TechSpot

Malwarebytes blocking incoming IP

By Michael Best
Sep 3, 2012
  1. Malwarebytes is blocking IPs at a rate of 100 per second. Logs caused my server to run out of disk space because of 250GB of logs. Server is running Windows 2003 SP2. The logs are all identical except the IP changes every so often.

    2012/09/03 11:47:57 -0400 ECT05 (null) IP-BLOCK 222.186.18.72 (Type: incoming)
    2012/09/03 11:47:57 -0400 ECT05 (null) IP-BLOCK 222.186.18.72 (Type: incoming)
    2012/09/03 11:47:57 -0400 ECT05 (null) IP-BLOCK 222.186.18.72 (Type: incoming)
    2012/09/03 11:47:57 -0400 ECT05 (null) IP-BLOCK 222.186.18.72 (Type: incoming)
    2012/09/03 11:47:57 -0400 ECT05 (null) IP-BLOCK 222.186.18.72 (Type: incoming)
    2012/09/03 11:47:57 -0400 ECT05 (null) IP-BLOCK 222.186.18.72 (Type: incoming)
    2012/09/03 11:47:57 -0400 ECT05 (null) IP-BLOCK 222.186.18.72 (Type: incoming)
    2012/09/03 11:47:57 -0400 ECT05 (null) IP-BLOCK 222.186.18.72 (Type: incoming)
    2012/09/03 11:47:57 -0400 ECT05 (null) IP-BLOCK 222.186.18.72 (Type: incoming)
    2012/09/03 11:47:57 -0400 ECT05 (null) IP-BLOCK 222.186.18.72 (Type: incoming)

    I was not able to run DDS.com because it did support Windows 2003.
    I scanned with both ESET and Malwarebytes with no infections. This server did get infected and I thought I cleaned it all up with Malwarebytes a few months ago.

    Malwarebytes logs:
    Malwarebytes Anti-Malware (PRO) 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.09.03.05
    Windows Server 2003 Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.18702
    mikebest66 :: ECT05 [administrator]
    Protection: Enabled
    9/3/2012 12:57:16 PM
    mbam-log-2012-09-03 (12-57-16).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 532965
    Time elapsed: 6 minute(s), 47 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-09-03 12:30:03
    Windows 5.2.3790 Service Pack 2 Harddisk0\DR0 -> \Device\Scsi\symmpi1Port1Path0Target0Lun0 VMware__ rev.1.0_
    Running: 9pf5ljsr.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapog.sys

    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat Dfs.sys (Distributed File System Filter Driver/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
    AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
    ---- EOF - GMER 1.0.15 ----
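As an added, defender-side example that is not part of the thread and not a Malwarebytes tool: a small Python parser for the IP-BLOCK lines quoted above. It groups blocks by address and by second, reports which addresses exceed a per-second threshold, and projects how fast the protection log grows at a given rate, which is the disk-exhaustion problem the first post describes. The threshold value, the outgoing block for a documentation address and the non-IP-BLOCK sample line are constructed here for illustration; the line format is the one shown in the log above.

```python
"""Rate and volume analysis for Malwarebytes 1.x IP-BLOCK protection-log lines."""
import re
from collections import Counter, defaultdict

# One protection-log line in the format quoted in the thread:
#   2012/09/03 11:47:57 -0400 ECT05 (null) IP-BLOCK 222.186.18.72 (Type: incoming)
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [+-]\d{4} "
    r"(?P<host>\S+) \S+ IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>incoming|outgoing)\)$"
)

_FLOOD = "2012/09/03 11:47:57 -0400 ECT05 (null) IP-BLOCK 222.186.18.72 (Type: incoming)"

# Constructed sample: the repeated line from the thread, two more one second
# later, one outgoing block for a documentation address, and one line that is
# not an IP-BLOCK event at all (made up here to show that it is skipped).
SAMPLE_LINES = (
    [_FLOOD] * 10
    + [_FLOOD.replace("11:47:57", "11:47:58")] * 2
    + ["2012/09/03 11:47:57 -0400 ECT05 (null) IP-BLOCK 203.0.113.9 (Type: outgoing)"]
    + ["2012/09/03 11:47:59 -0400 ECT05 (null) DETECTION (constructed, not a block event)"]
)


def parse_line(line):
    """Return the fields of one IP-BLOCK line, or None for any other line."""
    text = line.strip()
    m = LOG_RE.match(text)
    if m is None:
        return None
    return {
        "ts": m["ts"],            # second-resolution timestamp, used as the bucket key
        "host": m["host"],
        "ip": m["ip"],
        "direction": m["direction"],
        "size": len(text.encode("utf-8")) + 1,   # bytes on disk including newline
    }


def summarize(lines, rate_threshold=10):
    """Count IP-BLOCK events per (address, direction) and per second.

    rate_threshold is the number of blocks from one address within a single
    second at or above which the address is reported as flooding; 10 is an
    assumed value to tune per environment.
    """
    per_ip = Counter()                  # (ip, direction) -> total events
    per_second = defaultdict(Counter)   # ts -> Counter of (ip, direction)
    parsed = skipped = total_bytes = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        parsed += 1
        key = (ev["ip"], ev["direction"])
        per_ip[key] += 1
        per_second[ev["ts"]][key] += 1
        total_bytes += ev["size"]
    # Highest one-second count seen for each address/direction.
    peak = Counter()
    for counts in per_second.values():
        for key, n in counts.items():
            if n > peak[key]:
                peak[key] = n
    flooding = sorted(k for k, n in peak.items() if n >= rate_threshold)
    return {
        "parsed": parsed,
        "skipped": skipped,
        "per_ip": dict(per_ip),
        "peak_per_second": dict(peak),
        "flooding": flooding,
        "avg_line_bytes": total_bytes / parsed if parsed else 0.0,
    }


def projected_bytes_per_day(rate_per_second, avg_line_bytes):
    """Log growth per day if a block rate is sustained around the clock."""
    return int(rate_per_second * avg_line_bytes * 86400)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for key, n in summary["per_ip"].items():
        print(f"{key[0]:<16} {key[1]:<9} total={n:<4} peak/s={summary['peak_per_second'][key]}")
    print("flooding:", summary["flooding"])
    # The rate the first post reports, with the line size seen in the sample.
    print("at 100 blocks/s the log grows by about",
          projected_bytes_per_day(100, summary["avg_line_bytes"]) // 2**20, "MiB per day")
```

Two things this makes visible that the raw log does not. First, the direction: a flood of `incoming` blocks from one address is external traffic being dropped at the host, while a flood of `outgoing` blocks from the server itself would point at a process on the server trying to reach a blocked address, which is the case that would confirm a remaining infection. Second, the growth projection: the block module is doing its job, and the disk problem comes from writing one line per dropped packet with no rate limiting, so the remedy on the log side is a size cap or rotation for the protection log rather than turning protection off.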
     
  2. Michael Best

    Michael Best TS Rookie Topic Starter Posts: 23

    Another Item I forgot to mention. This server is a virtual server running on VMWare.
     
  3. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===================================

    We don't have too many tools to deal with Server 2003 so let's see how it goes.

    First I need some clarification.

    Is it on virtual partition of some other Windows version?
    If so what Windows version?
     
  4. Michael Best

    Michael Best TS Rookie Topic Starter Posts: 23

    VMWare is the host OS, which is a bare-bones Linux but so customized you can't really call it Linux either. I would not think too much about it. For the most part Windows thinks it's on a dedicated server. The drives are virtual drives and the OS thinks they are dedicated only to it. Also, since this is a virtual server, making back-ups and recovering from back-ups is super easy. I have software that does incremental backups every 30 minutes or so. This is also invisible to the OS.

    Here is a description of the Host OS from Wikipedia:
    VMware states that the ESX product runs on bare metal.[7] In contrast to other VMware products, it does not run atop a third-party operating system,[8] but instead includes its own kernel. Up through the current ESX version 5.0, a Linux kernel is started first,[9] and is used to load a variety of specialized virtualization components, including VMware's vmkernel component. This previously booted Linux kernel then becomes the first running virtual machine and is called the service console. Thus, at normal run-time, the vmkernel is running on the bare computer and the Linux-based service console runs as the first virtual machine.
     
  5. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Let's run some checks.
    I can't guarantee which tool will or will not run on your server, so we just have to try.

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    ==================================

    Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    If normal mode still doesn't work, run the tool from safe mode.

    When the scan is done Notepad will open with rKill log.
    Post it in your next reply.

    NOTE. rKill.txt log will also be present on your desktop.

    ==================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     
  6. Michael Best

    Michael Best TS Rookie Topic Starter Posts: 23

    Looks like it found some registry entries that it wants to delete.

    RogueKiller V8.0.2 [08/31/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows XP 64 / Windows Home Server / Windows Server 2003 (5.2.3790 Service Pack 2) 32 bits version
    Started in : Normal mode
    User : mikebest66 [Admin rights]
    Mode : Scan -- Date : 09/03/2012 22:53:54
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 3 ¤¤¤
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    ¤¤¤ Infection : ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts
    127.0.0.1 localhost
    192.168.1.4 ect
    192.168.1.4 ectsrv1
    192.168.1.4 ectsrv1.ect.local
    192.168.1.4 ect.local

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: VMware Virtual disk SCSI Disk Device +++++
    --- User ---
    [MBR] f6445ce070c1b05936778cfa45e832c3
    [BSP] f3c6641ff6b1ee35f15013d15cec3eca : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 20465 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    +++++ PhysicalDrive1: VMware Virtual disk SCSI Disk Device +++++
    --- User ---
    [MBR] 52013234979f9e035d6812e7b3c53c0a
    [BSP] 4b7892ee4a0eb3bda2606163d641b96b : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 358395 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Finished : << RKreport[1].txt >>
    RKreport[1].txt
     
  7. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Do NOT fix anything.
     
  8. Michael Best

    Michael Best TS Rookie Topic Starter Posts: 23

    Rkill 2.3.4 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html
    Program started at: 09/03/2012 11:15:19 PM in x86 mode.
    Windows Version: Microsoft Windows Server 2003 Service Pack 2
    Checking for Windows services to stop.
    * No malware services found to stop.
    Checking for processes to terminate.
    * C:\WINDOWS\system32\spool\drivers\w32x86\3\SH0XRCV.exe (PID: 1860) [WD-HEUR]
    * C:\WINDOWS\system32\spool\drivers\w32x86\3\SH0XRCV.exe (PID: 2328) [WD-HEUR]
    * C:\WINDOWS\system32\spool\drivers\w32x86\3\SH0XRCV.exe (PID: 7728) [WD-HEUR]
    * C:\WINDOWS\system32\spool\drivers\w32x86\3\SH0XRCV.exe (PID: 5444) [WD-HEUR]
    * C:\WINDOWS\system32\spool\drivers\w32x86\3\SH0XRCV.exe (PID: 2636) [WD-HEUR]
    5 proccesses terminated!
    Checking Registry for malware related settings.
    * No issues found in the Registry.
    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
    Performing miscellaneous checks.
    * Windows Firewall Disabled
    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = dword:00000000
    Checking Windows Service Integrity:
    * No issues found.
    Searching for Missing Digital Signatures:
    * No issues found.
    Program finished at: 09/03/2012 11:15:54 PM
    Execution time: 0 hours(s), 0 minute(s), and 34 seconds(s)
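An added example, not from the thread and not part of Rkill: a small Python parser that turns the Rkill report above into structured findings, namely the image that was running five times under the print-spooler driver directory and the `EnableFirewall` policy value of 0. The sample report is an excerpt of the output quoted above; the "more than one instance" threshold is an assumption.

```python
"""Turn an Rkill report into structured triage findings."""
import re
from collections import Counter

# "* <path> (PID: n) [TAG]" lines from the "Checking for processes to terminate" section.
PROC_RE = re.compile(
    r"^\* (?P<path>.+?\.(?:exe|com|scr|dll)) \(PID: (?P<pid>\d+)\)"
    r"(?: \[(?P<tag>[^\]]+)\])?$",
    re.IGNORECASE,
)
# Registry value Rkill prints under its firewall check.
FW_RE = re.compile(r'^"EnableFirewall"\s*=\s*dword:(?P<val>[0-9A-Fa-f]{8})$')

# Excerpt of the Rkill output quoted in the thread.
SAMPLE_REPORT = r"""
Checking for Windows services to stop.
* No malware services found to stop.
Checking for processes to terminate.
* C:\WINDOWS\system32\spool\drivers\w32x86\3\SH0XRCV.exe (PID: 1860) [WD-HEUR]
* C:\WINDOWS\system32\spool\drivers\w32x86\3\SH0XRCV.exe (PID: 2328) [WD-HEUR]
* C:\WINDOWS\system32\spool\drivers\w32x86\3\SH0XRCV.exe (PID: 7728) [WD-HEUR]
* C:\WINDOWS\system32\spool\drivers\w32x86\3\SH0XRCV.exe (PID: 5444) [WD-HEUR]
* C:\WINDOWS\system32\spool\drivers\w32x86\3\SH0XRCV.exe (PID: 2636) [WD-HEUR]
5 proccesses terminated!
Checking Registry for malware related settings.
* No issues found in the Registry.
Performing miscellaneous checks.
* Windows Firewall Disabled
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000
Checking Windows Service Integrity:
* No issues found.
"""


def parse_rkill(report):
    """Extract terminated processes and the firewall policy value from a report."""
    terminated = []
    firewall_enabled = None   # stays None if the report printed no EnableFirewall line
    for raw in report.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            terminated.append({"path": m["path"], "pid": int(m["pid"]), "tag": m["tag"]})
            continue
        m = FW_RE.match(line)
        if m:
            firewall_enabled = int(m["val"], 16) != 0
    return {"terminated": terminated, "firewall_enabled": firewall_enabled}


def triage(report, max_instances=1):
    """Summarise a report into findings a responder can act on.

    max_instances is an assumed threshold: more copies than this of the same
    image running at once is reported as a finding.
    """
    parsed = parse_rkill(report)
    # Windows paths are case-insensitive, so group on a lowercased key.
    by_image = Counter(p["path"].lower() for p in parsed["terminated"])
    findings = []
    for image, n in by_image.most_common():
        if n > max_instances:
            pids = [p["pid"] for p in parsed["terminated"] if p["path"].lower() == image]
            findings.append(f"{n} instances of {image} terminated (PIDs {pids})")
    if parsed["firewall_enabled"] is False:
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    return {"by_image": dict(by_image), "findings": findings, **parsed}


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT)["findings"]:
        print("-", finding)
```

Both findings are worth recording separately from the cleanup: Rkill terminates processes but does not remove files or whatever starts them, so an image under the print-driver store (`spool\drivers\w32x86\3` normally holds printer driver files, not long-running executables) needs its launch mechanism identified, and a firewall policy that reads `EnableFirewall=0` on an Internet-facing server is a configuration to restore and then monitor for change.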
     
  9. Michael Best

    Michael Best TS Rookie Topic Starter Posts: 23

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-09-03 23:25:09
    -----------------------------
    23:25:09.718 OS Version: Windows 5.2.3790 Service Pack 2
    23:25:09.718 Number of processors: 4 586 0x402
    23:25:09.718 ComputerName: ECT05 UserName:
    23:25:10.156 Initialize success
    23:27:40.515 AVAST engine defs: 12090301
    23:28:32.562 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\symmpi1Port1Path0Target0Lun0
    23:28:32.593 Disk 0 Vendor: VMware__ 1.0_ Size: 20480MB BusType: 1
    23:28:32.609 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\symmpi1Port1Path0Target1Lun0
    23:28:32.609 Disk 1 Vendor: VMware__ 1.0_ Size: 358400MB BusType: 1
    23:28:32.625 Disk 0 MBR read successfully
    23:28:32.625 Disk 0 MBR scan
    23:28:32.671 Disk 0 Windows XP default MBR code
    23:28:32.687 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 20465 MB offset 63
    23:28:32.703 Disk 0 scanning sectors +41913585
    23:28:32.765 Disk 0 scanning C:\WINDOWS\system32\drivers
    23:28:41.171 Service scanning
    23:28:50.093 Modules scanning
    23:28:53.078 Disk 0 trace - called modules:
    23:28:53.109 ntkrnlpa.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll symmpi.sys
    23:28:53.109 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8cdffab8]
    23:28:53.125 3 CLASSPNP.SYS[f725c601] -> nt!IofCallDriver -> \Device\Scsi\symmpi1Port1Path0Target0Lun0[0x8ccf1030]
    23:28:53.421 AVAST engine scan C:\WINDOWS
    23:28:57.453 AVAST engine scan C:\WINDOWS\system32
    23:31:10.375 AVAST engine scan C:\WINDOWS\system32\drivers
    23:31:20.296 AVAST engine scan E:\Documents and Settings\mikebest66.ECT01
    23:31:55.750 AVAST engine scan E:\Documents and Settings\All Users
    23:32:03.421 Scan finished successfully
    23:51:47.781 Disk 0 MBR has been saved successfully to "E:\Documents and Settings\mikebest66.ECT01\Desktop\MBR.dat"
    23:51:47.796 The log file has been saved successfully to "E:\Documents and Settings\mikebest66.ECT01\Desktop\aswMBR.txt"
     
  10. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  11. Michael Best

    Michael Best TS Rookie Topic Starter Posts: 23

    00:12:18.0703 2520 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
    00:12:19.0031 2520 ============================================================
    00:12:19.0031 2520 Current date / time: 2012/09/04 00:12:19.0031
    00:12:19.0031 2520 SystemInfo:
    00:12:19.0031 2520
    00:12:19.0031 2520 OS Version: 5.2.3790 ServicePack: 2.0
    00:12:19.0031 2520 Product type: Server
    00:12:19.0031 2520 ComputerName: ECT05
    00:12:19.0031 2520 UserName: mikebest66
    00:12:19.0031 2520 Windows directory: C:\WINDOWS
    00:12:19.0031 2520 System windows directory: C:\WINDOWS
    00:12:19.0031 2520 Processor architecture: Intel x86
    00:12:19.0031 2520 Number of processors: 4
    00:12:19.0031 2520 Page size: 0x1000
    00:12:19.0031 2520 Boot type: Normal boot
    00:12:19.0031 2520 ============================================================
    00:12:19.0578 2520 Drive \Device\Harddisk0\DR0 - Size: 0x500000000 (20.00 Gb), SectorSize: 0x200, Cylinders: 0xA32, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
    00:12:19.0593 2520 Drive \Device\Harddisk1\DR1 - Size: 0x5780000000 (350.00 Gb), SectorSize: 0x200, Cylinders: 0xB279, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
    00:12:19.0609 2520 ============================================================
    00:12:19.0609 2520 \Device\Harddisk0\DR0:
    00:12:19.0609 2520 MBR partitions:
    00:12:19.0609 2520 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x27F8CB2
    00:12:19.0609 2520 \Device\Harddisk1\DR1:
    00:12:19.0609 2520 MBR partitions:
    00:12:19.0609 2520 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2BBFDAFA
    00:12:19.0609 2520 ============================================================
    00:12:19.0625 2520 C: <-> \Device\Harddisk0\DR0\Partition1
    00:12:19.0640 2520 E: <-> \Device\Harddisk1\DR1\Partition1
    00:12:19.0640 2520 ============================================================
    00:12:19.0640 2520 Initialize success
    00:12:19.0640 2520 ============================================================
    00:12:32.0046 5988 ============================================================
    00:12:32.0046 5988 Scan started
    00:12:32.0046 5988 Mode: Manual;
    00:12:32.0046 5988 ============================================================
    00:12:32.0843 5988 ================ Scan system memory ========================
    00:12:36.0328 5988 System memory - ok
    00:12:36.0328 5988 ================ Scan services =============================
    00:12:36.0515 5988 Abiosdsk - ok
    00:12:36.0546 5988 [ A0A850BAC6F8A88AD0FC964C6BEA170D ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
    00:12:36.0546 5988 ACPI - ok
    00:12:36.0578 5988 [ 043C89CC533FF546D835CB998B95B198 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
    00:12:36.0578 5988 ACPIEC - ok
    00:12:36.0625 5988 [ B2B64AF436FACCFA854DD397027C5360 ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    00:12:36.0640 5988 AdobeFlashPlayerUpdateSvc - ok
    00:12:36.0640 5988 adpu160m - ok
    00:12:36.0656 5988 adpu320 - ok
    00:12:36.0671 5988 [ D01968EDEBF1DC11E4C93517C98CDF7C ] AeLookupSvc C:\WINDOWS\System32\aelupsvc.dll
    00:12:36.0671 5988 AeLookupSvc - ok
    00:12:36.0671 5988 afcnt - ok
    00:12:36.0703 5988 [ 336D51E35C5737809449128F421431A1 ] AFD C:\WINDOWS\System32\drivers\afd.sys
    00:12:36.0718 5988 AFD - ok
    00:12:36.0734 5988 [ B9985042687A43685FC64B282B627653 ] agp440 C:\WINDOWS\system32\DRIVERS\agp440.sys
    00:12:36.0750 5988 agp440 - ok
    00:12:36.0765 5988 aic78u2 - ok
    00:12:36.0781 5988 aic78xx - ok
    00:12:36.0796 5988 [ 055318E373B45AD6C3F518732809EF4E ] Alerter C:\WINDOWS\system32\alrsvc.dll
    00:12:36.0796 5988 Alerter - ok
    00:12:36.0796 5988 [ 8E89CB0283D7DED092D76AE53D123C40 ] ALG C:\WINDOWS\System32\alg.exe
    00:12:36.0796 5988 ALG - ok
    00:12:36.0812 5988 AliIde - ok
    00:12:36.0828 5988 [ D175D3C400A412B9CB2095E452AFBBB0 ] AmdIde C:\WINDOWS\system32\drivers\AmdIde.sys
    00:12:36.0828 5988 AmdIde - ok
    00:12:36.0859 5988 [ 8A5AD4CFE2D84371ABADFCF9E21954F6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
    00:12:36.0859 5988 AppMgmt - ok
    00:12:36.0875 5988 [ A9C7273645A06A01AC2CA070D7D7EC87 ] arc C:\WINDOWS\system32\drivers\arc.sys
    00:12:36.0906 5988 arc - ok
    00:12:36.0984 5988 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
    00:12:36.0984 5988 aspnet_state - ok
    00:12:37.0000 5988 [ A35B971F631D4DFDEB68D71E770D2CE9 ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    00:12:37.0015 5988 AsyncMac - ok
    00:12:37.0031 5988 [ FF953A8F08CA3F822127654375786BBE ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
    00:12:37.0062 5988 atapi - ok
    00:12:37.0062 5988 Atdisk - ok
    00:12:37.0078 5988 [ D12DAD5032285343CE3AA4906F661181 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    00:12:37.0078 5988 Atmarpc - ok
    00:12:37.0093 5988 [ 754A448D5B87CBEDE41A0F0E0B237B03 ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
    00:12:37.0093 5988 AudioSrv - ok
    00:12:37.0109 5988 [ 5BFD980C2107D88101D1DC14055526FC ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
    00:12:37.0109 5988 audstub - ok
    00:12:37.0140 5988 [ 99572503E15A3D10239B7B9887CBAF89 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
    00:12:37.0156 5988 Beep - ok
    00:12:37.0203 5988 [ 9D7A318B2C7AE51E9D5374F8EEDE856C ] BITS C:\WINDOWS\system32\qmgr.dll
    00:12:37.0203 5988 BITS - ok
    00:12:37.0234 5988 [ F750A96D7478D435F5AC9ECE6698F81E ] Browser C:\WINDOWS\System32\browser.dll
    00:12:37.0234 5988 Browser - ok
    00:12:37.0250 5988 [ 1342877DE604A5A6BFF986E288E3A8A7 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
    00:12:37.0250 5988 cbidf2k - ok
    00:12:37.0265 5988 cd20xrnt - ok
    00:12:37.0281 5988 [ E6D72780C957B69C48BFC66BC3ECDAD4 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
    00:12:37.0281 5988 Cdfs - ok
    00:12:37.0296 5988 [ 825AA877A852ECC731FA0C39C8C37744 ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
    00:12:37.0296 5988 Cdrom - ok
    00:12:37.0296 5988 Changer - ok
    00:12:37.0312 5988 [ 934EE973E9EE6AC414E9A0F07AB73D6E ] CiSvc C:\WINDOWS\system32\cisvc.exe
    00:12:37.0328 5988 CiSvc - ok
    00:12:37.0328 5988 [ E53196BA56081F154E2D7A9E50A1D33F ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
    00:12:37.0328 5988 ClipSrv - ok
    00:12:37.0359 5988 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    00:12:37.0359 5988 clr_optimization_v2.0.50727_32 - ok
    00:12:37.0375 5988 [ 54308CDF97622FAE1620BB1EC39EF014 ] ClusDisk C:\WINDOWS\system32\DRIVERS\ClusDisk.sys
    00:12:37.0375 5988 ClusDisk - ok
    00:12:37.0390 5988 [ F9D6ABD426E51ED3F688D42D8467C62D ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    00:12:37.0390 5988 CmBatt - ok
    00:12:37.0390 5988 CmdIde - ok
    00:12:37.0406 5988 [ 1DCBF98F0FA712E384A1A2926F774673 ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
    00:12:37.0406 5988 Compbatt - ok
    00:12:37.0421 5988 COMSysApp - ok
    00:12:37.0437 5988 Cpqarray - ok
    00:12:37.0437 5988 cpqarry2 - ok
    00:12:37.0453 5988 cpqcissm - ok
    00:12:37.0468 5988 cpqfcalm - ok
    00:12:37.0484 5988 [ 0EE27D9DBB208C13314F3C60F66AED26 ] crcdisk C:\WINDOWS\system32\DRIVERS\crcdisk.sys
    00:12:37.0484 5988 crcdisk - ok
    00:12:37.0500 5988 [ FEB85DA744DD3F41A427CF6D2BC04FE4 ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
    00:12:37.0500 5988 CryptSvc - ok
    00:12:37.0500 5988 dac2w2k - ok
    00:12:37.0515 5988 dac960nt - ok
    00:12:37.0546 5988 [ 305A8757D66B5D416B47C497C27A01FE ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
    00:12:37.0562 5988 DcomLaunch - ok
    00:12:37.0562 5988 dellcerc - ok
    00:12:37.0593 5988 [ 6217AA084EF7E052F3B5D7C3F67F68AF ] Dfs C:\WINDOWS\system32\Dfssvc.exe
    00:12:37.0593 5988 Dfs - ok
    00:12:37.0609 5988 [ 444726B01C31D29C70E60F7C35DE43E5 ] DfsDriver C:\WINDOWS\system32\drivers\Dfs.sys
    00:12:37.0609 5988 DfsDriver - ok
    00:12:37.0625 5988 [ 1201DF9A11FBB0F69EBD22E503D3BC87 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
    00:12:37.0625 5988 Dhcp - ok
    00:12:37.0640 5988 [ 98433302C02F1168EFB7364F8111A179 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
    00:12:37.0640 5988 Disk - ok
    00:12:37.0640 5988 dmadmin - ok
    00:12:37.0671 5988 [ 89FA376D83042F6F1AED505106A5719D ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
    00:12:37.0671 5988 dmboot - ok
    00:12:37.0687 5988 [ 15081421EE62DC1C95ABB387D9081571 ] dmio C:\WINDOWS\system32\drivers\dmio.sys
    00:12:37.0718 5988 dmio - ok
    00:12:37.0734 5988 [ 3D9BFA13B6F1CD2D91C50C52B32E91A2 ] dmload C:\WINDOWS\system32\drivers\dmload.sys
    00:12:37.0734 5988 dmload - ok
    00:12:37.0750 5988 [ 78A11666307820AF94B5712D53DECC55 ] dmserver C:\WINDOWS\System32\dmserver.dll
    00:12:37.0750 5988 dmserver - ok
    00:12:37.0781 5988 [ F303D921BC2A3D0164B0A189F17BD496 ] DNS C:\WINDOWS\System32\dns.exe
    00:12:37.0796 5988 DNS - ok
    00:12:37.0796 5988 [ E927F3B46F85D934C8F420FE08593D1B ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
    00:12:37.0812 5988 Dnscache - ok
    00:12:37.0812 5988 dpti2o - ok
    00:12:37.0828 5988 [ C3CE1FF8F8FBDE0AA2A85BA431527D8A ] E1000 C:\WINDOWS\system32\DRIVERS\e1000325.sys
    00:12:37.0843 5988 E1000 - ok
    00:12:37.0859 5988 [ 7BD902F59C9430DB405C6E57DAB0D5B7 ] eamon C:\WINDOWS\system32\DRIVERS\eamon.sys
    00:12:37.0859 5988 eamon - ok
    00:12:37.0890 5988 [ A6C77EBB65D025B826222C6BE6D869F2 ] ehdrv C:\WINDOWS\system32\DRIVERS\ehdrv.sys
    00:12:37.0906 5988 ehdrv - ok
    00:12:37.0968 5988 [ 2916CE9AC747CED4437A242464061C39 ] EhttpSrv E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    00:12:37.0968 5988 EhttpSrv - ok
    00:12:38.0031 5988 [ 80D9141FF39B15CD00E29B151EF8C6B8 ] ekrn E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    00:12:38.0046 5988 ekrn - ok
    00:12:38.0062 5988 elxstor - ok
    00:12:38.0078 5988 [ FB2E7B7160CA024042BAD41DBFF44F4C ] epfwtdir C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
    00:12:38.0093 5988 epfwtdir - ok
    00:12:38.0109 5988 [ 6F09AE902663735B6BD24198D25F453A ] ERSvc C:\WINDOWS\System32\ersvc.dll
    00:12:38.0109 5988 ERSvc - ok
    00:12:38.0125 5988 [ CF500580CDD83B145646A4DCFCE1CF3C ] Eventlog C:\WINDOWS\system32\services.exe
    00:12:38.0125 5988 Eventlog - ok
    00:12:38.0156 5988 [ C17C56E91045E14DF45D62DD89AED50C ] EventSystem C:\WINDOWS\system32\es.dll
    00:12:38.0171 5988 EventSystem - ok
    00:12:38.0187 5988 [ E792A18ABDC32286212DCE8E75BAA124 ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
    00:12:38.0187 5988 Fastfat - ok
    00:12:38.0203 5988 [ 5090CD3F6AB1D71AD507953CFF556EA9 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
    00:12:38.0203 5988 Fdc - ok
    00:12:38.0218 5988 [ B485AC2EDC466C538BDFF32BC3F2E506 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
    00:12:38.0218 5988 Fips - ok
    00:12:38.0234 5988 [ C621A51F415419A3145A5939ABDE39FA ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    00:12:38.0234 5988 Flpydisk - ok
    00:12:38.0250 5988 [ F978277EF786532195CDD9F88E908632 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
    00:12:38.0265 5988 FltMgr - ok
    00:12:38.0281 5988 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    00:12:38.0281 5988 FontCache3.0.0.0 - ok
    00:12:38.0296 5988 [ AEBFF3D810B74971B91B2B77B289A98B ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
    00:12:38.0296 5988 Fs_Rec - ok
    00:12:38.0312 5988 [ ACAF1DCA2B709FD7461B9696F370FBD9 ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    00:12:38.0312 5988 Ftdisk - ok
    00:12:38.0328 5988 [ 30B1653A955F548352024A5FEE203CC3 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
    00:12:38.0328 5988 Gpc - ok
    00:12:38.0375 5988 [ F02A533F517EB38333CB12A9E8963773 ] gupdate E:\Program Files\Google\Update\GoogleUpdate.exe
    00:12:38.0375 5988 gupdate - ok
    00:12:38.0375 5988 [ F02A533F517EB38333CB12A9E8963773 ] gupdatem E:\Program Files\Google\Update\GoogleUpdate.exe
    00:12:38.0375 5988 gupdatem - ok
    00:12:38.0421 5988 [ 40CA39DBA80372ED8EC34C4BECE68495 ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
    00:12:38.0421 5988 helpsvc - ok
    00:12:38.0421 5988 HidServ - ok
    00:12:38.0437 5988 [ 8A445379D6E73731A6A37318DBB0C880 ] hpcisss C:\WINDOWS\system32\drivers\hpcisss.sys
    00:12:38.0437 5988 hpcisss - ok
    00:12:38.0437 5988 hpn - ok
    00:12:38.0453 5988 hpt3xx - ok
    00:12:38.0484 5988 [ 7A5D176C4B43F0A47DA4051C96C56439 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
    00:12:38.0500 5988 HTTP - ok
    00:12:38.0515 5988 [ D4B61A935670C57A0DEA81B4F4A12169 ] HTTPFilter C:\WINDOWS\system32\lsass.exe
    00:12:38.0515 5988 HTTPFilter - ok
    00:12:38.0515 5988 i2omgmt - ok
    00:12:38.0531 5988 i2omp - ok
    00:12:38.0546 5988 [ 68E8FF9EEAF8B37A66CAC2C57835FFBD ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    00:12:38.0562 5988 i8042prt - ok
    00:12:38.0593 5988 icvmlt32 - ok
    00:12:38.0656 5988 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    00:12:38.0671 5988 idsvc - ok
    00:12:38.0671 5988 iirsp - ok
    00:12:38.0703 5988 [ 58AC18BC908A78FBA5430D23066D183A ] IISADMIN C:\WINDOWS\system32\inetsrv\inetinfo.exe
    00:12:38.0703 5988 IISADMIN - ok
    00:12:38.0718 5988 [ 44C132B35921B54B4A9AC64369D86D83 ] imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
    00:12:38.0750 5988 imapi - ok
    00:12:38.0781 5988 [ 5DA3013244229422C9CBD91A16A477C4 ] ImapiService C:\WINDOWS\system32\imapi.exe
    00:12:38.0781 5988 ImapiService - ok
    00:12:38.0796 5988 [ 1690A4BE249BA6195BA7258943CADA58 ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
    00:12:38.0812 5988 IntelIde - ok
    00:12:38.0828 5988 [ D7E7E7898A05C53DD862B49828747C1E ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
    00:12:38.0828 5988 Ip6Fw - ok
    00:12:38.0843 5988 [ 5A41F207B7C39EE4918F7496A4F19B14 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    00:12:38.0843 5988 IpFilterDriver - ok
    00:12:38.0843 5988 IpInIp - ok
    00:12:38.0875 5988 [ 890E7A14A63AEC2EA9257A79A88BE784 ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
    00:12:38.0875 5988 IpNat - ok
    00:12:38.0890 5988 [ 1A9AEAC49683B32DF55B7FB1516F3028 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
    00:12:38.0890 5988 IPSec - ok
    00:12:38.0906 5988 ipsraidn - ok
    00:12:38.0921 5988 [ B71BA04A3B5D4404225CCDBF1969078F ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
    00:12:38.0921 5988 isapnp - ok
    00:12:38.0937 5988 [ 1B1A2084540CC1F2E9A297A263D69D23 ] IsmServ C:\WINDOWS\System32\ismserv.exe
    00:12:38.0937 5988 IsmServ - ok
    00:12:38.0984 5988 [ B04BFA1551B634970F21B68007521D3D ] JCard Service E:\ICVERIFY\ICWin403\Jcard\JCardService.exe
    00:12:39.0000 5988 JCard Service - ok
    00:12:39.0000 5988 [ E5097A07E14F36ABC21FA18D88F93655 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    00:12:39.0000 5988 Kbdclass - ok
    00:12:39.0015 5988 [ D4B61A935670C57A0DEA81B4F4A12169 ] kdc C:\WINDOWS\System32\lsass.exe
    00:12:39.0015 5988 kdc - ok
    00:12:39.0031 5988 [ 9A99005E1A41AB360DE231FB8E2F6184 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
    00:12:39.0046 5988 KSecDD - ok
    00:12:39.0062 5988 [ DFC5B13F931461ACC025D76D39AFEC0D ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
    00:12:39.0062 5988 lanmanserver - ok
    00:12:39.0078 5988 [ 5E8A9C4673B194DD1181B3F003D4F996 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
    00:12:39.0093 5988 lanmanworkstation - ok
    00:12:39.0125 5988 [ 647945B72994E7B4A07F6DA10F1DCD79 ] LicenseService C:\WINDOWS\System32\llssrv.exe
    00:12:39.0125 5988 LicenseService - ok
    00:12:39.0140 5988 [ 1916D44188853A53DB93AECC6E6197D0 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
    00:12:39.0140 5988 LmHosts - ok
    00:12:39.0250 5988 [ 63DAF163D1617DD611BD0AB8E41A43E8 ] LMIGuardianSvc E:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    00:12:39.0250 5988 LMIGuardianSvc - ok
    00:12:39.0265 5988 [ 4F69FAAABB7DB0D43E327C0B6AAB40FC ] LMIInfo E:\Program Files\LogMeIn\x86\RaInfo.sys
    00:12:39.0265 5988 LMIInfo - ok
    00:12:39.0296 5988 [ 175F50F37EEAA1D4D744BCCCBB7CF68C ] LMIMaint E:\Program Files\LogMeIn\x86\RaMaint.exe
    00:12:39.0296 5988 LMIMaint - ok
    00:12:39.0312 5988 [ 4477689E2D8AE6B78BA34C9AF4CC1ED1 ] lmimirr C:\WINDOWS\system32\DRIVERS\lmimirr.sys
    00:12:39.0312 5988 lmimirr - ok
    00:12:39.0312 5988 LMIRfsClientNP - ok
    00:12:39.0328 5988 [ 3FAA563DDF853320F90259D455A01D79 ] LMIRfsDriver C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
    00:12:39.0328 5988 LMIRfsDriver - ok
    00:12:39.0375 5988 [ 432618FA75B61059D2C57D6A7E55147A ] LogMeIn E:\Program Files\LogMeIn\x86\LogMeIn.exe
    00:12:39.0375 5988 LogMeIn - ok
    00:12:39.0390 5988 lp6nds35 - ok
    00:12:39.0406 5988 [ 6DFE7F2E8E8A337263AA5C92A215F161 ] MBAMProtector C:\WINDOWS\system32\drivers\mbam.sys
    00:12:39.0406 5988 MBAMProtector - ok
    00:12:39.0468 5988 [ 43683E970F008C93C9429EF428147A54 ] MBAMService E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    00:12:39.0468 5988 MBAMService - ok
    00:12:39.0500 5988 [ 7CE5BA9DD4BEAFA48DD099564046C6DE ] Messenger C:\WINDOWS\System32\msgsvc.dll
    00:12:39.0500 5988 Messenger - ok
    00:12:39.0562 5988 [ 7C4C76B39D5525C4A465E0BE32528E19 ] Microsoft Office Groove Audit Service E:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
    00:12:39.0578 5988 Microsoft Office Groove Audit Service - ok
    00:12:39.0593 5988 [ C35BB38904D843C0465858195B30DAB7 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
    00:12:39.0593 5988 mnmdd - ok
    00:12:39.0609 5988 [ E2D859FA2E90FD1F12CA0806DF8A4B3E ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
    00:12:39.0609 5988 mnmsrvc - ok
    00:12:39.0609 5988 [ 81EC1C6D3798B36A92A6D7A355BA2C62 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
    00:12:39.0609 5988 Modem - ok
    00:12:39.0625 5988 [ AA50DA5AB638CE0BAB5F7D5D633110C2 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
    00:12:39.0625 5988 Mouclass - ok
    00:12:39.0640 5988 [ FC43A7A34309C750B9DAEADF2F6EC9B9 ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
    00:12:39.0656 5988 MountMgr - ok
    00:12:39.0671 5988 mraid35x - ok
    00:12:39.0687 5988 [ AB6DB63A1791F8E86B085291686464FD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    00:12:39.0687 5988 MRxDAV - ok
    00:12:39.0734 5988 [ 31FBFD5E41C8BC896651C7B38578D35C ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    00:12:39.0734 5988 MRxSmb - ok
    00:12:39.0750 5988 [ 2EAA1763A77BE385B9A71A843C7F159E ] MSDTC C:\WINDOWS\system32\msdtc.exe
    00:12:39.0750 5988 MSDTC - ok
    00:12:39.0781 5988 [ 8F50B87361585763841C6B603D23260C ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
    00:12:39.0781 5988 Msfs - ok
    00:12:39.0781 5988 MSIServer - ok
    00:12:39.0796 5988 [ 92AFAB2F216CE8FFBAD3BC510FCF4A33 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    00:12:39.0796 5988 mssmbios - ok
    00:12:39.0828 5988 MSSQL$ICV - ok
    00:12:39.0859 5988 [ ADAF062116B4E6D96E44D26486A87AF6 ] MSSQLServerADHelper E:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe
    00:12:39.0859 5988 MSSQLServerADHelper - ok
    00:12:39.0875 5988 [ 834560ABEE4EAE62620F4026263AA051 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
    00:12:39.0875 5988 Mup - ok
    00:12:39.0906 5988 [ 33739AB31D36184772AF1EE132D5C2E2 ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
    00:12:39.0906 5988 NDIS - ok
    00:12:39.0921 5988 [ BBAB8CE7A8D2B1302DA0B03825D9CAE4 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    00:12:39.0921 5988 NdisTapi - ok
    00:12:39.0937 5988 [ 8B8E682B03483092E17AB9DFE70FEDFF ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    00:12:39.0937 5988 Ndisuio - ok
    00:12:39.0953 5988 [ 1B397EEF4614419BE5679E0209F7848B ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    00:12:39.0953 5988 NdisWan - ok
    00:12:39.0968 5988 [ 5298ED90BBE5C5EEEDC363EED2888A25 ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
    00:12:39.0968 5988 NDProxy - ok
    00:12:39.0984 5988 [ A0D5D6AE530CA78A062FC0471F1E6F78 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
    00:12:40.0000 5988 NetBIOS - ok
    00:12:40.0031 5988 [ 5CD7CCA08498EC8753B22E92D367CA11 ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
    00:12:40.0031 5988 NetBT - ok
    00:12:40.0046 5988 [ 13D9A8B63A2A99A88339C0E00B702C92 ] NetDDE C:\WINDOWS\system32\netdde.exe
    00:12:40.0046 5988 NetDDE - ok
    00:12:40.0062 5988 [ 13D9A8B63A2A99A88339C0E00B702C92 ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
    00:12:40.0062 5988 NetDDEdsdm - ok
    00:12:40.0062 5988 [ D4B61A935670C57A0DEA81B4F4A12169 ] Netlogon C:\WINDOWS\system32\lsass.exe
    00:12:40.0078 5988 Netlogon - ok
    00:12:40.0109 5988 [ 12BCFB57162AD17CEA545E362CD886A8 ] Netman C:\WINDOWS\System32\netman.dll
    00:12:40.0109 5988 Netman - ok
    00:12:40.0125 5988 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
    00:12:40.0140 5988 NetTcpPortSharing - ok
    00:12:40.0140 5988 nfrd960 - ok
    00:12:40.0171 5988 [ 9C0BF64484E9D297CB3E96DC22765A82 ] Nla C:\WINDOWS\System32\mswsock.dll
    00:12:40.0171 5988 Nla - ok
    00:12:40.0187 5988 [ D5BB605F6DCBDFE0129670C8DE57913E ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
    00:12:40.0187 5988 Npfs - ok
    00:12:40.0296 5988 [ 981756F0532439AA3A1A4AE9DA9F930E ] NtFrs C:\WINDOWS\system32\ntfrs.exe
    00:12:40.0296 5988 NtFrs - ok
    00:12:40.0359 5988 [ 482EA51AADB8763A0F67588C394EC693 ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
    00:12:40.0359 5988 Ntfs - ok
    00:12:40.0375 5988 [ D4B61A935670C57A0DEA81B4F4A12169 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
    00:12:40.0375 5988 NtLmSsp - ok
    00:12:40.0406 5988 [ FEA5225EF80D5930B86D7A6570BCBBDF ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
    00:12:40.0421 5988 NtmsSvc - ok
    00:12:40.0421 5988 [ 5DB0EDE7AAF3A7BC9110D18C12524BE0 ] Null C:\WINDOWS\system32\drivers\Null.sys
    00:12:40.0421 5988 Null - ok
    00:12:40.0500 5988 [ 1F0E05DFF4F5A833168E49BE1256F002 ] odserv E:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
    00:12:40.0500 5988 odserv - ok
    00:12:40.0531 5988 [ 5A432A042DAE460ABE7199B758E8606C ] ose E:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    00:12:40.0531 5988 ose - ok
    00:12:40.0562 5988 [ EE3333B36DEB86A0D472F037172DA10A ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
    00:12:40.0562 5988 Parport - ok
    00:12:40.0562 5988 [ ED7405704F0771F01DE9E9CA10ED8F20 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
    00:12:40.0562 5988 PartMgr - ok
    00:12:40.0578 5988 [ A9D29F3D7AE71B7EA721B53A0C436C66 ] Parvdm C:\WINDOWS\system32\DRIVERS\parvdm.sys
    00:12:40.0578 5988 Parvdm - ok
    00:12:40.0593 5988 [ 8217000E5C53CE823B3111F339E47C41 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
    00:12:40.0609 5988 PCI - ok
    00:12:40.0609 5988 PCIIde - ok
    00:12:40.0625 5988 [ FC9F4C9C73E9698357C836BE4628A299 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
    00:12:40.0656 5988 Pcmcia - ok
    00:12:40.0671 5988 PDCOMP - ok
    00:12:40.0671 5988 PDFRAME - ok
    00:12:40.0687 5988 PDRELI - ok
    00:12:40.0703 5988 PDRFRAME - ok
    00:12:40.0703 5988 perc2 - ok
    00:12:40.0718 5988 perc2hib - ok
    00:12:40.0750 5988 [ CF500580CDD83B145646A4DCFCE1CF3C ] PlugPlay C:\WINDOWS\system32\services.exe
    00:12:40.0750 5988 PlugPlay - ok
    00:12:40.0765 5988 [ D4B61A935670C57A0DEA81B4F4A12169 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
    00:12:40.0765 5988 PolicyAgent - ok
    00:12:40.0781 5988 [ 4454F2639BCCA93BE86A45137E427277 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
    00:12:40.0781 5988 PptpMiniport - ok
    00:12:40.0781 5988 [ 1872FD9EBF85D7375BFA53F36663A699 ] Processor C:\WINDOWS\system32\DRIVERS\processr.sys
    00:12:40.0812 5988 Processor - ok
    00:12:40.0828 5988 [ D4B61A935670C57A0DEA81B4F4A12169 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
    00:12:40.0828 5988 ProtectedStorage - ok
    00:12:40.0843 5988 [ 0320FD91FB5ED4298355977CECFC0EB4 ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
    00:12:40.0843 5988 Ptilink - ok
    00:12:40.0843 5988 ql1080 - ok
    00:12:40.0859 5988 Ql10wnt - ok
    00:12:40.0859 5988 ql12160 - ok
    00:12:40.0875 5988 ql1240 - ok
    00:12:40.0890 5988 ql1280 - ok
    00:12:40.0890 5988 ql2100 - ok
    00:12:40.0906 5988 ql2200 - ok
    00:12:40.0906 5988 ql2300 - ok
    00:12:40.0921 5988 [ 48EE7B6802C0306F9A66F34DB7E9EF75 ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
    00:12:40.0937 5988 RasAcd - ok
    00:12:40.0968 5988 [ ED67FA5DC9CE0BFC5CCCE4296C684A57 ] RasAuto C:\WINDOWS\System32\rasauto.dll
    00:12:40.0968 5988 RasAuto - ok
    00:12:40.0984 5988 [ 3633175613E052ECB41776DEE2777A89 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    00:12:40.0984 5988 Rasl2tp - ok
    00:12:41.0000 5988 [ 02BC610CC90CA5415EB2C9409E77D583 ] RasMan C:\WINDOWS\System32\rasmans.dll
    00:12:41.0000 5988 RasMan - ok
    00:12:41.0015 5988 [ 59842F0A22216A71CADE6F89FE84C973 ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    00:12:41.0015 5988 RasPppoe - ok
    00:12:41.0031 5988 [ 5B11871DE804D3ED28BBDCC65FE14EDE ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
    00:12:41.0046 5988 Raspti - ok
    00:12:41.0062 5988 [ 4496B15C44CCB703FBC54F2CF5B67F15 ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
    00:12:41.0062 5988 Rdbss - ok
    00:12:41.0078 5988 [ AC5BB528ECD2BEA4FF4BFF9DF9BAF749 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    00:12:41.0093 5988 RDPCDD - ok
    00:12:41.0125 5988 [ FF678596B761E1CCBA79F49981EF51BC ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    00:12:41.0125 5988 rdpdr - ok
    00:12:41.0156 5988 [ 477D7AF3C3583EB85E23375225650B1C ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
    00:12:41.0156 5988 RDPWD - ok
    00:12:41.0171 5988 [ 81F1CF0ED96E58A391FF83F792C87F3E ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
    00:12:41.0171 5988 RDSessMgr - ok
    00:12:41.0187 5988 [ C6F8751F3263603935866E71629CFAE4 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
    00:12:41.0187 5988 redbook - ok
    00:12:41.0203 5988 [ D8F172C1CA72666D8193E226DA7225F4 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
    00:12:41.0203 5988 RemoteAccess - ok
    00:12:41.0218 5988 [ 55EFA91D1C0DE44C22D2D83413B06510 ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
    00:12:41.0234 5988 RemoteRegistry - ok
    00:12:41.0250 5988 [ A83414D7A45555274E99793AA22D54AB ] RpcLocator C:\WINDOWS\system32\locator.exe
    00:12:41.0250 5988 RpcLocator - ok
    00:12:41.0281 5988 [ 305A8757D66B5D416B47C497C27A01FE ] RpcSs C:\WINDOWS\system32\rpcss.dll
    00:12:41.0281 5988 RpcSs - ok
    00:12:41.0312 5988 [ 3357C6EDD71E73110C83F54E35ECDE4D ] RSoPProv C:\WINDOWS\system32\RSoPProv.exe
    00:12:41.0312 5988 RSoPProv - ok
    00:12:41.0328 5988 [ 34D79729D6E4D1289E08322405045085 ] sacdrv C:\WINDOWS\system32\drivers\sacdrv.sys
    00:12:41.0328 5988 sacdrv - ok
    00:12:41.0343 5988 [ 77919394900DEC12C8E65CB35D6272FE ] sacsvr C:\WINDOWS\system32\sacsvr.dll
    00:12:41.0343 5988 sacsvr - ok
    00:12:41.0359 5988 [ D4B61A935670C57A0DEA81B4F4A12169 ] SamSs C:\WINDOWS\system32\lsass.exe
    00:12:41.0359 5988 SamSs - ok
    00:12:41.0375 5988 [ EDF6B1852A55581ECC6BA18B4E2C6E8E ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
    00:12:41.0375 5988 SCardSvr - ok
    00:12:41.0406 5988 [ 7E60F04AE424401A14D153CA6E851A85 ] Schedule C:\WINDOWS\system32\schedsvc.dll
    00:12:41.0406 5988 Schedule - ok
    00:12:41.0421 5988 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
    00:12:41.0437 5988 Secdrv - ok
    00:12:41.0453 5988 [ 03911D9A5D15A80301E767F787C0B015 ] seclogon C:\WINDOWS\System32\seclogon.dll
    00:12:41.0468 5988 seclogon - ok
    00:12:41.0468 5988 [ 97B6172283112AF7451E4ABE83DD6F24 ] SENS C:\WINDOWS\system32\sens.dll
    00:12:41.0468 5988 SENS - ok
    00:12:41.0484 5988 [ B261D4597BF9A2723B7020207260C72A ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
    00:12:41.0484 5988 serenum - ok
    00:12:41.0500 5988 [ 95768FDE08DD34089AA90DCCB5537704 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
    00:12:41.0515 5988 Serial - ok
    00:12:41.0546 5988 [ 831826DC54FA225F0B654EF2F1E13AF9 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
    00:12:41.0562 5988 Sfloppy - ok
    00:12:41.0593 5988 [ 27C6B8C2AFED21C10429A56DB95735F6 ] SharedAccess C:\WINDOWS\system32\ipnathlp.dll
    00:12:41.0593 5988 SharedAccess - ok
    00:12:41.0609 5988 [ 0AF6401BDBD41A8B7AED5C923B8FDF4D ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
    00:12:41.0625 5988 ShellHWDetection - ok
    00:12:41.0625 5988 Simbad - ok
    00:12:41.0640 5988 [ 30B32E3127D9BBAA1E32394134718070 ] Spooler C:\WINDOWS\system32\spoolsv.exe
    00:12:41.0656 5988 Spooler - ok
    00:12:41.0671 5988 [ D2B096CD2F56FAC6EEEED9A77DDF6DC8 ] SQLBrowser E:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    00:12:41.0687 5988 SQLBrowser - ok
    00:12:41.0703 5988 [ 54902536AAD0E9B99BC65F89C0CAF93F ] SQLWriter E:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    00:12:41.0703 5988 SQLWriter - ok
    00:12:41.0750 5988 [ E8B1A07774A9E4FEC3105CBAD49BF289 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
    00:12:41.0750 5988 Srv - ok
    00:12:41.0781 5988 [ 0DF3C24094F68A5E5FA77A681E438A46 ] stisvc C:\WINDOWS\system32\wiaservc.dll
    00:12:41.0781 5988 stisvc - ok
    00:12:41.0796 5988 [ 93965919785102BA847545AB460CE2DF ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
    00:12:41.0796 5988 swenum - ok
    00:12:41.0828 5988 [ EACF829DC2CED42F5D5DA81365D33597 ] swprv C:\WINDOWS\System32\swprv.dll
    00:12:41.0828 5988 swprv - ok
    00:12:41.0843 5988 symc810 - ok
    00:12:41.0843 5988 symc8xx - ok
    00:12:41.0859 5988 [ 868204832E011E2D64281D7EABEE572E ] symmpi C:\WINDOWS\system32\DRIVERS\symmpi.sys
    00:12:41.0859 5988 symmpi - ok
    00:12:41.0875 5988 sym_hi - ok
    00:12:41.0875 5988 sym_u3 - ok
    00:12:41.0890 5988 [ CC8610D2FFAFF19D5C9CF8CE9FFAD71A ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
    00:12:41.0906 5988 SysmonLog - ok
    00:12:41.0906 5988 [ 3B45D2674414D1F5400B9C452A7A293F ] tap0901 C:\WINDOWS\system32\DRIVERS\tap0901.sys
    00:12:41.0906 5988 tap0901 - ok
    00:12:41.0937 5988 [ CE1FCAF92F06BB8549C9E1B8605B90CC ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
    00:12:41.0953 5988 TapiSrv - ok
    00:12:41.0984 5988 [ 238DC2B879D1B37B91F8D5D44F3815D3 ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
    00:12:41.0984 5988 Tcpip - ok
    00:12:42.0000 5988 [ 45D49FB800463DE84D1CC2E231319AD5 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
    00:12:42.0000 5988 TDPIPE - ok
    00:12:42.0015 5988 [ D7C31008DE209B8B11CED207580E9C91 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
    00:12:42.0015 5988 TDTCP - ok
    00:12:42.0031 5988 [ A01E46FFF445A38D35DB188C5458582C ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
    00:12:42.0046 5988 TermDD - ok
    00:12:42.0078 5988 [ 5F0BD29CBD95465A3AA3CA319BC591A9 ] TermService C:\WINDOWS\System32\termsrv.dll
    00:12:42.0078 5988 TermService - ok
    00:12:42.0109 5988 [ BC18BEE62E7AEC10B33C149CA3B64EAE ] TermServLicensing C:\WINDOWS\system32\lserver.exe
    00:12:42.0109 5988 TermServLicensing - ok
    00:12:42.0125 5988 [ 0AF6401BDBD41A8B7AED5C923B8FDF4D ] Themes C:\WINDOWS\System32\shsvcs.dll
    00:12:42.0125 5988 Themes - ok
    00:12:42.0140 5988 [ FE7FF05A90C1A24855B1CDC066B959E0 ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
    00:12:42.0140 5988 TlntSvr - ok
    00:12:42.0156 5988 TosIde - ok
    00:12:42.0187 5988 [ 2EE42ACED5FD4E1988116EDECED90E93 ] TrkSvr C:\WINDOWS\system32\trksvr.dll
    00:12:42.0187 5988 TrkSvr - ok
    00:12:42.0218 5988 [ 671FC35E995FFDBCED00202771C6D169 ] TrkWks C:\WINDOWS\system32\trkwks.dll
    00:12:42.0218 5988 TrkWks - ok
    00:12:42.0234 5988 [ 43992245309838EACD05506B474985E5 ] Tssdis C:\WINDOWS\System32\tssdis.exe
    00:12:42.0234 5988 Tssdis - ok
    00:12:42.0250 5988 [ C26024265A7523312A5D06FC33AA57AA ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
    00:12:42.0250 5988 Udfs - ok
    00:12:42.0265 5988 ultra - ok
    00:12:42.0281 5988 [ 997FE835C85D0FB0501DF6664D6FD072 ] UMWdf C:\WINDOWS\system32\wdfmgr.exe
    00:12:42.0281 5988 UMWdf - ok
    00:12:42.0312 5988 [ 424421053064846A85D32B048EA27E7E ] Update C:\WINDOWS\system32\DRIVERS\update.sys
    00:12:42.0312 5988 Update - ok
    00:12:42.0328 5988 [ 92C3A632E963A8224FE62AA37C9508F6 ] UPS C:\WINDOWS\System32\ups.exe
    00:12:42.0328 5988 UPS - ok
    00:12:42.0359 5988 [ 5CE9331DC4C9E3B1FA4AAEF1B212701F ] vds C:\WINDOWS\System32\vds.exe
    00:12:42.0375 5988 vds - ok
    00:12:42.0375 5988 [ 2EB062B434792BB6BB614F107DD3A5CF ] vga C:\WINDOWS\system32\DRIVERS\vgapnp.sys
    00:12:42.0406 5988 vga - ok
    00:12:42.0406 5988 [ 062FBC10147FD837D819F94AA394E661 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
    00:12:42.0406 5988 VgaSave - ok
    00:12:42.0421 5988 ViaIde - ok
    00:12:42.0437 5988 [ 0AE5526FD72EE4B8A5721FFCF7EBCC4A ] VolSnap C:\WINDOWS\system32\DRIVERS\volsnap.sys
    00:12:42.0453 5988 VolSnap - ok
    00:12:42.0500 5988 [ C10C5C9E1D24614393106722F6388C24 ] VSS C:\WINDOWS\System32\vssvc.exe
    00:12:42.0500 5988 VSS - ok
    00:12:42.0531 5988 [ 42CDAE64DA5BEABB51C0C0F613658545 ] W32Time C:\WINDOWS\system32\w32time.dll
    00:12:42.0546 5988 W32Time - ok
    00:12:42.0562 5988 [ DB0E023EE673896AD1780ACAD3BAB393 ] W3SVC C:\WINDOWS\system32\inetsrv\iisw3adm.dll
    00:12:42.0578 5988 W3SVC - ok
    00:12:42.0578 5988 [ CE030B1D05A01FA012D32F2D25676B1C ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
    00:12:42.0609 5988 Wanarp - ok
    00:12:42.0625 5988 WDICA - ok
    00:12:42.0640 5988 [ 6F66E66AB1C25C0BD363F2252DB04360 ] WebClient C:\WINDOWS\System32\webclnt.dll
    00:12:42.0640 5988 WebClient - ok
    00:12:42.0656 5988 WinHttpAutoProxySvc - ok
    00:12:42.0703 5988 [ F8D5B9C1A26C933B9EA7740BAB35BCF5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
    00:12:42.0703 5988 winmgmt - ok
    00:12:42.0734 5988 [ D346E2F289F23E557DDFB9132D1DAB35 ] WLBS C:\WINDOWS\system32\DRIVERS\wlbs.sys
    00:12:42.0734 5988 WLBS - ok
    00:12:42.0750 5988 [ 4D32F7BDBF325792AE28D5380DDF6BCF ] WmdmPmSN C:\WINDOWS\system32\mspmsnsv.dll
    00:12:42.0750 5988 WmdmPmSN - ok
    00:12:42.0796 5988 [ 5F1120D0CA0ED6B1CEAE21555E06333D ] Wmi C:\WINDOWS\System32\advapi32.dll
    00:12:42.0796 5988 Wmi - ok
    00:12:42.0828 5988 [ 796D30C693F7B8A717499A9ABEB3AF39 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
    00:12:42.0828 5988 WmiApSrv - ok
    00:12:42.0843 5988 [ 996CEC79B1662044E8462E130A65739E ] wuauserv C:\WINDOWS\system32\wuauserv.dll
    00:12:42.0843 5988 wuauserv - ok
    00:12:42.0890 5988 [ E21B2D0A0D4AB1D2441FE9FCC961C392 ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
    00:12:42.0906 5988 WZCSVC - ok
    00:12:42.0921 5988 [ C5B83F9A09A3EBFE8A931472F6DA4E38 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
    00:12:42.0921 5988 xmlprov - ok
    00:12:42.0937 5988 ================ Scan global ===============================
    00:12:42.0953 5988 [ CF34734715FAADCF38BFDAA9E65DCC57 ] C:\WINDOWS\system32\basesrv.dll
    00:12:42.0984 5988 [ 17F20107B04E2C112D6AB228308500BC ] C:\WINDOWS\system32\winsrv.dll
    00:12:42.0984 5988 [ 17F20107B04E2C112D6AB228308500BC ] C:\WINDOWS\system32\winsrv.dll
    00:12:43.0000 5988 [ CF500580CDD83B145646A4DCFCE1CF3C ] C:\WINDOWS\system32\services.exe
    00:12:43.0000 5988 [Global] - ok
    00:12:43.0015 5988 ================ Scan MBR ==================================
    00:12:43.0015 5988 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
    00:12:43.0234 5988 \Device\Harddisk0\DR0 - ok
    00:12:43.0250 5988 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk1\DR1
    00:12:43.0265 5988 \Device\Harddisk1\DR1 - ok
    00:12:43.0265 5988 ================ Scan VBR ==================================
    00:12:43.0265 5988 [ 0D6EE529B8C9FFD9CDD9A685C3391F9A ] \Device\Harddisk0\DR0\Partition1
    00:12:43.0265 5988 \Device\Harddisk0\DR0\Partition1 - ok
    00:12:43.0281 5988 [ D46B2105CF6440F6E3C0C6A51F4B12DB ] \Device\Harddisk1\DR1\Partition1
    00:12:43.0281 5988 \Device\Harddisk1\DR1\Partition1 - ok
    00:12:43.0281 5988 ============================================================
    00:12:43.0281 5988 Scan finished
    00:12:43.0281 5988 ============================================================
    00:12:43.0312 4840 Detected object count: 0
    00:12:43.0312 4840 Actual detected object count: 0
     
     
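The TDSSKiller listing above is a flat dump of every registered service and driver with the MD5 of its image file, which is tedious to read by eye. The following is an added example, not part of this thread and not TDSSKiller's own code, that parses that line format (sample lines copied from the log above and embedded as constructed input), collects the unique hashes for a bulk known-good/known-bad lookup, lists entries that only have a verdict line (a registered service or driver whose image file TDSSKiller did not find to hash), and shows which service names share one host binary, as the several lsass.exe-hosted services above do.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the TDSSKiller log posted above.
SAMPLE_LOG = r"""
00:12:39.0015 5988 [ D4B61A935670C57A0DEA81B4F4A12169 ] kdc C:\WINDOWS\System32\lsass.exe
00:12:39.0015 5988 kdc - ok
00:12:39.0390 5988 lp6nds35 - ok
00:12:40.0062 5988 [ D4B61A935670C57A0DEA81B4F4A12169 ] Netlogon C:\WINDOWS\system32\lsass.exe
00:12:40.0078 5988 Netlogon - ok
00:12:39.0500 5988 [ 7CE5BA9DD4BEAFA48DD099564046C6DE ] Messenger C:\WINDOWS\System32\msgsvc.dll
00:12:39.0500 5988 Messenger - ok
00:12:41.0906 5988 [ 3B45D2674414D1F5400B9C452A7A293F ] tap0901 C:\WINDOWS\system32\DRIVERS\tap0901.sys
00:12:41.0906 5988 tap0901 - ok
00:12:38.0984 5988 [ B04BFA1551B634970F21B68007521D3D ] JCard Service E:\ICVERIFY\ICWin403\Jcard\JCardService.exe
00:12:39.0000 5988 JCard Service - ok
"""

# "<time> <pid> [ <MD5> ] <service name> <image path>": the name may contain
# spaces, so it is matched lazily and the path must begin with a drive letter.
HASH_LINE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+\[ ([0-9A-F]{32}) \] (.+?)\s+([A-Za-z]:\\.*)$"
)
# "<time> <pid> <service name> - <verdict>"
VERDICT_LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(.+?) - (.+)$")


def parse_tdsskiller(text):
    """Return {service name: {"md5", "path", "verdict"}} for the service/driver
    section of a TDSSKiller log. An entry with a verdict but no md5 is a
    registered service whose image file TDSSKiller did not find to hash."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            md5, name, path = m.groups()
            entries.setdefault(name, {"md5": None, "path": None, "verdict": None})
            entries[name].update(md5=md5, path=path)
            continue
        m = VERDICT_LINE.match(line)
        if m:
            name, verdict = m.groups()
            entries.setdefault(name, {"md5": None, "path": None, "verdict": None})
            entries[name]["verdict"] = verdict
    return entries


def unique_hashes(entries):
    """MD5 -> set of image paths: the list to submit to a hash lookup service."""
    by_hash = defaultdict(set)
    for e in entries.values():
        if e["md5"]:
            by_hash[e["md5"]].add(e["path"])
    return dict(by_hash)


def entries_without_file(entries):
    """Service names that got a verdict line but no hashed image file."""
    return [name for name, e in entries.items() if e["md5"] is None]


def shared_binaries(entries):
    """Image path (case-folded) -> service names hosted by that one binary."""
    by_path = defaultdict(list)
    for name, e in entries.items():
        if e["path"]:
            by_path[e["path"].lower()].append(name)
    return {p: names for p, names in by_path.items() if len(names) > 1}


if __name__ == "__main__":
    parsed = parse_tdsskiller(SAMPLE_LOG)
    for md5, paths in unique_hashes(parsed).items():
        print(md5, sorted(paths))
    print("no image file hashed:", entries_without_file(parsed))
    print("shared host binaries:", shared_binaries(parsed))
```

Paths are case-folded before grouping because TDSSKiller prints them exactly as registered (System32 and system32 both appear above for lsass.exe); the hashes are not folded, since a differing MD5 for what should be the same file is exactly the thing a lookup is meant to surface.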
  12. Broni

    I don't see much so far....

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
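When the OTL.txt that Broni asks for comes back, the Services and Driver Services sections are the ones to read first. The following is an added example, not part of this thread and not OTL's own code, that parses those SRV/DRV lines (sample lines copied from the OTL log posted below, embedded as constructed input) and flags two patterns a responder checks before anything else: a driver image registered from a user Temp directory, and a running service with no company or version information. Both are pointers for follow-up (does the file still exist, what is its hash), not verdicts: anti-rootkit tools such as aswMBR load their driver from Temp and can leave an orphaned entry behind after the scan.

```python
import re

# Constructed sample: lines copied from the OTL Services and Driver Services
# sections posted later in this thread.
SAMPLE_OTL = r"""
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapog.sys -- (pxtdapog)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Unknown] -- E:\DOCUME~1\MIKEBE~1.ECT\LOCALS~1\Temp\2\aswMBR.sys -- (aswMBR)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/06/16 08:41:38 | 000,025,984 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
SRV - [2008/04/07 19:09:00 | 000,122,880 | ---- | M] () [Auto | Running] -- E:\ICVERIFY\ICWin403\Jcard\JCardService.exe -- (JCard Service)
"""

# "DRV|SRV - File not found|[<date> | <size> | <attrs> | M] (<company>) [<flags>] -- <path> -- (<name>)"
# The path is empty when OTL has no image path for the entry ("-- -- (name)").
OTL_LINE = re.compile(
    r"^(?P<kind>DRV|SRV) - "
    r"(?:(?P<missing>File not found)|\[(?P<meta>[^\]]*)\] \((?P<company>[^)]*)\)) "
    r"\[(?P<flags>[^\]]*)\] -- (?P<path>.*?) ?-- \((?P<name>.+)\)$"
)

# Case-folded fragments that place an image under a user's temp directory.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\")


def parse_otl(text):
    """Return one dict per SRV/DRV line; the last flag is the state."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        flags = [f.strip() for f in m.group("flags").split("|")]
        entries.append({
            "kind": m.group("kind"),
            "name": m.group("name"),
            "path": m.group("path"),
            "missing": m.group("missing") is not None,
            "company": (m.group("company") or "").strip(),
            "state": flags[-1],  # Running / Stopped / Unknown
        })
    return entries


def triage(entries):
    """Return [(name, reason)] for entries worth a second look. A hit is a
    pointer for follow-up (does the file exist? what is its hash?), not a verdict."""
    hits = []
    for e in entries:
        low = e["path"].lower()
        if any(t in low for t in TEMP_MARKERS):
            hits.append((e["name"], "image registered from a user Temp directory"))
        elif e["state"] == "Running" and not e["company"] and not e["missing"]:
            hits.append((e["name"], "running with no company/version information"))
    return hits


if __name__ == "__main__":
    for name, reason in triage(parse_otl(SAMPLE_OTL)):
        print(f"{name}: {reason}")
```

The many "File not found ... Stopped" entries with no path at all (WDICA, PDCOMP and friends) are left alone on purpose: they are empty legacy registrations and flagging them would bury the two Temp-directory drivers that actually need a look.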
     
  13. Michael Best

    OTL logfile created on: 9/4/2012 8:25:34 PM - Run 1
    OTL by OldTimer - Version 3.2.61.0 Folder = E:\installers\fixer
    Windows Server 2003 Enterprise Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    8.00 Gb Total Physical Memory | 6.00 Gb Available Physical Memory | 75.01% Memory free
    9.31 Gb Paging File | 6.91 Gb Available in Paging File | 74.28% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = E:\Program Files
    Drive C: | 19.99 Gb Total Space | 8.34 Gb Free Space | 41.73% Space Free | Partition Type: NTFS
    Drive E: | 350.00 Gb Total Space | 286.85 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
    Drive G: | 350.00 Gb Total Space | 286.85 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
    Drive P: | 350.00 Gb Total Space | 286.85 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
    Drive S: | 350.00 Gb Total Space | 286.85 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
    Drive T: | 350.00 Gb Total Space | 286.85 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
    Drive Y: | 350.00 Gb Total Space | 286.85 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
    Drive Z: | 350.00 Gb Total Space | 286.85 Gb Free Space | 81.96% Space Free | Partition Type: NTFS

    Computer Name: ECT05 | User Name: mikebest66 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/09/04 20:24:59 | 000,599,040 | ---- | M] (OldTimer Tools) -- E:\installers\fixer\OTL.exe
    PRC - [2012/07/12 22:11:18 | 000,136,616 | ---- | M] (LogMeIn, Inc.) -- E:\program files\LogMeIn\x86\ramaint.exe
    PRC - [2012/07/12 22:10:08 | 000,374,184 | ---- | M] (LogMeIn, Inc.) -- E:\program files\LogMeIn\x86\LMIGuardianSvc.exe
    PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- E:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- E:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    PRC - [2011/10/24 09:40:10 | 000,814,264 | ---- | M] (ESET) -- E:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe
    PRC - [2011/10/24 09:40:04 | 002,219,184 | ---- | M] (ESET) -- E:\program files\ESET\ESET NOD32 Antivirus\egui.exe
    PRC - [2010/11/08 13:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- E:\program files\LogMeIn\x86\LogMeIn.exe
    PRC - [2010/01/27 12:22:02 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- E:\program files\LogMeIn\x86\LogMeInSystray.exe
    PRC - [2009/02/16 07:37:19 | 000,450,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dns.exe
    PRC - [2008/04/07 19:09:00 | 000,122,880 | ---- | M] () -- E:\ICVERIFY\ICWin403\Jcard\JCardService.exe
    PRC - [2008/01/10 09:28:10 | 000,135,168 | ---- | M] (Sun Microsystems, Inc.) -- E:\ICVERIFY\ICWin403\jre1.6.0\bin\javaw.exe
    PRC - [2007/11/06 21:48:40 | 003,619,304 | ---- | M] (Intuit Inc.) -- E:\program files\Intuit\QuickBooks 2006\QBW32.EXE
    PRC - [2007/11/06 20:40:54 | 000,815,104 | ---- | M] (Intuit Inc.) -- E:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    PRC - [2007/11/06 19:38:58 | 000,086,016 | ---- | M] (Intuit Inc.) -- E:\program files\Common Files\Intuit\QuickBooks\axlbridge.exe
    PRC - [2007/02/17 04:06:52 | 000,283,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tsadmin.exe
    PRC - [2007/02/17 03:55:16 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rdpclip.exe
    PRC - [2007/02/17 03:31:58 | 000,349,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lserver.exe
    PRC - [2007/02/17 03:31:48 | 000,509,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logon.scr
    PRC - [2007/02/17 02:58:36 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/10/19 17:31:02 | 000,102,400 | ---- | M] (SHARP CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\SH0XRCV.exe
    PRC - [2005/10/10 13:18:00 | 000,126,976 | ---- | M] (Intuit, Inc.) -- E:\program files\Intuit\QuickBooks 2006\QBDBMgr.exe
    PRC - [2005/06/03 01:39:40 | 000,008,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scrnsave.scr
    PRC - [2000/03/13 03:56:26 | 000,405,504 | ---- | M] (Corel Corporation) -- E:\program files\Corel\Paradox 9 Runtime\Programs\PDXRWN32.exe


    ========== Modules (No Company Name) ==========

    MOD - [2010/02/06 02:54:24 | 001,278,464 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
    MOD - [2009/11/05 08:39:40 | 000,087,552 | ---- | M] () -- C:\WINDOWS\system32\cpwmon2k.dll
    MOD - [2009/07/30 21:44:14 | 000,176,235 | ---- | M] () -- C:\WINDOWS\system32\Primomonnt.dll
    MOD - [2009/02/14 05:04:38 | 000,756,040 | ---- | M] () -- E:\program files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
    MOD - [2008/10/26 05:42:14 | 000,065,376 | ---- | M] () -- E:\program files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll
    MOD - [2008/04/07 19:09:00 | 000,122,880 | ---- | M] () -- E:\ICVERIFY\ICWin403\Jcard\JCardService.exe
    MOD - [2008/03/21 14:56:54 | 000,166,912 | ---- | M] () -- C:\WINDOWS\system32\HylaPrintMon.dll
    MOD - [2007/11/06 21:07:30 | 000,147,456 | ---- | M] () -- E:\program files\Intuit\QuickBooks 2006\mbpopup.dll
    MOD - [2007/02/17 02:49:32 | 000,061,440 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
    MOD - [2006/10/27 15:35:18 | 000,436,512 | ---- | M] () -- E:\program files\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll
    MOD - [2005/06/03 01:39:32 | 000,016,896 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll
    MOD - [2000/03/13 03:51:54 | 000,364,544 | ---- | M] () -- E:\program files\Corel\Paradox 9 Runtime\Programs\PRVIEW32.dll
    MOD - [2000/03/13 03:51:50 | 000,765,952 | ---- | M] () -- E:\program files\Corel\Paradox 9 Runtime\Programs\PXRSRV32.dll
    MOD - [2000/03/13 03:48:14 | 000,081,920 | ---- | M] () -- E:\program files\Corel\Paradox 9 Runtime\Programs\PXRFVW32.dll
    MOD - [2000/03/13 03:47:38 | 000,225,280 | ---- | M] () -- E:\program files\Corel\Paradox 9 Runtime\Programs\PXRTRN32.dll
    MOD - [2000/03/13 03:18:08 | 000,049,152 | ---- | M] () -- E:\program files\Corel\Paradox 9 Runtime\Programs\SrvMFC.dll
    MOD - [2000/03/13 02:58:12 | 000,045,056 | ---- | M] () -- E:\program files\Corel\Paradox 9 Runtime\Programs\pxcoed32.dll
    MOD - [1999/06/14 01:46:14 | 000,360,448 | ---- | M] () -- E:\program files\Corel\Paradox 9 Runtime\Programs\pxchrt32.dll
    MOD - [1999/01/04 10:45:34 | 000,118,784 | ---- | M] () -- E:\program files\Corel\Paradox 9 Runtime\Programs\Pdeldr.dll
    MOD - [1998/10/10 04:01:00 | 000,589,312 | ---- | M] () -- E:\program files\Borland\Common Files\Bde\idapi32.dll
    MOD - [1998/10/10 04:01:00 | 000,422,400 | ---- | M] () -- E:\program files\Borland\Common Files\Bde\idqbe32.dll
    MOD - [1998/10/10 04:01:00 | 000,255,488 | ---- | M] () -- E:\program files\Borland\Common Files\Bde\idpdx32.dll
    MOD - [1998/10/10 04:01:00 | 000,139,264 | ---- | M] () -- E:\program files\Borland\Common Files\Bde\idbat32.dll
    MOD - [1998/10/10 04:01:00 | 000,116,736 | ---- | M] () -- E:\program files\Borland\Common Files\Bde\idr20009.dll
    MOD - [1998/10/10 04:01:00 | 000,101,376 | ---- | M] () -- E:\program files\Borland\Common Files\Bde\bantam.dll


    ========== Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
    SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
    SRV - [2012/08/26 13:56:49 | 000,250,568 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/07/12 22:11:18 | 000,136,616 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- E:\program files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
    SRV - [2012/07/12 22:10:08 | 000,374,184 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- E:\program files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
    SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- E:\program files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2011/10/24 09:40:44 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- E:\program files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
    SRV - [2011/10/24 09:40:10 | 000,814,264 | ---- | M] (ESET) [Auto | Running] -- E:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
    SRV - [2010/11/08 13:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- E:\program files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
    SRV - [2009/02/16 07:37:19 | 000,450,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dns.exe -- (DNS)
    SRV - [2008/05/05 21:08:38 | 000,049,152 | ---- | M] () [On_Demand | Stopped] -- E:\ICVERIFY\ICWin403\PCVXWinServiceManager.exe -- (icvmlt32)
    SRV - [2008/04/07 19:09:00 | 000,122,880 | ---- | M] () [Auto | Running] -- E:\ICVERIFY\ICWin403\Jcard\JCardService.exe -- (JCard Service)
    SRV - [2007/02/18 00:30:26 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
    SRV - [2007/02/17 04:07:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
    SRV - [2007/02/17 03:55:56 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
    SRV - [2007/02/17 03:41:50 | 000,792,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
    SRV - [2007/02/17 03:31:58 | 000,349,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lserver.exe -- (TermServLicensing)
    SRV - [2007/02/17 03:20:52 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
    SRV - [2007/02/17 03:19:44 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
    SRV - [2007/02/17 03:19:28 | 000,216,576 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll -- (W3SVC)
    SRV - [2007/02/17 02:50:02 | 000,164,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
    SRV - [2005/06/03 01:39:42 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
    SRV - [2005/06/03 01:39:32 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapog.sys -- (pxtdapog)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Adapter | On_Demand | Unknown] -- -- (LicenseInfo)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand | Unknown] -- E:\DOCUME~1\MIKEBE~1.ECT\LOCALS~1\Temp\2\aswMBR.sys -- (aswMBR)
    DRV - [2012/07/12 22:10:09 | 000,083,392 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
    DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2011/10/24 09:40:20 | 000,094,872 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
    DRV - [2011/10/24 09:40:06 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
    DRV - [2011/10/24 09:39:24 | 000,141,264 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
    DRV - [2010/06/16 08:41:38 | 000,025,984 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
    DRV - [2010/01/27 12:22:02 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
    DRV - [2010/01/27 12:22:02 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- E:\program files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
    DRV - [2007/02/17 04:09:26 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
    DRV - [2007/02/17 03:57:50 | 000,072,704 | ---- | M] (Microsoft Corporation) [Kernel | Unavailable | Unknown] -- C:\WINDOWS\System32\drivers\sacdrv.sys -- (sacdrv)
    DRV - [2007/02/17 02:49:38 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dfs.sys -- (DfsDriver)
    DRV - [2007/02/17 02:31:14 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
    DRV - [2005/03/24 19:25:38 | 000,049,664 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\symmpi.sys -- (symmpi)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B6 11 38 B0 67 11 CB 01 [binary data]
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B6 11 38 B0 67 11 CB 01 [binary data]
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1010\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E2 60 9D A1 C4 8A CD 01 [binary data]
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1010\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1010\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1010\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1011\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1011\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1011\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 10 CE DB A0 50 85 CD 01 [binary data]
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1011\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1011\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1011\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1011\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1012\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1012\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1012\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B0 2D AA A2 3B 89 CD 01 [binary data]
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1012\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1012\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1013\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1013\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1013\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = DE 80 4D 6E 12 86 CD 01 [binary data]
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1013\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1013\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1013\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&mkt=en-gb&FORM=IE0000
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1013\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1015\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.search.yahoo.com/?fr=w3i&type=W3i_SP,204,0_0,StartPage,20110834,16898,0,8,0
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1015\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1015\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1015\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 42 16 54 11 82 5B CC 01 [binary data]
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1015\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1015\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - No CLSID value found
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1015\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1015\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1015\..\SearchScopes\{D482E073-FB00-4D6D-8A89-A29FDBE013C7}: "URL" = http://search.yahoo.com/search?p={s...ype=W3i_DS,136,0_0,Search,20110834,6901,0,8,0
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1015\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1017\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1017\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1017\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C6 A0 77 5A 78 84 CD 01 [binary data]
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1017\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1017\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1017\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1017\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1018\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1018\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1018\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 58 53 D1 B2 75 50 CD 01 [binary data]
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1018\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1018\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1018\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1018\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1025\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1025\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1025\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1025\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 82 3C 9C 23 57 93 CC 01 [binary data]
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1025\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1025\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1025\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-1025\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-2313297223-338309279-785217241-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/softAdmin.htm
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-500\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/softAdmin.htm
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B6 11 38 B0 67 11 CB 01 [binary data]
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-500\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-2313297223-338309279-785217241-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: E:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: E:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: E:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: E:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: E:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2012/08/26 09:17:40 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2011/06/17 00:16:29 | 000,000,834 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 192.168.1.4 ect
    O1 - Hosts: 192.168.1.4 ectsrv1
    O1 - Hosts: 192.168.1.4 ectsrv1.ect.local
    O1 - Hosts: 192.168.1.4 ect.local
    O4 - HKLM..\Run: [egui] E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
    O4 - HKLM..\Run: [LogMeIn GUI] E:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [netconnect] c:\netconnect.cmd ()
    O4 - HKLM..\Run: [SH0XRCV] C:\WINDOWS\system32\spool\drivers\w32x86\3\SH0XRCV.exe (SHARP CORPORATION)
    O4 - HKU\.DEFAULT..\Run: [] File not found
    O4 - HKU\S-1-5-18..\Run: [] File not found
    O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
    O4 - Startup: E:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = E:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
    O4 - Startup: E:\Documents and Settings\Candace\Start Menu\Programs\Startup\null ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2313297223-338309279-785217241-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2313297223-338309279-785217241-1011\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2313297223-338309279-785217241-1012\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2313297223-338309279-785217241-1013\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2313297223-338309279-785217241-1015\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2313297223-338309279-785217241-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2313297223-338309279-785217241-1018\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2313297223-338309279-785217241-1025\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2313297223-338309279-785217241-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271125018593 (WUWebControl Class)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=928 (Performance Viewer Activex Control)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{36969B39-EF0F-4C74-B318-82CF7A0F3246}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{40BBC676-D5F9-42C5-A1C8-7A13A759AEEE}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8C78A131-2BDD-4379-A42B-6591861F9B06}: DhcpNameServer = 216.134.212.107
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/04/12 20:34:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/09/03 22:50:26 | 000,000,000 | ---D | C] -- E:\Documents and Settings\mikebest66.ECT01\Desktop\RK_Quarantine
    [2012/08/26 09:17:39 | 000,000,000 | ---D | C] -- E:\Program Files\ESET
    [2012/08/26 09:17:39 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Start Menu\Programs\ESET
    [2012/08/26 09:17:39 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\ESET
    [2012/08/08 16:20:58 | 000,000,000 | -HSD | C] -- E:\Documents and Settings\mikebest66.ECT01\IECompatCache
    [2012/08/08 10:24:03 | 000,000,000 | ---D | C] -- E:\Program Files\NirSoft
    [7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/09/04 20:34:00 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2313297223-338309279-785217241-1010UA.job
    [2012/09/04 20:12:00 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2313297223-338309279-785217241-1025UA.job
    [2012/09/04 20:06:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
    [2012/09/04 20:02:00 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2012/09/04 12:26:54 | 000,002,473 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\Microsoft Office Excel 2007.lnk
    [2012/09/04 11:18:43 | 000,002,515 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\Microsoft Office Word 2007.lnk
    [2012/09/04 11:02:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2012/09/04 08:34:02 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2313297223-338309279-785217241-1010Core.job
    [2012/09/04 04:12:00 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2313297223-338309279-785217241-1025Core.job
    [2012/09/04 00:00:00 | 000,000,824 | ---- | M] () -- C:\WINDOWS\tasks\Daily Backup Incremental 2.job
    [2012/09/03 23:51:47 | 000,000,512 | ---- | M] () -- E:\Documents and Settings\mikebest66.ECT01\Desktop\MBR.dat
    [2012/09/03 23:03:55 | 000,001,065 | ---- | M] () -- E:\Documents and Settings\mikebest66.ECT01\Desktop\Continue Download Manager Installation.lnk
    [2012/09/03 22:59:44 | 130,692,136 | ---- | M] () -- E:\Documents and Settings\mikebest66.ECT01\My Documents\backup.reg
    [2012/09/03 12:36:19 | 000,053,062 | ---- | M] () -- E:\Documents and Settings\mikebest66.ECT01\null
    [2012/09/02 14:50:36 | 000,543,664 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/09/02 14:50:35 | 000,103,228 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/09/02 11:25:38 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/09/02 11:25:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/09/02 00:01:00 | 000,000,856 | ---- | M] () -- C:\WINDOWS\tasks\Weekly Backup.job
    [2012/08/30 09:21:36 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/08/21 09:13:58 | 000,001,512 | ---- | M] () -- E:\Documents and Settings\mikebest66.ECT01\Desktop\Computer Management.lnk
    [2012/08/17 10:41:06 | 000,001,738 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
    [2012/08/15 00:15:00 | 000,000,872 | ---- | M] () -- C:\WINDOWS\tasks\Monthly Backup.job
    [7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/09/03 23:51:47 | 000,000,512 | ---- | C] () -- E:\Documents and Settings\mikebest66.ECT01\Desktop\MBR.dat
    [2012/09/03 23:03:55 | 000,001,065 | ---- | C] () -- E:\Documents and Settings\mikebest66.ECT01\Desktop\Continue Download Manager Installation.lnk
    [2012/09/03 22:59:30 | 130,692,136 | ---- | C] () -- E:\Documents and Settings\mikebest66.ECT01\My Documents\backup.reg
    [2012/08/17 10:41:06 | 000,002,181 | ---- | C] () -- E:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
    [2012/08/17 10:41:06 | 000,001,738 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
    [2012/05/14 17:38:10 | 000,053,062 | ---- | C] () -- E:\Documents and Settings\mikebest66.ECT01\null
    [2010/06/21 14:57:47 | 000,000,434 | RHS- | C] () -- E:\Documents and Settings\All Users\ntuser.pol

    ========== LOP Check ==========

    [2012/05/17 12:29:11 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\AppAssure
    [2012/08/26 09:17:39 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\ESET
    [2012/09/04 08:44:05 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\LogMeIn
    [2011/04/01 08:02:31 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\Trusteer
    [2012/05/14 21:54:14 | 000,000,000 | ---D | M] -- E:\Documents and Settings\BStafford\Application Data\SHARP
    [2012/05/14 18:34:27 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Candace\Application Data\FASTTRAK Technologies
    [2012/08/22 10:48:58 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Candace\Application Data\SHARP
    [2012/06/08 04:15:29 | 000,000,000 | ---D | M] -- E:\Documents and Settings\dwhite\Application Data\PrimoPDF
    [2011/02/11 16:37:57 | 000,000,000 | ---D | M] -- E:\Documents and Settings\dwhite\Application Data\SHARP
    [2010/07/30 14:00:31 | 000,000,000 | ---D | M] -- E:\Documents and Settings\emarkley\Application Data\PrimoPDF
    [2011/05/26 16:48:57 | 000,000,000 | ---D | M] -- E:\Documents and Settings\emarkley\Application Data\SHARP
    [2012/05/14 19:25:29 | 000,000,000 | ---D | M] -- E:\Documents and Settings\gfranks\Application Data\FinalMediaPlayer
    [2010/07/22 16:33:41 | 000,000,000 | ---D | M] -- E:\Documents and Settings\gfranks\Application Data\PrimoPDF
    [2011/02/14 12:14:34 | 000,000,000 | ---D | M] -- E:\Documents and Settings\jewing\Application Data\SHARP
    [2012/05/14 20:18:49 | 000,000,000 | ---D | M] -- E:\Documents and Settings\kclark\Application Data\SHARP
    [2011/12/02 10:26:18 | 000,000,000 | ---D | M] -- E:\Documents and Settings\kclark\Application Data\TightVNC
    [2012/05/14 21:01:05 | 000,000,000 | ---D | M] -- E:\Documents and Settings\MSobol\Application Data\FASTTRAK Technologies
    [2012/05/14 20:21:05 | 000,000,000 | ---D | M] -- E:\Documents and Settings\rholt\Application Data\FASTTRAK Technologies
    [2012/05/14 20:21:06 | 000,000,000 | ---D | M] -- E:\Documents and Settings\rholt\Application Data\FinalMediaPlayer
    [2012/05/14 20:22:38 | 000,000,000 | ---D | M] -- E:\Documents and Settings\rholt\Application Data\SHARP
    [2012/05/14 22:27:58 | 000,000,000 | ---D | M] -- E:\Documents and Settings\treed\Application Data\SHARP
    [2011/12/02 10:26:18 | 000,000,000 | ---D | M] -- E:\Documents and Settings\treed\Application Data\TightVNC
    [2012/09/04 00:00:00 | 000,000,824 | ---- | M] () -- C:\WINDOWS\Tasks\Daily Backup Incremental 2.job
    [2012/08/15 00:15:00 | 000,000,872 | ---- | M] () -- C:\WINDOWS\Tasks\Monthly Backup.job
    [2012/09/04 10:12:00 | 000,032,444 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt
    [2012/09/02 00:01:00 | 000,000,856 | ---- | M] () -- C:\WINDOWS\Tasks\Weekly Backup.job

    ========== Purity Check ==========



    < End of report >
  14. Michael Best

    OTL Extras logfile created on: 9/4/2012 8:25:34 PM - Run 1
    OTL by OldTimer - Version 3.2.61.0 Folder = E:\installers\fixer
    Windows Server 2003 Enterprise Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    8.00 Gb Total Physical Memory | 6.00 Gb Available Physical Memory | 75.01% Memory free
    9.31 Gb Paging File | 6.91 Gb Available in Paging File | 74.28% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = E:\Program Files
    Drive C: | 19.99 Gb Total Space | 8.34 Gb Free Space | 41.73% Space Free | Partition Type: NTFS
    Drive E: | 350.00 Gb Total Space | 286.85 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
    Drive G: | 350.00 Gb Total Space | 286.85 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
    Drive P: | 350.00 Gb Total Space | 286.85 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
    Drive S: | 350.00 Gb Total Space | 286.85 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
    Drive T: | 350.00 Gb Total Space | 286.85 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
    Drive Y: | 350.00 Gb Total Space | 286.85 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
    Drive Z: | 350.00 Gb Total Space | 286.85 Gb Free Space | 81.96% Space Free | Partition Type: NTFS

    Computer Name: ECT05 | User Name: mikebest66 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    [HKEY_USERS\S-1-5-21-2313297223-338309279-785217241-1010\SOFTWARE\Classes\<extension>]
    .html [@ = htmlfile] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
    "{0C262D84-FFA4-4621-8ED7-41F8287369F5}" = Google Apps Migration For Microsoft Outlook® 2.3.12.34
    "{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (ICV)
    "{33286280-8617-11E1-8FF6-B8AC6F97B88E}" = Google Earth Plug-in
    "{4475560E-9418-4908-A158-472D873AE139}" = LogMeIn
    "{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
    "{5E903AAE-A6E7-4972-B74C-E38663E69540}" = Google Apps Sync™ for Microsoft Outlook® 3.1.94.203
    "{5EA38FCB-382B-4D24-8CA5-6A23D649614B}" = Trip Tracker V11 Icons
    "{69B02159-7624-4DBB-B9EE-F933039830AD}" = QuickBooks Premier Edition 2006
    "{6C5E8393-68D6-4FAF-96DF-A2B4D3A8BF0B}" = ICVERIFY for Windows 4.0.3
    "{769252B2-FF9A-4006-A986-F1DB0E29A638}" = Winprint HylaFAX
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
    "{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
    "{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{978FC90C-E6C5-40A1-8B1A-87B78E6DEA7C}" = Chilkat Crypt ActiveX
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AA53316F-C568-4069-9EFC-CA3D39E418A6}" = ICVERIFY User Manager
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.4)
    "{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D01521C5-ECC6-4A9E-A3E4-1B981D7B7504}" = ESET NOD32 Antivirus
    "{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer
    "{F5CB2684-204C-44BD-8D8D-192FFDF3E982}" = Trip Tracker V11 Icons
    "{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
    "{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "Corel Applications" = Corel Applications
    "CutePDF Writer Installation" = CutePDF Writer 2.8
    "ENTERPRISE" = Microsoft Office Enterprise 2007
    "ICVPay Active Payment Control" = ICVPay Active Payment Control
    "ie8" = Windows Internet Explorer 8
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft SQL Server 2005" = Microsoft SQL Server 2005
    "NirSoft NK2Edit" = NirSoft NK2Edit
    "PrimoPDF" = PrimoPDF -- by Nitro PDF Software
    "SHARP AR-280 300 350 450 Series PC-Fax Driver" = SHARP AR-280/300/350/450 Series PC-Fax Driver
    "WIC" = Windows Imaging Component
    "Windows Server 2003 Service Pack" = Windows Server 2003 Service Pack 2

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-2313297223-338309279-785217241-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome
    "GoToMeeting" = GoToMeeting 5.1.0.880

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-2313297223-338309279-785217241-1015\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "NetAssistant 3.8.3" = Freeze.com NetAssistant

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-2313297223-338309279-785217241-1025\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 9/2/2012 11:20:39 AM | Computer Name = ECT05 | Source = Userenv | ID = 1502
    Description = Windows cannot load the locally stored profile. Possible causes of
    this error include insufficient security rights or a corrupt local profile. If
    this problem persists, contact your network administrator. DETAIL - The process
    cannot access the file because it is being used by another process.

    Error - 9/2/2012 11:20:39 AM | Computer Name = ECT05 | Source = Userenv | ID = 1515
    Description = Windows has backed up this user's profile. Windows will automatically
    try to use the backed up profile the next time this user logs on.

    Error - 9/2/2012 11:20:41 AM | Computer Name = ECT05 | Source = Userenv | ID = 1511
    Description = Windows cannot find the local profile and is logging you on with a
    temporary profile. Changes you make to this profile will be lost when you log off.

    Error - 9/2/2012 2:24:45 PM | Computer Name = ECT05 | Source = MBAMService | ID = 131073
    Description =

    Error - 9/2/2012 2:24:45 PM | Computer Name = ECT05 | Source = MBAMService | ID = 131073
    Description =

    Error - 9/3/2012 12:22:46 AM | Computer Name = ECT05 | Source = Application Hang | ID = 1002
    Description = Hanging application PDXRWN32.exe, version 9.0.738.0, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 9/3/2012 7:07:29 PM | Computer Name = ECT05 | Source = Userenv | ID = 1508
    Description = Windows was unable to load the registry. This is often caused by insufficient
    memory or insufficient security rights. DETAIL - The process cannot access the
    file because it is being used by another process. for E:\Documents and Settings\msobol\ntuser.dat

    Error - 9/3/2012 7:07:37 PM | Computer Name = ECT05 | Source = Userenv | ID = 1502
    Description = Windows cannot load the locally stored profile. Possible causes of
    this error include insufficient security rights or a corrupt local profile. If
    this problem persists, contact your network administrator. DETAIL - The process
    cannot access the file because it is being used by another process.

    Error - 9/3/2012 7:07:37 PM | Computer Name = ECT05 | Source = Userenv | ID = 1515
    Description = Windows has backed up this user's profile. Windows will automatically
    try to use the backed up profile the next time this user logs on.

    Error - 9/3/2012 7:07:37 PM | Computer Name = ECT05 | Source = Userenv | ID = 1511
    Description = Windows cannot find the local profile and is logging you on with a
    temporary profile. Changes you make to this profile will be lost when you log off.

    [ OSession Events ]
    Error - 6/3/2011 3:56:08 PM | Computer Name = ECT01 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 76641
    seconds with 4500 seconds of active time. This session ended with a crash.

    Error - 6/4/2011 2:31:55 PM | Computer Name = ECT01 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 90270
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 6/4/2011 2:31:55 PM | Computer Name = ECT01 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 90257
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 6/8/2011 3:04:21 PM | Computer Name = ECT01 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 100167
    seconds with 4320 seconds of active time. This session ended with a crash.

    Error - 8/21/2012 9:37:24 AM | Computer Name = ECT05 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 38
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 8/21/2012 9:40:42 AM | Computer Name = ECT05 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 193
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 8/27/2012 10:10:16 AM | Computer Name = ECT05 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 585
    seconds with 540 seconds of active time. This session ended with a crash.

    Error - 8/31/2012 12:57:04 AM | Computer Name = ECT05 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 401592
    seconds with 9660 seconds of active time. This session ended with a crash.

    Error - 8/31/2012 11:01:30 AM | Computer Name = ECT05 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 7245
    seconds with 60 seconds of active time. This session ended with a crash.

    Error - 8/31/2012 1:03:49 PM | Computer Name = ECT05 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 6573
    seconds with 300 seconds of active time. This session ended with a crash.

    [ System Events ]
    Error - 9/4/2012 9:31:10 AM | Computer Name = ECT05 | Source = TermServDevices | ID = 1111
    Description = Driver Microsoft Shared Fax Driver required for printer Fax is unknown.
    Contact the administrator to install the driver before you log in again.

    Error - 9/4/2012 11:18:35 AM | Computer Name = ECT05 | Source = TermServDevices | ID = 1111
    Description = Driver SHARP AR-P300 PCL6 required for printer SHARP AR-P300 PCL6
    is unknown. Contact the administrator to install the driver before you log in again.

    Error - 9/4/2012 12:51:22 PM | Computer Name = ECT05 | Source = TermServDevices | ID = 1111
    Description = Driver Xerox WorkCentre Pro 35 PS required for printer Xerox WorkCentre
    Pro 35 PS is unknown. Contact the administrator to install the driver before you
    log in again.

    Error - 9/4/2012 12:51:32 PM | Computer Name = ECT05 | Source = TermServDevices | ID = 1111
    Description = Driver Xerox WorkCentre Pro 35 PS required for printer Auto Xerox
    WorkCentre Pro 35 PS on BUZZ is unknown. Contact the administrator to install the
    driver before you log in again.

    Error - 9/4/2012 12:51:32 PM | Computer Name = ECT05 | Source = TermServDevices | ID = 1111
    Description = Driver Xerox WorkCentre Pro 35 PS required for printer Auto Xerox
    WorkCentre Pro 35 PS on DELL-1 is unknown. Contact the administrator to install
    the driver before you log in again.

    Error - 9/4/2012 12:51:33 PM | Computer Name = ECT05 | Source = TermServDevices | ID = 1111
    Description = Driver Microsoft Office Document Image Writer Driver required for
    printer Microsoft Office Document Image Writer is unknown. Contact the administrator
    to install the driver before you log in again.

    Error - 9/4/2012 3:09:16 PM | Computer Name = ECT05 | Source = Print | ID = 6161
    Description = The document Microsoft Word - Credit Application.doc owned by msobol
    failed to print on printer CutePDF Writer. Data type: NT EMF 1.008. Size of the
    spool file in bytes: 1048576. Number of bytes printed: 0. Total number of pages
    in the document: 1. Number of pages printed: 0. Client machine: \\ECT05. Win32
    error code returned by the print processor: 6. The handle is invalid.

    Error - 9/4/2012 5:42:01 PM | Computer Name = ECT05 | Source = TermServDevices | ID = 1111
    Description = Driver HP LaserJet P1006 required for printer HP LaserJet P1006 (Copy
    1) is unknown. Contact the administrator to install the driver before you log in
    again.

    Error - 9/4/2012 5:42:01 PM | Computer Name = ECT05 | Source = TermServDevices | ID = 1111
    Description = Driver HP Deskjet D1400 series required for printer HP Deskjet D1400
    series is unknown. Contact the administrator to install the driver before you log
    in again.

    Error - 9/4/2012 5:42:11 PM | Computer Name = ECT05 | Source = TermServDevices | ID = 1111
    Description = Driver Microsoft Office Document Image Writer Driver required for
    printer Microsoft Office Document Image Writer is unknown. Contact the administrator
    to install the driver before you log in again.


    < End of report >
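    The Firewall Settings section of the OTL report above records both Windows Firewall profiles as disabled ("EnableFirewall" = 0) and the 3389:TCP exception scoped to "*", meaning any remote address. As an added example (not part of the thread and not OTL's own code), the Python below parses that section of an OTL report and flags those two conditions; both embedded reports are constructed, the first mirroring the values shown above and the second a hypothetical hardened counterpart that assumes a "LocalSubNet" scope for the RDP exception.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of the OTL report's "Firewall Settings" section; the values
# mirror the report above: both profiles disabled and the RDP exception scoped to '*'.
WEAK_REPORT = r"""
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
========== Authorized Applications List ==========
"""

# Constructed hypothetical hardened counterpart: firewall on, RDP exception limited to the local subnet.
HARDENED_REPORT = r"""
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22009
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")      # ========== Section Name ==========
KEY_RE = re.compile(r"^\[(.+)\]$")                  # [HKEY_...\path\to\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')    # "name" = value


@dataclass
class OpenPort:
    profile: str
    port: int
    protocol: str
    scope: str  # "*" means any remote address; "LocalSubNet" restricts to the local subnet
    enabled: bool
    name: str


def parse_firewall_section(report: str) -> tuple[dict[str, dict[str, str]], list[OpenPort]]:
    """Extract per-profile values and GloballyOpenPorts entries from the Firewall Settings section."""
    profiles: dict[str, dict[str, str]] = {}
    open_ports: list[OpenPort] = []
    in_section = False
    key_path: list[str] = []
    for raw in report.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            in_section = section.group(1) == "Firewall Settings"
            continue
        if not in_section or not line:
            continue
        key = KEY_RE.match(line)
        if key:
            key_path = key.group(1).split("\\")
            continue
        val = VALUE_RE.match(line)
        # Only keys that have a profile component after FirewallPolicy are of interest.
        if not val or "FirewallPolicy" not in key_path[:-1]:
            continue
        profile = key_path[key_path.index("FirewallPolicy") + 1]
        name, value = val.group(1), val.group(2)
        if key_path[-2:] == ["GloballyOpenPorts", "List"]:
            # Value layout on XP/2003: port:protocol:scope:Enabled|Disabled:display-name
            fields = value.split(":", 4)
            if len(fields) == 5 and fields[0].isdigit():
                open_ports.append(OpenPort(profile, int(fields[0]), fields[1], fields[2],
                                           fields[3].lower() == "enabled", fields[4]))
        else:
            profiles.setdefault(profile, {})[name] = value
    return profiles, open_ports


def audit_firewall(report: str) -> list[str]:
    """Return findings: disabled profiles, and enabled exceptions reachable from any remote address."""
    profiles, open_ports = parse_firewall_section(report)
    findings: list[str] = []
    for profile, values in profiles.items():
        if values.get("EnableFirewall") == "0":
            findings.append(f"{profile}: Windows Firewall disabled (EnableFirewall = 0)")
    for p in open_ports:
        if p.enabled and p.scope == "*":
            findings.append(f"{p.profile}: {p.protocol}/{p.port} open to any remote address")
    return findings
```

Running audit_firewall over a full OTL report works the same way, since the parser ignores every section other than Firewall Settings.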
     
  15. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Are you familiar with these two items?
    O4 - Startup: E:\Documents and Settings\Candace\Start Menu\Programs\Startup\null ()
    O4 - HKLM..\Run: [netconnect] c:\netconnect.cmd ()

    ==================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapog.sys -- (pxtdapog)
      IE - HKU\S-1-5-21-2313297223-338309279-785217241-1010\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
      IE - HKU\S-1-5-21-2313297223-338309279-785217241-1011\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
      IE - HKU\S-1-5-21-2313297223-338309279-785217241-1013\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
      IE - HKU\S-1-5-21-2313297223-338309279-785217241-1015\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
      IE - HKU\S-1-5-21-2313297223-338309279-785217241-1015\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - No CLSID value found
      IE - HKU\S-1-5-21-2313297223-338309279-785217241-1017\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
      IE - HKU\S-1-5-21-2313297223-338309279-785217241-1018\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
      IE - HKU\S-1-5-21-2313297223-338309279-785217241-1025\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
      O4 - HKU\.DEFAULT..\Run: [] File not found
      O4 - HKU\S-1-5-18..\Run: [] File not found
      O4 - Startup: E:\Documents and Settings\Candace\Start Menu\Programs\Startup\null ()
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [resethosts]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply. Only one log will be created.
    NOTE: If for any reason OTL stalls (most likely at the "killing processes..." step), run the fix from safe mode.
     
  16. Michael Best

    Michael Best TS Rookie Topic Starter Posts: 23

    I put this end. It is a login script.
    O4 - HKLM..\Run: [netconnect] c:\netconnect.cmd ()
     
  17. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    What about the other one?
     
  18. Michael Best

    Michael Best TS Rookie Topic Starter Posts: 23

    I don't know what the other one is. It should not be running. The infection originated with that user too.
     
  19. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    I added it to OTL fix script.
    You can run it now.
     
  20. Michael Best

    Michael Best TS Rookie Topic Starter Posts: 23

    OTL is not responding. A pop-up window came up: "MBAMService Terminated unexpectedly: see Event Log for Details" with an OK button. Clicking OK does nothing.
     
  21. Michael Best

    Michael Best TS Rookie Topic Starter Posts: 23

    Can I reset the server? It is locked up.
     
  22. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Run the fix from safe mode.
     
  23. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    We posted at the same time.
     
  24. Michael Best

    Michael Best TS Rookie Topic Starter Posts: 23

    All processes killed
    ========== OTL ==========
    Error: No service named pxtdapog was found to stop!
    Service\Driver key pxtdapog not found.
    File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapog.sys not found.
    Registry key HKEY_USERS\S-1-5-21-2313297223-338309279-785217241-1010\Software\Microsoft\Internet Explorer\URLSearchHooks not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}\ not found.
    Registry key HKEY_USERS\S-1-5-21-2313297223-338309279-785217241-1011\Software\Microsoft\Internet Explorer\URLSearchHooks not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}\ not found.
    Registry key HKEY_USERS\S-1-5-21-2313297223-338309279-785217241-1013\Software\Microsoft\Internet Explorer\URLSearchHooks not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}\ not found.
    Registry key HKEY_USERS\S-1-5-21-2313297223-338309279-785217241-1015\Software\Microsoft\Internet Explorer\URLSearchHooks not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}\ not found.
    Registry key HKEY_USERS\S-1-5-21-2313297223-338309279-785217241-1015\Software\Microsoft\Internet Explorer\URLSearchHooks not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}\ not found.
    Registry key HKEY_USERS\S-1-5-21-2313297223-338309279-785217241-1017\Software\Microsoft\Internet Explorer\URLSearchHooks not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}\ not found.
    Registry key HKEY_USERS\S-1-5-21-2313297223-338309279-785217241-1018\Software\Microsoft\Internet Explorer\URLSearchHooks not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}\ not found.
    Registry key HKEY_USERS\S-1-5-21-2313297223-338309279-785217241-1025\Software\Microsoft\Internet Explorer\URLSearchHooks not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}\ not found.
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
    E:\Documents and Settings\Candace\Start Menu\Programs\Startup\null moved successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\disablecad deleted successfully.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\WINDOWS\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 1288047 bytes
    ->Temporary Internet Files folder emptied: 590226 bytes
    ->Flash cache emptied: 781 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 402 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 402 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2511504 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 17846423 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 65572046 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 84.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.61.0 log created on 09042012_225905

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
  25. Michael Best

    Michael Best TS Rookie Topic Starter Posts: 23

    MalwareBytes has stopped logging the IP blocks! I am re-running OTL now.
     