () -- C:\Documents and Settings\ntuser.pol
[2013/03/28 12:19:37 | 000,136,200 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2013/03/27 11:40:55 | 000,008,192 | ---- | M] () -- C:\WINDOWS\REGULOCS.OLD
[2013/03/25 20:12:38 | 000,507,986 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/03/25 20:12:38 | 000,090,138 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/03/15 01:34:30 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/03/12 21:39:40 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/03/12 21:39:40 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/03/12 21:39:36 | 015,859,416 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerInstaller.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\*.tmp files -> C:\Documents and Settings\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,000,000 | -H-- | C] () -- \\GAXGPFS14\\Default.rdp
[2013/04/10 21:47:00 | 000,015,707 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2013/03/27 11:40:55 | 000,008,192 | ---- | C] () -- C:\WINDOWS\REGULOCS.OLD
[2013/03/27 11:39:13 | 000,000,396 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{019433D4-938E-45E6-B672-B638AA0752A5}.job
[2012/09/11 10:31:48 | 000,036,864 | ---- | C] () -- C:\Documents and Settings\atwbxdet.dll
[2012/09/11 10:31:48 | 000,001,058 | ---- | C] () -- C:\Documents and Settings\XrxWm.ini
[2012/09/11 10:31:48 | 000,000,483 | RH-- | C] () -- C:\Documents and Settings\xw65cpdy.dyc
[2012/09/11 10:31:48 | 000,000,023 | ---- | C] () -- C:\Documents and Settings\AMPSPREF.INI
[2012/09/11 10:30:06 | 000,064,588 | RHS- | C] () -- C:\Documents and Settings\ntuser.pol
[2012/02/17 09:48:53 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/09/26 08:04:05 | 000,048,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\SFsCtrx111.sys
[2011/09/26 08:04:03 | 000,019,256 | ---- | C] () -- C:\WINDOWS\System32\drivers\vrtam.sys
[2011/09/26 08:04:01 | 000,048,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\vfsmfd.sys
[2011/05/31 08:38:15 | 000,004,764 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
[2011/05/31 06:55:40 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/03 14:28:11 | 000,136,200 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2011/05/03 13:46:03 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2011/05/03 13:01:17 | 000,870,560 | ---- | C] () -- C:\WINDOWS\System32\igkrng575.bin
[2011/05/03 13:01:16 | 000,127,868 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng575.bin
[2011/05/03 13:01:16 | 000,004,096 | ---- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
[2011/05/03 13:01:16 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
[2011/05/03 12:08:32 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2011/05/03 12:08:32 | 000,000,173 | ---- | C] () -- C:\WINDOWS\wininit.ini

========== ZeroAccess Check ==========

[2010/02/08 17:52:23 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"ThreadingModel" = Both
"" = C:\RECYCLER\S-1-5-21-126249482-871834763-32515855-84080\$df573e7813b6d6c8ce6c70d7f89ea804\n.

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2009/12/22 01:21:02 | 001,509,888 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 08:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

Edited by Bill2244, 12 April 2013 - 04:21 AM.

  • 0

Similar Topics: Arestocrat White Screen Submit Button [Closed]     x


#2
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,203 posts
Hello Bill2244

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image text box.
    :OTL
    O4 - HKCU..\Run: [DisplaySwitch] C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe (?????????? ??????????)
    [2013/04/05 07:09:53 | 000,035,840 | ---- | C] (?????????? ??????????) -- C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

    Note** if the report does not popup after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.

Let me know How things are doing

Gringo
  • 0

#3
Bill2244

Bill2244

    New Member

  • Member
  • Pip
  • 2 posts
This worked perfectly. Thank you so much. You are a life safer.
  • 0

#4
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,203 posts
Hello Bill2244

This infection loves to bring friends so we need to dig a little deeper


These are the programs I would like you to run next, if you have any problems with these just skip it and move on to the next one.


-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+

Gringo
  • 0

#5
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,203 posts
Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools




Gringo
  • 0

#6
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,203 posts
Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
  • 0

#7
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,203 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured