TechSpot

Increasing Mem. Usage by svchost; Windows wanting activated again

By Dasle
Jan 10, 2012
  1. Hello everyone!

    I think I've contracted a virus or some form of malware on my PC. I left the PC on overnight, and when I woke up, the wireless connection was disconnected. I rebooted and the Windows Activation window popped up (Windows XP Home). Shortly after bootup, I realized that one of the svchost was going out of control. Memory usage would gradually increase to over 500,000 K before I'd end the process. A virus scan with Norton AntiVirus produced no results, however it did keep blocking attacks called Malicious Toolkit Website 9.

    I've followed the steps in the stickie, and appreciate any help you kind folks can offer. Thanks so much.

    Below are the logs:

    MBAM Log

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.10.05

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Jeff :: PROJECT [administrator]

    1/10/2012 10:55:29 AM
    mbam-log-2012-01-10 (10-55-29).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 220950
    Time elapsed: 44 minute(s), 43 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 2
    HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    -----------------------------------------------

    GMER Log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-01-10 11:58:24
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-5 WDC_WD5000AACS-00ZUB0 rev.01.01B01
    Running: k0yp574g.exe; Driver: C:\DOCUME~1\Jeff\LOCALS~1\Temp\uwldapow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T0L0-11 8A49F2C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A49F2C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A49F2C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A49F2C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A49F2C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-5 8A49F2C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T1L0-19 8A49F2C6

    ---- EOF - GMER 1.0.15 ----


    --------------------------------------------------------------------------

    DDS Log: dds.txt

    .
    DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by Jeff at 12:08:15 on 2012-01-10
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1783 [GMT -6:00]
    .
    AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\Explorer.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\norton antivirus\engine\18.6.0.29\ips\IPSBHO.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [VTTimer] VTTimer.exe
    mRun: [S3Trayp] S3trayp.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1309924587859
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
    TCP: Interfaces\{8ECCA8B3-18EF-4F4F-A1F6-F25821F05B4E} : DhcpNameServer = 68.94.156.1 68.94.157.1
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\jeff\application data\mozilla\firefox\profiles\dldhuz2k.default\
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1206000.01d\symds.sys [2011-6-25 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1206000.01d\symefa.sys [2011-6-25 744568]
    R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2008-8-29 17920]
    S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20111223.001\BHDrvx86.sys [2011-11-30 820344]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1206000.01d\ironx86.sys [2011-6-25 136312]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 NAV;Norton AntiVirus;c:\program files\norton antivirus\norton antivirus\engine\18.6.0.29\ccsvchst.exe [2011-6-25 130008]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-11-11 2253120]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-9 106104]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20120107.001\IDSXpx86.sys [2012-1-10 356280]
    S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20120110.002\NAVENG.SYS [2012-1-10 86136]
    S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20120110.002\NAVEX15.SYS [2012-1-10 1576312]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-11-11 119656]
    S3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2008-4-17 603648]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-01-10 16:53:53 -------- d-----w- c:\documents and settings\jeff\application data\Malwarebytes
    2012-01-10 16:53:24 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-01-10 16:53:23 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-10 16:53:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-10 15:42:05 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2012-01-10 13:02:55 -------- d-----w- c:\program files\AVG
    2012-01-10 12:47:30 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
    2012-01-10 12:47:13 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2012-01-10 12:17:19 -------- d-----w- c:\documents and settings\jeff\local settings\application data\Symantec
    2012-01-10 12:14:38 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2012-01-10 12:14:38 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-01-10 10:01:37 -------- d-----w- c:\documents and settings\jeff\local settings\application data\NPE
    2012-01-10 09:53:18 -------- d-----w- c:\documents and settings\jeff\application data\Tific
    2011-12-14 15:53:49 -------- d-----w- c:\documents and settings\jeff\local settings\application data\Auralog
    2011-12-14 15:52:32 -------- d-----w- c:\program files\Auralog
    2011-12-14 15:22:02 -------- d-sh--w- c:\documents and settings\jeff\IECompatCache
    2011-12-14 15:19:04 -------- d-sh--w- c:\documents and settings\jeff\PrivacIE
    2011-12-14 15:16:35 -------- d-sh--w- c:\documents and settings\jeff\IETldCache
    2011-12-14 15:01:16 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2011-12-14 15:00:56 -------- d-----w- c:\windows\ie8updates
    2011-12-14 15:00:16 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-12-14 15:00:16 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2011-12-14 15:00:16 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-12-14 15:00:16 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-12-14 15:00:16 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2011-12-14 15:00:16 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-12-14 15:00:16 11081728 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2011-12-14 14:58:54 -------- dc-h--w- c:\windows\ie8
    2011-12-14 14:46:09 -------- d-----w- c:\documents and settings\all users\application data\Auralog
    2011-12-13 12:14:23 -------- d-----w- c:\program files\iPod
    .
    ==================== Find3M ====================
    .
    2012-01-10 15:43:24 26112 ----a-w- c:\windows\system32\userinit.exe
    2012-01-10 09:46:58 285176 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2012-01-10 09:46:58 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2012-01-09 18:16:19 285176 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-22 11:02:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
    2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-24 20:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 20:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD5000AACS-00ZUB0 rev.01.01B01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-5
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys xfilt.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4A249F]<<
    c:\windows\system32\drivers\xfilt.sys VIA Technologies,Inc VIA filter driver
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4a9738]; MOV EAX, [0x8a4a98ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A568AB8]
    3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8A56B9A0]
    5 xfilt[0xF7648046] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000074[0x8A56C968]
    7 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A5A8D98]
    \Driver\atapi[0x8A4FFA70] -> IRP_MJ_CREATE -> 0x8A4A249F
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A4A22C6
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 12:10:10.85 ===============


    --------------------------------------------------------------------------

    DDS Log: Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/29/2008 10:51:21 PM
    System Uptime: 1/10/2012 12:06:40 PM (0 hours ago)
    .
    Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-7253
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ | Socket AM2 | 2600/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 466 GiB total, 270.279 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: VIA Compatable Fast Ethernet Adapter
    Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_72531462&REV_7C\3&2411E6FE&0&90
    Manufacturer: VIA Technologies, Inc.
    Name: VIA Compatable Fast Ethernet Adapter
    PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_72531462&REV_7C\3&2411E6FE&0&90
    Service: FETNDIS
    .
    Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
    Description: Photosmart C4500 series
    Device ID: ROOT\IMAGE\0000
    Manufacturer: HP
    Name: Photosmart C4500,10.0.0.220
    PNP Device ID: ROOT\IMAGE\0000
    Service: StillCam
    .
    Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
    Description: Photosmart C4500 series
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer: HP
    Name: Photosmart C4500 series
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:
    .
    ==== System Restore Points ===================
    .
    RP397: 10/12/2011 12:16:39 PM - System Checkpoint
    RP398: 10/13/2011 1:07:46 PM - System Checkpoint
    RP399: 10/15/2011 2:48:50 PM - System Checkpoint
    RP400: 10/16/2011 3:06:21 PM - System Checkpoint
    RP401: 10/17/2011 3:30:14 PM - System Checkpoint
    RP402: 11/4/2011 5:30:35 PM - System Checkpoint
    RP403: 11/6/2011 11:13:47 AM - System Checkpoint
    RP404: 11/7/2011 12:50:04 PM - System Checkpoint
    RP405: 11/8/2011 1:34:10 PM - System Checkpoint
    RP406: 11/9/2011 2:30:03 PM - System Checkpoint
    RP407: 11/10/2011 1:49:32 PM - Installed DirectX
    RP408: 11/10/2011 1:49:44 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    RP409: 11/11/2011 2:39:07 PM - System Checkpoint
    RP410: 11/11/2011 9:12:44 PM - Update to an unsigned driver
    RP411: 11/11/2011 9:19:49 PM - Update to an unsigned driver
    RP412: 11/11/2011 9:27:07 PM - Installed DirectX
    RP413: 11/12/2011 10:55:20 PM - System Checkpoint
    RP414: 11/14/2011 1:00:47 AM - System Checkpoint
    RP415: 11/15/2011 1:12:28 AM - System Checkpoint
    RP416: 11/16/2011 11:39:42 AM - System Checkpoint
    RP417: 11/17/2011 12:05:49 PM - System Checkpoint
    RP418: 11/18/2011 1:35:16 PM - System Checkpoint
    RP419: 11/19/2011 1:44:35 PM - System Checkpoint
    RP420: 11/20/2011 1:48:09 PM - System Checkpoint
    RP421: 11/21/2011 5:30:17 PM - System Checkpoint
    RP422: 11/22/2011 6:20:49 PM - System Checkpoint
    RP423: 11/23/2011 9:18:37 PM - System Checkpoint
    RP424: 11/24/2011 11:17:08 PM - System Checkpoint
    RP425: 11/26/2011 5:19:23 PM - System Checkpoint
    RP426: 11/27/2011 8:13:14 PM - System Checkpoint
    RP427: 11/28/2011 10:31:46 PM - System Checkpoint
    RP428: 11/29/2011 11:13:12 PM - System Checkpoint
    RP429: 12/1/2011 4:25:20 AM - System Checkpoint
    RP430: 12/2/2011 6:13:18 AM - System Checkpoint
    RP431: 12/3/2011 10:08:09 AM - System Checkpoint
    RP432: 12/4/2011 11:26:46 AM - System Checkpoint
    RP433: 12/5/2011 12:00:18 PM - System Checkpoint
    RP434: 12/6/2011 1:20:28 PM - System Checkpoint
    RP435: 12/7/2011 1:24:56 PM - System Checkpoint
    RP436: 12/9/2011 11:40:08 AM - System Checkpoint
    RP437: 12/10/2011 2:08:23 PM - System Checkpoint
    RP438: 12/12/2011 12:05:57 AM - System Checkpoint
    RP439: 12/13/2011 3:33:22 AM - System Checkpoint
    RP440: 12/14/2011 5:19:56 AM - System Checkpoint
    RP441: 12/14/2011 8:53:44 AM - Software Distribution Service 3.0
    RP442: 12/14/2011 9:26:26 AM - Software Distribution Service 3.0
    RP443: 12/14/2011 9:32:39 AM - Software Distribution Service 3.0
    RP444: 12/16/2011 4:18:15 PM - System Checkpoint
    RP445: 12/17/2011 4:59:51 PM - System Checkpoint
    RP446: 12/19/2011 3:28:12 AM - System Checkpoint
    RP447: 12/20/2011 6:54:48 AM - System Checkpoint
    RP448: 12/21/2011 7:37:11 AM - System Checkpoint
    RP449: 12/22/2011 4:23:43 PM - System Checkpoint
    RP450: 12/23/2011 4:58:09 PM - System Checkpoint
    RP451: 12/25/2011 11:37:15 AM - System Checkpoint
    RP452: 12/26/2011 12:35:49 PM - System Checkpoint
    RP453: 12/27/2011 5:21:45 PM - System Checkpoint
    RP454: 12/29/2011 10:46:30 AM - System Checkpoint
    RP455: 12/30/2011 3:48:00 PM - System Checkpoint
    RP456: 12/31/2011 10:42:57 PM - System Checkpoint
    RP457: 1/1/2012 10:46:59 PM - System Checkpoint
    RP458: 1/3/2012 1:34:55 AM - System Checkpoint
    RP459: 1/4/2012 1:48:47 AM - System Checkpoint
    RP460: 1/5/2012 12:48:39 PM - System Checkpoint
    RP461: 1/6/2012 1:38:43 PM - System Checkpoint
    RP462: 1/8/2012 12:10:06 PM - System Checkpoint
    RP463: 1/9/2012 12:58:11 PM - System Checkpoint
    RP464: 1/10/2012 4:13:50 AM - Restore Operation
    RP465: 1/10/2012 6:13:20 AM - Restore Operation
    RP466: 1/10/2012 9:20:55 AM - Installed Ad-Aware
    RP467: 1/10/2012 9:22:55 AM - Installed Ad-Aware
    RP468: 1/10/2012 10:42:23 AM - Removed AVG 2012
    RP469: 1/10/2012 10:43:13 AM - Removed AVG 2012
    RP470: 1/10/2012 10:47:17 AM - Removed Ad-Aware
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Photoshop Elements 2.0
    Adobe Reader 9.4.7
    Adobe Shockwave Player 11
    AOL Instant Messenger
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    BlackBerry Desktop Software 6.0
    Bonjour
    CompuServe
    EPSON Printer Software
    EPSON Scan
    EVGA Precision 2.0.4
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    HP Photosmart C4500 All-In-One Driver 12.0 Rel .4
    iSEEK AnswerWorks English Runtime
    iTunes
    Java 2 Runtime Environment Standard Edition v1.3.1_02
    Java Auto Updater
    Java(TM) 6 Update 26
    Malwarebytes Anti-Malware version 1.60.0.1800
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    mIRC
    MobileMe Control Panel
    Mozilla Firefox 8.0 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Network
    Norton AntiVirus
    NVIDIA Control Panel 285.58
    NVIDIA Graphics Driver 285.58
    NVIDIA HD Audio Driver 1.2.24.0
    NVIDIA Install Application
    NVIDIA nView 135.95
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.11.0621
    NVIDIA Update 1.5.20
    NVIDIA Update Components
    Platform
    PS_AIO_04_C4580_Software_Min
    Quicken 2011
    QuickTime
    RealPlayer Basic
    Realtek High Definition Audio Driver
    Roll
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2530548)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544521)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2559049)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    Star Wars: The Old Republic
    Starsiege TRIBES 1.8
    System Requirements Lab
    TELL ME MORE
    Toolbox
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB2598845)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2492386)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2616676-v2)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951618-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Ventrilo Client
    VIA Chrome9 HC IGP Family Display 6.14.10.0133
    VIA Platform Device Manager
    Viewpoint Media Player
    VLC media player 1.1.11
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Management Framework Core
    Windows Media Format Runtime
    Windows Search 4.0
    Windows XP Service Pack 3
    World of Warcraft
    Xvid 1.1.3 final uninstall
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/6/2012 2:13:22 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer MACBOOKAIR that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8ECCA8B3-18EF-4F4. The master browser is stopping or an election is being forced.
    1/10/2012 9:58:40 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    1/10/2012 9:52:25 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    1/10/2012 9:42:36 AM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    1/10/2012 9:31:02 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdPPM Avgldx86 Avgmfx86 BHDrvx86 eeCtrl Fips SRTSPX SymIRON SYMTDI
    1/10/2012 7:09:26 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVGIDSAgent service to connect.
    1/10/2012 7:09:26 AM, error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/10/2012 7:07:09 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdPPM Avgldx86 Avgmfx86 BHDrvx86 eeCtrl Fips SRTSP SRTSPX SymIRON SYMTDI
    1/10/2012 6:50:13 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdPPM BHDrvx86 eeCtrl Fips SRTSP SRTSPX SymIRON SYMTDI
    1/10/2012 6:46:02 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdPPM BHDrvx86 eeCtrl Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP SRTSPX SymIRON SYMTDI Tcpip
    1/10/2012 6:46:02 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    1/10/2012 6:46:02 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/10/2012 6:46:02 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/10/2012 6:46:02 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
    1/10/2012 6:46:02 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/10/2012 6:46:02 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/10/2012 6:43:08 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    1/10/2012 6:42:38 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    1/10/2012 6:41:55 AM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    1/10/2012 6:37:59 AM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    1/10/2012 6:17:13 AM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
    1/10/2012 6:02:36 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde ViaIde
    1/10/2012 5:56:07 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    1/10/2012 4:13:37 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SMR210.SYS' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    1/10/2012 11:52:37 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    1/10/2012 11:52:37 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/10/2012 11:43:37 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: Access is denied.
    1/10/2012 10:35:49 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    1/10/2012 10:33:58 AM, error: System Error [1003] - Error code 100000d4, parameter1 b17c7234, parameter2 0000001c, parameter3 00000000, parameter4 80502367.
    1/10/2012 10:33:56 AM, error: System Error [1003] - Error code 100000d1, parameter1 00000004, parameter2 00000002, parameter3 00000001, parameter4 b9f05e32.
    1/10/2012 10:33:44 AM, error: System Error [1003] - Error code 100000d1, parameter1 00000004, parameter2 00000002, parameter3 00000001, parameter4 b9f52e32.
    1/10/2012 10:33:34 AM, error: System Error [1003] - Error code 100000d1, parameter1 00000004, parameter2 00000002, parameter3 00000001, parameter4 b9eebe32.
    1/10/2012 10:30:17 AM, error: System Error [1003] - Error code 100000d1, parameter1 00000004, parameter2 00000002, parameter3 00000001, parameter4 b9eaae32.
    1/10/2012 10:27:02 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    .
    ==== End Of File ===========================
     
  2. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================================================

    Download TDSSKiller and save it to your desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  3. Dasle

    Dasle TS Rookie Topic Starter

    TDSSKiller found one infected file which required a reboot. The log is below. Thanks again for your help and time Broni :D


    14:58:24.0805 3924 TDSS rootkit removing tool 2.7.0.0 Jan 10 2012 09:14:26
    14:58:25.0196 3924 ============================================================
    14:58:25.0196 3924 Current date / time: 2012/01/10 14:58:25.0196
    14:58:25.0196 3924 SystemInfo:
    14:58:25.0196 3924
    14:58:25.0196 3924 OS Version: 5.1.2600 ServicePack: 3.0
    14:58:25.0196 3924 Product type: Workstation
    14:58:25.0196 3924 ComputerName: PROJECT
    14:58:25.0196 3924 UserName: Jeff
    14:58:25.0196 3924 Windows directory: C:\WINDOWS
    14:58:25.0196 3924 System windows directory: C:\WINDOWS
    14:58:25.0196 3924 Processor architecture: Intel x86
    14:58:25.0196 3924 Number of processors: 2
    14:58:25.0196 3924 Page size: 0x1000
    14:58:25.0196 3924 Boot type: Normal boot
    14:58:25.0196 3924 ============================================================
    14:58:28.0290 3924 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000, SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000054
    14:58:28.0383 3924 Initialize success
    14:58:39.0820 3532 ============================================================
    14:58:39.0820 3532 Scan started
    14:58:39.0820 3532 Mode: Manual;
    14:58:39.0820 3532 ============================================================
    14:58:45.0023 3532 Abiosdsk - ok
    14:58:45.0117 3532 abp480n5 - ok
    14:58:45.0508 3532 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    14:58:45.0586 3532 ACPI - ok
    14:58:45.0695 3532 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    14:58:45.0695 3532 ACPIEC - ok
    14:58:45.0804 3532 adpu160m - ok
    14:58:45.0883 3532 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    14:58:45.0898 3532 aec - ok
    14:58:45.0976 3532 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
    14:58:46.0023 3532 AFD - ok
    14:58:46.0070 3532 Aha154x - ok
    14:58:46.0336 3532 aic78u2 - ok
    14:58:46.0476 3532 aic78xx - ok
    14:58:46.0554 3532 AliIde - ok
    14:58:46.0711 3532 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
    14:58:46.0711 3532 AmdPPM - ok
    14:58:46.0773 3532 amsint - ok
    14:58:46.0804 3532 asc - ok
    14:58:46.0820 3532 asc3350p - ok
    14:58:46.0836 3532 asc3550 - ok
    14:58:46.0898 3532 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
    14:58:46.0898 3532 ASCTRM - ok
    14:58:46.0976 3532 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    14:58:46.0976 3532 AsyncMac - ok
    14:58:47.0008 3532 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    14:58:47.0008 3532 atapi - ok
    14:58:47.0023 3532 Atdisk - ok
    14:58:47.0070 3532 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    14:58:47.0086 3532 Atmarpc - ok
    14:58:47.0133 3532 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    14:58:47.0133 3532 audstub - ok
    14:58:47.0195 3532 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    14:58:47.0195 3532 Beep - ok
    14:58:47.0351 3532 BHDrvx86 (e685ba3267c5a4ec4ce9e2b4a1481725) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20111223.001\BHDrvx86.sys
    14:58:47.0351 3532 BHDrvx86 - ok
    14:58:47.0429 3532 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    14:58:47.0445 3532 cbidf2k - ok
    14:58:47.0461 3532 cd20xrnt - ok
    14:58:47.0508 3532 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    14:58:47.0508 3532 Cdaudio - ok
    14:58:47.0523 3532 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    14:58:47.0523 3532 Cdfs - ok
    14:58:47.0633 3532 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    14:58:47.0648 3532 Cdrom - ok
    14:58:47.0711 3532 Changer - ok
    14:58:47.0742 3532 CmdIde - ok
    14:58:47.0773 3532 Cpqarray - ok
    14:58:47.0804 3532 dac2w2k - ok
    14:58:47.0820 3532 dac960nt - ok
    14:58:47.0836 3532 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    14:58:47.0836 3532 Disk - ok
    14:58:47.0898 3532 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    14:58:47.0914 3532 dmboot - ok
    14:58:47.0945 3532 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    14:58:47.0945 3532 dmio - ok
    14:58:47.0976 3532 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    14:58:47.0976 3532 dmload - ok
    14:58:48.0008 3532 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    14:58:48.0008 3532 DMusic - ok
    14:58:48.0039 3532 dpti2o - ok
    14:58:48.0070 3532 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    14:58:48.0070 3532 drmkaud - ok
    14:58:48.0211 3532 eeCtrl (75e8b69f28c813675b16db357f20720f) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    14:58:48.0211 3532 eeCtrl - ok
    14:58:48.0242 3532 EraserUtilRebootDrv (720b18d76de9e603b626dfcd6f1fca7c) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    14:58:48.0242 3532 EraserUtilRebootDrv - ok
    14:58:48.0289 3532 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    14:58:48.0304 3532 Fastfat - ok
    14:58:48.0336 3532 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    14:58:48.0336 3532 Fdc - ok
    14:58:48.0414 3532 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
    14:58:48.0414 3532 FETNDIS - ok
    14:58:48.0445 3532 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    14:58:48.0445 3532 Fips - ok
    14:58:48.0461 3532 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    14:58:48.0461 3532 Flpydisk - ok
    14:58:48.0476 3532 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    14:58:48.0476 3532 FltMgr - ok
    14:58:48.0492 3532 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    14:58:48.0508 3532 Fs_Rec - ok
    14:58:48.0523 3532 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    14:58:48.0523 3532 Ftdisk - ok
    14:58:48.0539 3532 gagp30kx (3a74c423cf6bcca6982715878f450a3b) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
    14:58:48.0539 3532 gagp30kx - ok
    14:58:48.0804 3532 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    14:58:48.0804 3532 GEARAspiWDM - ok
    14:58:48.0836 3532 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    14:58:48.0836 3532 Gpc - ok
    14:58:48.0882 3532 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    14:58:48.0882 3532 HDAudBus - ok
    14:58:48.0929 3532 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    14:58:48.0929 3532 hidusb - ok
    14:58:48.0945 3532 hpn - ok
    14:58:49.0007 3532 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    14:58:49.0007 3532 HTTP - ok
    14:58:49.0023 3532 i2omgmt - ok
    14:58:49.0039 3532 i2omp - ok
    14:58:49.0054 3532 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    14:58:49.0054 3532 i8042prt - ok
    14:58:49.0289 3532 IDSxpx86 (e72d3894d42355e9cd5fd77e1e4fea11) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20120107.001\IDSxpx86.sys
    14:58:49.0289 3532 IDSxpx86 - ok
    14:58:49.0304 3532 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    14:58:49.0320 3532 Imapi - ok
    14:58:49.0336 3532 ini910u - ok
    14:58:49.0539 3532 IntcAzAudAddService (41bb402c2ade27b32439bb765864ab3b) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    14:58:49.0570 3532 IntcAzAudAddService - ok
    14:58:49.0586 3532 IntelIde - ok
    14:58:49.0632 3532 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    14:58:49.0632 3532 Ip6Fw - ok
    14:58:49.0648 3532 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    14:58:49.0664 3532 IpFilterDriver - ok
    14:58:49.0695 3532 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    14:58:49.0695 3532 IpInIp - ok
    14:58:49.0726 3532 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    14:58:49.0726 3532 IpNat - ok
    14:58:49.0757 3532 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    14:58:49.0757 3532 IPSec - ok
    14:58:49.0789 3532 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    14:58:49.0789 3532 IRENUM - ok
    14:58:49.0836 3532 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    14:58:49.0836 3532 isapnp - ok
    14:58:49.0851 3532 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    14:58:49.0851 3532 Kbdclass - ok
    14:58:49.0882 3532 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    14:58:49.0898 3532 kmixer - ok
    14:58:49.0929 3532 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    14:58:49.0929 3532 KSecDD - ok
    14:58:49.0945 3532 lbrtfdc - ok
    14:58:50.0007 3532 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    14:58:50.0007 3532 mnmdd - ok
    14:58:50.0023 3532 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    14:58:50.0023 3532 Modem - ok
    14:58:50.0039 3532 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    14:58:50.0039 3532 Mouclass - ok
    14:58:50.0086 3532 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    14:58:50.0086 3532 mouhid - ok
    14:58:50.0101 3532 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    14:58:50.0101 3532 MountMgr - ok
    14:58:50.0117 3532 mraid35x - ok
    14:58:50.0132 3532 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    14:58:50.0132 3532 MRxDAV - ok
    14:58:50.0179 3532 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    14:58:50.0195 3532 MRxSmb - ok
    14:58:50.0211 3532 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    14:58:50.0226 3532 Msfs - ok
    14:58:50.0273 3532 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    14:58:50.0289 3532 MSKSSRV - ok
    14:58:50.0382 3532 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    14:58:50.0382 3532 MSPCLOCK - ok
    14:58:50.0445 3532 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    14:58:50.0445 3532 MSPQM - ok
    14:58:50.0476 3532 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    14:58:50.0476 3532 mssmbios - ok
    14:58:50.0492 3532 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    14:58:50.0507 3532 Mup - ok
    14:58:50.0726 3532 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20120110.002\NAVENG.SYS
    14:58:50.0726 3532 NAVENG - ok
    14:58:50.0789 3532 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20120110.002\NAVEX15.SYS
    14:58:50.0804 3532 NAVEX15 - ok
    14:58:50.0851 3532 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    14:58:50.0851 3532 NDIS - ok
    14:58:50.0867 3532 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    14:58:50.0867 3532 NdisTapi - ok
    14:58:50.0929 3532 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    14:58:50.0929 3532 Ndisuio - ok
    14:58:50.0929 3532 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    14:58:50.0945 3532 NdisWan - ok
    14:58:50.0976 3532 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    14:58:50.0976 3532 NDProxy - ok
    14:58:50.0992 3532 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    14:58:51.0007 3532 NetBIOS - ok
    14:58:51.0023 3532 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    14:58:51.0023 3532 NetBT - ok
    14:58:51.0070 3532 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    14:58:51.0070 3532 Npfs - ok
    14:58:51.0101 3532 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    14:58:51.0117 3532 Ntfs - ok
    14:58:51.0164 3532 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    14:58:51.0164 3532 Null - ok
    14:58:51.0617 3532 nv (4b54dcd6adee535df80f07c59ddd8f14) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    14:58:51.0929 3532 nv - ok
    14:58:51.0945 3532 NVHDA (6a839ac21ecde8945d52007152f2695e) C:\WINDOWS\system32\drivers\nvhda32.sys
    14:58:51.0961 3532 NVHDA - ok
    14:58:52.0007 3532 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    14:58:52.0023 3532 NwlnkFlt - ok
    14:58:52.0023 3532 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    14:58:52.0039 3532 NwlnkFwd - ok
    14:58:52.0054 3532 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    14:58:52.0054 3532 Parport - ok
    14:58:52.0070 3532 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    14:58:52.0070 3532 PartMgr - ok
    14:58:52.0101 3532 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    14:58:52.0101 3532 ParVdm - ok
    14:58:52.0117 3532 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    14:58:52.0117 3532 PCI - ok
    14:58:52.0117 3532 PCIDump - ok
    14:58:52.0164 3532 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    14:58:52.0164 3532 PCIIde - ok
    14:58:52.0179 3532 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    14:58:52.0179 3532 Pcmcia - ok
    14:58:52.0195 3532 PDCOMP - ok
    14:58:52.0210 3532 PDFRAME - ok
    14:58:52.0226 3532 PDRELI - ok
    14:58:52.0242 3532 PDRFRAME - ok
    14:58:52.0257 3532 perc2 - ok
    14:58:52.0273 3532 perc2hib - ok
    14:58:52.0351 3532 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    14:58:52.0351 3532 PptpMiniport - ok
    14:58:52.0367 3532 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    14:58:52.0367 3532 Processor - ok
    14:58:52.0382 3532 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    14:58:52.0398 3532 PSched - ok
    14:58:52.0429 3532 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    14:58:52.0429 3532 Ptilink - ok
    14:58:52.0445 3532 ql1080 - ok
    14:58:52.0460 3532 Ql10wnt - ok
    14:58:52.0476 3532 ql12160 - ok
    14:58:52.0492 3532 ql1240 - ok
    14:58:52.0492 3532 ql1280 - ok
    14:58:52.0507 3532 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    14:58:52.0507 3532 RasAcd - ok
    14:58:52.0539 3532 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    14:58:52.0539 3532 Rasl2tp - ok
    14:58:52.0554 3532 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    14:58:52.0554 3532 RasPppoe - ok
    14:58:52.0570 3532 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    14:58:52.0570 3532 Raspti - ok
    14:58:52.0617 3532 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    14:58:52.0617 3532 Rdbss - ok
    14:58:52.0632 3532 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    14:58:52.0632 3532 RDPCDD - ok
    14:58:52.0679 3532 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
    14:58:52.0695 3532 RDPWD - ok
    14:58:52.0726 3532 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    14:58:52.0726 3532 redbook - ok
    14:58:52.0742 3532 RimUsb - ok
    14:58:52.0773 3532 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
    14:58:52.0773 3532 RimVSerPort - ok
    14:58:52.0789 3532 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
    14:58:52.0789 3532 ROOTMODEM - ok
    14:58:52.0867 3532 S3GIGP (d494f3f2b2a4802109a9513d49f5d9f6) C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys
    14:58:52.0882 3532 S3GIGP - ok
    14:58:52.0929 3532 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    14:58:52.0929 3532 Secdrv - ok
    14:58:52.0960 3532 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    14:58:52.0960 3532 serenum - ok
    14:58:52.0976 3532 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    14:58:52.0976 3532 Serial - ok
    14:58:53.0023 3532 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    14:58:53.0023 3532 Sfloppy - ok
    14:58:53.0054 3532 Simbad - ok
    14:58:53.0085 3532 Sparrow - ok
    14:58:53.0117 3532 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    14:58:53.0117 3532 splitter - ok
    14:58:53.0132 3532 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    14:58:53.0148 3532 sr - ok
    14:58:53.0226 3532 SRTSP (83726cf02eced69138948083e06b6eac) C:\WINDOWS\system32\drivers\NAV\1206000.01D\SRTSP.SYS
    14:58:53.0242 3532 SRTSP - ok
    14:58:53.0257 3532 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\WINDOWS\system32\drivers\NAV\1206000.01D\SRTSPX.SYS
    14:58:53.0257 3532 SRTSPX - ok
    14:58:53.0320 3532 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    14:58:53.0320 3532 Srv - ok
    14:58:53.0367 3532 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
    14:58:53.0367 3532 StillCam - ok
    14:58:53.0382 3532 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    14:58:53.0382 3532 swenum - ok
    14:58:53.0398 3532 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    14:58:53.0398 3532 swmidi - ok
    14:58:53.0429 3532 symc810 - ok
    14:58:53.0445 3532 symc8xx - ok
    14:58:53.0476 3532 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\WINDOWS\system32\drivers\NAV\1206000.01D\SYMDS.SYS
    14:58:53.0492 3532 SymDS - ok
    14:58:53.0539 3532 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\WINDOWS\system32\drivers\NAV\1206000.01D\SYMEFA.SYS
    14:58:53.0570 3532 SymEFA - ok
    14:58:53.0617 3532 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    14:58:53.0617 3532 SymEvent - ok
    14:58:53.0648 3532 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\NAV\1206000.01D\Ironx86.SYS
    14:58:53.0648 3532 SymIRON - ok
    14:58:53.0695 3532 SYMTDI (dec35ccaf7a222df918306cd2fdfbd39) C:\WINDOWS\system32\drivers\NAV\1206000.01D\SYMTDI.SYS
    14:58:53.0695 3532 SYMTDI - ok
    14:58:53.0710 3532 sym_hi - ok
    14:58:53.0726 3532 sym_u3 - ok
    14:58:53.0757 3532 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    14:58:53.0757 3532 sysaudio - ok
    14:58:53.0820 3532 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    14:58:53.0835 3532 Tcpip - ok
    14:58:53.0867 3532 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    14:58:53.0867 3532 TDPIPE - ok
    14:58:53.0882 3532 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    14:58:53.0882 3532 TDTCP - ok
    14:58:53.0898 3532 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    14:58:53.0898 3532 TermDD - ok
    14:58:53.0914 3532 TosIde - ok
    14:58:53.0960 3532 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    14:58:53.0976 3532 Udfs - ok
    14:58:53.0992 3532 ultra - ok
    14:58:54.0054 3532 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    14:58:54.0070 3532 Update - ok
    14:58:54.0132 3532 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
    14:58:54.0164 3532 USBAAPL - ok
    14:58:54.0195 3532 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    14:58:54.0210 3532 usbccgp - ok
    14:58:54.0242 3532 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    14:58:54.0242 3532 usbehci - ok
    14:58:54.0257 3532 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    14:58:54.0257 3532 usbhub - ok
    14:58:54.0304 3532 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    14:58:54.0335 3532 usbprint - ok
    14:58:54.0382 3532 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    14:58:54.0382 3532 usbscan - ok
    14:58:54.0398 3532 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    14:58:54.0398 3532 USBSTOR - ok
    14:58:54.0429 3532 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    14:58:54.0429 3532 usbuhci - ok
    14:58:54.0445 3532 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    14:58:54.0445 3532 VgaSave - ok
    14:58:54.0460 3532 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    14:58:54.0460 3532 ViaIde - ok
    14:58:54.0507 3532 videX32 (f95c0fcfbcbda6d8f202d2df4052f88d) C:\WINDOWS\system32\DRIVERS\videX32.sys
    14:58:54.0507 3532 videX32 - ok
    14:58:54.0523 3532 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    14:58:54.0523 3532 VolSnap - ok
    14:58:54.0570 3532 W8335XP (f0bdc2b474e26117ee77bfdba051fb3c) C:\WINDOWS\system32\DRIVERS\Mrvw125.sys
    14:58:54.0585 3532 W8335XP - ok
    14:58:54.0585 3532 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    14:58:54.0585 3532 Wanarp - ok
    14:58:54.0632 3532 wanatw (ba1d9278448cb26152a18b6a06b61ea3) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
    14:58:54.0632 3532 wanatw - ok
    14:58:54.0664 3532 WDICA - ok
    14:58:54.0695 3532 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    14:58:54.0695 3532 wdmaud - ok
    14:58:54.0804 3532 WpdUsb (1385e5aa9c9821790d33a9563b8d2dd0) C:\WINDOWS\system32\Drivers\wpdusb.sys
    14:58:54.0804 3532 WpdUsb - ok
    14:58:54.0867 3532 xfilt (bec604cdc548a528ebd3d7aa1dd46a89) C:\WINDOWS\system32\DRIVERS\xfilt.sys
    14:58:54.0867 3532 xfilt - ok
    14:58:54.0898 3532 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
    14:58:54.0929 3532 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
    14:58:54.0929 3532 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
    14:58:54.0929 3532 Boot (0x1200) (2d5d45f45853beb79cf21ebf6174d6a2) \Device\Harddisk0\DR0\Partition0
    14:58:54.0929 3532 \Device\Harddisk0\DR0\Partition0 - ok
    14:58:54.0929 3532 ============================================================
    14:58:54.0929 3532 Scan finished
    14:58:54.0929 3532 ============================================================
    14:58:54.0960 3568 Detected object count: 1
    14:58:54.0960 3568 Actual detected object count: 1
    14:59:42.0709 3568 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
    14:59:42.0709 3568 \Device\Harddisk0\DR0 - ok
    14:59:42.0709 3568 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
    14:59:49.0052 3572 Deinitialize success
     
  4. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Good :)

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==============================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  5. Dasle

    Dasle TS Rookie Topic Starter

    That took a while. svchost seems to be back under control. It isn't running away anymore.

    Here are the other two logs. Since you didn't specify, I'm assuming you meant to have me run the quick scan on aswMBR. I didn't realize there was even an option until the scan was already in progress.

    aswMBR log:

    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-10 15:16:54
    -----------------------------
    15:16:54.765 OS Version: Windows 5.1.2600 Service Pack 3
    15:16:54.765 Number of processors: 2 586 0x4302
    15:16:54.765 ComputerName: PROJECT UserName: Jeff
    15:16:57.171 Initialize success
    15:20:18.890 AVAST engine defs: 12011001
    15:20:30.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-5
    15:20:30.875 Disk 0 Vendor: WDC_WD5000AACS-00ZUB0 01.01B01 Size: 476940MB BusType: 3
    15:20:30.890 Disk 0 MBR read successfully
    15:20:30.890 Disk 0 MBR scan
    15:20:30.937 Disk 0 Windows XP default MBR code
    15:20:30.937 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
    15:20:30.937 Disk 0 scanning sectors +976752000
    15:20:31.062 Disk 0 scanning C:\WINDOWS\system32\drivers
    15:20:40.609 Service scanning
    15:20:42.531 Modules scanning
    15:20:46.375 Disk 0 trace - called modules:
    15:20:46.390 ntkrnlpa.exe CLASSPNP.SYS disk.sys xfilt.sys ACPI.sys hal.dll atapi.sys videX32.sys PCIIDEX.SYS
    15:20:46.390 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a624ab8]
    15:20:46.890 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> [0x8a602ed0]
    15:20:46.890 5 xfilt.sys[b80f9046] -> nt!IofCallDriver -> \Device\00000074[0x8a606f18]
    15:20:46.890 7 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-5[0x8a5d2d98]
    15:20:48.062 AVAST engine scan C:\WINDOWS
    15:21:03.437 AVAST engine scan C:\WINDOWS\system32
    15:23:08.140 AVAST engine scan C:\WINDOWS\system32\drivers
    15:23:39.281 AVAST engine scan C:\Documents and Settings\Jeff
    15:58:33.625 AVAST engine scan C:\Documents and Settings\All Users
    16:01:36.984 Scan finished successfully
    16:02:08.343 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jeff\Desktop\MBR.dat"
    16:02:08.343 The log file has been saved successfully to "C:\Documents and Settings\Jeff\Desktop\aswMBR.txt"


    ---------------------------------------------------

    boot_cleaner log

    Posted incorrect log...deleted. Correct log in the following posts.
     
  6. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Second log is TDSSKiller log.
    I asked for Bootkit Remover log.

    Please pay attention...
     
  7. Dasle

    Dasle TS Rookie Topic Starter

    Yes, yes it is. Not sure how I managed that one, but I had pasted the TDSS log in the text file I created for the boot cleaner. Sorry about that.

    Here is the correct one:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  8. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Looks good :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. Dasle

    Dasle TS Rookie Topic Starter

    I tripled checked to make sure I got the right log this time!

    ComboFix Report:


    ComboFix 12-01-10.02 - Jeff 01/10/2012 17:13:34.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1452 [GMT -6:00]
    Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe
    AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Jeff\Recent\Thumbs.db
    C:\Install.exe
    c:\windows\system32\Thumbs.db
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-10 to 2012-01-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-10 16:53 . 2012-01-10 16:53 -------- d-----w- c:\documents and settings\Jeff\Application Data\Malwarebytes
    2012-01-10 16:53 . 2012-01-10 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-01-10 16:53 . 2012-01-10 16:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-10 16:53 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-10 15:42 . 2012-01-10 15:42 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2012-01-10 13:02 . 2012-01-10 13:02 -------- d-----w- c:\program files\AVG
    2012-01-10 12:47 . 2012-01-10 12:47 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2012-01-10 12:47 . 2012-01-10 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2012-01-10 12:17 . 2012-01-10 12:17 -------- d-----w- c:\documents and settings\Jeff\Local Settings\Application Data\Symantec
    2012-01-10 12:14 . 2012-01-10 12:14 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-01-10 10:01 . 2012-01-10 12:13 -------- d-----w- c:\documents and settings\Jeff\Local Settings\Application Data\NPE
    2012-01-10 09:53 . 2012-01-10 09:53 -------- d-----w- c:\documents and settings\Jeff\Application Data\Tific
    2012-01-09 22:08 . 2012-01-09 22:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-12-14 15:53 . 2011-12-14 15:53 -------- d-----w- c:\documents and settings\Jeff\Local Settings\Application Data\Auralog
    2011-12-14 15:52 . 2011-12-14 15:52 -------- d-----w- c:\program files\Auralog
    2011-12-14 15:22 . 2011-12-14 15:22 -------- d-sh--w- c:\documents and settings\Jeff\IECompatCache
    2011-12-14 15:19 . 2011-12-14 15:19 -------- d-sh--w- c:\documents and settings\Jeff\PrivacIE
    2011-12-14 15:18 . 2011-12-14 15:18 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-12-14 15:16 . 2011-12-14 15:16 -------- d-sh--w- c:\documents and settings\Jeff\IETldCache
    2011-12-14 15:01 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2011-12-14 15:00 . 2011-11-04 19:20 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2011-12-14 15:00 . 2011-11-04 19:20 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-12-14 15:00 . 2011-11-04 19:20 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2011-12-14 15:00 . 2011-11-04 19:20 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-12-14 15:00 . 2011-11-04 19:20 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-12-14 15:00 . 2011-11-04 19:20 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-12-14 15:00 . 2011-11-04 19:20 11081728 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2011-12-14 14:58 . 2011-12-14 15:00 -------- dc-h--w- c:\windows\ie8
    2011-12-14 14:46 . 2011-12-14 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Auralog
    2011-12-13 12:14 . 2011-12-13 12:14 -------- d-----w- c:\program files\iPod
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-10 15:43 . 2004-08-04 12:00 26112 ----a-w- c:\windows\system32\userinit.exe
    2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-22 11:02 . 2011-05-16 19:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-04 19:20 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
    2011-11-01 16:07 . 2004-08-04 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-24 20:29 . 2011-10-24 20:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 20:29 . 2011-10-24 20:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-18 11:13 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-11-14 18:38 . 2011-09-07 14:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "VTTimer"="VTTimer.exe" [2006-09-21 53248]
    "S3Trayp"="S3trayp.exe" [2007-09-30 200704]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
    "NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
    "nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-28 113664]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CompuServe 7.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CompuServe 7.0 Tray Icon.lnk
    backup=c:\windows\pss\CompuServe 7.0 Tray Icon.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2008-06-19 20:20 57344 ----a-r- c:\windows\Alcmtr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    2008-10-24 13:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-12-08 07:36 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2011-10-08 04:50 203072 ----a-w- c:\windows\system32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 20:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2008-09-02 23:44 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2008-07-03 20:51 16876032 ----a-r- c:\windows\RTHDCPL.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Dynamix Mapping\\TRIBES\\Tribes.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
    "c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars-The Old Republic\\launcher.exe"=
    "c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars-The Old Republic\\betatest\\retailclient\\swtor.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1206000.01D\symds.sys [6/25/2011 5:06 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1206000.01D\symefa.sys [6/25/2011 5:06 PM 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20111223.001\BHDrvx86.sys [11/30/2011 8:25 PM 820344]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1206000.01D\ironx86.sys [6/25/2011 5:06 PM 136312]
    R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\18.6.0.29\ccsvchst.exe [6/25/2011 5:06 PM 130008]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [11/11/2011 9:22 PM 2253120]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/9/2011 4:09 AM 106104]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20120107.001\IDSXpx86.sys [1/10/2012 2:57 AM 356280]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [11/11/2011 9:19 PM 119656]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 6:00 AM 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
    FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\dldhuz2k.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-Advanced Tools Check - c:\progra~1\NORTON~1\AdvTools\ADVCHK.EXE
    MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
    MSConfigStartUp-nwiz - nwiz.exe
    MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-10 17:22
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
    "ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
    .
    Completion time: 2012-01-10 17:24:47
    ComboFix-quarantined-files.txt 2012-01-10 23:24
    .
    Pre-Run: 292,374,224,896 bytes free
    Post-Run: 296,172,027,904 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 66D2F3317D6917470C0F25D1B9689195
     
  10. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Looks good.

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  11. Dasle

    Dasle TS Rookie Topic Starter

    It seems to be running normal again. I still get the windows activation requirement, but I've been waiting until we finish to try to reactivate it. Performance-wise, it certainly hasn't been bogging down like before.

    The OTL file is really long. I hope it's alright if I break it into two posts?


    OTL.txt:

    OTL logfile created on: 1/10/2012 5:42:17 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Jeff\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.37 Gb Available Physical Memory | 68.39% Memory free
    3.85 Gb Paging File | 3.36 Gb Available in Paging File | 87.23% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 465.75 Gb Total Space | 275.86 Gb Free Space | 59.23% Space Free | Partition Type: NTFS

    Computer Name: PROJECT | User Name: Jeff | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/01/10 17:41:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
    PRC - [2011/10/07 22:50:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    PRC - [2011/04/16 18:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\18.6.0.29\ccsvchst.exe
    PRC - [2008/04/13 18:12:40 | 000,032,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wpabaln.exe
    PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/01/11 02:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    PRC - [2006/09/21 07:36:18 | 000,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe
    PRC - [2001/09/25 07:32:50 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/10/07 22:50:00 | 001,564,264 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\nView\nView.dll
    MOD - [2011/10/07 22:50:00 | 000,355,432 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\nView\nvShell.dll
    MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
    MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
    SRV - [2011/10/07 22:50:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
    SRV - [2011/04/16 18:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe -- (NAV)
    SRV - [2007/01/11 02:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)
    SRV - [2001/09/25 07:32:50 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/11/30 20:25:03 | 000,820,344 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20111223.001\BHDrvx86.sys -- (BHDrvx86)
    DRV - [2011/11/09 04:09:47 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2011/11/09 04:09:47 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2011/11/04 15:52:35 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20120110.002\NAVEX15.SYS -- (NAVEX15)
    DRV - [2011/11/04 15:52:35 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20120110.002\NAVENG.SYS -- (NAVENG)
    DRV - [2011/11/03 17:01:08 | 000,356,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20120107.001\IDSXpx86.sys -- (IDSxpx86)
    DRV - [2011/07/07 17:21:30 | 000,119,656 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvhda32.sys -- (NVHDA)
    DRV - [2011/06/25 17:07:05 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2011/03/30 21:00:09 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1206000.01D\SRTSP.SYS -- (SRTSP)
    DRV - [2011/03/30 21:00:09 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1206000.01D\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
    DRV - [2011/03/21 18:39:49 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1206000.01D\SYMTDI.SYS -- (SYMTDI)
    DRV - [2011/03/14 20:31:23 | 000,744,568 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1206000.01D\SYMEFA.SYS -- (SymEFA)
    DRV - [2011/01/27 00:47:10 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1206000.01D\SYMDS.SYS -- (SymDS)
    DRV - [2011/01/26 23:07:05 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1206000.01D\Ironx86.SYS -- (SymIRON)
    DRV - [2008/09/02 17:44:53 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
    DRV - [2008/07/03 15:03:14 | 004,745,216 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2008/04/17 04:57:14 | 000,603,648 | ---- | M] (S3 Graphics Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\S3gIGPm.sys -- (S3GIGP)
    DRV - [2007/04/16 19:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
    DRV - [2006/10/18 15:39:58 | 000,017,920 | R--- | M] (VIA Technologies,Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\xfilt.sys -- (xfilt)
    DRV - [2006/10/17 18:22:26 | 000,009,216 | R--- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\videX32.sys -- (videX32)
    DRV - [2005/12/29 04:07:50 | 000,282,624 | R--- | M] (Marvell Semiconductor, Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Mrvw125.sys -- (W8335XP)
    DRV - [2001/09/27 09:00:26 | 000,028,396 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-682003330-507921405-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-682003330-507921405-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:3.1
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
    FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll File not found
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\CompuServe 7.0\Extensions\\:
    FF - HKEY_LOCAL_MACHINE\software\mozilla\CompuServe 7.0\Extensions\\Components: C:\Program Files\Common Files\csshare\plugins0942 [2011/11/11 19:15:33 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\CompuServe 7.0\Extensions\\Plugins: C:\Program Files\Common Files\csshare\plugins0942 [2011/11/11 19:15:33 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\IPSFFPlgn\ [2011/09/28 04:15:41 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/14 12:38:18 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/11 19:15:33 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\CompuServe 7.0\Extensions\\:
    FF - HKEY_CURRENT_USER\software\mozilla\CompuServe 7.0\Extensions\\Components: C:\Program Files\Common Files\csshare\plugins0942 [2011/11/11 19:15:33 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\CompuServe 7.0\Extensions\\Plugins: C:\Program Files\Common Files\csshare\plugins0942 [2011/11/11 19:15:33 | 000,000,000 | ---D | M]

    [2009/09/01 20:22:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Extensions
    [2009/09/01 20:22:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\dldhuz2k.default\extensions
    [2011/11/14 12:38:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/09/28 04:15:41 | 000,000,000 | ---D | M] (Symantec IPS) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\IPSFFPLGN
    [2011/07/09 13:54:43 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2011/09/28 03:57:49 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
    [2011/11/14 12:38:18 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/07/09 13:54:42 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2011/09/07 10:29:27 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2011/11/14 12:38:18 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2012/01/10 17:22:26 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\18.6.0.29\ips\ipsbho.dll (Symantec Corporation)
    O3 - HKU\S-1-5-21-682003330-507921405-839522115-1004\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-682003330-507921405-839522115-1004\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe ()
    O4 - HKLM..\Run: [S3Trayp] C:\WINDOWS\System32\S3Trayp.exe (S3 Graphics Co., Ltd.)
    O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-682003330-507921405-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-682003330-507921405-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-682003330-507921405-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-682003330-507921405-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\S-1-5-21-682003330-507921405-839522115-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-682003330-507921405-839522115-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=67633 (Office Genuine Advantage Validation Tool)
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1309924587859 (WUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab (Java Plug-in 1.3.1_02)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.94.156.1 68.94.157.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8ECCA8B3-18EF-4F4F-A1F6-F25821F05B4E}: DhcpNameServer = 68.94.156.1 68.94.157.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/08/29 21:50:07 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: AppMgmt - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: vidc.XVID - C:\WINDOWS\System32\xvidvfw.dll ()

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/01/10 17:41:00 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
    [2012/01/10 17:08:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012/01/10 16:56:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/01/10 16:56:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/01/10 16:56:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/01/10 16:56:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/01/10 16:56:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2012/01/10 16:56:31 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/01/10 16:50:31 | 004,377,322 | R--- | C] (Swearware) -- C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
    [2012/01/10 16:03:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Desktop\bootkit_remover
    [2012/01/10 15:15:54 | 004,713,472 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Jeff\Desktop\aswMBR.exe
    [2012/01/10 14:57:06 | 001,972,528 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jeff\Desktop\tdsskiller.exe
    [2012/01/10 12:08:16 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
    [2012/01/10 12:08:15 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Jeff\Start Menu\Programs\Administrative Tools
    [2012/01/10 12:03:37 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Jeff\Desktop\dds.scr
    [2012/01/10 10:53:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Application Data\Malwarebytes
    [2012/01/10 10:53:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/01/10 10:53:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2012/01/10 10:53:23 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2012/01/10 10:53:23 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/01/10 10:49:28 | 010,847,608 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jeff\Desktop\mbam-setup-1.60.0.1800.exe
    [2012/01/10 09:42:05 | 000,101,720 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
    [2012/01/10 09:36:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
    [2012/01/10 07:02:55 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
    [2012/01/10 06:47:30 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2012/01/10 06:47:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2012/01/10 06:26:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Start Menu\Programs\Norton
    [2012/01/10 06:26:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Norton
    [2012/01/10 06:24:09 | 000,770,776 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Jeff\Desktop\AutoDetectPkg.exe
    [2012/01/10 06:17:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Local Settings\Application Data\Symantec
    [2012/01/10 04:01:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Local Settings\Application Data\NPE
    [2012/01/10 03:53:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Application Data\Tific
    [2012/01/10 03:37:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2012/01/10 03:37:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2012/01/09 16:08:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2012/01/09 16:07:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2011/12/14 09:53:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Local Settings\Application Data\Auralog
    [2011/12/14 09:53:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Start Menu\Programs\TELL ME MORE V10 DC Universal
    [2011/12/14 09:52:32 | 000,000,000 | ---D | C] -- C:\Program Files\Auralog
    [2011/12/14 09:22:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Jeff\IECompatCache
    [2011/12/14 09:19:04 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Jeff\PrivacIE
    [2011/12/14 09:16:35 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Jeff\IETldCache
    [2011/12/14 09:00:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
    [2011/12/14 09:00:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM
    [2011/12/14 08:58:54 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
    [2011/12/14 08:46:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Auralog
    [2011/12/13 06:15:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
    [2011/12/13 06:14:23 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/01/10 17:41:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
    [2012/01/10 17:38:42 | 000,001,230 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/01/10 17:38:39 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/01/10 17:22:26 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2012/01/10 17:08:28 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2012/01/10 16:50:47 | 004,377,322 | R--- | M] (Swearware) -- C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
    [2012/01/10 16:02:08 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\MBR.dat
    [2012/01/10 15:16:39 | 004,713,472 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Jeff\Desktop\aswMBR.exe
    [2012/01/10 14:57:25 | 001,972,528 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jeff\Desktop\tdsskiller.exe
    [2012/01/10 12:37:53 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/01/10 12:03:39 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Jeff\Desktop\dds.scr
    [2012/01/10 11:42:08 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\k0yp574g.exe
    [2012/01/10 10:53:28 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/01/10 10:51:31 | 010,847,608 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jeff\Desktop\mbam-setup-1.60.0.1800.exe
    [2012/01/10 10:39:00 | 000,000,746 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\Norton Installation Files.lnk
    [2012/01/10 10:02:17 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
    [2012/01/10 10:02:16 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
    [2012/01/10 09:42:02 | 000,101,720 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
    [2012/01/10 06:42:57 | 003,888,054 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\untitled.bmp
    [2012/01/10 06:24:12 | 000,770,776 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Jeff\Desktop\AutoDetectPkg.exe
    [2012/01/10 06:00:32 | 000,000,340 | ---- | M] () -- C:\Documents and Settings\Jeff\Application Data\SMRResults210.dat
    [2012/01/10 03:46:58 | 000,285,176 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb0.bin
    [2012/01/10 03:46:58 | 000,000,001 | ---- | M] () -- C:\WINDOWS\System32\nvdrssel.bin
    [2012/01/09 12:16:19 | 000,285,176 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb1.bin
    [2012/01/09 12:16:18 | 000,000,013 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
    [2011/12/29 21:33:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2011/12/14 09:54:33 | 000,000,226 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
    [2011/12/14 09:53:33 | 000,002,120 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\TELL ME MORE V10 DC Universal Fran├žais.lnk
    [2011/12/14 09:27:25 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/12/14 09:16:47 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Jeff\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/12/14 09:16:24 | 000,267,800 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/12/14 09:06:44 | 000,502,658 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/12/14 09:06:44 | 000,087,124 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/01/10 17:08:27 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2012/01/10 17:08:25 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2012/01/10 16:56:41 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/01/10 16:56:41 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/01/10 16:56:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/01/10 16:56:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/01/10 16:56:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/01/10 16:02:08 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\MBR.dat
    [2012/01/10 11:42:08 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\k0yp574g.exe
    [2012/01/10 10:53:27 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/01/10 06:42:57 | 003,888,054 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\untitled.bmp
    [2012/01/10 06:26:33 | 000,000,746 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\Norton Installation Files.lnk
    [2012/01/10 06:00:32 | 000,000,340 | ---- | C] () -- C:\Documents and Settings\Jeff\Application Data\SMRResults210.dat
    [2011/12/14 09:54:33 | 000,000,226 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
    [2011/12/14 09:53:33 | 000,002,120 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\TELL ME MORE V10 DC Universal Fran├žais.lnk
    [2011/11/11 21:45:16 | 002,130,002 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
    [2011/11/11 21:13:17 | 000,285,176 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
    [2011/11/11 21:13:17 | 000,285,176 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
    [2011/11/11 21:13:17 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
    [2011/11/11 21:12:19 | 002,116,858 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
    [2011/11/04 15:43:46 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/10/08 21:45:39 | 000,158,528 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2011/09/14 12:45:55 | 000,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
    [2011/07/09 19:22:57 | 000,000,013 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
    [2011/02/20 13:10:01 | 000,118,870 | ---- | C] () -- C:\WINDOWS\hpoins30.dat
    [2011/02/20 13:10:01 | 000,000,449 | ---- | C] () -- C:\WINDOWS\hpomdl30.dat
    [2010/10/17 18:35:02 | 000,056,532 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
    [2009/11/20 12:44:57 | 000,002,108 | ---- | C] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\rx_audio.Cache
    [2009/11/20 12:44:57 | 000,000,072 | ---- | C] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\rx_image.Cache
    [2009/09/08 14:21:50 | 000,000,256 | ---- | C] () -- C:\WINDOWS\_delis32.ini
    [2009/09/01 20:22:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2009/02/25 18:27:41 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
    [2008/12/07 19:08:09 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    [2008/11/21 11:45:26 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2008/11/21 11:45:25 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2008/10/24 19:03:46 | 000,000,314 | ---- | C] () -- C:\WINDOWS\Sierra.ini
    [2008/09/02 19:38:34 | 000,000,291 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
    [2008/09/02 19:38:30 | 000,045,568 | ---- | C] () -- C:\WINDOWS\UniFish3.exe
    [2008/08/29 22:53:30 | 000,044,032 | ---- | C] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/08/29 22:30:21 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
    [2008/08/29 21:51:24 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2008/08/29 21:48:04 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2008/08/29 17:39:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2008/08/29 17:38:58 | 000,267,800 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2008/05/26 20:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
    [2008/05/26 20:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
    [2008/05/16 12:01:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
    [2008/02/04 16:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
    [2007/09/27 09:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
    [2007/09/27 09:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
    [2007/09/27 09:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
    [2007/05/22 07:54:46 | 001,769,472 | ---- | C] () -- C:\WINDOWS\System32\VTROM.bin
    [2004/08/04 06:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2004/08/04 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 06:00:00 | 000,502,658 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 06:00:00 | 000,087,124 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 06:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
     
  12. Dasle

    Dasle TS Rookie Topic Starter

    ========== LOP Check ==========

    [2011/12/14 08:46:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Auralog
    [2012/01/10 06:47:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2008/09/02 18:48:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
    [2008/09/03 22:07:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileOpen
    [2012/01/10 10:43:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2009/10/28 20:28:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
    [2008/09/02 17:53:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2009/03/29 22:34:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    [2010/05/01 21:42:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2009/09/26 21:57:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2009/04/16 21:09:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    [2008/09/02 17:53:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\Aim
    [2009/03/06 12:09:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\EPSON
    [2008/10/29 18:44:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\FileOpen
    [2011/10/17 18:31:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\nView_Wallpaper
    [2009/02/25 18:27:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\Research In Motion
    [2011/07/09 13:57:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\SystemRequirementsLab
    [2012/01/10 03:53:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\Tific
    [2008/11/07 22:06:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\Viewpoint
    [2011/09/28 04:48:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\Windows Desktop Search
    [2011/11/12 10:33:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\Windows Search

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2008/08/29 21:50:07 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2011/09/28 06:16:36 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2012/01/10 17:08:28 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2012/01/10 17:24:48 | 000,014,779 | ---- | M] () -- C:\ComboFix.txt
    [2008/08/29 21:50:07 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2007/11/07 06:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
    [2007/11/07 06:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
    [2007/11/07 06:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
    [2007/11/07 06:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
    [2007/11/07 06:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
    [2007/11/07 06:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
    [2007/11/07 06:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
    [2007/11/07 06:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
    [2007/11/07 06:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
    [2007/11/07 06:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
    [2007/11/07 06:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
    [2007/11/07 06:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
    [2007/11/07 06:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
    [2007/11/07 06:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
    [2007/11/07 06:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
    [2007/11/07 06:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
    [2007/11/07 06:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
    [2007/11/07 06:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
    [2007/11/07 06:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
    [2007/11/07 06:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
    [2008/08/29 21:50:07 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2008/08/29 21:50:07 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/09/02 16:54:57 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2012/01/10 17:38:35 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
    [2012/01/10 14:59:49 | 000,049,986 | ---- | M] () -- C:\TDSSKiller.2.7.0.0_10.01.2012_14.58.24_log.txt
    [2007/11/07 06:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
    [2007/11/07 06:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
    [2007/11/07 06:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI

    < %systemroot%\Fonts\*.com >
    [2006/04/18 13:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 12:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 13:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 12:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2008/08/29 21:49:47 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 06:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2008/10/24 10:48:38 | 000,321,536 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp696.dll
    [2008/07/06 04:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2008/08/29 17:38:08 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
    [2008/08/29 17:38:08 | 000,634,880 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2008/08/29 17:38:08 | 000,909,312 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2008/09/02 16:58:46 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2008/09/02 17:01:53 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Jeff\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2008/08/29 21:56:05 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Jeff\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2012/01/10 15:16:39 | 004,713,472 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Jeff\Desktop\aswMBR.exe
    [2012/01/10 06:24:12 | 000,770,776 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Jeff\Desktop\AutoDetectPkg.exe
    [2012/01/10 16:50:47 | 004,377,322 | R--- | M] (Swearware) -- C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
    [2012/01/10 11:42:08 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\k0yp574g.exe
    [2012/01/10 10:51:31 | 010,847,608 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jeff\Desktop\mbam-setup-1.60.0.1800.exe
    [2012/01/10 17:41:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
    [2011/11/22 04:42:12 | 025,599,928 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\SWTOR_setup.exe
    [2012/01/10 14:57:25 | 001,972,528 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jeff\Desktop\tdsskiller.exe
    [2008/10/16 21:12:00 | 006,216,032 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Jeff\Desktop\windowsupdateagent30-x86.exe
    [2011/07/20 06:13:30 | 001,266,056 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Jeff\Desktop\WindowsXP-KB927891.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2008/09/02 17:01:53 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Jeff\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2012/01/10 17:39:06 | 000,507,904 | ---- | M] () -- C:\Documents and Settings\Jeff\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2008/04/13 18:12:38 | 000,208,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 18:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/03 23:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/03 23:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 08:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 11:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/13 18:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2007/04/02 12:07:23 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2007/04/02 12:07:23 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2007/04/02 12:07:24 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/03 23:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/03 23:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 60 bytes -> C:\Documents and Settings\Jeff\Desktop\Jeff Smith Resume - Cage Supervisor.docx:AFP_AfpInfo

    < End of report >
     
  13. Dasle

    Dasle TS Rookie Topic Starter

    Extras.txt


    OTL Extras logfile created on: 1/10/2012 5:42:17 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Jeff\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.37 Gb Available Physical Memory | 68.39% Memory free
    3.85 Gb Paging File | 3.36 Gb Available in Paging File | 87.23% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 465.75 Gb Total Space | 275.86 Gb Free Space | 59.23% Space Free | Partition Type: NTFS

    Computer Name: PROJECT | User Name: Jeff | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:mad:xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22002
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008
    "4481:TCP" = 4481:TCP:LocalSubNet:Enabled:BlackBerry Desktop Software music sync service data transfer
    "4481:UDP" = 4481:UDP:LocalSubNet:Enabled:BlackBerry Desktop Software music sync service discovery
    "4482:TCP" = 4482:TCP:LocalSubNet:Enabled:BlackBerry Desktop Software music sync service data transfer
    "4482:UDP" = 4482:UDP:LocalSubNet:Enabled:BlackBerry Desktop Software music sync service discovery
    "5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
    "C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
    "C:\Program Files\Electronic Arts\BioWare\Star Wars-The Old Republic\launcher.exe" = C:\Program Files\Electronic Arts\BioWare\Star Wars-The Old Republic\launcher.exe:*:Enabled:Star Wars - The Old Republic -- (BioWare)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)
    "C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
    "C:\Dynamix Mapping\TRIBES\Tribes.exe" = C:\Dynamix Mapping\TRIBES\Tribes.exe:*:Enabled:Tribes -- ()
    "C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- ()
    "C:\Program Files\World of Warcraft\WoW-3.2.0-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
    "C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
    "C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe" = C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe:*:Enabled:BlackBerry Desktop Software -- (Research In Motion)
    "C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
    "C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
    "C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe" = C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe:*:Enabled:Daemonu.exe -- (NVIDIA Corporation)
    "C:\Program Files\Electronic Arts\BioWare\Star Wars-The Old Republic\launcher.exe" = C:\Program Files\Electronic Arts\BioWare\Star Wars-The Old Republic\launcher.exe:*:Enabled:Star Wars - The Old Republic -- (BioWare)
    "C:\Program Files\Electronic Arts\BioWare\Star Wars-The Old Republic\betatest\retailclient\swtor.exe" = C:\Program Files\Electronic Arts\BioWare\Star Wars-The Old Republic\betatest\retailclient\swtor.exe:*:Enabled:Star Wars: The Old Republic -- (BioWare, A Division of Electronic Arts)
    "C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
    "C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
    "{0BC1A5B2-79A1-4716-B3E5-4071E9AB6F43}" = HP Photosmart C4500 All-In-One Driver 12.0 Rel .4
    "{18A8E78B-9EF2-496E-B310-BCD8E4C1DAB3}" = iSEEK AnswerWorks English Runtime
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
    "{26A24AE4-039D-4CA4-87B4-2F83216026FF}" = Java(TM) 6 Update 26
    "{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3B11D799-48E0-48ED-BFD7-EA655676D8BB}" = Star Wars: The Old Republic
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer
    "{48D0B1A3-11AC-4A87-AFB2-2002CCB88B34}" = PS_AIO_04_C4580_Software_Min
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{5FE545A1-D215-4216-9189-E7B39C9D1CC1}" = Quicken 2011
    "{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
    "{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
    "{7F6D7FD9-648D-4DD9-BB6E-3990C675ECA4}" = NVIDIA PhysX
    "{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
    "{87A9A9A9-FAB7-4224-9328-0FA2058C0FD5}" = Network
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
    "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{92482FB3-C05B-41C6-89E7-75D985602A6E}" = System Requirements Lab
    "{926BD0E8-24A3-41D2-AF9B-340F1A37ED12}" = MobileMe Control Panel
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9CCCFD9C-248F-47FE-9496-1680E3E5C163}" = Scan
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AC13BA3A-336B-45a4-B3FE-2D3058A7B533}" = Toolbox
    "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.7
    "{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 285.58
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 285.58
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView" = NVIDIA nView 135.95
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.11.0621
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.5.20
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD Audio Driver 1.2.24.0
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
    "{B7DBF6E8-0D17-4BE4-853B-ACD6EFBD4A1F}" = iTunes
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D25F26E6-7F37-4580-9E83-2BDD9BE9E0CE}" = BlackBerry Desktop Software 6.0
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Adobe Photoshop Elements 2.0" = Adobe Photoshop Elements 2.0
    "Adobe Shockwave Player" = Adobe Shockwave Player 11
    "AOL Instant Messenger" = AOL Instant Messenger
    "BlackBerry_Desktop" = BlackBerry Desktop Software 6.0
    "Chrome9HC" = VIA Chrome9 HC IGP Family Display 6.14.10.0133
    "CompuServe us" = CompuServe
    "ENTERPRISER" = Microsoft Office Enterprise 2007
    "EPSON Printer and Utilities" = EPSON Printer Software
    "EPSON Scanner" = EPSON Scan
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
    "JRE 1.3.1_02" = Java 2 Runtime Environment Standard Edition v1.3.1_02
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Mozilla Firefox 8.0 (x86 en-US)" = Mozilla Firefox 8.0 (x86 en-US)
    "NAV" = Norton AntiVirus
    "NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
    "Precision" = EVGA Precision 2.0.4
    "RealPlayer 6.0" = RealPlayer Basic
    "RollerCoaster Tycoon Setup" = Roll
    "Starsiege TRIBES" = Starsiege TRIBES 1.8
    "ViewpointMediaPlayer" = Viewpoint Media Player
    "VLC media player" = VLC media player 1.1.11
    "Windows Media Format Runtime" = Windows Media Format Runtime
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "World of Warcraft" = World of Warcraft
    "Xvid_is1" = Xvid 1.1.3 final uninstall

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-682003330-507921405-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "TMM10R_3c23d8cc-c666-4a35-b84a-5371c1cb3f45" = TELL ME MORE

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 1/10/2012 11:24:22 AM | Computer Name = PROJECT | Source = MsiInstaller | ID = 11923
    Description = Product: Ad-Aware -- Error 1923. Service 'Lavasoft Ad-Aware Service'
    (Lavasoft Ad-Aware Service) could not be installed. Verify that you have sufficient
    privileges to install system services.

    Error - 1/10/2012 11:24:23 AM | Computer Name = PROJECT | Source = MsiInstaller | ID = 11923
    Description = Product: Ad-Aware -- Error 1923. Service 'Lavasoft Ad-Aware Service'
    (Lavasoft Ad-Aware Service) could not be installed. Verify that you have sufficient
    privileges to install system services.

    Error - 1/10/2012 11:42:36 AM | Computer Name = PROJECT | Source = Lavasoft Ad-Aware Service | ID = 0
    Description =

    Error - 1/10/2012 12:34:50 PM | Computer Name = PROJECT | Source = MsiInstaller | ID = 11704
    Description = Product: Ad-Aware -- Error 1704. An installation for Ad-Aware is currently
    suspended. You must undo the changes made by that installation to continue. Do
    you want to undo those changes?

    Error - 1/10/2012 1:06:03 PM | Computer Name = PROJECT | Source = Application Error | ID = 1000
    Description = Faulting application , version 0.0.0.0, faulting module unknown, version
    0.0.0.0, fault address 0x00000000.

    Error - 1/10/2012 1:51:56 PM | Computer Name = PROJECT | Source = Application Error | ID = 1004
    Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
    unknown, version 0.0.0.0, fault address 0x00000000.

    Error - 1/10/2012 1:53:57 PM | Computer Name = PROJECT | Source = Application Hang | ID = 1002
    Description = Hanging application hsplayer.exe, version 11.5.0.12, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 1/10/2012 2:00:25 PM | Computer Name = PROJECT | Source = Application Error | ID = 1004
    Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
    unknown, version 0.0.0.0, fault address 0x00000000.

    Error - 1/10/2012 2:13:34 PM | Computer Name = PROJECT | Source = Application Error | ID = 1004
    Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
    unknown, version 0.0.0.0, fault address 0x00000000.

    Error - 1/10/2012 2:18:01 PM | Computer Name = PROJECT | Source = Application Error | ID = 1001
    Description = Fault bucket 00536409.

    [ System Events ]
    Error - 1/10/2012 2:11:41 PM | Computer Name = PROJECT | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 1/10/2012 4:55:12 PM | Computer Name = PROJECT | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
    again in 15 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 1/10/2012 4:55:12 PM | Computer Name = PROJECT | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 1/10/2012 4:55:12 PM | Computer Name = PROJECT | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
    again in 15 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 1/10/2012 4:55:12 PM | Computer Name = PROJECT | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 15 minutes. NtpClient has no source of accurate
    time.

    Error - 1/10/2012 6:56:27 PM | Computer Name = PROJECT | Source = Service Control Manager | ID = 7034
    Description = The EPSON V3 Service4(01) service terminated unexpectedly. It has
    done this 1 time(s).

    Error - 1/10/2012 7:03:04 PM | Computer Name = PROJECT | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 1/10/2012 7:04:20 PM | Computer Name = PROJECT | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AmdPPM BHDrvx86 eeCtrl Fips SRTSPX SymIRON SYMTDI

    Error - 1/10/2012 7:04:40 PM | Computer Name = PROJECT | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 1/10/2012 7:07:11 PM | Computer Name = PROJECT | Source = Service Control Manager | ID = 7034
    Description = The EPSON V3 Service4(01) service terminated unexpectedly. It has
    done this 1 time(s).


    < End of report >
     
  14. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Good news :)

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKU\S-1-5-21-682003330-507921405-839522115-1004\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O3 - HKU\S-1-5-21-682003330-507921405-839522115-1004\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
      [2012/01/10 07:02:55 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
      [2008/09/02 17:53:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      [2008/11/07 22:06:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\Viewpoint
      @Alternate Data Stream - 60 bytes -> C:\Documents and Settings\Jeff\Desktop\Jeff Smith Resume - Cage Supervisor.docx:AFP_AfpInfo
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ============================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ===============================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  15. Dasle

    Dasle TS Rookie Topic Starter

    Finished all of those steps. From what I can tell, everything is looking good. No threats were found with the ESETscan.

    Second OTL Log:

    All processes killed
    ========== OTL ==========
    Registry value HKEY_USERS\S-1-5-21-682003330-507921405-839522115-1004\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
    Registry value HKEY_USERS\S-1-5-21-682003330-507921405-839522115-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    C:\Program Files\AVG\AVG2012\awacs\speedtest\component folder moved successfully.
    C:\Program Files\AVG\AVG2012\awacs\speedtest folder moved successfully.
    C:\Program Files\AVG\AVG2012\awacs folder moved successfully.
    C:\Program Files\AVG\AVG2012 folder moved successfully.
    C:\Program Files\AVG folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint folder moved successfully.
    C:\Documents and Settings\Jeff\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 folder moved successfully.
    C:\Documents and Settings\Jeff\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 folder moved successfully.
    C:\Documents and Settings\Jeff\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 folder moved successfully.
    C:\Documents and Settings\Jeff\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 folder moved successfully.
    C:\Documents and Settings\Jeff\Application Data\Viewpoint\Viewpoint Experience Technology\Resources folder moved successfully.
    C:\Documents and Settings\Jeff\Application Data\Viewpoint\Viewpoint Experience Technology folder moved successfully.
    C:\Documents and Settings\Jeff\Application Data\Viewpoint folder moved successfully.
    ADS C:\Documents and Settings\Jeff\Desktop\Jeff Smith Resume - Cage Supervisor.docx:AFP_AfpInfo deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Jeff
    ->Temp folder emptied: 853 bytes
    ->Temporary Internet Files folder emptied: 1054964 bytes
    ->Java cache emptied: 4673 bytes
    ->FireFox cache emptied: 1117862992 bytes
    ->Flash cache emptied: 201691 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 8388742 bytes
    ->Flash cache emptied: 7356 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 8847494 bytes
    ->Flash cache emptied: 20766 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2162283 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 36261 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 1,086.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User

    User: Jeff
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    User: UpdatusUser

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 01102012_182629

    Files\Folders moved on Reboot...
    C:\WINDOWS\temp\Perflib_Perfdata_6f0.dat moved successfully.

    Registry entries deleted on Reboot...


    ***********************************************************************

    Checkup:

    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Norton AntiVirus
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 30
    Adobe Flash Player 11.1.102.55
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Norton ccSvcHst.exe
    ``````````End of Log````````````


    *****************************************************************

    FSS:


    Farbar Service Scanner
    Ran by Jeff (administrator) on 10-01-2012 at 18:47:44
    Microsoft Windows XP Home Edition Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ===========

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4)
    0x09000000050000000100000002000000030000000400000008000000090000000600000007000000
    IpSec Tag value is correct.

    **** End of log ****
     
  16. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
     
  17. Dasle

    Dasle TS Rookie Topic Starter

    Good Afternoon!

    I finally got through everything in your last post. The computer seems to be running like normal again, so thanks a ton! You've been a huge help.

    Here is the log you requested:

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Jeff
    ->Temp folder emptied: 1712 bytes
    ->Temporary Internet Files folder emptied: 33174 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 18775554 bytes
    ->Flash cache emptied: 589 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 42302 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 56746 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 18.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User

    User: Jeff
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    User: UpdatusUser

    Total Flash Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.31.0 log created on 01112012_071102

    Files\Folders moved on Reboot...
    C:\WINDOWS\temp\Perflib_Perfdata_738.dat moved successfully.

    Registry entries deleted on Reboot...
     
  18. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Yes!! [​IMG]
    Good luck and stay safe :)
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...