Computer infected by virus

Solved
By meadow
Oct 26, 2012
  1. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    [continue]
    RogueKiller.exe didn't generate a report. When I click on the Report button, I get "NotePad, couldn't find RKreport[1]_D_11062012_02d1339.txt file". On RogueKiller's Registry tab (under "deleting finished") there are two items: the 1st is removed (0), the 2nd is not removed; use HOSTSFIX.

    I have to restart the computer now to install MBAM. I will continue to post after I am back.
  2. meadow

    Log from running MBAM.
    -----------------------------
    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org
    Database version: v2012.11.06.09
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    username :: computername [administrator]
    11/6/2012 2:15:15 PM
    mbam-log-2012-11-06 (14-15-15).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 232633
    Time elapsed: 4 minute(s), 29 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 1
    C:\Documents and Settings\All Users\Application Data\uungIlonDpuaYRY.exe (Trojan.Foury) -> Quarantined and deleted successfully.
    (end)
    ------------------------
    I have to restart the computer now.
  3. meadow

    After running MBAM and restarting the computer, I cannot log on to my computer; I always get a domain or ... error. After I disconnected my network cable, I was able to log on.

    log of aswMBR:
    --------------------------------------------
    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-11-06 14:53:05
    -----------------------------
    14:53:05.234 OS Version: Windows 5.1.2600 Service Pack 3
    14:53:05.234 Number of processors: 2 586 0xF0B
    14:53:05.234 ComputerName: mycomputer name UserName: my userid
    14:53:11.328 Initialize success
    14:53:52.625 AVAST engine defs: 12110601
    14:53:58.578 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
    14:53:58.578 Disk 0 Vendor: ST3160318AS CC45 Size: 152587MB BusType: 3
    14:53:58.750 Disk 0 MBR read successfully
    14:53:58.750 Disk 0 MBR scan
    14:53:58.781 Disk 0 Windows 7 default MBR code
    14:53:58.796 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152578 MB offset 16065
    14:53:58.796 Disk 0 scanning sectors +312496380
    14:53:58.875 Disk 0 scanning C:\WINDOWS\system32\drivers
    14:54:16.453 Service scanning
    14:54:29.921 Service MpKsldb1a2bef c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C73ED4E4-98EF-4DD2-BC73-18C7187C5476}\MpKsldb1a2bef.sys **LOCKED** 32
    14:54:44.515 Modules scanning
    14:54:52.187 Disk 0 trace - called modules:
    14:54:52.203 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    14:54:52.203 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a608ab8]
    14:54:52.203 3 CLASSPNP.SYS[ba178fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x8a584b00]
    14:54:58.328 AVAST engine scan C:\WINDOWS
    14:55:11.687 AVAST engine scan C:\WINDOWS\system32
    14:58:24.921 AVAST engine scan C:\WINDOWS\system32\drivers
    14:58:48.406 AVAST engine scan C:\Documents and Settings\IP0XC3
    15:02:03.265 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\IP0XC3\Desktop\MBR.dat"
    15:02:03.343 The log file has been saved successfully to "C:\Documents and Settings\IP0XC3\Desktop\aswMBR.txt"
    ----------------------
    Thanks.
  4. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    Still having the logon issue?
  5. meadow

    Yes, if my computer is connected to the network, I cannot log on; I get the error message "windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found...". I disconnected the cable and was able to log on to the computer, but I have to wait a little while before the desktop shows up. Then I plug the network cable back in and I can access the internet. I didn't try to access our local network; I don't want to bring anything to the network.
  6. Broni

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ======================================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
  7. meadow

    I cannot find "System Restore".
    If I point to "Start", "All Programs", I only have "mbam". If I point to "mbam", I get "Tools" and 3 more mbam-related items. If I then point to "Tools", there is only one mbam item.
    If I point to "Start", then right-click on "All Programs" and click "Open", I can get to the folder C:\Documents and Settings\myusername\Start Menu\Programs\Accessories\System Tools, but there is only one shortcut, "Internet Explorer", in the folder.
  8. Broni

    Go Start>Run and paste this:
    rstrui.exe
    Click OK.

    Does system restore open?
  9. meadow

    rstrui.exe is not in the path folder,
    but I found it under the c:\windows\system32\restore folder. When I run it, I get the error message "System Restore: system restore is not able to protect your computer. please restart your computer and run system restore again".
    I will try again and report back.
    Thanks.
  10. meadow

    I restarted the computer and ran rstrui.exe again, and got the same error message as last time.
  11. Broni

    Go ahead and run Combofix anyway.
  12. meadow

    Log from running Combofix.exe
    ------------------------------
    ComboFix 12-11-09.02 - userid 11/09/2012 12:45:34.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1285 [GMT -5:00]
    Running from: c:\documents and settings\usesid\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\URTTemp
    c:\windows\system32\URTTemp\regtlib.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-10-09 to 2012-11-09 )))))))))))))))))))))))))))))))
    .
    .
    2012-11-09 17:29 . 2012-11-09 17:29 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3558E51C-7782-4E3B-B8C8-5CC2FFF3D34D}\MpKslca894eb0.sys
    2012-11-08 17:27 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3558E51C-7782-4E3B-B8C8-5CC2FFF3D34D}\mpengine.dll
    2012-11-06 19:07 . 2012-11-06 19:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-11-06 19:07 . 2012-09-30 00:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-11-06 18:38 . 2012-11-06 18:39 -------- d-----w- C:\RK_Quarantine
    2012-10-26 14:26 . 2012-10-26 14:26 -------- d--h--w- c:\documents and settings\userid\Local Settings\Application Data\PCHealth
    2012-10-22 17:07 . 2012-10-22 17:07 -------- d--h--w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-11-06 18:10 . 2012-03-12 16:27 612288 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2012-10-12 05:56 . 2012-01-12 18:47 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SetGrammaticaLicense"="c:\windows\system32\gl.vbs" [2009-08-03 486]
    "PinAInfo"="c:\windows\system32\ai.vbs" [2009-09-04 922]
    "SetDefaultPrinter"="c:\windows\system32\dp.vbs" [2010-09-20 398]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-01-08 1044480]
    "GPUpdate"="c:\windows\system32\gpupdate.exe" [2008-08-11 57344]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2011-9-15 6144]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylockeduserid"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-789336058-682003330-538188\Scripts\Logon\0\0]
    "Script"=firefox_login.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-789336058-682003330-538189\Scripts\Logon\0\0]
    "Script"=firefox_login.vbs
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\EVN\\BIN\\evn.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R0 megasas;megasas;c:\windows\system32\drivers\megasas.sys [5/2/2011 10:23 AM 17664]
    R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [5/2/2011 10:23 AM 10880]
    R1 MpKslca894eb0;MpKslca894eb0;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3558E51C-7782-4E3B-B8C8-5CC2FFF3D34D}\MpKslca894eb0.sys [11/9/2012 12:29 PM 29904]
    R2 pdlndldl6;IBM Enterprise Extender (HPR/IPv6);c:\windows\system32\drivers\pdlndldl6.sys [3/3/2011 10:57 AM 72704]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/6/2012 2:07 PM 22856]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [5/2/2011 11:49 AM 168616]
    S3 iftrcdrv;InfraTools Remote Control Driver;c:\progra~1\PEREGR~1\INFRAT~1\bin\iftrcdrv.sys [5/2/2011 9:41 AM 6097]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSLCA894EB0
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1597753769-3272558778-1852756267-2651Core.job
    - c:\documents and settings\userid\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-24 12:56]
    .
    2012-11-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1597753769-3272558778-1852756267-2651UA.job
    - c:\documents and settings\userid\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-24 12:56]
    .
    2012-11-09 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: {C33E0064-3567-40E8-9D59-E27921F85CA7} - hxxps://secure.identrust.com/ms/IdenTrustCertEnroll.cab
    DPF: {E81D4451-F9A6-4E99-AE23-0D040C020A62} - hxxps://secure.identrust.com/ms/IdenTrustCertEnroll.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\FlashUtil10v_ActiveX.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-11-09 12:49
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(936)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    Completion time: 2012-11-09 12:52:14
    ComboFix-quarantined-files.txt 2012-11-09 17:52
    .
    Pre-Run: 139,984,830,464 bytes free
    Post-Run: 140,160,446,464 bytes free
    .
    - - End Of File - - 9AD360F50B0E92F2D69EED319636D20B
    ------------
    Thanks.
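Before calling this log clean, the helper reads the "Reg Loading Points" section above by eye: what launches each entry, where the file lives, and whether the name looks machine-generated, like the uungIlonDpuaYRY.exe that MBAM quarantined earlier. The following is an added example, not part of this thread and not code from ComboFix or Malwarebytes, that does the same pass mechanically over the Run-key value lines. The embedded sample copies four lines from the ComboFix log above and adds one constructed "Dropper" line that reuses the quarantined path, to show how that file would have looked had it persisted in a Run key; the three heuristics and their thresholds are assumptions of mine, not anything the tools in the thread do.

```python
"""Triage helper for the Run-key lines of a ComboFix log (added example, not ComboFix code)."""
import re
import sys
from pathlib import PureWindowsPath

# One ComboFix "Reg Loading Points" value line looks like:  "Name"="path" [YYYY-MM-DD size]
RUN_ENTRY = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]\s*$'
)

# Extensions that mean a script host (wscript/cscript/cmd/mshta), not the named file, is what runs.
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".hta"}

# User-writable drop locations on Windows XP, matched case-insensitively as path fragments.
DROP_DIRS = (
    "\\all users\\application data\\",
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)

# Sample input: four lines copied from the ComboFix log above plus one constructed
# "Dropper" line that reuses the path MBAM quarantined (it was gone before ComboFix ran).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetGrammaticaLicense"="c:\windows\system32\gl.vbs" [2009-08-03 486]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-01-08 1044480]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Dropper"="c:\documents and settings\All Users\Application Data\uungIlonDpuaYRY.exe" [2012-11-01 51200]
'''


def case_transitions(stem: str) -> int:
    """Count lower<->upper switches between consecutive letters ('uungIlonDpuaYRY' -> 5, 'jusched' -> 0)."""
    letters = [c for c in stem if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.islower() != b.islower())


def classify_path(path: str) -> list[str]:
    """Return the reasons a launched path deserves a second look; an empty list means nothing odd."""
    p = PureWindowsPath(path)
    low = path.lower()
    reasons = []
    if p.suffix.lower() in SCRIPT_EXT:
        reasons.append("script-host launched")
    if any(d in low for d in DROP_DIRS):
        reasons.append("lives in a user-writable data dir")
    # Threshold is an assumption: long stems with many case flips look generated, not chosen.
    if len(p.stem) >= 10 and case_transitions(p.stem) >= 4:
        reasons.append("random-looking mixed-case name")
    return reasons


def triage_combofix_run_keys(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Parse every Run-key value line in a ComboFix log; return (name, path, reasons) for flagged entries."""
    flagged = []
    for line in log_text.splitlines():
        m = RUN_ENTRY.match(line.strip())
        if not m:
            continue  # section headers, dots and non-Run lines are skipped
        reasons = classify_path(m["path"])
        if reasons:
            flagged.append((m["name"], m["path"], reasons))
    return flagged


def main(argv: list[str]) -> None:
    # Pass a saved ComboFix.txt as the first argument; with no argument the embedded sample is used.
    if len(argv) > 1:
        with open(argv[1], encoding="cp1252", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for name, path, reasons in triage_combofix_run_keys(text):
        print(f"{name}: {path}\n    -> {', '.join(reasons)}")


if __name__ == "__main__":
    main(sys.argv)
```

A flag means "look", not "delete": the three .vbs entries in the posted log trip the script-host rule even though, as Broni's "log looks good" verdict implies, they are most likely the site's own logon helpers, and legitimate things such as the Google Update task and the Microsoft Security Essentials definition driver also live under Application Data. The value of the pass is that it never skips a line, which is how a single odd entry among forty gets missed by eye.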
  13. meadow

    I still cannot log on to the computer with the network cable connected.
  14. Broni

    Combofix log looks good.

    Create a new profile with admin rights, restart the computer and log in to the new account to see if you have the same problem.
  15. meadow

    Is my computer clean now? Can we clean up the computer first and then solve the logon problem? I am so worried about bringing the virus to the network. Thanks.
  16. Broni

    That may be a good idea.

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  17. meadow

    File OTL.txt:
    -------------
    OTL logfile created on: 11/13/2012 2:08:49 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\userid\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.97 Gb Total Physical Memory | 1.31 Gb Available Physical Memory | 66.73% Memory free
    3.81 Gb Paging File | 3.28 Gb Available in Paging File | 86.01% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.00 Gb Total Space | 130.53 Gb Free Space | 87.60% Space Free | Partition Type: NTFS

    Computer Name: computer-name | User Name: userid | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/11/13 14:07:31 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\userid\Desktop\OTL.exe
    PRC - [2012/09/29 19:54:26 | 000,766,536 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    PRC - [2012/09/29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
    PRC - [2011/04/27 15:39:26 | 000,228,520 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
    PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    PRC - [2011/03/03 10:57:54 | 000,032,768 | ---- | M] (IBM Corporation) -- C:\WINDOWS\system32\drivers\trcboot.exe
    PRC - [2011/03/03 10:57:53 | 000,040,960 | ---- | M] (IBM Corporation) -- C:\WINDOWS\system32\drivers\ldlcserv6.exe
    PRC - [2011/03/03 10:57:53 | 000,028,672 | ---- | M] (IBM Corporation) -- C:\WINDOWS\system32\drivers\ldlcserv.exe
    PRC - [2011/03/03 10:57:08 | 000,028,672 | ---- | M] () -- C:\Program Files\IBM\Personal Communications\tpam.exe
    PRC - [2011/03/03 10:55:05 | 000,036,864 | ---- | M] (IBM Corporation) -- C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
    PRC - [2010/03/04 21:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
    PRC - [2009/11/12 20:59:02 | 000,132,392 | ---- | M] (Juniper Networks) -- C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
    PRC - [2009/09/18 03:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
    PRC - [2008/08/29 12:58:16 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    PRC - [2008/08/11 13:16:40 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2002/01/11 14:35:13 | 000,454,928 | ---- | M] (Peregrine Systems, Inc.) -- C:\Program Files\Peregrine\InfraTools Remote Control\bin\iftlsnr.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/03/03 10:57:08 | 000,028,672 | ---- | M] () -- C:\Program Files\IBM\Personal Communications\tpam.exe
    MOD - [2011/03/03 10:54:50 | 000,485,376 | ---- | M] () -- C:\Program Files\IBM\Personal Communications\OOCSVCS2.DLL
    MOD - [2010/03/04 21:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
    MOD - [2009/11/05 07:39:40 | 000,087,552 | ---- | M] () -- C:\WINDOWS\system32\cpwmon2k.dll
    MOD - [2008/08/29 12:58:26 | 000,197,408 | ---- | M] () -- C:\WINDOWS\system32\vpnapi.dll


    ========== Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
    SRV - [2012/09/29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
    SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
    SRV - [2011/03/03 10:57:55 | 000,032,768 | ---- | M] (IBM Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\appnnode.exe -- (AppnNode)
    SRV - [2011/03/03 10:57:54 | 000,032,768 | ---- | M] (IBM Corporation) [Auto | Running] -- C:\WINDOWS\system32\drivers\trcboot.exe -- (TrcBoot)
    SRV - [2011/03/03 10:57:53 | 000,040,960 | ---- | M] (IBM Corporation) [Auto | Running] -- C:\WINDOWS\system32\drivers\ldlcserv6.exe -- (ldlcserv6)
    SRV - [2011/03/03 10:57:53 | 000,036,864 | ---- | M] (IBM Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cstrcser.exe -- (cstrcser)
    SRV - [2011/03/03 10:57:53 | 000,028,672 | ---- | M] (IBM Corporation) [Auto | Running] -- C:\WINDOWS\system32\drivers\ldlcserv.exe -- (ldlcserv)
    SRV - [2011/03/03 10:54:46 | 000,049,152 | ---- | M] (IBM Corporation) [On_Demand | Stopped] -- C:\Program Files\IBM\Personal Communications\csrcmds.exe -- (csrcmds)
    SRV - [2010/03/04 21:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
    SRV - [2009/11/12 20:59:02 | 000,132,392 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe -- (JuniperAccessService)
    SRV - [2009/09/18 03:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
    SRV - [2009/09/18 03:00:00 | 000,246,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)
    SRV - [2008/08/29 12:58:16 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
    SRV - [2002/01/11 14:35:13 | 000,454,928 | ---- | M] (Peregrine Systems, Inc.) [Auto | Running] -- C:\Program Files\Peregrine\InfraTools Remote Control\bin\iftlsnr.exe -- (iftlsnr)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\userid\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2012/11/13 13:59:43 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{ECFB3762-ECA2-4147-9FCD-7C9522040D3A}\MpKsl1bbd3b21.sys -- (MpKsl1bbd3b21)
    DRV - [2012/09/29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2011/07/08 03:12:48 | 007,023,104 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2011/03/03 10:57:57 | 000,208,928 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\appnbase.sys -- (AppnBase)
    DRV - [2011/03/03 10:57:57 | 000,058,432 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlnsx25.sys -- (pdlnsx25)
    DRV - [2011/03/03 10:57:57 | 000,054,416 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlnsv25.sys -- (pdlnsv25)
    DRV - [2011/03/03 10:57:57 | 000,022,384 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlnslea.sys -- (pdlnslea)
    DRV - [2011/03/03 10:57:56 | 000,067,184 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlnemap.sys -- (pdlnemap)
    DRV - [2011/03/03 10:57:56 | 000,067,072 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlndsdl.sys -- (pdlndsdl)
    DRV - [2011/03/03 10:57:56 | 000,059,504 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlnshay.sys -- (pdlnshay)
    DRV - [2011/03/03 10:57:56 | 000,053,248 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlndqll.sys -- (pdlndqll)
    DRV - [2011/03/03 10:57:56 | 000,050,336 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlnecfg.sys -- (pdlnecfg)
    DRV - [2011/03/03 10:57:56 | 000,019,984 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlnepkt.sys -- (pdlnepkt)
    DRV - [2011/03/03 10:57:56 | 000,018,944 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlndoem.sys -- (pdlndoem)
    DRV - [2011/03/03 10:57:56 | 000,012,768 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlnemsg.sys -- (pdlnemsg)
    DRV - [2011/03/03 10:57:56 | 000,008,608 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlnebas.sys -- (pdlnebas)
    DRV - [2011/03/03 10:57:55 | 000,160,288 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlncfwk.sys -- (pdlncfwk)
    DRV - [2011/03/03 10:57:55 | 000,075,200 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlnacom.sys -- (pdlnacom)
    DRV - [2011/03/03 10:57:55 | 000,070,144 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlndlpb.sys -- (pdlndlpb)
    DRV - [2011/03/03 10:57:55 | 000,064,512 | ---- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pdlndldl.sys -- (pdlndldl)
    DRV - [2011/03/03 10:57:55 | 000,036,048 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlnafac.sys -- (pdlnafac)
    DRV - [2011/03/03 10:57:55 | 000,012,800 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlndint.sys -- (pdlndint)
    DRV - [2011/03/03 10:57:55 | 000,006,784 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdlncbas.sys -- (pdlncbas)
    DRV - [2011/03/03 10:57:54 | 001,322,080 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\appn.sys -- (Appn)
    DRV - [2011/03/03 10:57:54 | 000,120,224 | ---- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\appnapi.sys -- (AppnApi)
    DRV - [2011/03/03 10:57:54 | 000,101,696 | ---- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\llc2.sys -- (IBM_LLC2)
    DRV - [2011/03/03 10:57:54 | 000,072,704 | ---- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pdlndldl6.sys -- (pdlndldl6)
    DRV - [2011/03/03 10:57:54 | 000,038,280 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\anydlc.sys -- (Anydlc)
    DRV - [2011/03/03 10:57:53 | 000,024,588 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klognt.sys -- (KLOGNT)
    DRV - [2011/03/03 10:57:53 | 000,012,028 | ---- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nstrcnt.sys -- (NsTrcNT)
    DRV - [2010/04/05 23:35:56 | 000,168,616 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e1k5132.sys -- (e1kexpress)
    DRV - [2009/11/12 12:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2009/09/18 03:00:00 | 000,020,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
    DRV - [2008/10/20 19:08:06 | 000,012,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smsmdm.sys -- (smsmdd)
    DRV - [2008/08/29 12:57:18 | 000,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
    DRV - [2008/08/21 05:38:10 | 000,020,480 | R--- | M] (Dell Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
    DRV - [2008/03/29 16:36:28 | 000,125,328 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
    DRV - [2007/05/11 23:00:14 | 000,045,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI)
    DRV - [2007/01/18 17:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
    DRV - [2005/11/30 21:30:14 | 000,010,880 | ---- | M] (VMware, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\vmscsi.sys -- (vmscsi)
    DRV - [2005/08/12 11:46:42 | 000,062,080 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SI3112.sys -- (SI3112)
    DRV - [2005/08/12 09:14:20 | 000,004,736 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\SiRemFil.sys -- (SiRemFil)
    DRV - [2004/11/01 11:21:32 | 000,010,368 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SiWinAcc.sys -- (SiFilter)
    DRV - [2001/04/19 02:58:05 | 000,006,097 | ---- | M] (Peregrine Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Peregrine\InfraTools Remote Control\bin\iftrcdrv.sys -- (iftrcdrv)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = Reg Error: Value error.
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = file://c:\WINDOWS\IEaccess\IEaccess.htm
    IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = file://c:\WINDOWS\IEaccess\IEaccess.htm
    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\..\SearchScopes,DefaultScope = {E05A147D-4288-45BD-985F-255FB2DEBB45}
    IE - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\..\SearchScopes\{E05A147D-4288-45BD-985F-255FB2DEBB45}: "URL" = http://www.bing.com/search?q={searchTerms}&form=B8DFDF&pc=B8DF&src=IE-SearchBox
    IE - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\userid\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\userid\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)



    O1 HOSTS File: ([2012/11/09 12:49:10 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [GPUpdate] C:\WINDOWS\System32\gpupdate.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [PinAInfo] C:\WINDOWS\system32\ai.vbs ()
    O4 - HKLM..\Run: [SetDefaultPrinter] C:\WINDOWS\system32\dp.vbs ()
    O4 - HKLM..\Run: [SetGrammaticaLicense] C:\WINDOWS\system32\gl.vbs ()
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylockeduserid = 1
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {C33E0064-3567-40E8-9D59-E27921F85CA7} https://secure.identrust.com/ms/IdenTrustCertEnroll.cab (PreVistaEnrollControl Class)
    O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://juniper.net/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupControlXP Class)
    O16 - DPF: {E81D4451-F9A6-4E99-AE23-0D040C020A62} https://secure.identrust.com/ms/IdenTrustCertEnroll.cab (PreVistaEnrollControl Class)
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.72.126.59 10.72.126.26
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Grid12NT.nysdol.us
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E48819ED-8852-43E7-8370-81B6FFA49C09}: DhcpNameServer = 10.72.126.59 10.72.126.26
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2011/08/12 17:19:37 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/11/13 14:07:24 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\userid\Desktop\OTL.exe
    [2012/11/13 14:06:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
    [2012/11/09 12:52:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2012/11/06 14:38:39 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\userid\Desktop\aswMBR.exe
    [2012/11/06 14:07:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/11/06 14:07:02 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2012/11/06 14:07:02 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/11/06 13:38:31 | 000,000,000 | ---D | C] -- C:\RK_Quarantine
    [2012/11/06 13:14:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\userid\Desktop\tdsskiller
    [2012/11/02 10:00:42 | 000,307,777 | ---- | C] (Farbar) -- C:\Documents and Settings\userid\Desktop\ListParts.exe
    [2012/11/01 15:46:00 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/11/01 15:46:00 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/11/01 15:46:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/11/01 15:46:00 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/11/01 15:43:36 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/11/01 15:38:09 | 004,998,937 | R--- | C] (Swearware) -- C:\Documents and Settings\userid\Desktop\ComboFix.exe
    [2012/10/26 12:08:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\userid\Recent
    [2012/10/26 09:27:34 | 010,669,952 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\userid\Desktop\mbam-setup-1.65.1.1000.exe
    [2012/10/26 09:26:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\userid\Local Settings\Application Data\PCHealth
    [2012/10/22 12:07:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
    [2012/10/22 11:53:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump

    ========== Files - Modified Within 30 Days ==========

    [2012/11/13 14:11:01 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1597753769-3272558778-1852756267-2651UA.job
    [2012/11/13 14:07:31 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\userid\Desktop\OTL.exe
    [2012/11/13 14:04:16 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2012/11/13 14:03:52 | 000,509,682 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/11/13 14:03:52 | 000,089,828 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/11/13 14:03:38 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    [2012/11/13 14:03:23 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/11/13 13:58:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/11/13 13:58:52 | 2111,422,464 | -HS- | M] () -- C:\hiberfil.sys
    [2012/11/09 12:49:10 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2012/11/09 12:42:02 | 004,998,937 | R--- | M] (Swearware) -- C:\Documents and Settings\userid\Desktop\ComboFix.exe
    [2012/11/08 12:30:02 | 000,002,299 | ---- | M] () -- C:\Documents and Settings\userid\Desktop\Google Chrome.lnk
    [2012/11/08 12:30:02 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\userid\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2012/11/06 15:02:03 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\userid\Desktop\MBR.dat
    [2012/11/06 14:38:39 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\userid\Desktop\aswMBR.exe
    [2012/11/06 14:13:19 | 000,000,630 | RHS- | M] () -- C:\Documents and Settings\userid\ntuser.pol
    [2012/11/06 14:09:22 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/11/06 13:58:16 | 010,669,952 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\userid\Desktop\mbam-setup-1.65.1.1000.exe
    [2012/11/06 13:36:15 | 000,430,592 | ---- | M] () -- C:\Documents and Settings\userid\Desktop\RogueKiller.exe
    [2012/11/06 13:11:44 | 002,195,061 | ---- | M] () -- C:\Documents and Settings\userid\Desktop\tdsskiller.zip
    [2012/11/01 22:18:32 | 000,307,777 | ---- | M] (Farbar) -- C:\Documents and Settings\userid\Desktop\ListParts.exe
    [2012/10/24 21:43:48 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\userid\Desktop\1gls3wdz.exe
    [2012/10/22 11:27:04 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/10/22 09:11:00 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1597753769-3272558778-1852756267-2651Core.job
    [2012/10/22 07:41:12 | 000,030,192 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

    ========== Files Created - No Company Name ==========

    [2012/11/09 12:47:35 | 000,002,447 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    [2012/11/09 12:47:35 | 000,001,793 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    [2012/11/09 12:47:30 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
    [2012/11/09 12:47:30 | 000,001,809 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Search.lnk
    [2012/11/09 12:47:30 | 000,001,686 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012/11/09 12:47:30 | 000,001,562 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\CDBurnerXP.lnk
    [2012/11/09 12:47:30 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
    [2012/11/09 12:47:30 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
    [2012/11/08 14:08:29 | 2111,422,464 | -HS- | C] () -- C:\hiberfil.sys
    [2012/11/06 15:02:03 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\userid\Desktop\MBR.dat
    [2012/11/06 14:07:10 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/11/06 13:36:04 | 000,430,592 | ---- | C] () -- C:\Documents and Settings\userid\Desktop\RogueKiller.exe
    [2012/11/06 13:11:37 | 002,195,061 | ---- | C] () -- C:\Documents and Settings\userid\Desktop\tdsskiller.zip
    [2012/11/01 15:46:00 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/11/01 15:46:00 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/11/01 15:46:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/11/01 15:46:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/11/01 15:46:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/10/26 11:35:37 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\userid\Desktop\1gls3wdz.exe
    [2012/08/17 11:15:15 | 000,000,768 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
    [2011/12/15 12:50:57 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/08/25 11:28:01 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\userid\Local Settings\Application Data\PUTTY.RND
    [2011/08/23 12:17:59 | 000,000,630 | RHS- | C] () -- C:\Documents and Settings\userid\ntuser.pol
    [2011/08/12 17:38:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
    [2011/08/12 17:35:18 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
    [2011/08/12 17:35:18 | 000,234,142 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2011/08/12 17:35:18 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
    [2011/08/12 14:17:33 | 000,004,764 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
    [2011/08/12 13:43:04 | 000,030,192 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
    [2011/05/02 11:52:04 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2011/05/02 11:52:04 | 000,509,682 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/05/02 11:52:04 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2011/05/02 11:52:04 | 000,089,828 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/05/02 11:52:04 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2011/05/02 11:52:04 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2011/05/02 11:52:04 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2011/05/02 11:52:04 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2011/05/02 11:52:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2011/05/02 11:52:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2011/05/02 11:51:59 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2011/05/02 11:51:59 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2011/05/02 10:32:02 | 000,000,393 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2011/05/02 09:46:29 | 000,316,416 | ---- | C] () -- C:\WINDOWS\System32\ct_corct.dll
    [2011/05/02 09:46:29 | 000,272,384 | ---- | C] () -- C:\WINDOWS\System32\ct_bar.dll
    [2011/05/02 09:46:29 | 000,176,640 | ---- | C] () -- C:\WINDOWS\System32\ct_file.dll
    [2011/05/02 09:46:29 | 000,025,088 | ---- | C] () -- C:\WINDOWS\System32\ct_zset.dll
    [2011/05/02 09:46:28 | 000,022,944 | ---- | C] () -- C:\WINDOWS\System32\ci_file.dll
    [2011/05/02 09:46:28 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ci_corct.dll
    [2011/05/02 09:46:28 | 000,005,888 | ---- | C] () -- C:\WINDOWS\System32\ci_srv.dll
    [2011/05/02 09:46:28 | 000,003,968 | ---- | C] () -- C:\WINDOWS\System32\ci_bar.dll
    [2011/05/02 09:41:41 | 000,000,261 | ---- | C] () -- C:\WINDOWS\iftagt.ini
    [2011/05/02 09:41:40 | 000,000,072 | ---- | C] () -- C:\WINDOWS\iftlsnr.ini
    [2011/05/02 09:40:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcsmig.INI
    [2011/05/02 09:39:53 | 000,411,391 | ---- | C] () -- C:\WINDOWS\System32\Info.exe
    [2011/05/02 09:04:37 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
    [2011/05/02 09:03:49 | 000,000,078 | ---- | C] () -- C:\WINDOWS\init.ini
    [2011/05/02 09:03:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ps2pdf.dll
    [2011/05/02 08:54:33 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
    [2011/05/02 08:53:30 | 012,832,768 | ---- | C] () -- C:\WINDOWS\System32\gsdll32.dll
    [2011/05/02 08:01:27 | 000,000,051 | ---- | C] () -- C:\WINDOWS\smsts.ini
    [2011/05/02 08:00:24 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2011/05/02 07:57:59 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2011/05/02 07:57:47 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
    [2011/05/02 03:56:23 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2011/05/02 03:55:55 | 000,269,392 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/03/03 10:57:53 | 000,000,251 | ---- | C] () -- C:\WINDOWS\System32\drivers\hlldrvr.com

    ========== ZeroAccess Check ==========

    [2011/05/02 08:07:12 | 000,000,227 | -HS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shdocvw.dll -- [2011/02/17 08:51:57 | 001,510,400 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = %systemroot%\system32\wbem\wbemess.dll -- [2008/08/11 13:13:18 | 000,273,920 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    ========== LOP Check ==========

    [2011/05/02 09:39:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Grammatica
    [2011/05/02 09:06:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\IBM
    [2011/08/15 12:05:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.computer-name\Application Data\Windows Desktop Search
    [2011/08/12 13:55:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GroupPolicy
    [2011/05/02 09:10:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IBM
    [2011/05/02 09:04:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
    [2011/08/25 08:29:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\userid\Application Data\Windows Desktop Search
    [2012/01/13 10:22:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\userid\Application Data\Windows Search

    ========== Purity Check ==========


    < End of report >
  18. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    File Extras.Txt
    --------------------OTL Extras logfile created on: 11/13/2012 2:08:49 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\user-id\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.97 Gb Total Physical Memory | 1.31 Gb Available Physical Memory | 66.73% Memory free
    3.81 Gb Paging File | 3.28 Gb Available in Paging File | 86.01% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.00 Gb Total Space | 130.53 Gb Free Space | 87.60% Space Free | Partition Type: NTFS

    Computer Name: computer-name | User Name: user-id | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-1597753769-3272558778-1852756267-2651\SOFTWARE\Classes\<extension>]
    .html [@ = ChromeHTML] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
    "Enabled" = 1
    "RemoteAddresses" =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop]
    "Enabled" = 1
    "RemoteAddresses" =

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22002
    "5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 -- (Microsoft Corporation)
    "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 -- (Microsoft Corporation)
    "C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 -- (Microsoft Corporation)
    "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 -- (Microsoft Corporation)
    "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
    "C:\EVN\BIN\evn.exe" = C:\EVN\BIN\evn.exe:*:Enabled:evn -- ()


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
    "{2609EDF1-34C4-4B03-B634-55F3B3BC4931}" = Configuration Manager Client
    "{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1" = Media Player Classic - Home Cinema v1.4.2499.0
    "{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 30
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
    "{3A31B199-99D8-4203-9E0E-E3C9D8902534}" = xEditor
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{447D8B58-880C-4627-BF57-9C408219313E}" = Juniper Installer Service
    "{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
    "{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}" = Cisco Systems VPN Client 5.0.04.0300
    "{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
    "{5DBE95F6-823A-4547-9921-CEDFADA1D2D8}" = McAfee Agent
    "{721ABC3B-5F12-4332-9C0C-C11424EF666C}" = WIMGAPI
    "{73868DD9-CC9A-4F7F-B708-99F096DEAB6D}" = Adobe Shockwave Player 11.5
    "{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
    "{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
    "{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{95120000-0052-0409-0000-0000000FF1CE}" = Microsoft Office Visio Viewer 2007
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
    "{B3AE8231-C74A-4412-8701-EB494088C7A5}" = IBM Personal Communications
    "{B7BDAF22-9647-4846-8EA9-6E0A5B785651}" = Adobe Flash Player 10 Plugin
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D787C24E-809D-4C48-BF53-EC5C76689A13}" = PolicyMakerâ„¢ Registry Extension Client
    "{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
    "{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
    "1CF754F21E4C8FD08B6F7C7CC3879C7395616841" = Windows Driver Package - Hewlett-Packard DOT4 (11/04/2007 10.1.1.3)
    "2ED8EBC618ADA2092998C1AD5B6F07600EC8CEDB" = Windows Driver Package - Hewlett-Packard DOT4USB (02/18/2008 10.1.1.3)
    "44A1336677759DD100DBA0E475E6C92114FFA5E8" = Windows Driver Package - Hewlett-Packard DOT4 (02/18/2008 10.1.1.3)
    "656EF72B6C5328B8FB837688D9282663C5046571" = Windows Driver Package - Hewlett-Packard DOT4USB (07/25/2007 10.1.1.3)
    "66373F198F5809ED38963BFA32FAC8008F8371D2" = Windows Driver Package - HP HP LaserJet P4010_P4510 Series PCL 6 (02/28/2008 61.072.51.02)
    "66ED737C9D2B25C479FE362736CDC0734A1BC20A" = Windows Driver Package - Hewlett-Packard (HPZs2k12) DiskDrive (02/18/2008 10.1.1.5)
    "6BFBF3E69880B92F09E46EAAF1A5BCA3EC73B329" = Windows Driver Package - Hewlett-Packard DOT4PRT (02/18/2008 10.1.1.3)
    "8688956EC139638F031FB8EFEB14ECA17BCF98DA" = Windows Driver Package - HP HP LaserJet 5200LX PCL 6 (07/24/2007 61.063.941.00)
    "997246873C67DB6031D55D0688BF87DFFB21EB69" = Windows Driver Package - Hewlett-Packard DOT4 (02/18/2008 10.1.1.3)
    "9F1C57C4F855806D0B6F9BB24E2041E3FE19A2E1" = Windows Driver Package - Hewlett-Packard DOT4 (07/25/2007 10.1.1.3)
    "Adobe AIR" = Adobe AIR
    "BE25A62BB7041ED0F5643AA34A6FB49F7F8A63D6" = Windows Driver Package - Hewlett-Packard DOT4PRT (07/25/2007 10.1.1.3)
    "CutePDF Writer Installation" = CutePDF Writer 2.8
    "D3BBA59DAEC58919DF6127C26F86D481A4B90B73" = Windows Driver Package - Hewlett-Packard Ports (07/25/2007 10.1.1.3)
    "F2BC9F814E94612B191E1AD48872E3B5349686AC" = Windows Driver Package - Hewlett-Packard Ports (02/18/2008 10.1.1.3)
    "GPL Ghostscript 9.00" = GPL Ghostscript 9.00
    "Grammatica_is1" = Grammatica 7.0.3
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "InfraTools Remote Control@5.53@en" = InfraTools Remote Control version 5.53 en
    "IWPMNTV2R3" = IWPM for Windows XP
    "Juniper_Setup_Client Activex Control" = Juniper Networks Setup Client Activex Control
    "Letter Generator" = Letter Generator
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Security Client" = Microsoft Security Essentials
    "Microsoft Visual Studio 2005 Tools for Office Runtime" = Microsoft Visual Studio 2005 Tools for Office Runtime
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "PROPLUS" = Microsoft Office Professional Plus 2007
    "RDC" = RDC
    "Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "YTdetect" = Yahoo! Detect
    "ZHCIELangPack" = Chinese (Simplified) Language Support

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-1597753769-3272558778-1852756267-2651\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 5/13/2012 8:32:08 AM | Computer Name = computer-name | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    Error - 5/13/2012 4:32:08 PM | Computer Name = computer-name | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    Error - 5/14/2012 12:32:08 AM | Computer Name = computer-name | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    Error - 5/14/2012 8:32:08 AM | Computer Name = computer-name | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    Error - 5/14/2012 9:08:08 AM | Computer Name = computer-name | Source = Userenv | ID = 1054
    Description = Windows cannot obtain the domain controller name for your computer
    network. (The specified domain either does not exist or could not be contacted.
    ). Group Policy processing aborted.

    Error - 5/14/2012 4:32:08 PM | Computer Name = computer-name | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    Error - 5/15/2012 12:32:08 AM | Computer Name = computer-name | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    Error - 5/15/2012 8:32:08 AM | Computer Name = computer-name | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    Error - 5/15/2012 1:46:14 PM | Computer Name = computer-name | Source = Userenv | ID = 1054
    Description = Windows cannot obtain the domain controller name for your computer
    network. (The specified domain either does not exist or could not be contacted.
    ). Group Policy processing aborted.

    Error - 5/15/2012 1:46:15 PM | Computer Name = computer-name | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    Error - 5/15/2012 2:16:45 PM | Computer Name = computer-name | Source = Userenv | ID = 1054
    Description = Windows cannot obtain the domain controller name for your computer
    network. (The specified domain either does not exist or could not be contacted.
    ). Group Policy processing aborted.

    [ System Events ]
    Error - 11/9/2012 2:13:09 PM | Computer Name = computer-name | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 11/9/2012 2:13:09 PM | Computer Name = computer-name | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 15 minutes. NtpClient has no source of accurate
    time.

    Error - 11/9/2012 2:13:32 PM | Computer Name = computer-name | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    SiRemFil

    Error - 11/13/2012 2:59:08 PM | Computer Name = computer-name | Source = NETLOGON | ID = 5719
    Description = No Domain Controller is available for domain domain-name due to the following:
    %%1311. Make sure that the computer is connected to the network and try again. If
    the problem persists, please contact your domain administrator.

    Error - 11/13/2012 2:59:51 PM | Computer Name = computer-name | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    SiRemFil

    Error - 11/13/2012 3:00:39 PM | Computer Name = computer-name | Source = Windows Update Agent | ID = 16
    Description = Unable to Connect: Windows is unable to connect to the automatic updates
    service and therefore cannot download and install updates according to the set
    schedule. Windows will continue to try to establish a connection.

    Error - 11/13/2012 3:06:03 PM | Computer Name = computer-name | Source = NETLOGON | ID = 3210
    Description = This computer could not authenticate with \\network-domain,
    a Windows domain controller for domain domain-name, and therefore this computer might
    deny logon requests. This inability to authenticate might be caused by another computer
    on the same network using the same name or the password for this computer account
    is
    not recognized. If this message appears again, contact your system administrator.

    Error - 11/13/2012 3:06:03 PM | Computer Name = computer-name | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 11/13/2012 3:09:50 PM | Computer Name = computer-name | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.139.1637.0 Update Source: %%859 Update Stage:
    %%852 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8904.0 Error
    code: 0x80244015 Error description: An unexpected problem occurred while checking
    for updates. For information on installing or troubleshooting updates, see Help
    and Support.

    Error - 11/13/2012 3:14:09 PM | Computer Name = computer-name | Source = NETLOGON | ID = 3210
    Description = This computer could not authenticate with \\network-domain,
    a Windows domain controller for domain domain-name, and therefore this computer might
    deny logon requests. This inability to authenticate might be caused by another computer
    on the same network using the same name or the password for this computer account
    is
    not recognized. If this message appears again, contact your system administrator.

    < End of report >
    ------ Thanks.
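    An added example, not part of the original thread or of OTL itself, that reads the two parts of the report above a responder looks at first: the firewall GloballyOpenPorts lists (the Domain profile opens 139/445/137/138 to any remote address, the Standard profile only to LocalSubNet) and the "Last 20 Event Log Errors" block, which it counts by source and ID so the repeated NETLOGON 3210 stands out. The report text inside is constructed from the posted log, abbreviated, with `@` in front of `xpsp2res.dll` where the forum rendered `:@` as `:mad:`. All function and constant names are this example's own.

```python
"""Triage a pasted OTL-style report: flag firewall openings scoped to any
remote address and count the event log errors by source and ID.
Added example for this thread; not part of OTL or of the original posts."""
import re
from collections import Counter

# Constructed sample, abbreviated from the posted report.  The "@" before
# xpsp2res.dll is how the registry value really reads; the forum rendered
# ":@" as ":mad:" in the post above.
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

========== Last 20 Event Log Errors ==========

[ System Events ]
Error - 11/13/2012 2:59:08 PM | Computer Name = computer-name | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain domain-name due to the following:
%%1311. Make sure that the computer is connected to the network and try again.

Error - 11/13/2012 3:06:03 PM | Computer Name = computer-name | Source = NETLOGON | ID = 3210
Description = This computer could not authenticate with \\network-domain,
a Windows domain controller for domain domain-name, and therefore this computer might
deny logon requests.

Error - 11/13/2012 3:14:09 PM | Computer Name = computer-name | Source = NETLOGON | ID = 3210
Description = This computer could not authenticate with \\network-domain,
"""

# Registry key that opens a GloballyOpenPorts list; group 1 is the firewall profile.
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\FirewallPolicy\\(\w+)\\GloballyOpenPorts\\List\]$")
# Value format on XP: port:proto:scope:Enabled|Disabled:display-name
PORT_RE = re.compile(r'^"[^"]+"\s*=\s*(\d+):(TCP|UDP):([^:]+):(Enabled|Disabled):(.*)$')
# OTL event header: "Error - <date> <time> AM/PM | Computer Name = .. | Source = .. | ID = .."
EVENT_RE = re.compile(r"^Error - (\S+ \S+ [AP]M) \| Computer Name = (.*?) \| Source = (.*?) \| ID = (\d+)$")

# Short reading of the event IDs in this report, taken from the event text itself.
NOTES = {
    ("NETLOGON", 5719): "no domain controller reachable for the domain",
    ("NETLOGON", 3210): "computer account could not authenticate to the DC "
                        "(duplicate name or machine password not recognized)",
}


def parse_open_ports(report):
    """Return one dict per GloballyOpenPorts entry, tagged with its firewall profile."""
    rules, profile = [], None
    for raw in report.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            profile = key.group(1)
            continue
        if line.startswith("["):          # any other registry key ends the current list
            profile = None
            continue
        m = PORT_RE.match(line)
        if m and profile:
            port, proto, scope, state, name = m.groups()
            rules.append({"profile": profile, "port": int(port), "proto": proto,
                          "scope": scope, "enabled": state == "Enabled", "name": name})
    return rules


def exposed_ports(rules):
    """Enabled openings whose scope is '*', i.e. reachable from any remote address."""
    return [r for r in rules if r["enabled"] and r["scope"] == "*"]


def parse_events(report):
    """Return one dict per 'Error - ...' header in the event log section."""
    events = []
    for raw in report.splitlines():
        m = EVENT_RE.match(raw.strip())
        if m:
            ts, computer, source, eid = m.groups()
            events.append({"time": ts, "computer": computer, "source": source, "id": int(eid)})
    return events


def triage_events(events):
    """Count events by (source, id), most frequent first, with a note where one is known."""
    counts = Counter((e["source"], e["id"]) for e in events)
    return [(src, eid, n, NOTES.get((src, eid), ""))
            for (src, eid), n in counts.most_common()]


if __name__ == "__main__":
    for r in exposed_ports(parse_open_ports(SAMPLE_REPORT)):
        print(f"{r['profile']}: {r['port']}/{r['proto']} open to any address ({r['name']})")
    for src, eid, n, note in triage_events(parse_events(SAMPLE_REPORT)):
        print(f"{src} {eid} x{n}: {note}")
```

    Two caveats when reading the output. The wildcard-scope SMB entries in the Domain profile are the ordinary File and Printer Sharing exception on a domain-joined XP machine and are not an infection indicator on their own; listing them only tells the reader what is reachable from off-subnet. The NETLOGON 3210 entries are the events the logon symptom reported earlier in the thread maps to: the workstation's computer account could not authenticate to the domain controller, which is what the event text itself states, and which is consistent with logon working only once the network cable was unplugged.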
  19. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    OTL logs are clean.

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    3. Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Next...

    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.

    4. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    5. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce any log.
  20. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    Log of Security check
    --------------------------
    Results of screen317's Security Check version 0.99.54
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Security Center service is not running! This report may not be accurate!
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.65.1.1000
    Java(TM) 6 Update 30
    Java version out of Date!
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Flash Player 10.3.181.14 Flash Player out of Date!
    Adobe Reader X 10.1.2 Adobe Reader out of Date!
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials msseces.exe
    Windows Defender MSMpEng.exe
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    Microsoft Security Client Antimalware MsMpEng.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````
  21. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    Log of FSS
    ----------------------------
    Farbar Service Scanner Version: 09-11-2012
    Ran by userid (administrator) on 14-11-2012 at 12:42:52
    Running from "C:\Documents and Settings\userid\Desktop"
    Microsoft Windows XP Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is offline
    Attempt to access Google.com returned error: Google.com is offline
    Attempt to access Yahoo IP returned error. Yahoo IP is offline
    Attempt to access Yahoo.com returned error: Yahoo.com is offline

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.

    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
    Extra List:
    =======
    DNE(10) Gpc(6) IPSec(4) NetBT(5) PSched(8) Tcpip(3)
    0x0A0000000400000001000000020000000300000007000000050000000600000008000000090000000A000000
    IpSec Tag value is correct.
    **** End of log ****
  22. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    Log of AdwCleaner
    -----------------
    # AdwCleaner v2.007 - Logfile created 11/14/2012 at 12:47:22
    # Updated 06/11/2012 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : userid - computername
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\userid\Desktop\adwcleaner.exe
    # Option [Delete]

    ***** [Services] *****

    ***** [Files / Folders] *****

    ***** [Registry] *****

    ***** [Internet Browsers] *****
    -\\ Internet Explorer v8.0.6001.18702
    [OK] Registry is clean.
    -\\ Google Chrome v23.0.1271.64
    File : C:\Documents and Settings\userid\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
    [OK] File is clean.
    *************************
    AdwCleaner[S1].txt - [712 octets] - [14/11/2012 12:47:22]
    ########## EOF - C:\AdwCleaner[S1].txt - [771 octets] ##########
  23. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    I tried to run TFC twice. The 1st time, after about one hour, I still got a blank blue screen. Both keyboard and mouse were not working. I had to push the button to turn it off. The 2nd time, I ran TFC; after the message "stop running processes" and then a Microsoft Security Essentials warning, the computer just froze, with no keystroke or mouse response. The clock was not running.
  24. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    Run TFC from safe mode.
  25. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    I ran TFC from safe mode; no log file was generated. A message popped up suggesting to run System Restore first; I ignored it and ran TFC.
    Then I ran TFC from normal mode; the computer froze again.
    I ran ESET, no threats found.
    Thanks.

